This document is a step by step guide on how to configure authenticated SMB Distribution Servers. in Shavlik Protect 9.x.
Why use a distribution server ?
Distribution servers can be used in a number of different scenarios:
- Distribution servers can be used to store patches that you wish to deploy. Distribution servers can be physically located near each group of machines you are managing. The console can copy patches to the distribution servers only, rather than to each individual machine. Each machine can then download the patches it needs from the nearest distribution server. This can greatly reduce network traffic in a distributed environment and be of huge benefit in wide-area networks. This is true in both agentless environments and agent-based environments. In agentless environments, using distribution servers means the console does not need to push patches to individual machines and individual machines do not need to download patches from patch vendor. In an agent-based environment, it can keep each machine from downloading the patches it needs from the patch vendor over the Internet.
- Distribution servers can be used to store the most up-to-date engines and XML files that are available. In a multi-console or agent-based environment, this can reduce the number of machines that need to download updated files over the Internet. If you will be configuring an agent policy that contains a threat task it is strongly recommended that you use a distribution server. The threat definition file is rather large and using a distribution server to store the file will greatly improve the download performance for your agents.
- Distribution servers allow consoles and agents to operate in environments where they do not have Internet access but still need access to the most up-to-date engines and XML files. See What is a Disconnected Console Configuration for more information.
- Distribution Servers can be used to store any custom patches you may have defined. This is particularly important for agent-based environments. See Preparing to Use Agents for more information.
Do You Need a Distribution Server ?
To determine if you should use one or more distribution servers with Shavlik Protect, apply the following formula:
- If # of machines * 10Kb > available bandwidth, then you need at least one distribution server.
Assume available bandwidth = 500 Kb:
- 100 machines: 100 machines * 10Kb = 1000Kb > 500Kb (need distribution server)
- 20 machines: 20 machines * 10Kb = 200Kb < 500Kb (do not need distribution server)
If You Need Distribution Servers, How Many ?
If (using the formula above) you determine you need one or more distribution servers, you still need to determine exactly how many distribution servers are needed. Determining the number of distribution servers that are needed is very simple. The general rule is:
- Use one distribution server for every 2500 machines
For example, if you have 7500 machines you should plan on using three distribution servers.
- Windows Server 2012
- Shavlik Protect 9.x
Create a shared folder on Windows Server
In order to create a shared folder open the Server Manager
On the up right corner Manage > Add Roles and Features
Follow the wizard.
Check the box File Server in File and Storage Services > File and iSCSI Services > File Server
Continue without adding new features.
You should have something like the following screenshot. And Install
After adding the File Server role, on the Server Manager's Dashboard click on File and Storage Services
Go in the Shares tab and create a new share.
Choose SMB Share
Select where you want to create the share folder.
Name the share.
Click on Customize permissions...
In the Permissions tab we will need 2 accounts :
- One for the Console which will need a read/write to add and delete the patchs.
- One for the Agents which will need only to read and download the patchs.
It is possible to use the Console credentials for the Agents but it is not recommended for security issue as these credentials will be copied on all Agents.
In the Share tab Edit the permissions for Everyone
And select Full Control
And create the share.
Add a new distribution server in Shavlik
In order to add a new distribution server in Shavlik go in Tools > Operations
Select the tab Distribution Servers
On the top panel "Distribution Servers" click New
Give a name to the Distribution Server and fill the path and credentials.
The upper panel is for the Agents connexion so we will give the read only credentials.
The lower panel for the Console so we will give the read/write credentials.
Select the created Distribution Server, choose All engines, definitions, and patch downloads from the scroll down and click Add scheduled sync:
Schedule when you want to sync the Distribution Server with the files on Internet.
We recommend to sync on Wednesday and Friday as our patch release are on Tuesday and Thursday.
To force sync click Run now for each selected tasks.
There should be files in the shared folder.
If not follow this document :
Using the Distribution Server in Agent Policy
In order to use the Distribution Server we need to create a new Agent Policy or modify an exesting one.
To create an Agent Policy go in New > Agent Policy
To modify an existing Agent Policy click on the button just under Home and Agent Policies
In the popup window select Distribution Server and select your previously created Distribution Server.
Deploy or update the policy on the Agents and files will now be downloaded from the agents.