Skip to main content
Solved

IIS and HTTP Distribution Points

K
Forum|alt.badge.img+13

Does anyone have an article or instructions to setup Windows IIS 7 to cater HTTP Distribution Point?

Information I need to know information like MIME type setup, etc. as IIS doesn't list .pkg .dmg. mpkg MIME types.

I have got IIS 7 working but having issues with non-flat packages and BOM files installed via Self Service.

All the flat packages and DMG installers are working fine but non-flat ones give errors like this;

/usr/sbin/jamf is version 8.51
Executing Policy Sophos Anti-Virus...
[STEP 1 of 2]
Downloading BOM for Sophos.pkg...
This Apple Package did not have a valid index.bom file. Assuming it is a flat file package.
Downloading http://myjss.server.com:80/CasperShare/Packages//Sophos.pkg...
Installing Sophos Anti-Virus.pkg...
Installation failed. The installer reported: installer: Error the package path specified was invalid: '/Library/Application Support/JAMF/Downloads/Sophos.pkg'.
[STEP 2 of 2]
Running Recon...
Gathering Application Usage Information...
Finding Extension Attributes...

Best answer by Kumarasinghe

To enable HTTP downloads on a Windows 2008 server using IIS

Original Instructions by Taylor Wolfe, Systems Engineer @ JAMF and added more information by me.

  1. Start menu >> Administration Tools >> Server Manager >> Roles >> Add the Web Server(IIS) role (in the setup select all checkboxes for 'Security' section. everything else leave default settings)

  2. Start menu >> Administrative Tools >> Internet Information Services Manager

  3. Expand the server >> right-click on 'Sites' >> click 'Add Web Site...'

  4. Site name: 'Casper HTTP File Server' 
        Physical path: this is the folder you need to give IIS for some system files (you might need to have casperadmin or a user have full access to this folder prior you assign this - e.g. Right Click > Properties > Security > add and give the domain user casperadmin full access)

  5. Click 'Connect as..' and give the user credentials who has full access (e.g.-casperadmin) to 'Physical path' you assigned earlier > Click OK
    You can click 'test Settings' and see if it connects to the assigned folder with without any issues.

6. Expand the server >> Expand web sites >> right-click on 'Casper HTTP File Server' >> click 'Add Virtual Directory'

  1. Enter 'CasperShare' as the Virtual Directory's name and enter the physical path to the CasperShare > Click 'Connect as...'

8. Click 'Connect as..' and give the user credentials who has read-only access (e.g.-casperinstall) to 'Physical path' you assigned earlier > Click OK
    You can click 'test Settings' and see if it connects to the assigned folder with without any issues.

  1. With the CasperShare selected, double click 'Authentication'

  2. Enable Basic Authentication and put 'Your Domain' and Disable 'Anonymous Authentication'

11. With the CasperShare selected, double click 'Authorization Rules, and give casperadmin and casperinstall users rights (as Specified Users:) to the Virtual Directory
and Remove 'Allow All Users' access.

  1. Select the 'Casper HTTP File server' >> double click 'MIME Types'

  2. Click 'Add' in the right hand column and add an additional MIME type for .dmg, .pkg, .mpkg, .bom and .* file types.

  3. Set ".dmg" with a MIME type of "file/download"

  4. Set ".pkg" with a MIME type of "application/octet-stream"
  5. Set ".mpkg" with a MIME type of "application/vnd.apple.installer+xml"
  6. Set ".bom" with a MIME type of "file/download"
  7. Set ".*" with a MIME type of "file/download"
  8. Set "." with a MIME type of "application/octet-stream"

14.  With the CasperShare selected, double click 'Directory Browsing'  and Disable Directory Browsing if it is enabled for testing (Default will be Disabled) - This will disable people from seeing list of directories and files of the HTTP share (security purposes). Casper uses absolute path to the packages/scripts so directory browsing not needed. e.g.- https://my.company.com/CasperShare/Packages//Evernote.pkg

You can temporarily enable Directory Browsing for testing the HTTP share to visit the share and make sure files and folders show up after authentication (otherwise you'll get error 403 but that's fine as directory browsing is disabled) but please Disable Directory Browsing after testing!!!

NEXT STEP is to create SSL certificate for this IIS 7 and allow HTTPS instead of HTTP to disable cleartext password communication.  

  1. Once you finish installing SSL certs, nest step is to allow HTTPS

  2. Expand the server >> Expand web sites >> right-click on 'Casper HTTP File Server' >> click 'Bindings' >> Add > https with port 443

You can remove HTTP bindings for this site now and allow only HTTPS.

You can test the HTTPS by going to your website from your web browser via HTTPS. Also check the authentication.

