Symantec pcAnywhere™ Administrator's Guide
Symantec pcAnywhere™ Administrator's Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 12.5 Legal Notice Copyright © 2008 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.
Technical Support Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion.
■ Version and patch level ■ Network topology ■ Router, gateway, and IP address information ■ Problem description: ■ Error messages and log files ■ Troubleshooting that was performed before contacting Symantec ■ Recent software configuration changes and network changes Licensing and registration If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.
Maintenance agreement resources If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows: Asia-Pacific and Japan contractsadmin@symantec.com Europe, Middle-East, and Africa semea@symantec.com North America and Latin America supportsolutions@symantec.
Contents Technical Support ............................................................................................... 3 Chapter 1 Planning a migration and upgrade strategy .................. 11 About migrations and upgrades ...................................................... Migrating from pcAnywhere 12.1 to 12.5 in Windows 2000/2003/2008 Server/XP to ( ) ......................................... Migrating from pcAnywhere 12.0.2 in Windows 2000/2003 Server/XP to Vista .............................
Contents Deploying installation packages using Web-based deployment ............. About Web-based deployment requirements ............................... Setting up the installation Web server ....................................... Customizing the deployment files ............................................. Testing the installation on the Web server .................................. Notifying users of the download location .................................... Deploying pcAnywhere using SMS 2.0 .....
Contents Chapter 5 Integrating pcAnywhere with directory services .......... 75 About directory services ................................................................ Using directory services with pcAnywhere ........................................ Configuring the directory servers .................................................... Configuring the LDAP server .................................................... Configuring Windows Active Directory ......................................
Contents
Chapter 1 Planning a migration and upgrade strategy This chapter includes the following topics: ■ About migrations and upgrades ■ Using Symantec Packager to streamline migrations and upgrades About migrations and upgrades Symantec pcAnywhere supports migration from versions 12.0.x to version 12.5 on Windows 2000/2003/2008 Server/XP/Vista. During a migration, pcAnywhere lets you install over the previous version of the product and preserve user-defined settings.
Planning a migration and upgrade strategy About migrations and upgrades Table 1-1 Migration and upgrade strategy matrix Symantec pcAnywhere version Operating system Restart required Data preserved automatically 12.0 Windows 2000/2003/2008 Server/XP/Vista Yes (for Vista) Host items Caller items Remote items Option sets Registry settings AutoTransfer files (must be converted) Serial ID sets 12.
Planning a migration and upgrade strategy Using Symantec Packager to streamline migrations and upgrades Migrating from pcAnywhere 12.1 to 12.5 in Windows 2000/2003/2008 Server/XP to ( ) Symantec pcAnywhere supports full migration of the full product version and host-only version of pcAnywhere 12.5 to version ( ) in Windows 2000/20003/2008 Server/XP. During the installation, you are prompted to preserve existing configuration settings.
Planning a migration and upgrade strategy Using Symantec Packager to streamline migrations and upgrades The product installation requires you to restart the computer to complete the installation process. Create a custom installation package for the product installation and configure the package to install in passive or silent mode. The product installation does not support preservation of preconfigured product settings.
Chapter 2 Creating custom installation packages This chapter includes the following topics: ■ About Symantec Packager ■ What you can do with Symantec Packager ■ How Symantec Packager works ■ Importing a product module ■ Customizing product settings ■ Creating a custom command ■ Creating installation packages ■ Building product installations and packages ■ Testing packages About Symantec Packager Symantec Packager lets you create, modify, and build custom installation packages that you ca
Creating custom installation packages What you can do with Symantec Packager Note: Symantec Packager runs on Windows 2000/2003 Server/XP Professional/Vista platforms only.
Creating custom installation packages How Symantec Packager works Table 2-1 Package creation process Task Description Import product modules into Product modules contain the installation binary and product template files that are needed to create a custom installation Symantec Packager. of the product. See “Importing a product module” on page 18. Configure products.
