Custom admin.ini

Avast Business Avast Endpoint Protection
1

I’m curious about how much I can tweak %programdata%\AVAST Software\Administration Console\Mirror\Packages\admin.ini.

I have an issue where our remote employees can communicate with our SOA server but only through our VPN. While this normally wouldn’t be an issue for most, we have a sales force that is…less than technical…and because of this, most of their processes have been changed over the years so they no longer need to use the VPN. Most of them can’t even spell VPN… :wink: So, I don’t want them to not get settings after not having been on the VPN for months.

Currently, our idea is to set up a NAT so we can use a public name to communicate with SOA. My two questions are below.

  • If I change admin.ini, will the change(s) persist after a mirror job runs and replaces various files in that path?
  • In the comon.ini section of admin.ini, can you have multiple (weighted) SBCServerName entries? Example: SBCServerName1=server.domain.local and SBCServerName2=server.public.domain.com
2

Although not an answer to your question, as fellow admin i do want to point out that you need to open your firewall to the avast server. This is a high security risk, that you should not be considering in my opinion.

Depending on what you want:

  1. do you need it to get recent updates only?
  2. do you need it for point 1 but also for doing remote control like scanjobs or reporting

Do those reps come in the office often, or are they out of the office most of the time?

If they are gone and you want to have point 1 (updates only) then in the settings there is an option for the client that it will update from internet when it can not find the local update server.

If its for point 2 then you can indeed open your firewall, but thats a huge security risk in my opinion. Maybe it is worth to look at the Microsoft DirectAccess
http://www.microsoft.com/en-us/server-cloud/windows-server/directaccess.aspx
http://technet.microsoft.com/en-us/network/dd420463.aspx

This technique basicly builds the VPN sessions without the user knowing really. This way you do secure your network, but it takes more effort on your own side to set this up.

3

The users might only come into the office once or twice a year. I know they can go to the web for updates but I still want to manage settings for them. If we have issues with some of our apps, and I make exceptions to them, I want those users to be able to get the settings. Reporting would be nice too but I’m mostly worried about settings. I’m not worried so much about jobs; I can put them in a different group so they can just handle their own stuff as much as possible. As for opening the server up to the world, I’m not overly worried. It’ll no doubt only have TCP/UDP-25322 opened to it so unless the avast server has security holes in SOA, then I doubt I’ll have too many issues.

4

I am not sure about the avast5.ini entries, but if you forward/open these ports on your router/firewall the clients will be fully manageable.
You will be able to configure the clients and you will receive reports from them as well.

Why do you need both addresses in the INI file? You can change the address to the public address only and that’s it.

5

I was merely curious if the option was available. It would be nice to have both addresses so that those on the LAN can keep the traffic on the LAN and we’d therefore only have a little traffic coming in over the WAN.

6

So, I still need to know: If I change admin.ini, will the changes persist?

7

I answered my own question. NO, they do not persist.

How, do I specify a different FQDN?

8

You have two options:

[ol]- Change the address from the avast! Client i.e. avast! UI > SETTINGS > Troubleshooting > avast! Administration Console

  • Deploy the generated installation package with the /netcl_addr and /netcl_port command line switches e.g. avast_managed.exe /netcl_addr “255.255.255.255” /netcl_port “25322”[/ol]
9

I’ll go with option #2. Is there documentation on the various switches the installer has?

10

Well according to the avast.sbc.service.log these are the switches:

/netcl_addr “server address” - The address of the management console.
/netcl_port “25322”- The port of the management server
/silent - Silent installation
/sfxstorage “C:\Documents and Settings\All Users\Application Data\AVAST Software\Administration Console\Mirror\Packages”
/edition 9 - avast! Editions: 9 EPSP, 8 EPS. There could be some other editions.
/managed - ?? - probably the installer will install the avast! Net Client Service
/admin “path to admin.ini on the server”
/forceinstall - Forces reinstall of previous installation of avast!

Note: You don’t have to supply these parameters to the installation package. They are included in the package.

11

Good to know. I’ll play with this throughout the day and see how it works. I’ll report back when I know more.

12

I was trying to use the following command but it doesn’t seem to have any affect on the install. What am I missing or do these switches not help in the way I was hoping?


c:\users\testuser\desktop\avast_managed.exe /netcl_addr "avast.homenet.com"
13

ok clear about that

the groups you can make in de console can be manually defined with all the settings. For the clients outside the office, you can create a seperate group and set the public URL for the update server. Maybe its wise the change the reporting and checking interval, i believe it is 45 minutes that a client checks for changes and reporting. Could generate a lot of load on your internet line
no need to edit the admin.ini and all that

just make sure you open your firewall :slight_smile:

14

Ok, where are those settings. I was looking through the settings for the groups and I didn’t see them.

15

Under the COMPUTER CATALOG you have to make a group.
Then rightclick on that group and click properties
click on the option COMMUNICATION
the first option is EAS ADDRESS, the control is greyed out, RIGHT click the field thats greyed out and click on DEFINE VALUE.
The field becomes editable now and you can put in the address that you want.
It is said that you can use a DNS name, but if you know the IP on the outside then this could be used to

16

I think he is referring to ASOA, not AEA. ASOA does not have this feature unfortunately.

17

This feature was on AEA, can’t do this in SOA

18

Correct, I’m using SOA. We used to run ADNM here and I’m beginning to wonder if I should be running AEA in lieu of SOA. While I like the simple web-GUI of SOA, it seems to be lacking the feature(s) I need. If this cannot be done with SOA, can I install AEA over top of the current setup and “migrate” the data over easily? I merely curious at this point. Frankly, I’m not too entrenched in SOA so I could tear it down and start over if need be.

19

Ok, WPN, I’ve ripped out SOA and replaced it with AEA. I have my groups and I’m trying to get them set up so that the local PCs use the LAN address and the remote guys use the WAN address. I think I’ve found the spot but I wanted to verify that with you or anyone else who uses this feature.

In AEA, I went to Installation packages and have created two new packages. The one for local was pretty straight forward, I think. Most of the defaults were used. The one for my remote users is the one I have questions on. On the dialog box where I chose avast! Endpoint Protection, there was an Edit button next to it. That dialog gave me a mess of check boxes at the bottom and an EAS Server address box up top. On the local package’s dialog, I chose Detect and it showed the local address. However, for the remote package’s dialog, I manually typed out the WAN address I want my remote clients to use. Is this the place I specify this address??

20

I’m having more issues now. I think I’ll start a new threat as this one is getting off topic from the original question.