#376 closed defect (fixed)
Installer dependency on firewall breaks DCs
| Reported by: | gfilion | Owned by: | MickeM |
|---|---|---|---|
| Priority: | 1 | Milestone: | 0.3.7 |
| Component: | Core | Version: | 0.3.7 |
| Severity: | Bugs | Keywords: | |
| Cc: | | | |
Description
Although similar to #314, I didn't want to hijack this other ticket because I think the nature of the problem is different.
Currently, the .msi installer for NSClient++ requires the firewall to be active during the installation so that rules can be added. If the firewall is not running, it starts it automatically for a short period.
This period, however short it is, is enough to crash a domain controller: domain controllers must never have a firewall activated, else they lose sync with the other DCs and all services get confused, causing a serious crash.
The problem is I'd still like to monitor the DC, but I can't have nscp install silently when I need to push an update.
Having an option to be able to prevent the installer from starting the firewall would be great.
Attachments (1)
Change History (11)
comment:1 Changed 3 years ago by mickem
comment:2 Changed 3 years ago by gfilion
Indeed, the problem resides in the msi packaging.
I thought the packaging was done by people on this site, since .msi installers are available in the download section.
If it's not the case, then this issue was opened in the wrong place and I'll need to find how to contact the package maintainer directly.
comment:3 Changed 3 years ago by mickem
They are done by me, but you can disable the firewall exception in the MSI (which is what you want, right?)
Michael Medin
Changed 3 years ago by mickem
comment:4 Changed 3 years ago by mickem
comment:5 Changed 3 years ago by gfilion
Interesting. So it is possible to go around it.
My concern, however, is with the unattended install of the package (e.g. without using the GUI). Is it possible to specify the same thing as per the screenshot as a command line option to the unattended upgrade?
comment:6 Changed 3 years ago by gfilion
Would it be possible to add a command-line argument to the installer to skip firewall exceptions? The functionality is already implemented in the installer for the GUI.
comment:7 Changed 3 years ago by mickem
I am no expert on MSI packaging, but I assumed the point of the "components" was they were configurable (regardless of if the UI is used or not?)?
See this for instance: http://support.microsoft.com/kb/230781
Michael Medin
comment:8 Changed 3 years ago by gfilion
Hello, well, your last comment sent me on the right path. To run the installer in unattended mode without installing the firewall exception, one can use the following command:
msiexec /i "NSClient++-0.3.7-Win32.msi" /quiet /norestart ADDLOCAL=ALL REMOVE="FireWallException"
I've run the install w/ and w/o the exception, but in both situations I don't have any trace of the firewall being started. That means in the VM I tested it, I can't confirm that I won't break a domain controller with the installation. But it is a step in the right way: now I can use a setup that is somewhat nearer to the reality to see if it's successful.
It would be great to add information about this command in the documentation (wiki, README or a help file somewhere).
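The check comment:8 could not complete, written out as an added example (not part of the original ticket or the NSClient++ project): run the same unattended install on a test machine with verbose MSI logging, then confirm that the FireWallException feature was skipped and that the firewall service was never started. The service names, log path, English event text and availability of `Get-WinEvent` are assumptions.

```powershell
# Added example: run on a test VM first, not on a production domain controller.
$msi     = 'NSClient++-0.3.7-Win32.msi'            # file name from the ticket
$log     = Join-Path $env:TEMP 'nscp-install.log'  # assumed log location
# Assumed firewall service names: MpsSvc (Vista/2008 and later), SharedAccess (XP/2003).
$fwNames = 'MpsSvc', 'SharedAccess'

function Get-FirewallState {
    # Returns e.g. "MpsSvc=Stopped"; empty string if neither service exists.
    (Get-Service -Name $fwNames -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
}

$before = Get-FirewallState
$start  = Get-Date

# Same command as in the ticket, plus verbose MSI logging (/l*v).
$msiArgs = "/i `"$msi`" /quiet /norestart /l*v `"$log`" " +
           "ADDLOCAL=ALL REMOVE=`"FireWallException`""
$proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
"msiexec exit code: $($proc.ExitCode)  (0 = success, 3010 = reboot required)"

$after = Get-FirewallState

# 1. Feature state the installer resolved for FireWallException.
#    The verbose log has "Feature: <name>; Installed: ...; Request: ...; Action: ..." lines.
"--- feature lines from MSI log ---"
Get-Content $log | Select-String -Pattern 'Feature: FireWallException;' |
    ForEach-Object { $_.Line.Trim() }

# 2. Firewall service state before and after the install.
"--- firewall service: before [$before] / after [$after] ---"
if ($before -ne $after) { 'WARNING: firewall service state changed' }

# 3. A short start/stop between the two snapshots still leaves a
#    Service Control Manager event 7036 in the System log.
"--- firewall service state changes since $start ---"
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $start } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'Firewall' }   # English display name assumed
if ($events) {
    $events | Sort-Object TimeCreated | ForEach-Object { "$($_.TimeCreated)  $($_.Message)" }
} else {
    'No firewall service start/stop events recorded during the install.'
}
```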
comment:9 Changed 3 years ago by mickem
- Resolution set to fixed
- Status changed from new to closed
Ok.
I am very unsure of how to work with MSI (as I have never really done silent unattended installs) but I assume it "should work" since I use standard tools. So it is good that you can at least to some degree verify this for me :P
Anyways,
I have started the Installation page where you (and others) are free to add any new things you can come up with.
Michael Medin
comment:10 Changed 3 years ago by mickem
- Milestone set to 0.3.7

The firewall is a component which presumably can be disabled by your MSI packaging (or by hand in the wizard).
Or am I missing something?
Michael Medin