Creating custom installation packages Importing a product module Importing a product module Product modules are the building blocks for creating packages. Symantec Packager extracts the product installation binary files and the product template from the product module. The product template details the feature requirements and conflicts, making it possible to create custom installations of the product.
Creating custom installation packages Customizing product settings Table 2-2 Symantec pcAnywhere product configuration options Tab Settings Features You can customize the following features in pcAnywhere such as: Configuration Files ■ User interface (pcAnywhere Manager) ■ Remote components ■ Host components ■ Communications protocols ■ Documentation (online manuals and Help) ■ Symantec installation utilities The pcAnywhere product template includes default remote and host configuration i
Creating custom installation packages Customizing product settings Some features in pcAnywhere have dependencies on other components. Although Symantec Packager has a level of built-in dependency checking, it is possible to build a pcAnywhere installation package that does not include all required files. As you select product features to include or exclude from a package, you should read the feature descriptions that are provided in the Product Editor window on the Features tab.
Creating custom installation packages Customizing product settings 3 4 ■ Select the product features that you want to include in the custom product. ■ Clear the features that you do not want to include. ■ Click the plus sign next to a feature to select or remove its subfeatures. Select one of the following: OK Saves your changes and closes the Product Editor window Apply Saves your changes and lets you continue the product configuration If prompted, type a file name, and then click Save.
Creating custom installation packages Customizing product settings Option sets Lets you configure global options for pcAnywhere to accommodate unique configuration requirements. Host Security IDs Lets you serialize the pcAnywhere installation. Remote connection item files (.chf) Lets you preconfigure the connection and security settings needed to connect to another computer remotely. For more information, see the Symantec pcAnywhere User's Guide.
Creating custom installation packages Customizing product settings Warning: Use caution when configuring a registry key file. An incorrect setting could make the operating system or product inoperable. To include a configuration file 1 2 3 4 In the Symantec Packager window, on the Configure Products tab, do one of the following: ■ Create a new product configuration. ■ Double-click an existing product to edit it.
Creating custom installation packages Customizing product settings policy management and overall strong security practices, such as hardening the operating system. See “Implementing policy-based administration” on page 91. To integrity stamp a product configuration 1 In the Symantec Packager window, on the Configure Products tab, do one of the following: ■ Create a new product configuration. ■ Double-click an existing product to edit it.
Creating custom installation packages Customizing product settings Serializing a pcAnywhere installation Symantec pcAnywhere lets you create a custom installation that contains an embedded security code, or serial ID. This serial ID number must be present on both the host and remote computers to make a connection. Serialization involves the following process: ■ In pcAnywhere, generate a serial ID file (.SID).
Creating custom installation packages Customizing product settings The custom product installation or package must be installed on the host and remote computers. To allow a connection between a host and remote computer, the host and remote computers must have matching serial IDs. To create a serialized installation file 1 2 In the Symantec Packager window, on the Configure Products tab, do one of the following: ■ Create a new product configuration. ■ Double-click an existing product to edit it.
Creating custom installation packages Customizing product settings ■ Create a package that includes the product, and then build the package. Building a package creates a self-extracting .exe file. See “Building product installations and packages” on page 37. Managing configuration settings globally Symantec pcAnywhere option sets let you manage global settings for host and remote connections, file transfer, logging, and other functions to improve performance, enhance security, or manage connections.
Creating custom installation packages Customizing product settings Table 2-4 Symantec pcAnywhere option set properties (continued) Tab Description Directory Services Controls settings for using a directory service to find hosts Remote Printing Contains settings for configuring remote printing Encryption Specifies certificate information required for public-key encryption To configure an option set in pcAnywhere 1 In the pcAnywhere Manager window, on the left navigation bar, click Option Set
Creating custom installation packages Customizing product settings ■ Double-click an existing product to edit it. 2 In the Product Editor window, on the Configuration Files tab, click Option Set File (*.OPT), and then click Add. 3 Browse to the folder that contains the option set files (*.opt) that you created in pcAnywhere, select the one that you want to use, and then click Open. The option set file is added to the list of data and configuration files.
