Summary

Post-installation tasks that may be necessary to ensure that Nomad will work correctly in your environment.

You may need to make some post-installation configurations to your environment to ensure that Nomad works effectively. There are two areas that may need attention:

Basic verification tests

For installations and upgrades:

• 1E Client software is installed
• 1E Client and Nomad Branch services both exist and running
• Default path for Nomad Branch service is C:\Program Files\1E\Client\Extensibility\NomadBranch\NomadBranch.exe
• System PATH environment variable has added C:\Program Files\1E\Client\Extensibility\NomadBranch in 
• Open a command prompt and type following commands (in bold, expected responses in normal text):

>where nomadbranch
C:\Program Files\1E\Client\Extensibility\NomadBranch\NomadBranch.exe

>nomadbranch -version
NomadBranch Version 7.0.200.XXX (ABC PQ 2019)

• Nomad registry values are as expected - using default values unless specified differently in the installer, command-line or in the MST transform file.

In addition, for upgrades from Nomad 6.3.201 or Tachyon Agent 4.0 - example is for x64 but may be for x86

• 1E NomadBranch x64 / 1E Tachyon Agent x64 products are uninstalled
• Tachyon.Agent service is removed
• System PATH environment variable has removed C:\Program Files\1E\NomadBranch\ 
• After upgrade, following Nomad registry settings are changed:
  • InstallationDirectory changed to C:\Program Files\1E\Client\Extensibility\NomadBranch
  • ProductVersion changed to 7.0.200.XXX
  • TachyonAgentVersion changed to 5.1.0.XXX

IIS request filtering

By default IIS is configured to prevent certain file types from being downloaded. You may need to configure these to allow Nomad to download all content as it does not use the Configuration Manager workaround that Microsoft had to implement to bypass its own security feature. This is done by configuring Request Filtering on each website hosting the Configuration Manager DP. The example process given below does the following:

• Removes file extensions from File Name Extensions, for example .config
• Removes folders from Hidden Segments, for example bin
• Confirms that double escaping is enabled, to allow files with special characters in their names, for example +

Microsoft introduced IIS Request Filtering in Windows Server 2008 R2 – a security feature enabling administrators to configure IIS to block requests for specific file types and URL paths that include specific folder names or special characters. By default, IIS Request Filtering blocks a number of file extensions and folder paths that may be present in normal software distribution content (packages, applications and software updates).

Although, Microsoft's documentation highlights this issue, the Configuration Manager client bypasses this security measure by using a custom method and querying for the file rather than a standard HTTP GET for it directly. Nomad does not use the same workaround but instead adheres to Microsoft's security best-practice policy of using a standard HTTP GET for the file which is filtered out by the IIS Request Filtering feature. Therefore, it is necessary to remove or configure the IIS Request Filtering feature on all distribution points to allow any file extensions, paths and special characters that may exist in your Configuration Manager content.

Identifying existing restrictions

To discover files extensions and URL paths elements that are disallowed by default:

1. Start IIS Manager.
2. Locate your IIS server in the tree view and navigate to the website, for example Default Web Site.
3. In the right pane, double-click the Request Filtering icon (grouped under IIS).
4. Click the File Name Extensions tab to view a list of all the file extensions that are blocked by default. Disallowed file extensions commonly found in Configuration Manager content are:  .resources, .mdb, .config, .java, .osdx, .skin, .cs, .vbproj. 
5. Click the Hidden Segments tab to view all the folder names that are blocked by default.
6. In the action pane, click on Edit Feature Settings...
7. In the Edit Request Filtering Settings dialog confirm that Allow Double Escaping is enabled.

