To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

How to deploy workstations product in WAN with FSPM & FSPM Proxy

Options
Brice
Brice W/ Alumni Posts: 3 Security Scout
in Business Suite

Hello,

 

I deployed a multi-site infrastructure with local Windows Servers, 6 in total.

One of my Windows Servers, called "Head" runs F-Secure Policy Manager 11.30. I've successfully deployed F-Secure for Workstations 11.50 on Head's local computers with FSPM Server.

 

I've deployed FSPM Proxy on my 5 others Windows Servers with an FSPMP export, and they connect perfectly with my remote Head FSPM.

 

Now, i need to deploy FS Workstations on "remote sites" computers.

 

I can't deploy from my Head FSPM by the WAN, because it takes too much time and i've got a "Time out" error in FSPM.

I tried to install FSPM Console on remote servers for a "LAN deploy", but it doesn't connect to my Head FSPM Server.

 

Question, how can i deploy Workstations on the others 5 sites with FSPM / FSPMP ?

Should I use GPO with a MSI export ? But it should be transparent for users, and executed juste one time.

 

Info, absolutly no network restriction between my 6 sites, and FSPM / FSPMP ports are default.

 

Thanks.

 

 

Comments

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader
    Options

    Hello Brice,

     

    > Should I use GPO with a MSI export ?

    Yes, this is the best scenario for your case.

     

    Best regards,

    Vad

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master
    Options

    Hello,

     

    > >  Should I use GPO with a MSI export ?

    > Yes, this is the best scenario for your case.

     

    Problem is, the MSI file which FSPMC for Windows creates, is an imitation MSI file. In other words, it is just a JAR file wrapped in a thin MSI layer.

     

    As far as I heard, this makes it impossible to use GPO to install FSAVCS on endpoints truly without ANY end user clicks. The elevation of UAC and the first window in the wizard still requires someone sit in front of the monitor to click Start and have enough logged-in privileges to do so...

     

    It would be nice if F-Secure enhanced the PM console to export native MSI packages that can be installed via GPO using totally silent switches!

     

    Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader
    Options

    Hello Tamas,

     

    Your information about MSI installation and required local user actions is correct for the scenario if local user launches MSI package himself. In that case a user has to deal with elevation of UAC, first window in the wizard, etc...

    But you can configure a GPO scenario, which doesn't require user actions. The installation starts automatically after reboot, and will be completed before user login screen appears.

     

    Best regards,

    Vad

  • Brice
    Brice W/ Alumni Posts: 3 Security Scout
    Options

    Hello,

     

    Thank you for your replies. F-Secure on workstations was successfully deployed using MSI export & GPO.

    It didn't ask anything to users, and clients get updated with FSPM Proxys.

     

    But I have an issue with "head FSPM", remote clients with FSPM Proxy don't appear on it, why ?

    Clients get well updated from FSPM Proxy, FSPM Proxy appear on FSPM and are updated from it, but clients are not imported on FSPM. Is it normal ?

     

     

    FSPM 11.30

    FSPM Proxy 2.11

    F-Secure Workstation 11.50

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader
    Options

    Hello Brice,

     

    PM Proxy can only deliver AUA updates to clients. It can't help with distributing changed policies to clients, and with delivering alerts/statistics from clients back to PM. If you don't need this features, you can leave the situation as it is now. If you need them, you should provide a possibility for clients to communicate with PM directly, at least periodically.

     

    Best regards,

    Vad

  • Brice
    Brice W/ Alumni Posts: 3 Security Scout
    Options

    Hello,

     

    Thank you for this information. If i understand, FSPM Proxy can't transmit policies from FSPM to clients, so they don't appear on FSPM ?

     

    What about this figure in FSPM Proxy documentation ? Is it only true for updates, and not for policies ?

     FSPMP.jpg

     

    If yes, can you tell me how configure clients for taking policies directly from FSPM, and updates from their FSPM Proxies ?

     

    You shall see that i'am a little bit disappointed by this missing option. I though that FSPM Proxy was a full FSPM-relay.

     

    Thank you for your help

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader
    Options

    Hello Brice,

     

    > What about this figure in FSPM Proxy documentation ? Is it only true for updates, and not for policies ?

     

    Yes. it's true only for updates. From PMP 2.10 adminguide:

    What does F-Secure Policy Manager Proxy do?
    F-Secure Policy Manager Proxy helps deliver the virus definition databases quickly and efficiently.

     

    > If yes, can you tell me how configure clients for taking policies directly from FSPM, and updates from their FSPM Proxies ?

    Policies are taken from FSPM, specified in PM Console installation wizard, during client installation/MSI export procedure.

    For configuring PMP, please, check  "Configuring automatic updates" section in PM admin guide.

     

    Best regards,

    Vad

This discussion has been closed.

Categories