Creating custom installation packages Customizing product settings Target location Lets you select the directory in which you want to install the product on the target computer See “Changing the target installation directory” on page 30. Host object to use as template Lets you select the host configuration file that you want to use as a template for new host connection items that the user creates after installation See “Selecting the default template for host connections” on page 31.
Creating custom installation packages Customizing product settings ■ Double-click an existing product to edit it. 2 In the Product Editor window, on the Installation Options tab, double-click Target location. 3 In the Target Location dialog box, select one of the following: ■ Program Files directory ■ Root of system drive ■ Custom path 4 Under Folder specification, type the full path to the location in which you want to install the product. 5 Click OK.
Creating custom installation packages Customizing product settings 5 To configure the product to automatically start a host when the user starts Windows, in the Product Editor window, on the Installation Options tab, double-click Host object to start with Windows. 6 In the Host object to start with Windows dialog box, under Value, select the .bhf file that you want to use.
Creating custom installation packages Customizing product settings Updating products If you include the LiveUpdate feature in the product configuration, Symantec Packager lets you configure the product to automatically connect to the Symantec LiveUpdate server after installation to download product updates. If you have installed the Symantec LiveUpdate Administration Utility to manage LiveUpdate operations for your network, you can configure the product to connect to the LiveUpdate server on your network.
Creating custom installation packages Creating a custom command To preserve existing configuration settings 1 In the Symantec Packager window, on the Configure Products tab, do one of the following: ■ Create a new product configuration. ■ Double-click an existing product to edit it. 2 In the Product Editor window, on the Installation Options tab, double-click Preserve existing configuration settings.
Creating custom installation packages Creating installation packages To create a custom command 1 In the Symantec Packager window, on the Configure Products tab, on the File menu, click New Custom Command. 2 In the Command Editor window, on the Parameters tab, double-click Description. 3 In the Command Description dialog box, type a descriptive name for the command so that you can easily identify it later. For example: Uninstall pcAnywhere 9.0 without user intervention 4 Click OK.
Creating custom installation packages Creating installation packages which creates an .msi file that can be installed locally. You can deploy the Symantec pcAnywhere .msi file using a third-party deployment tool. The Symantec Packager Deployment Tool does not support MSI deployment.
Creating custom installation packages Building product installations and packages 7 ■ Click OK to save your changes and close the Package Editor window. ■ Click Apply to save your changes and continue the package definition. If prompted, type a file name, and then click Save. Building product installations and packages After you define the contents and installation options for the package definition file, you must build the package definition to create the installation file.
Creating custom installation packages Testing packages Building a package During the build process, Symantec Packager retrieves information from the package definition file and product configuration files to determine what products to include in the installation file, as well as the product features, installation instructions, and custom settings. Symantec Packager then checks the contents of the package for product conflicts. If Symantec Packager encounters a product conflict, the build process stops.
Creating custom installation packages Testing packages if Symantec Packager encounters a conflict that it cannot resolve. You should test packages to verify that product requirements are met and that the installation sequence is correct. You should also open each installed program to ensure that it functions correctly. Ensure that the features that you want are present. This step is especially important if you customize a product to reduce the installation footprint.
Creating custom installation packages Testing packages
Chapter 3 Deploying Symantec pcAnywhere custom installations This chapter includes the following topics: ■ About deployment ■ About package installation file locations ■ Deploying installation packages using Web-based deployment ■ Deploying pcAnywhere using SMS 2.
Deploying Symantec pcAnywhere custom installations About package installation file locations For more information about installing pcAnywhere, see the Symantec pcAnywhere User's Guide. ■ Symantec Packager deployment tool This tool lets you deploy packages to one or more computers on your network. The Symantec Packager deployment tool supports deployment to Microsoft 32-bit computers only (for example, Windows 2000/2003 Server/XP/Vista).