8. You can review the NomadBranch.log on clients to see details of any file types that are blocked in your download, for example: 

   Error Reading. "path\bin\file name" - DP Path not found
   TransferFiles::CopyError: "path\bin\file name" - DP Path not found
   NomadBranch finished with exit code 0x205d     Job_Content_Package ID
   Source : "Inaccessible DP path" Job_Content_package ID
   
   Error Reading. "path\filename.config" - DP Path not found
   TransferFiles::CopyError: "path\filename.config" - DP Path not found
   NomadBranch finished with exit code 0x205d     Job_Content_Package ID
   Source : "Inaccessible DP path" Job_Content_package ID
   
   Error Reading. "path\filename++.exe" - DP Path not found
   TransferFiles::CopyError: " path\filename++.exe" - DP Path not found
   NomadBranch finished with exit code 0x205d     Job_Content_Package ID
   Source : "Inaccessible DP path" Job_Content_package ID

   whilst the IIS logs for the Configuration Manager distribution points serving the Nomad download requests details the blocked files types, for example a 404.7 error:

   

   Please see http://support.microsoft.com/kb/943891 for more details about HTTP status codes. For example:

   • 404.7 - File extension denied
   • 404.8 - Hidden namespace
   • 404.11 - Request contains double escape sequence

Updating the restricted list

Now that you have discovered what file types and folders are blocked by default, you can reconfigure the filtering to allow specific the file types and folders to be used by Nomad. To update the filtering:

1. Start a command prompt (run as administrator).
2. Change directory to C:\Windows\System32\inetsrv

3. To remove a restricted file type, run:

   appcmd set config "Default Web Site" /section:requestfiltering /-fileExtensions.[fileextension='.config']

   To remove all file restrictions, run:

   appcmd set config "Default Web Site" /section:requestfiltering /-fileExtensions

   To change a file extension from restricted to allowed (change Allowed from false to true), run: 

   appcmd set config "Default Web Site" /section:requestFiltering /fileExtensions.[fileExtension='.config'].allowed:true

   There is more information on restricted file types at: http://technet.microsoft.com/en-us/library/cc431377.aspx#Config_RequestFiltering

     

4. To remove a restricted folder, run:

   appcmd set config "Default Web Site" /section:requestfiltering /-hiddensegments.[segment='bin']

   To remove all folder restrictions, run:

   appcmd set config "Default Web Site" /section:requestfiltering /-hiddensegments

   There is more information on restricted folders at: http://technet.microsoft.com/en-us/library/hh831621.aspx#HiddenSeg

   
   

5. By default, any path or filename that includes special escape characters are blocked. To allow filenames or paths with special characters (double escaping) to be downloaded, run:

   appcmd set config "Default Web Site" /section:requestfiltering /allowdoubleescaping:true

   There is more information on double escaping at: http://support.microsoft.com/kb/942076 
    

6. Repeat the steps in Identifying existing restrictions to ensure that:
   
   • .config is not listed under File Name Extensions
   • bin is not listed under Hidden Segments

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering allowDoubleEscaping="true">
                <fileExtensions>
                    <remove fileExtension=".config" />
                </fileExtensions>
                <hiddenSegments>
                    <remove segment="bin" />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Antivirus exceptions

Nomad functionality may be impaired by antivirus programs so you may also want to configure any antivirus systems running on your network to make exceptions for the Nomad executables and support files. Although we generally advise that no malware exclusions are used, it is justifiable in certain cases to isolate specific locations and files that are used by specific software. Here is a list of exclusions that could be added for Nomad but ensure that these are compatible with any exclusions already defined for Configuration Manager before you implement them.

Nomad installed on a DP

• %SystemDrive%\ProgramData\1E\NomadBranch\*.LSZ
• %SystemDrive%\ProgramData\1E\NomadBranch\LogFiles\NomadBranch.log
• %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\NomadBranch.exe
• HKLM\Software\1E\NomadBranch

Nomad installed on a Configuration Manager client

• %SystemDrive%\ProgramData\1E\NomadBranch\*_Cache\* (if the Configuration Manager cache is not excluded, do not exclude this)
• %SystemDrive%\ProgramData\1E\NomadBranch\*.LSZ
• %SystemDrive%\ProgramData\1E\NomadBranch\LogFiles\NomadBranch.log & *.lo_
• %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\CacheCleaner.exe
• %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\IEMNomad.exe
  
• %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\NBCacheActions.exe
• %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\NomadBranch.exe
• %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\NomadPackageLocator.exe
• %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\PackageStatusRequest.exe
• %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\SMSNomad.exe
• %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\SMSTSNomad.exe
  
• %SystemDrive%\Program Files\1E\Client\Extensibility\NomadBranch\TSEnv2.exe
• .pdb files for each executable
• HKLM\Software\1E\NomadBranch