PBS & Citrix PVS (Golden Image & Portal)

NewChannel
NewChannel W/ Alumni Posts: 4 Security Scout

Since there is nothing mentioned on the forum about this, I put what I've found together with the question.

First, for golden images this link will be helpful: https://help.f-secure.com/product.html#business/psb-portal/latest/en/task_764A7058CC4841F4A0CC222EBF917317-psb-portal-latest-en

But then we have the clones in the dashboard and functioning. Now the one-million-dollar question:

How to unregister a server/client from the portal without manually deleting the entry?

This is important so as not to run out of licenses with PVS or provisioned non-persistent (Citrix) servers.

I could not find the answer yet. Does anyone have the answer for this?

Answers

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 498 Moderator

    Hi NewChannel,

    In the event that an image shares the same name, please verify the following:

    1. Confirm that the name was changed during sysprep.
    2. Verify the GUID of the host: in the PSB portal, on the Devices tab, change the category view to Active Directory to view the GUID.
  • NewChannel
    NewChannel W/ Alumni Posts: 4 Security Scout

    Hi JamesC, thanks for the reply.

    To clarify: the image is called something like ts-gold. The rolled-out machines are called ts-01 through ts-04. They have unique GUIDs. After a reboot of the TS, it is purged and renewed from the golden image under the missing (purged) machine name with a new unique GUID.

    In the portal there are soon several instances with the same name (e.g. ts-01). Of course only one is connected and active; the others are offline.

    The problem is how to remove the old ones, or how to make the portal recognise the machine by its computer name instead of the GUID.

    As far as I understood, there is no way (yet) to make this happen with a company-managed subscription, but if someone has got the trick done...

  • fedool
    fedool W/ Staff, W/ Article Coordinator Posts: 162 W/ Staff

    Hello,

    Proper Citrix support is coming soon but is not yet available. I will explain how we will make it work so you can confirm it will work for you.

    When you install CP or SP on your golden image, you will provide a special parameter to the installer, like --smbiosguid.

    This parameter will tell CP that it needs to connect your "new" installation to the previously connected machine with the same SMBIOS GUID. So, if you already had a machine with SMBIOS GUID "blah" before, when you renew the image it will connect to the same "blah" device in the portal. If it has a new SMBIOS GUID "blah2", it will create a new device in the portal.

    So, you just need to make sure the SMBIOS GUID does not change when you revert/renew, and that the SMBIOS GUID is unique inside your company/keycode, and it will work.

    Is that ok for you?

  • NewChannel
    NewChannel W/ Alumni Posts: 4 Security Scout

    Hello Fedool,

    I'm afraid it will not work, since there is no revert: the old VM is purged and a new one is created from the golden image. Citrix PVS will make the clone from the golden image. Windows GUID, MAC address etc. will all be new. The only thing which stays is the NetBIOS computer name; that will be the same as the old one.

    So it would be preferable to have a special parameter like --hostname or --netbiosname, so that it would reconnect to the same license that way.

    Another way would be an option in a local executable to deregister the machine from the portal,

    like fsutil --deregistration

    As a workaround: could this script work with PSB? https://seetricks.blogspot.com/2012/09/f-secure-server-security-auf.html

  • NewChannel
    NewChannel W/ Alumni Posts: 4 Security Scout

    Hi Fedool,

    I checked with the customer. The SMBIOS GUID stays the same. So is this install option already in place?

    If so we will test it.


    output of "wmic path win32_computersystemproduct get uuid"

    before reboot


    xxx-xxx: 71A70E42-840C-61A0-4F00-0089739FC2E9 

    xxx-xxx: A9D40E42-59E0-C036-A5CE-7732C1378BEC


    after reboot


    xxx-xxx: 71A70E42-840C-61A0-4F00-0089739FC2E9

    xxx-xxx: A9D40E42-59E0-C036-A5CE-7732C1378BEC
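
Added example (not F-Secure's code, and not from any poster): it models the --smbiosguid matching rule fedool describes above, and audits "host: UUID" lines like the wmic output NewChannel pasted for reused GUIDs. Host names and the third sample line are constructed; the two UUIDs come from the thread.

```python
# Added example (not F-Secure code): portal-side GUID matching as fedool describes it,
# plus a duplicate-GUID audit over pasted wmic output. Sample data is constructed.
import re
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    smbios_guid: str
    online: bool = False

# One "host: UUID" line per machine, as pasted from "wmic ... get uuid" output.
UUID_RE = re.compile(r"^([\w-]+):\s*([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\s*$", re.M)

def parse_wmic_uuids(text):
    """Return {host: SMBIOS UUID} (upper-cased) from pasted 'host: UUID' lines."""
    return {host: uuid.upper() for host, uuid in UUID_RE.findall(text)}

def duplicate_guids(hosts):
    """GUIDs shared by several hosts: clones that would collide in the portal."""
    by_guid = {}
    for host, guid in hosts.items():
        by_guid.setdefault(guid, []).append(host)
    return {g: sorted(h) for g, h in by_guid.items() if len(h) > 1}

def register(portal, name, smbios_guid):
    """Rule fedool describes: a known GUID reconnects, an unknown GUID adds a device."""
    guid = smbios_guid.upper()
    for dev in portal:
        if dev.smbios_guid == guid:
            dev.name, dev.online = name, True
            return "reconnected"
    portal.append(Device(name, guid, online=True))
    return "created"

def stale_duplicates(portal):
    """Offline entries that share a computer name with an online one (the leftovers)."""
    online = {d.name for d in portal if d.online}
    return [d for d in portal if not d.online and d.name in online]

# Constructed sample: ts-03 was cloned without getting a fresh SMBIOS UUID.
SAMPLE_WMIC = """\
ts-01: 71A70E42-840C-61A0-4F00-0089739FC2E9
ts-02: A9D40E42-59E0-C036-A5CE-7732C1378BEC
ts-03: 71A70E42-840C-61A0-4F00-0089739FC2E9
"""
```

Running `duplicate_guids(parse_wmic_uuids(SAMPLE_WMIC))` flags the reused GUID; calling `register` twice for ts-01, once with its old GUID and once with a changed one, shows why an unchanged GUID reconnects while a changed one leaves the offline duplicate `stale_duplicates` reports.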

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Dear Sirs,

    I wish F-Secure PSB had a single, truly unique endpoint identifier method, which combines SMBIOS + computer name + date- and time-based random generation + Scottish Highland wind speeds from the latest online weather forecast + the momentary brightness of rapidly variable irregular stars in the Orion constellation, etc.

    In my opinion, out of the 6 or 7 thousand PSB-protected endpoints visible under our "SoP" level web account, likely several hundred devices have the same "unique ID" due to improper cloning or virtualization. Most customers use PSB with default settings in practice, so instead of a choice of SMBIOS (default) or computer name or random UID and all of them fallible, it would be better to offer a single but more foolproof unique ID method, with a more complicated generation algorithm under the hood.

    Thanks for your kind attention. Yours sincerely, Tamas Feher, Hungary.

  • PetriKuikka
    PetriKuikka W/ Member Posts: 236 Threat Terminator

    We have just released the documentation for Citrix golden image usage with CP/SP:

    Petri

This discussion has been closed.