Answer

This article shows you how to:

• Change the package location
• Secure the package location

Changing the Package Location

It can be beneficial to select a different location on your Package Servers to save disk space. When the storage location for a package is changed to a custom location, the Package Server: 

• Moves the files from the old location to the new location
• Deletes the old location
• Checks what is to be downloaded

When files are removed from a package, the Package Server deletes them when it refreshes the package. However, removed files are not deleted if the package has a custom location as it cannot determine if the files are part of the package. Example: several packages with the same destination or the custom location contains user files.

Also, as the Package Server is installed on the same drive as the Altiris Agent you can select a different drive when installing the Agent.

This option is on a per package basis. What that means is that each existing package and all new packages would be configured this way. There currently is not a way to globally change the default location of the packages stored on the package server. All packages will continue to have the default location of "%ProgramFiles%\Altiris\Altiris Agent\Package Delivery". The only way to change this location is by removing the Altiris Agent completely, implying the removal of all subagents, then reinstall the agent on the desired drive.

1. In the Altiris Console, click the Configuration tab.
2. Example:
   To change the Altiris Agent package location, in the left pane select Altiris Agent > Altiris Agent Rollout > Altiris Agent Package. In the right pane, click the Package Servers tab, select Package Destination Location on Package Servers and enter a location in the field provided.
3. In the location field, specify a directory path or use system environment variables found on the Package Server. The following are valid paths:
   c:\share\<packagefoldername>
   f:\<packagefoldername>
   \\%COMPUTERNAME%\share\<packagefoldername>
   \\%COMPUTERNAME%\eXpress\<packagefoldername>
   /var/packages/<packagefoldername>

Warning: Ensure you specify a subfolder that is unique to each package in the Package Destination Location on Package Servers field!

If you do not specify a sub-folder, or use the same folder for more than one package, this can create a dangerous situation that could remove the entire destination folder and its contents. It is absolutely imperative that you configure an appropriate sub-folder when performing this task; otherwise the contents of your entire share could be deleted when the package is deleted!

When a package is removed (either by it becoming invalid or by manually clearing the Package Destination Location on Package Servers field) then the entire folder that the package resides in will be deleted, including any other files originally located there that were not part of the package.

Remember, ensure you specify a folder for each package in the Package Destination Location on Package Servers field!

Securing the Package Location

This section shows you how to:

• Secure the package location
• Allow anonymous access to package locations
• Disable location security

The Agent Connectivity Credentials (ACC), in the Global Altiris Agent Settings page, are used by the Package Server to add file-based security to download package files, if so configured.

Note: The Agent Connectivity Credentials used must be a known account on the Notification Server and every Package Server.

To secure files in packages on the Notification Server and Package Servers configure Windows NTFS file permissions. If the user account can’t be validated on a Package Server (for example, non-trusting domain or computer account from another computer), Altiris agents won’t download files from this Package Server.

Using a domain account as the ACC will work if the Altiris agents, Package Servers, and Notification Server exist in the same domain, or a trust exists between the multiple domains in your environment.

If your environment contains multiple domains and no trust exists between these domains, when you specify an ACC, enter a local user account name and not a domain account user name and password. The format for entering the local user account name as the ACC is one of the following:

• .\localuser
• localuser (where localuser is the name of the local computer account)

If you specify a local account as the ACC, we recommend you enable the Create the Agent Connectivity Credential on Package Servers option on the Settings tab of the Package Server page (provided the ACC is not a Domain Account). This ensures a local account will be created and applied to the downloaded package files on all Package Servers, if it doesn’t already exist on all Package Server computers, on all trusted and non-trusted domains.

The Altiris Agents can use this local account to connect to Package Servers across nontrusted domains when downloading files.

If you specify a local account and the Create the Agent Connectivity Credential on Package Servers (provided the ACC is not a Domain Account), the local account needs to already exist on every Package Server. If not, the Package Server can’t apply security to downloaded packages and will not publish codebases as ready to the Notification Server.

Creating the Agent Connectivity Credential on Package Servers

1. In the Altiris Console, select the Configuration tab.
2. In the left pane, navigate to Configuration > Server Settings > Notification Server Infrastructure > Package Servers.
3. In the right pane, click the Settings tab.
4. Select Create the Agent Connectivity Credential on Package Servers (provided the ACC is not a domain account). Selecting this option allows you to enable the following:
   • Re-enable the created local account if it has been locked out.
   • Create the ACC even if the Package Server is also a Domain Controller.

Allow anonymous access to package locations

You can enable all packages downloaded to Package Servers to have anonymous access applied to the directories containing the package files. Anonymous access will also be enabled for the directory security inside IIS for the hosted Package Server packages.

If this feature is disabled the Agent Connectivity Credentials on the Global Altiris Agent Settings page will be used when applying security to the Package Server files. Any HTTP virtual directories mapped to packages on the Package Server will then have Integrated Windows authentication enabled.

All authenticated users are allowed to download through UNC when anonymous access is enabled. For example, if a Package Server in a non-trusted domain has anonymous access enabled on its files and the ACC account the Altiris Agent uses to connect anonymously to the UNC source cannot be authenticated, access with be denied and no download will occur. However, you can download through HTTP from a Package Server, in a non-trusted domain, using anonymous access because the ACC account doesn’t need to be authenticated.

Disable Package Location Security

You can configure a registry key to disable security on a Package Location. For information, see Section 3.3 of Altiris Knowledgebase article 17613.