Troubleshooting remote installation on MS Windows


The Panorama9 debug tool

Getting the Panorama9 agent onto all machines in your network can be tricky, since you may, knowingly or not, have a locally installed firewall that prevents remote access. In this case the install attempt fails with an “access denied” error.

You can use the Panorama9 Deployment Debug Tool to troubleshoot and instantly get feedback about what is going on. Download the tool and run it from a computer that you believe should be able to remote install, e.g. the server where you enabled the Panorama9 agent's deployment service. 


You can also use the rpcping tool if you suspect RPC connections are blocked (available with Microsoft Windows 7 or newer):

rpcping -s HOSTNAME -u 9 -a connect -I "USERNAME,DOMAIN,PASSWORD"

If the rpcping check fails, the deployment system will also fail. You will therefore need to solve the connectivity issue before you can expect the deployment system to successfully remote install the P9 agent. The typical underlying issue is a client-side firewall that blocks incoming RPC requests.

Remote configure the MS Windows Firewall to allow RPC traffic

You can use a Group Policy Object (GPO) to configure the built-in Microsoft Windows Firewall to trust remote access from the deployment machines. This way you don't have to visit and manually configure each machine; you simply apply the configuration to the devices throughout your network using Microsoft Active Directory (AD). Should you use a third-party firewall, please see the relevant documentation from the vendor for information about granting access to a trusted device.

Open the "Group Policy Management" editor found under "Administrative Tools" and edit an existing policy or add a new one. Navigate to "Computer Configuration" -> "Policies" -> "Administrative Templates" -> "Network" -> "Network Connections" -> "Windows Firewall" -> "Domain Profile" and edit the properties for "Windows Firewall: Allow remote administration exception".
 



Enter the IP address of the machine with the deployment service enabled into "Allow unsolicited incoming messages from the IP addresses".
 



Once configured, allow ample time for the machines in your network to inherit the GPO. The deployment system will try to remote install the agent at regular intervals until access is finally granted.

Broken DCOM settings

Some machines may still fail to have the agent installed due to broken DCOM settings that prevent the deployment service from initiating RPC calls on the remote computer. The solution is to ensure DCOM is enabled under "Default Properties" and reset "COM Security" to default settings. Alternatively, you may apply the needed configuration to all devices in your network through a GPO or a logon script.

Create a new (or add to existing) GPO or .vbs file and copy the following: 

Set WshShell = CreateObject("WScript.Shell")
' Enable DCOM on this machine
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM","Y","REG_SZ"
' 2 = Connect (RPC_C_AUTHN_LEVEL_CONNECT)
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel",2,"REG_DWORD"
' 3 = Impersonate (RPC_C_IMP_LEVEL_IMPERSONATE)
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel",3,"REG_DWORD"

If you're applying the above using a .vbs file then save it to a folder that your machines have access to (it's recommended to save it to the folder with the login scripts) and ensure that machines run the .vbs script when logging in by adding the .vbs filename to the login script.
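
To confirm that the GPO or logon script actually took effect on a machine, the three values can be read back and compared. This is an added example, not Panorama9 code; the function name is hypothetical and the expected data is taken from the script above.

```powershell
# Added example: audit the DCOM values that the .vbs script above writes.
# Run locally on the machine being checked.
function Test-DcomDeploymentSettings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Ole'

    # Expected data, copied from the RegWrite calls in the .vbs script.
    $expected = [ordered]@{
        EnableDCOM                = 'Y'   # REG_SZ
        LegacyAuthenticationLevel = 2     # REG_DWORD
        LegacyImpersonationLevel  = 3     # REG_DWORD
    }

    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    foreach ($name in $expected.Keys) {
        # A value that does not exist in the registry comes back as $null.
        $actual = $props.$name
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $name
            Expected = $expected[$name]
            Actual   = $actual
            # String comparison; -eq is case-insensitive, so 'y' also matches 'Y'.
            Match    = ($null -ne $actual) -and ("$actual" -eq "$($expected[$name])")
        }
    }
}

# Show one row per value; any row with Match = False still needs the fix applied.
Test-DcomDeploymentSettings | Format-Table -AutoSize
```

The check only covers the three registry values; it does not inspect the "COM Security" permissions mentioned above.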

Extended info about why remote install failed

You can observe the remote install progress through the Panorama9 dashboard: navigate to "Manage" -> "Deployment". Should a machine fail to install the P9 agent, a failure state will be displayed in the "Agent status" column.

Listed below is extended information about failure states and how you can correct the underlying issue.

Domain not available

The Panorama9 service on the deploying machine must run under the domain administrator account and be connected to the domain server.

Network lookup failed

The device could not be found on the network on the last attempt. If this problem persists, please check if the machine is reachable from your deployment server with the Windows 'ping' utility.

WMI/RPC failure

This is a complex failure source. Please see the section "Debugging remote connection issues" for more details.

WMI Credentials failure

The service account did not have access rights to run processes on the target device through WMI (Windows Management Instrumentation).

Low disk space

The target device has less than 1GB of free space available. The Panorama9 Agent itself requires little disk space, but we may need to install .NET 3.5sp1 as well and reserve up to 50 MB of working space.

P9 not accessible

Prior to installing the agent, we check if the Panorama9 Cloud is reachable from the device. See "Firewall requirements" for more details. 

Agent installed, in failure state

The agent was installed but was either disabled or unable to start. If you see that the agent is in fact not able to start up, please contact Panorama9 for further assistance. 

Timeout

The target device was reachable and accepted our requests, but took too long to respond. If this problem persists, please contact Panorama9 for resolution. 

Inconclusive result

On some occasions, we have encountered Windows machines that are configured so that we can neither access the administrative share on the machine nor read an installer exit code from it. In this case, the agent probably installed correctly but we were unable to verify it. If you see this message, the machine may show up soon after (allow one hour) and this message should clear up automatically. Otherwise, contact Panorama9 for assistance.

Agent installed, could not communicate with P9

The agent was installed and started correctly, but failed to reach the Panorama9 cloud services. Verify that tower.panorama9.com is reachable on port 443 from the machine in question. 

Existing installation in progress - retrying

An existing installation process is active, or the system needs to be rebooted. We will try again later.

Error executing the installer

This indicates that the target device was in a state we did not expect and account for. Please contact Panorama9 for assistance.
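
Several of the failure states listed above can be checked by hand before contacting support. The following is an added example, not Panorama9 code: the function names are hypothetical, the TCP 135 probe (the RPC endpoint mapper) and the choice of the system drive for the free-space check are assumptions, and DESKTOP-EXAMPLE is a placeholder host name.

```powershell
# Run on the deployment server. Maps basic reachability of one target to the
# "Network lookup failed" and "WMI/RPC failure" states.
function Test-P9DeployTarget {
    param([Parameter(Mandatory)][string]$Target)

    $resolved = [bool](Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue)
    # ICMP may be filtered even when the host is up, so treat ping as a hint.
    $pingOk = Test-Connection -ComputerName $Target -Count 2 -Quiet
    # Assumption: probe TCP 135, the RPC endpoint mapper DCOM/WMI contacts first.
    $rpc = Test-NetConnection -ComputerName $Target -Port 135 -WarningAction SilentlyContinue
    $rpcOk = [bool]$rpc.TcpTestSucceeded

    $states = @()
    if (-not $resolved -or -not $pingOk) { $states += 'Network lookup failed' }
    if (-not $rpcOk)                     { $states += 'WMI/RPC failure' }

    [pscustomobject]@{
        Target       = $Target
        Resolved     = $resolved
        Ping         = $pingOk
        RpcPort135   = $rpcOk
        LikelyStates = $states -join '; '
    }
}

# Run on the target machine itself. Covers "Low disk space" and the
# cloud-reachability states (tower.panorama9.com on port 443).
function Test-P9TargetLocal {
    # Assumption: the 1 GB threshold applies to the system drive.
    $drive = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
    $cloud = Test-NetConnection -ComputerName 'tower.panorama9.com' -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        FreeGB         = [math]::Round($drive.Free / 1GB, 2)
        LowDiskSpace   = $drive.Free -lt 1GB
        CloudReachable = [bool]$cloud.TcpTestSucceeded
    }
}

# Example calls:
# Test-P9DeployTarget -Target 'DESKTOP-EXAMPLE'
# Test-P9TargetLocal
```

An open port 135 is necessary but not sufficient for remote install; the rpcping check described earlier remains the authoritative RPC test.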


Comments

  • Stefan Rasmussen

    The Registry changes can also easily be set with Group Policies without having to run a VB Script.