Hi sfaucher!
You are right with your guess that 7.5 security initiative eats part of the resources and could increase time for some operations. Unfortunately security does not go cheap and this is a price we need to pay to be secure, but this is not so dramatic in your case. Let me explain.
Part of the security initiative in 7.5 was a package validation and encryption, in order to protect clients from MitM and spoofing attacks. Therefore all packages in 7.5 are being hash validated and this is done on both sides: server and client. This means that when you create a package through the Notification Server console, the NS machine start to calculate the hash of all the files in the package. Later this hash is securely transferred to the interested clients, and when clients download the package, they also do the same: calculate hashes of the received files, in order to be sure no one is spoofed them and they received the correct binaries. The speed of this process could be a less than a second, but could be ten minutes and more, depending on the machine hardware and the size of the content to be hashed. Although those security measures is not possible to turn off for 7.5 SP1 (since a lot of other infrastructure is based on it), it is possible to set-up the appropriate settings in order to have reasonably fast environment.
Now about your case in detail.
1. >>What to do to make a new software resource package available as quickly as possible.
Actually the logic did not changes so dramatically and all processes are remain the same. The only difference is when you finish creating the software resource, the files are start to be hashed by the system on the background thread, so it will not be possible to download such package, until the hashing finishes. I very doubt your timeout of 1 hour is caused by enourmously big package or very slow system. It more look like the standard “Configuration Refresh timeout” on the Package Server (later PS). I guess you need to refresh the configuration on the PS manually, when package gets finish calculating hashes on the NS (not right away after creation of the big package in the console). Also you could either set up smaller amount to the configuration refresh of the PS-es or use “Emergency Policy update” when creating the Managed Software Delivery (emergency policy update will force PS-es and clients to refresh own policies in order to receive the package description immediately and start to download this package).
>> And then after the package shows ready, it takes at least ten to fifteen minutes before clients can download the package without the 'No package sources returned by server' error.
In case there is at least one PS is configured on the NS, the NS will not return own codebases and will return only PS codebases. The message “No package sources returned by server” means that NS still don’t have the information from PS about package being downloaded by PS. This could happen by several reasons: whether PS have not sent the status, or status was not yet processed by NS. Although PS send statuses not later than a minute after getting them to know, the NS could be busy with NSE processing depending on the current load and environment situation. In order to be sure you could check the packages statuses of your PS on “Site Server Settings” page, and if required resend the status manually, by clicking the “Resend status” link on the PS UI when desired package is selected, and then check whether the status is updated on NS.
2. The “Update distribution points” task does not force hashes recalculation of the packages. In your case when you change the files of the package, and want it to be immediately available, you need to run the “NS.Package Refresh” task. This task does the hash re-calculation, validation of the package content, re-generation of package source files. When it finishes, you need just to hit the “Update” configuration on PS. By default this task is scheduled to run once a day. Exact scheduling time could be checked in Windows Task Scheduler.
3. >> What to do to force a client to re-download a software resource package.
The algorithms of this process actually didn’t changed at all. If package is changed, and recalculated on NS (actions from step 2 above are done), the very same “Update” configuration on the Package Server will force it to download a new version of a package. Even more, since the files are now hashed, the only delta changes will be downloaded for the package, and no need to delete manually the package itself.
If you want manually force PS to re-check own packages you could click the “Refresh all packages” link in the PS UI. Although it is not a supported scenario to delete cached files by hands, the SMF still will re-download the content of the package, if it is not found locally.
Here you should be aware of the next: the clients SMF or Package Server, both are working with the packages descriptions sent by NS. They do not check the real files on NS each time they require something. It is an NS responsibility to provide package descriptions which correspond to the actual files. Thus if you need to speed up the processes, you need to be sure your modified packages are properly updated (step 2 above as example).
As for GUID’s: the GUID is unique for each package. You could even create a several Software Resources with one package which will have the same GUID. If you see the different GIUD on the client, this only means that you created a new package on the NS. This case probably need to be investigated with the Symantec Support.
Regards,
Roman.