Summary

Post-installation tasks that may be necessary to ensure that Nomad will work correctly in your environment.

You may need to make some post-installation configuration changes to your environment to ensure that Nomad works effectively. There are two areas that may need attention: IIS request filtering and antivirus exceptions.

IIS request filtering

By default, IIS is configured to prevent certain file types from being downloaded. Configuration Manager uses a workaround that Microsoft had to implement to bypass its own security feature. Nomad does not use this workaround, so you may need to configure IIS request filtering to allow Nomad to download all content. This is done by configuring Request Filtering on each website hosted on every Distribution Point. The example process given below does the following:

  • Removes file extensions from File Name Extensions, for example .config
  • Removes folders from Hidden Segments, for example bin
  • Confirms that double escaping is enabled, to allow files with special characters in their names, for example +

Microsoft introduced IIS Request Filtering in Windows Server 2008 R2 – a security feature enabling administrators to configure IIS to block requests for specific file types and URL paths that include specific folder names or special characters. By default, IIS Request Filtering blocks a number of file extensions and folder paths that may be present in normal software distribution content (packages, applications and software updates).

Although Microsoft's documentation highlights this issue, the Configuration Manager client bypasses this security measure by using a custom method that queries for the file rather than issuing a standard HTTP GET for it directly. Nomad does not use the same workaround; instead it adheres to Microsoft's security best-practice policy of using a standard HTTP GET for the file, which is filtered out by the IIS Request Filtering feature. Therefore, it is necessary to remove or configure the IIS Request Filtering feature on all Distribution Points to allow any file extensions, paths and special characters that may exist in your Configuration Manager content.

The following examples apply to the Default Web Site. You should only configure Request Filtering at a site level or below, not at the server level.

The commands also assume the Default Web Site is configured with the default settings, with Allow unlisted file name extensions and Allow unlisted verbs both enabled.

Identifying existing restrictions

To discover the file extensions and URL path elements that are disallowed by default:

  1. Start IIS Manager.
  2. Locate your IIS server in the tree view and navigate to the website, for example Default Web Site.
  3. In the right pane, double-click the Request Filtering icon (grouped under IIS).
  4. Click the File Name Extensions tab to view a list of all the file extensions that are blocked by default. Disallowed file extensions commonly found in Configuration Manager content are: .resources, .mdb, .config, .java, .osdx, .skin, .cs, .vbproj
  5. Click the Hidden Segments tab to view all the folder names that are blocked by default.
  6. In the action pane, click on Edit Feature Settings...
  7. In the Edit Request Filtering Settings dialog confirm that Allow Double Escaping is enabled.
  8. You can review the NomadBranch.log on clients to see details of any file types that are blocked in your download, for example: 

    Error Reading. "path\bin\file name" - DP Path not found
    TransferFiles::CopyError: "path\bin\file name" - DP Path not found
    NomadBranch finished with exit code 0x205d     Job_Content_Package ID
    Source : "Inaccessible DP path" Job_Content_package ID
    
    Error Reading. "path\filename.config" - DP Path not found
    TransferFiles::CopyError: "path\filename.config" - DP Path not found
    NomadBranch finished with exit code 0x205d     Job_Content_Package ID
    Source : "Inaccessible DP path" Job_Content_package ID
    
    Error Reading. "path\filename++.exe" - DP Path not found
    TransferFiles::CopyError: " path\filename++.exe" - DP Path not found
    NomadBranch finished with exit code 0x205d     Job_Content_Package ID
    Source : "Inaccessible DP path" Job_Content_package ID

    The IIS logs for the Configuration Manager distribution points serving the Nomad download requests detail the blocked file types, for example a 404.7 error:

    [Figure: Blocked file types in the IIS log]

    Please see http://support.microsoft.com/kb/943891 for more details about HTTP status codes. For example:

    • 404.7 - File extension denied
    • 404.8 - Hidden namespace
    • 404.11 - Request contains double escape sequence
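
The log triage described in step 8, as an added example (not code from this page or from 1E): it reads IIS W3C log lines and maps each 404.7, 404.8 and 404.11 entry to the one extension, hidden segment or double-escaped path involved, so the filtering change can stay narrower than removing every restriction. The log lines, paths, package IDs and the `hidden_segments` default are constructed assumptions.

```python
import posixpath

# Constructed sample in IIS W3C extended format; paths, package IDs and IPs are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem sc-status sc-substatus c-ip
2024-01-10 09:15:02 GET /content/PKG00001/bin/setup.dll 404 8 10.0.1.20
2024-01-10 09:15:03 GET /content/PKG00002/app.config 404 7 10.0.1.20
2024-01-10 09:15:04 GET /content/PKG00003/tool++.exe 404 11 10.0.1.21
2024-01-10 09:15:05 GET /content/PKG00002/readme.txt 200 0 10.0.1.20
2024-01-10 09:15:06 GET /content/PKG00004/missing.cab 404 0 10.0.1.22
"""


def triage(log_text, hidden_segments=("bin",)):
    """Map 404.7 / 404.8 / 404.11 entries to the narrowest filtering change."""
    hidden = {s.lower() for s in hidden_segments}  # assumed Hidden Segments list
    extensions, segments, double_escaped = set(), set(), set()
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per log file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "404":
            continue
        stem = row.get("cs-uri-stem", "")
        substatus = row.get("sc-substatus")
        if substatus == "7":  # File extension denied
            extensions.add(posixpath.splitext(stem)[1].lower())
        elif substatus == "8":  # Hidden namespace
            segments.update(hidden.intersection(stem.lower().split("/")))
        elif substatus == "11":  # Request contains double escape sequence
            double_escaped.add(stem)
        # Other 404 sub-statuses (such as 404.0) are not filtering blocks: ignored.
    return {
        "fileExtensions": sorted(extensions),
        "hiddenSegments": sorted(segments),
        "doubleEscaped": sorted(double_escaped),
    }


if __name__ == "__main__":
    for setting, values in triage(SAMPLE_LOG).items():
        print(setting, values)
```
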

Updating the restricted list

Now that you have discovered what file types and folders are blocked by default, you can reconfigure the filtering to allow the specific file types and folders used by Nomad. To update the filtering:

  1. Start a command prompt (run as administrator).
  2. Change directory to C:\Windows\System32\inetsrv
  3. To remove a restricted file type, run:

    appcmd set config "Default Web Site" /section:requestFiltering /-fileExtensions.[fileExtension='.config']

    To remove all file restrictions, run:

    appcmd set config "Default Web Site" /section:requestFiltering /-fileExtensions

    To change a file extension from restricted to allowed (change Allowed from false to true), run: 

    appcmd set config "Default Web Site" /section:requestFiltering /fileExtensions.[fileExtension='.config'].allowed:true

    There is more information on restricted file types at: http://technet.microsoft.com/en-us/library/cc431377.aspx#Config_RequestFiltering

      

  4. To remove a restricted folder, run:

    appcmd set config "Default Web Site" /section:requestFiltering /-hiddenSegments.[segment='bin']

    To remove all folder restrictions, run:

    appcmd set config "Default Web Site" /section:requestFiltering /-hiddenSegments

    There is more information on restricted folders at: http://technet.microsoft.com/en-us/library/hh831621.aspx#HiddenSeg


  5. By default, any path or filename that includes special escape characters is blocked. To allow filenames or paths with special characters (double escaping) to be downloaded, run:

    appcmd set config "Default Web Site" /section:requestFiltering /allowDoubleEscaping:true

    There is more information on double escaping at: http://support.microsoft.com/kb/942076

  6. Repeat the steps in Identifying existing restrictions to ensure that:
    • .config is not listed under File Name Extensions
    • bin is not listed under Hidden Segments


If IIS Manager is already open on the Request Filtering page, you may have to refresh the screen.

Alternatively, you can manually edit the web.config file for the Default Web Site, normally found in C:\inetpub\wwwroot. It contains only the differences between the Default Web Site and the server configuration. IIS requires a restart for manual edits to take effect.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering allowDoubleEscaping="true">
                <fileExtensions>
                    <remove fileExtension=".config" />
                </fileExtensions>
                <hiddenSegments>
                    <remove segment="bin" />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

The server configuration is stored in %windir%\System32\inetsrv\config\applicationHost.config.
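
One way to script the verification in step 6 against a site-level web.config, as an added example rather than part of the 1E documentation: it reports whether double escaping is enabled and flags any removal, or a `<clear />`, that goes beyond an approved list. The sample config and the approved sets are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed site-level web.config: broader than the page's example on purpose.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true">
        <fileExtensions>
          <remove fileExtension=".config" />
          <remove fileExtension=".mdb" />
        </fileExtensions>
        <hiddenSegments>
          <clear />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""


def audit(xml_text, approved_ext, approved_seg):
    """Return (allowDoubleEscaping, findings) for a site-level web.config."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rf = root.find("system.webServer/security/requestFiltering")
    if rf is None:
        return None, []  # no site-level overrides in this file
    raw = rf.get("allowDoubleEscaping")
    double_escaping = None if raw is None else raw.lower() == "true"
    findings = []
    checks = (("fileExtensions", "fileExtension", approved_ext),
              ("hiddenSegments", "segment", approved_seg))
    for collection, attr, approved in checks:
        node = rf.find(collection)
        if node is None:
            continue
        if node.find("clear") is not None:
            findings.append(f"{collection}: <clear/> drops every inherited entry")
        allowed = {a.lower() for a in approved}
        for rem in node.findall("remove"):
            value = rem.get(attr, "")
            if value.lower() not in allowed:
                findings.append(f"{collection}: unapproved removal of {value}")
    return double_escaping, findings


if __name__ == "__main__":
    print(audit(SAMPLE_WEB_CONFIG, {".config"}, {"bin"}))
```
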


Antivirus exceptions

Nomad functionality may be impaired by antivirus programs, so you may also want to configure any antivirus systems running on your network to make exceptions for the Nomad executables and support files. Although we generally advise that no malware exclusions are used, it is justifiable in certain cases to isolate specific locations and files that are used by specific software. The following exclusions could be added for Nomad, but ensure that they are compatible with any exclusions already defined for Configuration Manager before you implement them.

Nomad installed on a DP

  • %SystemDrive%\ProgramData\1E\NomadBranch\*.LSZ
  • %SystemDrive%\ProgramData\1E\NomadBranch\LogFiles\NomadBranch.log
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\NomadBranch.exe
  • HKLM\Software\1E\NomadBranch

Nomad installed on a Configuration Manager client

  • %SystemDrive%\ProgramData\1E\NomadBranch\*_Cache\* (if the Configuration Manager cache is not excluded, do not exclude this)
  • %SystemDrive%\ProgramData\1E\NomadBranch\*.LSZ
  • %SystemDrive%\ProgramData\1E\NomadBranch\LogFiles\NomadBranch.log & *.lo_
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\CacheCleaner.exe
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\IEMNomad.exe
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\NBAPSItfPs.dll
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\NBCacheActions.exe
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\NomadBranch.exe
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\NomadPackageLocator.exe
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\PackageStatusRequest.exe
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\SMSNomad.exe
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\SMSTSNomad.exe
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\SnoItfPs.dll
  • %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\TSEnv2.exe
  • .pdb files for each of the above executables
  • HKLM\Software\1E\NomadBranch