How the "Prevent Downloads" option works under the Targeted Site Settings
search cancel

How the "Prevent Downloads" option works under the Targeted Site Settings

book

Article ID: 204355

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

This "targeted site settings" policy feature (under SMP Console>Settings>Notification Server>Site Server Settings>Site Server Settings) is available starting from IT Management Suite version 8.5 RU2.

The "targeted site settings" policy lets you configure and apply download settings to the sites. By default, it is turned off. 
Configuring the targeted site settings policy for each site is not required. If you do not configure the policy for a site, its outbound data transfer settings remain unlimited and the agents can download packages from any source.
 
Under the "targeted site settings" policy, there is an option called "Prevent Downloads". How does it work?

Environment

ITMS 8.5 RU2 and later

Resolution

For more details on how to configure Site Settings and other options under this functionality, please refer to our Online documentation.

General information about "site settings":
The Site Settings are settings that are applied to the agents on the site. Those are NOT related to "Site Server settings", they are related to the "Site settings". So all the settings in the particular "Site Settings" policy are assigned to the agent which falls under this site subnet or manually assigned to this site.
The agent could be assigned to several sites. In this case, it will use settings from the first site policy.
When an agent with active "site settings" policy starts to download something, the new term appears as "outbound" download/connection. This means that the connection is made to the machine which is not falling under the same sites as the agent.
 
Note:
These "Prevent Downloads" options are available starting from IT Management Suite version 8.5 RU3.
 
The "Prevent Downloads" options let you limit the sources from which the agents are allowed to download packages. For example, you can prevent package downloads directly from the Symantec Management Platform (aka Notification Server (NS)). These options should help with Site Policy restrictions: Never Download from NS or remote Package Server (PS).

There is a possibility to prevent SMA from downloading packages from the Notification Server directly or/and from Package Servers that do not belong to the same site as the agent.

This functionality is available from "Site Settings Policy" and regulated by two check-boxes:

  • Prevent downloads from Notification Server
  • Prevent downloads from Package Servers that do not belong to the same site(s) as the agent
The "Prevent Download" checkboxes in the "site settings" policy mean:
  • "From Notification Server":
    The NS will not give back its codebases to the agent (agent won't receive the NS codebases when it asks for GetPackageInfo.aspx)
  • "From Package Servers that do not belong to the same site(s) as the agent":
    The agent will receive codebases as usual (as NS returns) but then the agent will ignore codebases that are referencing Package Servers located not in the sites the agent resides.
For example:
Site-A has NS-A, PS-A, Agent-A.
Site-B has PS-B, Agent-B.
If Agent-B asks NS for codebases, it will receive (for example) PS-A and PS-B codebases and could choose from where to download and it could happen that it will choose PS-A and successfully download from it. When you check the second check-box "From Package Servers that do not belong to the same site...", then Agent-B will ignore PS-A and choose from the remaining list, which is PS-B in our example.
Here we should remember that if Agent-B receives only PS-A and the second check-box is checked, then it still will ignore PS-A and as a result will have "No codebases" and fail to download (go to retry, increasing the "unsuccessful" timespan value).

 

The SMA receive those values in Site Settings Policy as case insensitive comma-separated string of "deny" node:

<deny>Ns, ExtPs</deny>.

The node expected on the same level as <maxTransfers> node, just below <outbound> node.

While package downloading the Package Manager passes those values to the GetPackageInfo.aspx request. This could be seen in SMA informational level message log:

"Download package sources from: http://<SiteServer>:80/Altiris/NS/Agent/GetPackageInfo.aspx?xml=<request resource="{A535796A-A600-4633-A05E-B618772F4241}" version="1" type="codebases" compress="1" deny="Ns, ExtPs" totalTime="0" totalFailureTime="0">"

For now, the restriction of downloading from Notification Server is handled purely on the Notification Server and SMA takes no action regarding NS codebases returned in response to such GetPackageInfo.aspx Request.

The Package Server codebases returned in GetPackageInfo.aspx now could be ignored (filtered out).

The filtering will happen if all conditions below are fulfilled:

  1. SMA was able to detect the main site from policy and has "deny=ExtPs" value set.
  2. P2P policy is:
    • OFF
    • ON and we didn't find any Package Server codebase which matches the "Don't use peer-to-peer downloading: " selection, neither any peers.
  3. The Package Server IP is not resolvable or is resolved and does not fall in any subnet in the main site policy (used in point 1 above).

In other words: the setting is taken from the first site the SMA will find in the policy and this value will be used while a single downloading attempt (for all codebases which will be tried while this attempt). Also if P2P settings are configured, and SMA will find the Package Server in the P2P subnet, then the "Prevent" option from the site policy will have no effect.

 

The Office 365 peculiarity:
For packages with Office 365 Updates the "Site Settings Policy" restrictions are also respected with all the above-mentioned rules. The only peculiarity is that Package Servers filtering is not done on each range request (number of which could be quite big in a short amount of time) but rather done once per connection and the result is cached in the connection cache. The cache could be reset if policy values or the site is changed.

 

ULM specific:

Starting from 8.5 RU release, when Agent try to download package, on GetPackageInfo.aspx request it adds field deny with default value - "None".

<request resource='{5A46EBFE-C50B-4A68-AA9C-8C09A8DAFBE2}' version='1' totalTime='0' type='codebases' compress='0' deny='None' requestNSCodebases='false' >

If Agent got Site Settings Policy, field deny will set with value from top site settings:

<request resource='{A82EAD13-2212-4B63-9C8A-1C9FB38011B6}' version='1' totalTime='208' type='codebases' compress='0' deny='ExtPs' requestNSCodebases='false' >

 

 

Site Settings Policy example:

<Policy guid="{4CC5B582-4A7D-424C-8629-62457B3D48FA}" name="Non-Internet Site Settings" version="8.5.4246.0" hash="CFCA437B7BA3319AF77F1A69309211F0" userPolicy="">
                <ClientPolicy agentClsid="Altiris.SiteSettings">
                                <site guid="{7cff1736-3a16-4178-892a-e37e1abef494}" name="NS Home" order="0">
                                                <outbound>
                                                                <maxTransfers>10</maxTransfers>
                                                                <maxSpeed>50</maxSpeed>
                                                                <deny>Ns, ExtPs</deny>
                                                </outbound>
                                                <subnets>
                                                                <subnet match="0">10.0.8.0/21</subnet>
                                                </subnets>
                                </site>
                </ClientPolicy>
</Policy>

 

 
Powered by Wolken Software