Installation and Migration Guide for Enterprise Administration Console (AEA)

The AEA console is required when managing 200+ systems. This Enterprise console is the most powerful anti-virus management tool we have. The avast! AEA console can support tens of thousands of clients. This is achieved through support of multiple avast! Enterprise Administration Servers (AEAS). The AEAS is a mirror of an avast! update server, and each AEAS can manage up to 1000 systems. The AEA console then can manage many AEAS. However, full SQL is required for the “Replication Service” to support multiple AEAS (to support 1000+ clients). There is no migration path currently that will use the existing database from ADNM.

For user guides and FAQs please refer to:

1. avast! Endpoint Protection

Enterprise Administration Console Installation Guide - http://files.avast.com/iavs5x/setup_enterprise_eps.exe

Endpoint Protection User Guides - http://www.avast.com/download-documentation#business-products

Enterprise Administration Required Ports - http://www.avast.com/FAQ/AVKB79#idt_18

Enterprise Administration Console User Manual - http://files.avast.com/files/documentation/enterprise-administration-user-guide.pdf

Endpoint Protection FAQ - http://www.avast.com/FAQ/AVKB79

Installing and configuring Microsoft SQL Server 2008 R2 Express - http://www.avast.com/FAQ/AVKB74

Helpful Information

NOTE: You may push a deployment from the console for a domain. Workgroups will not deploy, so installs either occur from users or administrators.

Service Port Numbers

  1. Please make sure the ports listed below are opened in the network on both the client and server side (you can use the GPO to dispatch on all machines, and make sure to reboot the machines for the changes to be applied). avast! Small Office Administration uses the following ports:

Mirror 16135
Client communication port 16136
Client communication port, push requests 16139
SSL communication port console 16138
UDP information port 16133
Standard RPC, NETBIOS and SMB TCP ports for remote deployment 135, 139, 445
Standard NETBIOS UDP ports for remote deployment 137, 138

  1. When installing the Enterprise Administration Console please make sure to install a MS SQL 2008 R2 as standalone, not from the installation process, so later you can connect the EA to it (best practice)

  2. Do a discovery task to find all the machines

  3. Create a deployment package for each type of system deployment: Desktop, Server, Sharepoint, Exchange, etc.

Create a deployment package for each type of OS (Desktop, server)

File Servers

For servers, I recommend modifying the components of the deployment package (create a light installation package for server OSs) which consists of the File System Shield only. This is usually the only real protection required for file servers and this is an industry standard best practice. This assumes that the File Server is not being used as a workstation. NOTE: DO NOT use the Network Shield on servers. SharePoint servers should add the SharePoint shield in addition to the File System Shield. If servers are to be managed (see below), then each server type will require its own group, separate from the managed client group. If servers are NOT to be managed, then use the custom install feature to select the correct shield/shields for that server type.

Workstations

For desktop installation, I recommend to remove all the server protection modules from the deployment components, so they are not installed on the client. Note: When creating an installation package please be sure to select the server name / address in the installation package for the clients to communicate with the console after deployment. It is best to have the system hosting the SOA console to use a fixed IP vs. DNS name. This will eliminate DNS issues during deployment.

  1. Start to deploy by group of 10-20 machines at once, make sure to enable the “Reboot the machine” option in the deployment task settings (this is necessary to finalize the installation process). Important – Before sending out an installation please be sure the mirror is up to date which you can check by going to view tab in the console and check mirror status. Once it’s up to date then you can send out the installation. (NOTE: SOA can be installed with or without mirror)

  2. After you send out an installation you may receive an error code 0x00000005, which usually means access denied. This also happens when you don’t reboot the client after the initial installation, so please do so and then refresh the Console. Also be sure to use the network administrative passwords or a password with full administrative rights to push the client through the network (Domain/Administrator). NOTE: All systems MUST be rebooted after deployment, so plan accordingly.

  3. If you find that when you deploy, some of your clients’ licenses change or remain in the trial mode, please check to be sure you’re not over your license count, in which case you will have a “KEY” icon over the PC. Please note the total sum of your license count is Computers with Agent + Computers without Agent = License Count. So if you have old clients in the Active Directory that will not receive the installation package, please delete them from your lists and this should resolve your issue.

  4. If you find that you will be over your estimated license count or current license please contact us for remedy.

  5. If you need to install or update to a 2008 R2 SQL please click on the link below.
    http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1286&nav=0,1,23,727

  6. The DEFAULT PASSWORD for the EA Console is ADMIN. This of course can be changed after installing.

NOTE: When you are deploying, Enable the Admin Shares. Windows XP systems should have File/Printer sharing DISABLED. Windows 7/Vista systems should have File/Printer sharing ENABLED

WORKGROUP VS ACTIVE DIRECTORY

You may push a deployment from the console for a domain. Workgroups will not deploy, so installs either occur from users or Administrators.

ACTIVE DIRECTORY

If using Active Directory you can easily create an installation package to push the client remotely through the network with Network Administrator password and in the Deploying Group. The Endpoint client will remove existing installation of avast! 4 only. Any other avast! version or other anti-virus should be un-installed prior to Endpoint deployment.

WORKGROUP

If using a Workgroup you can only DEPLOY remotely (no push deployments from your console). We recommend creating the installation package manually and sending it via email to each client, or installing it separately via USB Flash disk to manually install it on each client. Once the client has been installed only then will it be detected in the Console. The Endpoint client will remove existing installation of avast! 4 only. Any other avast! version or other anti-virus should be un-installed prior to Endpoint deployment.

NOTE: Windows File and Printer Sharing must be enabled so avast! can create the necessary directories! ALSO, all systems need to be rebooted after installation, so plan accordingly!

Migration from 4.8

For those of you that have previously used ADNM (previous version 4 of the Enterprise console with blue icon), you already know 90% of AEA, as it is the same reliable code from ADNM. There are very few differences, such as the combining of Computer Catalog and Task Management modules into the same location. During installation, you are prompted for choice of SQL 2008 R2 Express (to be installed with AEA), or use an existing installation of SQL. If you have either SQL 2005 or SQL 2008, you then can use same SQL instance, but a NEW database will be required (SQL 2008 is preferred). Both ADNM and AEA can coexist simultaneously. During a push Deployment, the Endpoint client installation will uninstall existing avast net clients from avast! version 4 ONLY. If any other version of avast! or other anti-virus is present, then these products will need to be removed prior to an avast! deployment. The Endpoint client will require a reboot after installation, so be prepared for this.

A. From avast! ADNM v4.8 to avast! AEA v7

In this scenario, as the AEA v7 is NOT using the same database NOR the same installation folder as the ADNM v4.8, you just need to:

  • ** Most Important, prior to installing the AEA you need to run an uninstall task with the current ADNM and remove 4.8 from the clients
  • Install the AEA v7 Console on the same machine or on another one.
  • Do a discovery task to find the machines which are already running the v 4.8 managed clients
  • Do a remote deployment on these machines *(Basically the deployment will detect the old 4.8 version and remove it automatically before installing the new version 7)
  • Finally remove the ADNM v 4.8 and its database

This AEA Installation guide was created by myself, internal Avast Specialist and Platinum Reseller J.R. Guthrie of Advantage Micro Corporation. The intent of this forum page is to help those during the installation of version 7 Endpoint Protection in their environment.

Sincerely,

J.R. Guthrie
Advantage Micro Corporation

Che Johnson
avast! Moderator
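
The TCP ports in the Service Port Numbers list above can be checked from a client machine before a push deployment. This is an added example, not part of the original post or any Avast tooling; the host address is a placeholder, and the UDP ports (16133, 137, 138) are left out because a connect test cannot confirm them.

```python
import socket

# TCP ports copied from the guide's "Service Port Numbers" list.
AEA_TCP_PORTS = {
    16135: "Mirror",
    16136: "Client communication",
    16139: "Client communication, push requests",
    16138: "SSL communication, console",
    135: "RPC (remote deployment)",
    139: "NetBIOS session (remote deployment)",
    445: "SMB (remote deployment)",
}

# What each non-open state usually means for the administrator.
HINTS = {
    "refused": "host answered but nothing is listening (service stopped?)",
    "filtered": "no reply (firewall rule, routing, or host down)",
    "unresolved": "name did not resolve; try the server's fixed IP",
}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as open, refused, filtered or unresolved."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"
    except OSError:  # timeouts and unreachable-network errors land here
        return "filtered"


def preflight(host, ports=AEA_TCP_PORTS, timeout=2.0):
    """Probe every listed port; return {port: (role, state)}."""
    return {p: (role, probe(host, p, timeout)) for p, role in ports.items()}


if __name__ == "__main__":
    server = "192.0.2.10"  # placeholder: replace with the console server's address
    for port, (role, state) in sorted(preflight(server).items()):
        hint = HINTS.get(state, "")
        print(f"{port:>5}  {state:<10}  {role}  {hint}")
```

A "refused" result on 16136 or 16138 points at the server service not running rather than at a firewall, while "filtered" points at the network path or a firewall rule.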

Thanks for this nice guide.

One correction I want to suggest:

10. The DEFAULT PASSWORD for the EA Console is ADMIN. This of course can be changed after installing.
I would advise to change the word CAN into SHOULD. (or make the software forcing to change it)

I followed this guide and when I bring up the Avast Enterprise Administration and put my server in with the default password I get “No Connection could be made because the target machine actively refused it.”. There is no firewall turned on. In the ‘Services’, the “Avast Enterprise Administration Server” will not start and it gives me an Error 4200 0xa410. I was discussing this with someone at support.avast.com but today that website says that there is nobody with my email registered at that site. I have 63 licenses and it is licensed for 3 years so something is not right.

I uninstalled Avast Enterprise Console and Microsoft SQL 2008 R2 and reinstalled using the links listed below, except the second time I tried "Microsoft SQL Server 2008 Express with Tools". The results are exactly the same.

https://support3.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1286
https://support3.avast.com/index.php?languageid=1&group=eng&_m=knowledgebase&_a=viewarticle&kbarticleid=1289

I haven’t been able to get into the ADNM console for three weeks because it refuses to see a valid certificate even though one is installed. I was advised at support.avast.com to migrate to the new version. The server appears to be still putting out definitions to my workstations as they are not complaining of old virus signatures and I am really hesitant to completely erase the old version before the new one is installed because that would leave me vulnerable if I can’t get this new one to work. It’s given me such grief that I am about ready to migrate to a different product.

Any Ideas?

I think this error relates to: you must install SQL 1st, before AEA (I think that is your issue). I need to rewrite these documents, as that is now the safe way to do it! With only 63 clients, I would use SOA console!

Sincerely,

J.R. “AutoSandbox Guy” Guthrie

“At this point in time, the Internet should be regarded as an Enemy Weapons System!”

Hi JR, How exactly do you create a deployment package for each type of system deployment?: Desktop, Server, Sharepoint, Exchange, for type of OS (Desktop, server).

We use SOA and would very much like to do this to cater for old XP boxes. We have tried simply unticking the relevant components then wait for ‘update definitions’. Then we simply download the “avast_managed.exe” package from the internal link and then tried to deploy the package on the relevant boxes.

However this doesn’t seem to work. The package “avast_manage.exe” seems to be the same size every time. Also we see strange issues: the firewall component is unchecked, yet when installed the firewall component is ‘magically’ installed on some (not all) installations. This is even if the PC is in a managed group with the firewall shield disabled and unmonitored. On these installs, uninstalling avast, then running aswclear.exe, then redeploying avast, and presto, the dreaded firewall components are reinstalled. A check of running services on these boxes confirms that the asfw* processes are all running. This is quite mysterious: firewall component is unchecked, firewall shield is disabled and unmonitored, yet the PC appears in the console with a ‘green tick’.

Any ideas how/why the firewall component is installed if it is thus disabled (and unchecked in components)?

Also what are the steps to build a custom deployment package with specific components removed?

MOD: Please move this to the SOA guide thread (posted in error to AEA guide thread)

hello,

I have a small question:
with the new version of AEA in security policies to be applied to a group, I can tick the “AutoSandbox Client” box AND “AutoSandbox SERVER”.
What is the technical difference? advantages and disadvantages? because you can very well check the 2 together?
the documentation does not mention these two different parameters
thank you

hello,

I take this post with the subject “migration and deployment with AEA” to see if anyone had the process step by step to set up the following path:

when a machine integrated domain “example”, it automatically enters the avast group “example”, and if the machine is not equipped with avast, it automatically deploys the client in silent avast?

if I can link several spots, I do not know how to run a discovery task of all the network every 30 minutes, and it forces a deployment …
I want the automatic deployment is done only on non-equipped positions and demand silent installation does not occur on machines already installed, avast runs well even though that if you throw the spot deployment on a machine already installed it will do nothing.

thank you to you

"The avast! AEA console can support tens of thousands of clients. "

But none of them can be running Windows 10! When will Windows 10 be supported by the Endpoint version of your product? We want a date!

https://forum.avast.com/index.php?topic=180249.0

Hello,

Could you please publish note or documentation about how to install and configure AEA to multiple site network by using 2nd Level Mirrors. I could not find anything about what procedures we go through when we need to use a second level mirror for updates and deployment installation packages. For example 2nd level mirrors are for update purposes only or is it possible to use a 2nd level mirror to create a deployment package at a remote site…

Best Regards,
Alper OZBEK

Hello,

I have 2003 server with the role “avast Server AEA server and console” named “SRV-AV-2003” in EPS version.
I renew the licence for 3 years on EPSP (Endpoint protection Suite plus) version.

I just prepared a new 2012 server named "SRV-AV-2012", and installed the setup consoleepsp.msi on new database and new certificate.

Now, what the best practice for migration from old server to new server, without change the client configuration and without change the nameserver?

I opened a ticket at AVAST but I would like the opinion of the users of chat if they were facing the same problem as me?
Be careful, the version is different EPS to EPSP

thank you