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment Deploying installation packages using Web-based deployment Packages that are created with Symantec Packager can be deployed over your corporate intranet using a Web-based deployment tool that is provided by Symantec. All of the source files that are necessary to implement Web-based deployment are included on the Symantec pcAnywhere CD in the Tools/Web Deploy folder.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment Table 3-1 Web server and target computer requirements (continued) Deployment Requirements Target computer ■ ■ ■ ■ ■ Internet Explorer 4.0 or later. Symantec pcAnywhere requires Internet Explorer 6.x or later for installation. Windows Installer 3.1 or later (required only for MSI installations). Browser security must allow ActiveX controls to be downloaded to the target computer.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment Deploy/Webinst Deploy\Webinst\Webinst ■ brnotsup.htm ■ default.htm ■ intro.htm ■ logo.jpg ■ oscheck.htm ■ plnotsup.htm ■ readme.htm ■ start.htm ■ webinst.cab ■ files.ini ■ Launch.bat (required only for MSI installations) ■ Installation packages For example: Symantec pcAnywhere - Full Product.exe Symantec pcAnywhere - Host Only (Network).
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment The Web-based deployment tool supports Microsoft Internet Information Server (IIS) or Apache HTTP Web Server. The procedures for creating a virtual directory on these servers vary. To create a virtual directory on a Microsoft Internet Information Server 1 Do one of the following to launch the Internet Services Manager: ■ In IIS version 4.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment This file is installed by default in C:\Program Files\ Apache Group\Apache\conf. 2 Type the following lines at the end of the file: DirectoryIndex default.htm #ServerName machinename DocumentRoot "C:\Client\Webinst" For the VirtualHost Replace 111.111.111.111 with the IP address of the computer on which Apache HTTP Server is installed.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment Customizing Start.htm The parameters in the Start.htm file contain information about the Web server and the location of the files that need to be installed. The configuration parameters are located near the bottom of the Start.htm file, inside the
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment You can also include additional files to support the deployment of third-party applications. To customize Files.ini for package deployment 1 In a text editor, open Files.ini. 2 In the [General] section, edit the line LaunchApplication= so that it references the package executable file that you want to start after the download completes.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment To customize Files.ini for MSI deployment 1 In a text editor, open Files.ini. 2 In the [General] section, edit the line LaunchApplication= so that it references Launch.bat. For example: LaunchApplication=Launch.bat This launches the MSI installation after the download is complete. You must also edit the Launch.bat file to include the name of the .msi file that you want to deploy.
Deploying Symantec pcAnywhere custom installations Deploying installation packages using Web-based deployment You must also modify the Files.ini file to run Launch.bat. See “Customizing Files.ini for MSI deployment” on page 49. Note: Installation of .msi files requires Windows Installer 3.1 or later. You should ensure that the target computer meets the system requirements before you deploy the product installation. To customize Launch.bat 1 In a text editor, open Launch.bat.
Deploying Symantec pcAnywhere custom installations Deploying pcAnywhere using SMS 2.0 downloaded to the client. When the installation is complete, the security level can be restored to its original setting. Make sure that users understand the system requirements and have the administrative rights that are required for the products that they are installing.
Deploying Symantec pcAnywhere custom installations Deploying pcAnywhere using SMS 2.0 SMS Package A collection of installation sources and packages that is used to inventory and install software on SMS client computers SMS packages can be any type of software program that supports installation using SMS. Package Definition File An SMS-specific information file used by SMS to create and deploy SMS packages The default package definition file (PDF) that is supplied with pcAnywhere is named pcAnywhere.
Deploying Symantec pcAnywhere custom installations Deploying pcAnywhere using SMS 2.0 ■ Advertising the package Preparing the Package Definition File A default Package Definition File (pcAnywhere.pdf) is provided with pcAnywhere. This file can be modified to accommodate any package created with Symantec Packager. To use the supplied Package Definition File without modification, do one of the following: ■ For .exe-based packages, rename the pcAnywhere package that you want to use to Package.exe.
