When i run a security scan, it fails to run certain installers.
Last status: Done
Wed, 01 Feb 2012 16:36:35 Performing TCP connection with a timeout of -1 milliseconds
Wed, 01 Feb 2012 16:36:37 Performing TCP connection with a timeout of -1 milliseconds
Wed, 01 Feb 2012 16:36:39 Performing TCP connection with a timeout of -1 milliseconds
Wed, 01 Feb 2012 16:36:41 Performing TCP connection with a timeout of -1 milliseconds
Wed, 01 Feb 2012 16:36:42 Performing TCP connection with a timeout of -1 milliseconds
Downloading http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe
Failed to download http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe. Error code 1
Last status: Failed
Download Failure: Error 80004005 downloading http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe
Last status: Failed: Could not download http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe
Sending status to core
In SendRequest: Action = SOAPAction: "http://tempuri.org/SetPatchInstallStatus"
Wed, 01 Feb 2012 16:36:44 SendRequest: SOAPAction: "http://tempuri.org/SetPatchInstallStatus"
However other updates run, such as adobe reader x or firefox 9.0.1 correctly downloads and installs. All the install files are in the same patch repository. I don't understand why it would update firefox from 8.0.1 to 9.0.1 but not to 10.0.
Put the following URL in IE on the client to see if you get the message asking if you want to run or save the file:
http://CORESERVER/LDLogon/patch/Firefox Setup 10.0_ENU.exe
Make sure that you remove the proxy settings from IE when you try this. If it fails you need to troubleshoot why the clients cannot access the URL.
Our company blocks access to Skype and we have this issue... but we do not forbid our laptop users from using Skype when on travel, etc, so we need to patch it. I have to either work with our security guys to get around the sitewide proxy server, or download it off site and get it at work another way.
You might be having the same issue... If ZMAN's way does not work, see if you can go to skype.com and manually download a file from there or not.. note, the download you will be offered there is different than the one LANDesk uses and will not work, but worth trying to download to see what your issue is.
putting in that url gives me a credentials prompt. After entering my credentials, it gives a HTTP Error 404 - File or directory not found. I'm assuming anonymous authentication in IIS isn't working correctly because it's asking for credentials.
I did change the password for the IIS anonymous authentication account, however i changed it in the IIS setting as well, so i'm not sure why it would not be working.
Sorry, first off, it was not ZMAN that had posted before.. just so used to him being among the first...s
Also, I assumed the url that I saw was to the Skype file from Skype, the patch core.
Let's start over....
This patch requires you to manually download the file from Skype, if you open the properties of the patch the default tab will state to get it from here:
Unzip and follow these directions:
We recommend that everyone upgrades to the newly released build.
In order to remediate this vulnerability/install the application you must manually download the zip file from http://community.skype.com/t5/Windows/New-Release-5-6-0-110/m-p/214046.
Once the file is downloaded, Unzip and copy the file to the \patch folder on the LANDesk core server,
\Program Files\LANDesk\ManagementSuite\ldlogon\patch. Rename the patch name to skypesetupfull184.108.40.206.exe,The vulnerability/application install can now be remediated through the normal LANDesk Patch Manager process.
already done that. The skype patch used to work. However, in an effort to try and get these security scans to download patches over the gateway, i might have broken something with permissions in IIS. I changed the password to the anonymous authentication account and changed it in the IIS settings. Since then, i've been having problems with patches that used to work, because now some of them are not downloading correctly.
2nd problem (which caused me to mess with IIS) is that none of the remote machines that we have are able to download patches over the gateway. ALL .exe patches fail to download. Which is what led me to believe there was something wrong with IIS.
I really need to get this resolved. The system admin and I are both somewhat new to this company and we were thrown into a situation where we have no documentation relating to how landesk works in our organization. We have no password lists or anything. So i'm kind of in a bind. Creating cases via self service portal does not give a fast enough response. My supervisor is already seriously thinking of dumping landesk.
So i specifically need to know where the IUSR_computername account is used in aside from IIS anonymous authetication and what permissions that account needs to make it work with security scans locally on our domain AND over the gateway.
Thanks all for any insight you might be able to give me.
The following document may be of some use to you:
This document details the various NTFS and IIS permissions necessary for the various directories used in the Vulnerability Scan process.
In addition here is some information regarding the IUSR password.
The LANDesk clients need to be able to access the patch repository in order to download patches.
The permissions in the first document above should spell out the specific permissions for the directories, both at the NTFS level and at the IIS virtual directory level.
Some information about the key directories:
As the client is scanning the following directories are accessed:
Default patch storage directory: LDLOGON\Patch
This is where the patches are stored that the clients download and install through Patch Manager.
This can be changed if necessary: http://forum.landesk.com/support/docs/DOC-2133
LDLogon\VulnerabilityData directory: (This is where the .XML data is stored that tells the vulnerability scanner what to scan for)
As the client only needs to be able to access and and download these XML and XMLZ (compressed XML) files, Read and Directory browsing is suffiicient for IUSR in this instance.
LDLogon\VulscanResults: As the vulnerability scanner is scanning, the information regarding what has been scanned (Scan history) is sent back to the core server, is placed in the Vulscan results folder as a .VRZ file (Compressed vulscan results) and is then processed into the database.
Due to the fact that the client needs to write the .VRZ files into this directory, the anonymous (IUSR) account needs Full control to this directory.
LDLogon\IncomingData: The PostCGI.EXE file within this directory needs to be able to be accessed by the IUSR account in order for the core to process the incoming Vulscan Results files from the client.
Once these permissions have been set and verified as functioning properly, it is recommended to make a backup of the IIS configuration.
In the end with this issue we discovered that it was an issue with Proxyhost.exe that has been resolved in Service Pack 3.
In looking at your IIS logs Error: 404.2 - Web service extension lockdown policy prevents this request.
1) On the core server go to Start | All Programs | Administrative Tools | Internet Information Services (IIS) Manager
2) Go to Web Sites | Default Web Site
3) Right click on the new web share that has been created and click Properties
4) On the General tab look for Execute Permissions
5) Set Execute Permissions to "Scripts Only"
6) Click OK and close IIS
7) Go to Start | Run: iisreset
I am getting exactly the same problem, LANDesk 9 service pack 3 installed.
I have changed patch manager download from http to UNC … same problem
Thanks in advance