Using AppStream to Deploy Packages on Demand for Your Offsite Users, Part 1
In today's businesses, many employees spend a big part of their time traveling to customers, conferences or trade shows. For a lot of them, having access to their software is very important. But when a software package breaks down, they are in trouble.
With SVS it is easy for them to reset an application to get it working again. They just select the package, right click and reset it. But if they push the wrong button, the package is deleted and they will not be able to update the packages.
With SVS pro, you can do much more. In this series of articles I'm going to explain to you how to build an AppStream solution for remote workers. It will give them access to the newest and updated software. The only thing needed is an internet connection.
This article will show you how to build a multi-node AppStream environment where one server is located inside your network with access to local network resources. The second server can be anywhere you like. In my case the second server is located in the DMZ in front of my firewall. The backend is behind the firewall. I do not explain how to configure the DMZ for this. All ports are mentioned in this article, and if you really do not have a clue what I'm talking about, please do not attempt it. The firewall is your first and most important defense protecting your environment.
The main goal is to give users a way to retrieve their applications based on group membership inside the Active Directory. This will enable remote workers to get the newest packages and software the company is using without needing to step inside the office.
This article will start with the installation of the front end and the backend.
In the second article we will install the AppStream Composer, compose our VSAs into AppStream format and deploy them. We will also install the client on a computer and stream our first package.
In the third article I will show you how to configure the console for the job it needs to do by explaining all the fields.
And finally in the fourth article I show you the user experience.
Now we have to build the heart of our installation: the AppStream backend and front end servers.
First of all you need an AppStream backend where you can configure all your packages.
So let's install it:
You need AppStream 5.2.2 for this. Get a copy at the Altiris download site. The evaluation copy has a free 30 day license built in. If you wish to use it longer, contact your Altiris partner for the needed licenses.
Extract the zip file to your server and double click: Launch.exe
In the screen that appears, select Install Components:
First we install the Streaming Server:
When you select it, the installer is started, and it prepares your server for the installation.
Click Next to continue:
Select "I Accept the terms" in the license agreement, and click Next:
Select the directory where you want to install all the files and click Next.
Select the third option: Multi-node Backend. By separating the front end from the backend you secure your network, because the front end is going to be connected to the internet directly.
Now we have to configure some settings. Do not use the computer name, but the IP address; you need to change this. I leave the other settings at their defaults. If you change them, get yourself a pen and write them down.
Now we have to select a database system. Keeping in mind that the streaming server will connect to the internet, I prefer not to use a SQL server. SQL Server 2000 and 2005 are vulnerable to SQL injections, and it will give you additional headaches when you have to prepare for prevention.
I select Install PostgresSQL database. Click Next to continue.
Select new User account. Change the password to a more secure one. The standard password can be guessed.
Check that all default or selected ports are free, and click Install.
Now the backend server is installed. This will take about 10 minutes.
Now that our backend server is ready, the next step is to configure the AppStream server. Go to the Start menu, and select Programs\Altiris\Altiris Streaming console.
The internet browser opens and you can log in for the first time.
Log in as local user. The default username is admin with no password.
You have several options here. In my installation I select Active Directory. This will give users the same rights as they have in the office. Click Next to continue.
The default AD controller is already selected. You may enter a different AD controller here, but most times the default is the only one.
Fill in the Fully Qualified Domain Name of the administrator and the password.
Leave testuser and testgroup empty. Click Next to continue.
The connection has been established. Click Continue.
Select Explicit login and click Finish. The server is now going to update its settings, and then it is ready.
We only need one more thing. We need a streaming server.
Let's go to the front end server.
Launch the installer again, but instead of selecting the backend server, we are now going to select the front end streaming server. If you already have IIS 6 up and running, make sure you stop the services before you start installing.
Select Multi-node Front End, and click Next to continue.
Now you will be asked for the license file. Import the license file and click Next to continue.
The default settings are selected. If you get an error that the default ports are already in use, please stop the IIS server first.
After clicking Next, the installation will be finished.
Go to My Computer, double click on it, and select Services and Applications. Go to Services.
Stop the following services:
- AWE Launch server
- AWE Streaming Server
Now we go back to the backend server.
Start the console and log in as admin with blank password and local user.
Select Console User Setup.
Click on the Network tab and click Add.
Select Network and click on Select User. Type in the name of the administrator and click on Find Now. Check mark it in the next screen and click Save.
The network Administrator is now added.
Log Out, and log in again as the administrator, and select Network User.
Select Component. Now we are going to add the streaming server and the launcher server.
Click Add.
If you get an error message, then stop the two services on the streaming server first. Do this again for the launcher.
When you go to Component status, you are now able to start the services. Check mark all three and click start.
In this article we built an AppStream backend server in our network.
The streaming server is our front end server.
If you have placed the front end server in your DMZ, check the ports. You have to open firewall ports to let the servers communicate with each other. You also have to think of user groups that reflect the software you wish to stream. Make sure you have enough internet speed. With a 1 MB uplink it will not work; in that case deployment of packages will take ages.
With current 100 mb uplinks, you will have speed enough to use packages of up to 500 mb.
In the next article I'm going to add packages, create groups and deploy them to our clients over the internet.
Stay in control, and build yourself a cool solution like this.
Regards,
ErikW
www.dinamiQs.com

Thanks for the great article Erik
I just wanted to comment about a couple things.
1) Postgres is a really nice DB for a quick implementation for testing/POC, but it's not supported in production. While MSSQL can be vulnerable, you do have the added protection of it being behind the firewall. Also, the front-end does not communicate with the DB directly.
2) When establishing the AD connection it does not have to be a domain admin account. It can be any domain user account. Just need to make sure the account is at a parent level search base. The way you can tell if the account you are using has visibility to the domain (connect to the GC on 3268) is by entering a user & group name in the "Test" fields. On the next screen it will give you 2 results. First result for a success/failure on the LDAP connection, the 2nd for a success/failure to read the "test" user/group. If you succeed on the connection but fail on the "read" then you are using an account in the wrong search base.
Example of this would be if you have users and groups in two different DCs:
users: DC=A,DC=C,DC=COM
groups: DC=B,DC=C,DC=COM
You would want to use an account from "C" to make sure you have visibility all the way down.
Thanks again and take care.
__________________________________
Gene Kupfer
Senior Technical Support Engineer
AppStream
Now Part of Symantec
__________________________________
For Knowledge Base articles, subscribe here: https://kb.altiris.com
For product information, white papers and trialware, go to: http://www.symantec.com/business/workspace-virtual...
____________________________
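The search-base rule in the comment above, worked through as an added example (not AppStream or Symantec code, and not part of the original comment). It assumes the search base is the domain of the bind account, that is, the trailing DC= components of its DN; the account, user and group DNs are constructed and follow the comment's A/B/C layout.

```python
# Added example: models the search-base rule from the comment, not AppStream code.
# Assumption: the search base is the bind account's domain (trailing DC= parts).

def split_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs, honouring '\\' escapes."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [tuple(x.strip().lower() for x in p.partition("=")[::2]) for p in parts]

def domain_base(dn):
    """Trailing DC components of a DN: the domain the object lives in."""
    rdns = split_dn(dn)
    i = len(rdns)
    while i > 0 and rdns[i - 1][0] == "dc":
        i -= 1
    return rdns[i:]

def is_under(dn, base):
    """True if dn sits at or below base (component-wise suffix match)."""
    rdns = split_dn(dn)
    return bool(base) and rdns[len(rdns) - len(base):] == base

def read_check(bind_dn, user_dn, group_dn):
    """Mimic the second "Test" result: can the bind account read both objects?"""
    base = domain_base(bind_dn)
    user_ok, group_ok = is_under(user_dn, base), is_under(group_dn, base)
    return {"user": user_ok, "group": group_ok, "read_ok": user_ok and group_ok}

# Constructed sample DNs following the comment's A/B/C layout.
USER = r"CN=Smith\, John,OU=Sales,DC=A,DC=C,DC=COM"
GROUP = "CN=AppStream-Office,OU=Groups,DC=B,DC=C,DC=COM"
BIND_IN_C = "CN=svc-appstream,OU=Service Accounts,DC=C,DC=COM"
BIND_IN_A = "CN=svc-appstream,CN=Users,DC=A,DC=C,DC=COM"

if __name__ == "__main__":
    for name, bind in (("account in C", BIND_IN_C), ("account in A", BIND_IN_A)):
        print(name, read_check(bind, USER, GROUP))
```

An ordinary domain user in C passes the read check for both objects, while the same account created in A connects but fails on the group, which is the "connection succeeds, read fails" case the comment describes.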
Solution built in VMware
I have built the solution in VMware, and for everybody's experience it would be nice to store it at some internet host who can facilitate it for a while.
With some freeware software it would be nice to read about it on the Juice, know more at www.altiris.com and to feel the experience just by connecting a SVS pro client to it.
The only thing I need is a host.
Anybody? Keep in mind that it will need a minimum of 10 mb upload and it will generate some traffic.
Regards
Erik
www.DinamiQs.com
Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)
Error
Erik, I am receiving an error when I try to add the streaming server as a component in the console. I type in a name that I want to use for the Component Name, Component type is streaming server, I punch in the IP address of the front-end streaming server and the default port of 9855, "use a blank access key" is checked, and I am not currently using a description. When I hit save it comes back with "Failed to add [component name here] - Management Agent responded with the error message - Unable to communicate with Management Agent at 192.x.x.x:9855"
Any ideas?
EDIT: I've fixed this, the services were failing to stop, a reinstall of the streaming server components fixed this.