Deploying Symantec pcAnywhere custom installations Deploying pcAnywhere using SMS 2.0 5 Click Next. 6 Click Always obtain files from a source directory. Do not select This package does not contain any files. 7 Click Browse to locate the folder that contains the pcAnywhere package that you created with Symantec Packager (or a supplied, preconfigured package). The Create Package from Definition Wizard uses this folder to point to the pcAnywhere package.
Deploying Symantec pcAnywhere custom installations Using Windows 2000/2003/2008 Server/XP/Vista logon scripts 5 Click Browse, and then and pick the collection to which you want to advertise the installation. 6 Set the schedule, requirements, and appropriate security rights of the package. After the advertisement is created, pcAnywhere should deploy to all of the selected clients.
Deploying Symantec pcAnywhere custom installations Using Windows 2000/2003/2008 Server/XP/Vista logon scripts @echo off setlocal REM ***** Package Variable -- Change to name of pcA Package ***** Set Package=Package.MSI REM ***** EXE or MSI Variable -- Change to package type (MSI or EXE) ***** Set PkgType=MSI Rem ***** File Server Name Variable ***** Rem ***** Change to server containing the pcA Package ***** Set FSName=\\2KServer REM ***** Maps a drive to the network share ***** net use z: %FSName%\PCAHOME
Deploying Symantec pcAnywhere custom installations Using NetWare logon scripts rd pcapkg Net Use Z: /DELETE :End endlocal Testing the Windows logon script Test the completed script on one or two workstations before setting up the script for all users. Windows 2000/2003/2008 Server/XP/Vista users must have local administrative rights on their computers to install the pcAnywhere package.
Deploying Symantec pcAnywhere custom installations Using NetWare logon scripts Writing the NetWare logon script Use the following sample logon script and deployment batch file to roll out pcAnywhere. The script creates the appropriate drive mappings to the local workstation and launches the deployment batch file. The batch file installs the pcAnywhere package and removes the installation files when complete. The following examples assume default installation folders.
Deploying Symantec pcAnywhere custom installations Using NetWare logon scripts REM ***** Creates a folder in the Temp dir, and copies the package ***** C: CD %TEMP% MD pcapkg CD pcapkg Z: COPY %Package% c: REM ***** Launches package installation ***** C: IF %PkgType% == MSI msiexec -i %Package% IF %PkgType% == EXE %Package% REM ***** Cleanup ***** del %Package% CD ..
Chapter 4 Performing centralized management This chapter includes the following topics: ■ About centralized management ■ Managing pcAnywhere hosts remotely ■ Integrating with Microsoft Systems Management Server ■ About the Microsoft Distributed Component Object Model (DCOM) ■ About centralized logging About centralized management Symantec pcAnywhere includes the pcAnywhere Host Administrator tool, which lets you remotely manage multiple pcAnywhere hosts on a network.
Performing centralized management Managing pcAnywhere hosts remotely ■ Remotely start, stop, and connect to pcAnywhere hosts on the network ■ Create configuration groups to remotely manage and configure multiple workstations on the network ■ Simultaneously distribute pcAnywhere configuration files, including host, remote, and caller files, to multiple workstations on the network Installing the pcAnywhere Host Administrator tool The pcAnywhere Host Administrator tool is available as a custom setup
Performing centralized management Managing pcAnywhere hosts remotely 11 Click Install. 12 Follow the on-screen instructions to continue the installation process. When the installation is complete, click Finish. If your computer requires updates to system files, you will be prompted to restart your computer. The restart is necessary to ensure proper functionality.
Performing centralized management Managing pcAnywhere hosts remotely If you are using MMC, the pcAnywhere Host Administrator console is listed under Console Root. For more information, see the documentation for MMC. To create a configuration group 1 In the console window, in the left pane, under pcAnywhere Host Administrator, right-click Configuration Groups, and then click New > Configuration Group. 2 Type a name for this group. 3 Click OK.
