04 January 2009

Configuring Package Location on your Package Server

This article shows you how to:

  • Change the package location
  • Secure the package location

Changing the Package Location

It can be beneficial to select a different location on your Package Servers to save disk space. When the storage location for a package is changed to a custom location, the Package Server: 

  • Moves the files from the old location to the new location
  • Deletes the old location
  • Checks what is to be downloaded

When files are removed from a package, the Package Server deletes them when it refreshes the package. However, if the package has a custom location, removed files are not deleted, because the Package Server cannot determine whether the files are part of the package. For example, several packages may share the same destination, or the custom location may contain user files.

Also, because the Package Server is installed on the same drive as the Altiris Agent, you can select a different drive when installing the Agent.

This option is set per package, which means that each existing package and every new package has to be configured this way. There is currently no way to globally change the default location of the packages stored on the Package Server. All packages will continue to have the default location of "%ProgramFiles%\Altiris\Altiris Agent\Package Delivery". The only way to change this location is to remove the Altiris Agent completely, which implies removing all subagents, and then reinstall the agent on the desired drive.

Changing the Package Location

  1. In the Altiris Console, click the Configuration tab.

  2. Example:
    To change the Altiris Agent package location, in the left pane select Altiris Agent > Altiris Agent Rollout > Altiris Agent Package. In the right pane, click the Package Servers tab, select Package Destination Location on Package Servers and enter a location in the field provided.
  3. In the location field, specify a directory path or use system environment variables found on the Package Server. The following are valid paths:
    c:\share\<packagefoldername>
    f:\<packagefoldername>
    \\%COMPUTERNAME%\share\<packagefoldername>
    \\%COMPUTERNAME%\eXpress\<packagefoldername>
    /var/packages/<packagefoldername>

Warning: Ensure you specify a subfolder that is unique to each package in the Package Destination Location on Package Servers field!

If you do not specify a sub-folder, or use the same folder for more than one package, this can create a dangerous situation that could remove the entire destination folder and its contents. It is absolutely imperative that you configure an appropriate sub-folder when performing this task; otherwise the contents of your entire share could be deleted when the package is deleted!

When a package is removed (either because it becomes invalid or because the Package Destination Location on Package Servers field is manually cleared), the entire folder that the package resides in is deleted, including any other files originally located there that were not part of the package.

Remember, ensure you specify a folder for each package in the Package Destination Location on Package Servers field!
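
The following added example (not part of the original article or of any Altiris tooling) checks a list of planned destination values before they are entered in the console. It flags values with no package subfolder and values shared by two packages, and it goes one step beyond the warning above by also flagging a destination nested inside another package's folder, since deleting the outer folder removes the inner one. The package names and paths are constructed sample data.

```powershell
# Constructed sample: package name -> planned "Package Destination Location" value.
$planned = [ordered]@{
    'Altiris Agent Package' = 'f:\packages\AltirisAgent'
    'Office Suite'          = 'F:\Packages\altirisagent\'   # same folder, different case
    'Driver Pack'           = '\\%COMPUTERNAME%\share'       # share root, no subfolder
    'Patch Bundle'          = 'c:\share\patches'
    'Patch Bundle Hotfix'   = 'c:\share\patches\hotfix'      # nested in another package
}

function Get-NormalizedDestination([string]$Path) {
    # Comparison form only: unify separators, drop trailing ones, ignore case.
    # Environment variables such as %COMPUTERNAME% are compared literally.
    (($Path.Trim() -replace '/', '\') -replace '\\+$', '').ToLowerInvariant()
}

function Test-PackageDestination([System.Collections.IDictionary]$Destinations) {
    $norm = [ordered]@{}
    foreach ($name in $Destinations.Keys) {
        $norm[$name] = Get-NormalizedDestination $Destinations[$name]
    }
    foreach ($name in $norm.Keys) {
        $p = $norm[$name]
        # Empty value, bare drive (f:) or bare share (\\host\share): no package subfolder.
        if ($p -eq '' -or $p -match '^[a-z]:$' -or $p -match '^\\\\[^\\]+\\[^\\]+$') {
            [pscustomobject]@{ Package = $name; Issue = 'NoSubfolder'; Detail = $Destinations[$name] }
        }
        foreach ($other in $norm.Keys) {
            if ($other -eq $name) { continue }
            $q = $norm[$other]
            if ($p -eq $q) {
                # Two packages point at the same folder.
                [pscustomobject]@{ Package = $name; Issue = 'SharedFolder'; Detail = $other }
            }
            elseif ($p -ne '' -and $q.StartsWith($p + '\', [System.StringComparison]::Ordinal)) {
                # Removing this package would delete the other package's folder too.
                [pscustomobject]@{ Package = $name; Issue = 'ContainsOtherPackage'; Detail = $other }
            }
        }
    }
}

Test-PackageDestination $planned | Format-Table -AutoSize
```

The check cannot tell whether a folder such as c:\share is itself a share that holds other data, so a clean result does not replace confirming that each destination is a dedicated, empty folder.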

Securing the Package Location

This section shows you how to:

  • Secure the package location
  • Allow anonymous access to package locations
  • Disable location security

The Agent Connectivity Credentials (ACC), set on the Global Altiris Agent Settings page, are used by the Package Server to apply file-based security to downloaded package files, if so configured.

Note: The Agent Connectivity Credentials used must be a known account on the Notification Server and every Package Server.

To secure files in packages on the Notification Server and Package Servers, configure Windows NTFS file permissions. If the user account can’t be validated on a Package Server (for example, non-trusting domain or computer account from another computer), Altiris agents won’t download files from this Package Server.

Using a domain account as the ACC will work if the Altiris agents, Package Servers, and Notification Server exist in the same domain, or a trust exists between the multiple domains in your environment.

If your environment contains multiple domains and no trust exists between these domains, when you specify an ACC, enter a local user account name and not a domain account user name and password. The format for entering the local user account name as the ACC is one of the following:

  • .\localuser
  • localuser (where localuser is the name of the local computer account)

If you specify a local account as the ACC, we recommend you enable the Create the Agent Connectivity Credential on Package Servers option on the Settings tab of the Package Server page (provided the ACC is not a Domain Controller). This ensures a local account will be created and applied to the downloaded package files on all Package Servers, if it doesn’t already exist on all Package Server computers, on all trusted and non-trusted domains.

The Altiris Agents can use this local account to connect to Package Servers across non-trusted domains when downloading files.

If you specify a local account and the Create the Agent Connectivity Credential on Package Servers (provided the ACC is not a Domain Controller) option is disabled, the local account needs to already exist on every Package Server. If not, the Package Server can’t apply security to downloaded packages and will not publish codebases as ready to the Notification Server.

Creating the Agent Connectivity Credential on Package Servers

  1. In the Altiris Console, select the Configuration tab.
  2. In the left pane, navigate to Configuration > Server Settings > Notification Server Infrastructure > Package Servers.
  3. In the right pane, click the Settings tab.
  4. Select Create the Agent Connectivity Credential on Package Servers (provided the ACC is not a domain account). Selecting this option allows you to enable the following:
    • Re-enable the created local account if it has been locked out.
    • Create the ACC even if the Package Server is also a Domain Controller.

Allow anonymous access to package locations

You can enable all packages downloaded to Package Servers to have anonymous access applied to the directories containing the package files. Anonymous access will also be enabled for the directory security inside IIS for the hosted Package Server packages.

If this feature is disabled the Agent Connectivity Credentials on the Global Altiris Agent Settings page will be used when applying security to the Package Server files. Any HTTP virtual directories mapped to packages on the Package Server will then have Integrated Windows authentication enabled.

All authenticated users are allowed to download through UNC when anonymous access is enabled. For example, if a Package Server in a non-trusted domain has anonymous access enabled on its files and the ACC account the Altiris Agent uses to connect anonymously to the UNC source cannot be authenticated, access will be denied and no download will occur. However, you can download through HTTP from a Package Server, in a non-trusted domain, using anonymous access because the ACC account doesn’t need to be authenticated.

New Registry key for disabling Package Server directory security

A new Package Server registry key, EnableDACLManagement, has been created to allow you to change how a Package Server manages the security on its packages.

By default, a Package Server manages its packages by setting specific permissions on package directories; this includes overriding any custom permissions you may have set on the directories. When this registry key is activated, Package Server will no longer override existing permissions on package directories.

Take care when using this key as incorrect permissions could potentially render the Package Server directories inaccessible to the Package Server and Altiris Agents.

To ensure a fully functional Package Server, full control for Local Administrator and System needs to exist on all package directories, in addition to any other custom permissions.

Normally, Altiris Agents and other Package Servers access the packages located on the Package Server computer using the Agent Connectivity Credential (ACC), configured on the Notification Server. To ensure they continue to download packages, configure the Everyone or ACC account with read and execute privileges on the package directories. This is required because when the key is activated, Package Server is instructed not to manage permissions, which includes not applying the ACC or Everyone account to the downloaded packages.

Creating the Registry Key

As the registry key does not exist on a default install of the updated Package Server, create the DWORD key 'EnableDACLManagement' under the following location in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Package Server. Stop the Altiris Agent Service before creating the key, and restart it when finished.

The registry key can have one of the following settings:

  • 0—Ensures that Package Server will not change existing security on package directories.
  • 1—Will cause Package Server to function as normal by applying and resetting permissions on package directories.
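
The steps above as one script, given here as an added example that is not part of the original article: it stops the agent, creates EnableDACLManagement with the value 0, applies the permissions the article requires to one package directory, and restarts the agent. The service display name, the package directory and the ACC account name are assumptions to replace with your own values, "Local Administrator" is read as the local Administrators group, and the script is meant to run from an elevated prompt on the Package Server.

```powershell
$ErrorActionPreference = 'Stop'

# Placeholders, not from the article: adjust before use.
$serviceDisplayName = 'Altiris Agent'                # assumed service display name
$packageDir         = 'F:\packages\AltirisAgent'     # hypothetical package directory
$accAccount         = "$env:COMPUTERNAME\localuser"  # hypothetical local ACC account

$key = 'HKLM:\SOFTWARE\Altiris\Altiris Agent\Package Server'
if (-not (Test-Path $key)) { throw "Package Server registry key not found: $key" }

# The article says to stop the agent service before creating the value.
Stop-Service -DisplayName $serviceDisplayName
try {
    # 0 = Package Server leaves existing security on package directories alone.
    New-ItemProperty -Path $key -Name 'EnableDACLManagement' `
        -PropertyType DWord -Value 0 -Force | Out-Null

    # Package Server no longer applies permissions, so add the required entries here.
    $rights  = [System.Security.AccessControl.FileSystemRights]
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $wanted  = @(
        # Well-known SIDs avoid localized names:
        # S-1-5-32-544 = local Administrators group, S-1-5-18 = SYSTEM.
        @{ Id = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'; Rights = $rights::FullControl },
        @{ Id = [System.Security.Principal.SecurityIdentifier]'S-1-5-18';     Rights = $rights::FullControl },
        @{ Id = [System.Security.Principal.NTAccount]$accAccount;             Rights = $rights::ReadAndExecute }
    )
    $acl = Get-Acl -Path $packageDir
    foreach ($w in $wanted) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $w.Id, $w.Rights, $inherit, $none, $allow)
        $acl.AddAccessRule($rule)   # adds to existing custom permissions, removes none
    }
    Set-Acl -Path $packageDir -AclObject $acl
}
finally {
    # Restart the agent even if a step above failed.
    Start-Service -DisplayName $serviceDisplayName
}

# Show the resulting entries for review.
(Get-Acl -Path $packageDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Granting read and execute to the ACC account rather than to Everyone keeps the directory closed to other accounts while still allowing agent downloads.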