Performing centralized management Managing pcAnywhere hosts remotely Admin.bhf Host template for the host computers that you want to remotely manage To use this template to start a host session, you must configure the caller information. Symantec pcAnywhere requires a user name and password for all host sessions. For more information, see the Symantec pcAnywhere User's Guide. Admin11.
Performing centralized management Managing pcAnywhere hosts remotely 6 In the pcAnywhere Manager window, in the right pane, under Remotes, right-click the remote connection item that you just created, and then click Rename. 7 Type a name. For example: Admin11 Creating a new administrator host item The administrator host connection contains the connection and security information needed to allow a remote administrator to connect from the pcAnywhere Host Administrator console.
Performing centralized management Managing pcAnywhere hosts remotely 8 In the pcAnywhere Manager window, in the right pane, under Hosts, right-click the host connection item that you just created, and then click Rename. 9 Type a name. For example: Admin Configuring a host item in pcAnywhere Host Administrator The pcAnywhere Host Administrator tool lets you create a host item that you can distribute to the host computers in your configuration group.
Performing centralized management Managing pcAnywhere hosts remotely 3 In the Distribute pcAnywhere Files dialog box, select the computers to which you want to distribute the file. 4 Select the file that you want to distribute. 5 Click OK. Managing hosts in a configuration group Once you have configured the computers in your configuration group, use the pcAnywhere Host Administrator console to start, stop, or connect to any managed host in the group.
Performing centralized management Integrating with Microsoft Systems Management Server Integrating with Microsoft Systems Management Server Symantec pcAnywhere supports integration with the Microsoft Systems Management Server (SMS). SMS is a scalable change and configuration management system for Microsoft Windows-based computers and servers. Symantec pcAnywhere provides the support files needed to integrate with SMS. These files are offered only on the Symantec pcAnywhere CD.
Performing centralized management About the Microsoft Distributed Component Object Model (DCOM) DCOM runs on a variety of network protocols and, by default, attempts to make connections on all installed protocols. After connecting to the network, DCOM uses Windows NT authentication to verify the necessary access rights. For example, an administrator with the appropriate access rights can perform management tasks on a locked pcAnywhere host from any location.
Performing centralized management About the Microsoft Distributed Component Object Model (DCOM) For more information, consult the dcomcnfg.exe online documentation. To modify DCOM settings ◆ In Windows 2000/2003/2008 Server/XP/Vista, open the \WinNT\System32 folder, and then run dcomcnfg.exe. About AwShim AwShim is the management component that bridges pcAnywhere and the centralized management integration. The pcAnywhere Host Administrator tool uses AwShim to start and stop host and remote sessions.
Performing centralized management About centralized logging About centralized logging Security, accountability, and logging are important concerns in a distributed computing environment. Symantec pcAnywhere provides an extended logging utility that supports centralized event logging. An administrator can collect logging information from every pcAnywhere host on the network and store this information on a secure, centralized server.
Performing centralized management About centralized logging 6 Select the events that you want to log. For more information, see the Symantec pcAnywhere User's Guide. 7 Click OK. About the pcAnywhere MIB file The pcAnywhere MIB file outlines the SNMP traps that pcAnywhere can generate. Use the pcAnywhere MIB file as a tool to help build automated responses to pcAnywhere events that occur on the network. The pcAnywhere MIB file is located in the following directory: \Program Files\Symantec\pcAnywhere\CMS
Performing centralized management About centralized logging
Chapter 5 Integrating pcAnywhere with directory services This chapter includes the following topics: ■ About directory services ■ Using directory services with pcAnywhere ■ Configuring the directory servers ■ Configuring pcAnywhere to use directory services About directory services The directory services capability in pcAnywhere is an example of a Lightweight Directory Access Protocol (LDAP) client application, which stores and retrieves information about users.
Integrating pcAnywhere with directory services Configuring the directory servers When the remote starts, a new application, the directory services browser, launches and connects to an LDAP server. The directory services browser queries all entries that satisfy its filter criteria and displays the entries in a list view. You can then select the host to which you want to connect from this list.
Integrating pcAnywhere with directory services Configuring the directory servers Adding the snap-in Follow this procedure to add the snap-in to the Microsoft Management Console (MMC). To add the snap-in 1 On the Windows taskbar, click Start > Run. 2 Type mmc 3 Click OK. 4 On the Console1 toolbar, click Console > Add/Remove Snap-in. 5 In the Add/Remove Snap-in dialog box, click Add. 6 Click Active Directory Schema, and then click Add. 7 Close the Add standalone snap-in dialog box.
Integrating pcAnywhere with directory services Configuring the directory servers 8 Click OK. 9 In the left pane, right-click the Classes folder, and then click Create Class . Continue through the warning message. Creating the pcaHost object Follow this procedure to create the pcaHost object. To create the pcaHost object 1 In the Common Name entry field, type pcaHost This is case-sensitive.
Integrating pcAnywhere with directory services Configuring the directory servers 7 Click OK. 8 In the left pane, right-click Active Directory Schema. 9 Click Reload the Schema. Setting the rights for the pcAnywhere user To set up the rights for the pcAnywhere user, you must first set up view rights, and then set up edit rights. To set up view rights for the user 1 On the Windows taskbar, click Start > Programs > Administrative Tools > Active Directory Users and Computers.
Integrating pcAnywhere with directory services Configuring pcAnywhere to use directory services 4 Click OK. 5 In the Allow column, select Write. 6 Click Advanced. 7 Select the Self group that you just added, and then click View/Edit. 8 On the Object tab, in the Apply onto list, click Child objects only. 9 Click OK until you close the Security property page.
Integrating pcAnywhere with directory services Configuring pcAnywhere to use directory services 7 Click Advanced to configure the port number and the search base of the directory tree. You should always configure this information. The Port number controls the port that the directory server uses to accept queries from the client. The default port is 389. Search Base is the root of the directory structure that begins the query search. 8 Click OK.
Integrating pcAnywhere with directory services Configuring pcAnywhere to use directory services Setting up the remote computer to use directory services When you set up a remote connection to use directory services, the remote looks on the directory server for waiting host connections. Configure the directory server entries before beginning this procedure. To set up the remote computer to use directory services 1 In the pcAnywhere Manager window, click Remotes.
Chapter 6 Managing security in Symantec pcAnywhere This chapter includes the following topics: ■ Controlling access to pcAnywhere hosts ■ Protecting session security ■ Maintaining audit trails ■ Implementing policy-based administration Controlling access to pcAnywhere hosts The first step in securing a computer environment is controlling remote access to the network. Administrators should limit the number of external entry points into their networking infrastructure.
Managing security in Symantec pcAnywhere Controlling access to pcAnywhere hosts ■ Implement an authentication method. Symantec pcAnywhere supports a number of centralized authentication types, including Active Directory, Smart Card, NT, and RSA SecurID, giving you the flexibility of using the authentication measures already in place on your network. See “Leveraging centralized authentication in pcAnywhere” on page 85. ■ Limit logon attempts per call.
Managing security in Symantec pcAnywhere Controlling access to pcAnywhere hosts 4 Repeat 2 and 3 for each computer name or IP address from which you want to allow connections. 5 Click OK. Leveraging centralized authentication in pcAnywhere Symantec pcAnywhere requires you to create a caller logon account for each remote user or user group who connects to the host computer and to select an authentication method for verifying the user's identity.
Managing security in Symantec pcAnywhere Controlling access to pcAnywhere hosts Note: To use RSA SecurID authentication, the host and remote computers must be running Symantec pcAnywhere 11.0.x or later. Using Microsoft Windows-based authentication types Table 6-1 includes information about the authentication types available for Microsoft Windows-based platforms.
Managing security in Symantec pcAnywhere Controlling access to pcAnywhere hosts To set up Windows NT authentication for global users 1 In the pcAnywhere Manager window, on the left navigation bar, click Hosts. 2 Do one of the following: ■ To add a new connection item, on the File menu, click New Item > Advanced. ■ To modify an existing connection item, in the right pane, under Host, right-click a connection item, and then click Properties.
Managing security in Symantec pcAnywhere Protecting session security Table 6-2 Web-based authentication types (continued) Web-based authentication Explanation methods Implementation in pcAnywhere HTTPS Caller Authentication Lets a host that is running on Users must specify a server an HTTPS Web server name and a valid user name. validate a user by checking a list associated with an HTTPS service.
Managing security in Symantec pcAnywhere Protecting session security Table 6-3 Session security options Option Description Strong encryption Protect the data stream, including the authorization process, from eavesdropping and hacker attacks by using strong encryption. Symantec pcAnywhere supports public-key and symmetric types of strong encryption. When connecting with a host or remote that is running pcAnywhere 11.0.
Managing security in Symantec pcAnywhere Protecting session security Table 6-3 Session security options (continued) Option Description Time limits for individual users or Protect the host from a malicious user's intent on user groups disrupting service, as well as from innocent users who inadvertently forget to end a session, by setting time limits for sessions and configuring the host to automatically end the session after a specified length of inactivity.
Managing security in Symantec pcAnywhere Maintaining audit trails Maintaining audit trails Event logging helps you monitor session activities and track information for auditing purposes. You can track who connected to a host and session duration, as well as important security information such as authentication or logon failures.
Managing security in Symantec pcAnywhere Implementing policy-based administration Importing the pcAnywhere administrative template Symantec pcAnywhere provides administrative templates for Windows 2000/2003/2008 Server/XP/Vista to support registry-based policy management. The pcAnywhere.adm files define the policy settings for certain components in pcAnywhere. These settings include registry keys and values, the location in which the registry settings will be written, and other descriptive information.
Managing security in Symantec pcAnywhere Implementing policy-based administration Table 6-4 Location of pcAnywhere policy settings Folder Description Actions Contains policy settings to prohibit users from doing the following: Launching the pcAnywhere Manager window, which is the main user interface for pcAnywhere ■ Launching host objects, thereby starting a host session ■ Launching remote objects, thereby connecting to a host computer ■ Cancelling a host computer that is running ■ Using the keyboard
Managing security in Symantec pcAnywhere Implementing policy-based administration Table 6-4 Location of pcAnywhere policy settings (continued) Folder Description UI Changes\Remote Objects Contains policy settings to prohibit users from doing the following: UI Changes\Option Sets ■ Editing remote objects ■ Creating remote objects ■ Changing the directory location of remote objects ■ Viewing or editing specific property pages Contains policy settings to prohibit users from doing the follow
Managing security in Symantec pcAnywhere Implementing policy-based administration 4 Under User Configuration, click the plus sign next to Administrative Templates to expand the list. 5 Click the plus sign next to Symantec pcAnywhere to expand the list. 6 Open the folder that contains the policy settings that you want to edit. See “Managing user policies” on page 92. 7 In the right pane, under Policy, double-click the policy setting that you want to edit.
Managing security in Symantec pcAnywhere Implementing policy-based administration
Index Symbols .bhf files 22, 66 .chf files 22, 65 .cif files 22, 66 .cqf files 22 .sid files 25 A ACE/Agent. See SecurID ACE/Server. See SecurID Active Directory Services 76 Admin.bhf 65 Admin11.chf 65 administrative template 92 alias 52 authentication centralized types 85 global users 86 Microsoft Windows-based methods 86 two-factor 85 Web-based methods 88 awshim.exe 71 C caller files 22 centralized server logging events on 72 command configuration files.
Index F M Files.ini file 48–49 management shims 71 MIB 73 Microsoft Management Console.
Index packages (continued) product dependencies 20 product settings host templates 31 installation directory 30 preserving 33 product updates 33 remote templates 32 serializing 25 setting global options 27 testing 38 pcAnywhere Tools Host Administrator 61 pcAnywhere.