-------------------------
Update (13/02/2012): Please add "." with a MIME type of "application/octet-stream". Otherwise any pkg with postflight script will fail.
-------------------------

View original
    Did this topic help you find an answer to your question?

    28 replies

    A
    • Anonymous
    • 0 replies
    • April 18, 2012

    We ran into that as well and there were two things that needed to be done:
    - IIS had a self-signed cert installed and out-of-the-box machines didn't recognize it. So, we got a cert from a recognized CA. - IIS MIME types weren't set for Mac extensions like .bom and .pkg, so we added those.

    C
    Forum|alt.badge.img+13
    • Chris
    • Valued Contributor
    • 268 replies
    • April 18, 2012

    I had to define PKGs as application/x-newton-compatible-pkg on my Windows IIS hosted Reposado to make it work

    D
    Forum|alt.badge.img+18
    • david_yenzer
    • Valued Contributor
    • 159 replies
    • June 28, 2012

    This seems like the most recent package/BOM installation issue, so I'll post my experience here.

    We had successfully installed Firefox and Chrome browsers via Self-Service and package trigger deliveries to several tested iMacs last week, and were working on creating a package for Numbers/Pages/Keynote. This week, all packages using all methods of delivery started failing with a message similar to the one mentioned above:
    (1) This Package did not have a valid index.bom file. Assuming it is a flat file package.
    (2) Could not find the package
    (3) Fail

    We verified that the package existed on the Casper Share.
    We reuploaded the package into Composer and recreated the package, using both dmg and pkg. Still failed.
    We specified the distribution point. Still failed.

    We tried several other things, but the solution we have discovered at this point is:

    Login to Casper Admin:
    Click Management > Policies > click Edit Policy on an existing Policy > expand the General tab option to Override Default Policy Settings > check the option to Force Distribution Points to use AFP/SMB instead of HTTP

    ------------------------
    Obviously there is some sort of issue with Http which wasn't there before, so I hesitate to say this is a perfect fix without giving it more time to test distribution or having some sort of rational explanation for why it conked out on us. But it's working for us now so we'll roll with the "one-check-box-and-it's-fixed".

    L
    Forum|alt.badge.img+15
    • Lhsachs
    • Contributor
    • 88 replies
    • June 28, 2012

    I had a similar issue on one of my distribution points on a windows vm. I resolved it by going to the CasperShare directory in IIS manager, clicking edit permissions, that brings up CasperShare properties, going to the sharing pane, click share, and adding 'Everyone' with read rights. That's added on to Administrators, IUSR, my acct, and the casperinstall and casperadmin service accounts

    K
    Forum|alt.badge.img+13
    • Kumarasinghe
    • Author
    • Contributor
    • 400 replies
    • June 28, 2012

    I've got mine working long ago. No problems since then. Taylor Wolfe, Systems Engineer @ JAMF helped me by sending the instructions.

    I'll post the full instructions which includes some valuable additions to the original.

    K
    Forum|alt.badge.img+13
    • Kumarasinghe
    • Author
    • Contributor
    • 400 replies
    • Answer
    • June 29, 2012

    To enable HTTP downloads on a Windows 2008 server using IIS

    Original Instructions by Taylor Wolfe, Systems Engineer @ JAMF and added more information by me.

    1. Start menu >> Administration Tools >> Server Manager >> Roles >> Add the Web Server(IIS) role (in the setup select all checkboxes for 'Security' section. everything else leave default settings)

    2. Start menu >> Administrative Tools >> Internet Information Services Manager

    3. Expand the server >> right-click on 'Sites' >> click 'Add Web Site...'

    4. Site name: 'Casper HTTP File Server' 
          Physical path: this is the folder you need to give IIS for some system files (you might need to have casperadmin or a user have full access to this folder prior you assign this - e.g. Right Click > Properties > Security > add and give the domain user casperadmin full access)

    5. Click 'Connect as..' and give the user credentials who has full access (e.g.-casperadmin) to 'Physical path' you assigned earlier > Click OK
      You can click 'test Settings' and see if it connects to the assigned folder with without any issues.

    6. Expand the server >> Expand web sites >> right-click on 'Casper HTTP File Server' >> click 'Add Virtual Directory'

    1. Enter 'CasperShare' as the Virtual Directory's name and enter the physical path to the CasperShare > Click 'Connect as...'

    8. Click 'Connect as..' and give the user credentials who has read-only access (e.g.-casperinstall) to 'Physical path' you assigned earlier > Click OK
        You can click 'test Settings' and see if it connects to the assigned folder with without any issues.

    1. With the CasperShare selected, double click 'Authentication'

    2. Enable Basic Authentication and put 'Your Domain' and Disable 'Anonymous Authentication'

    11. With the CasperShare selected, double click 'Authorization Rules, and give casperadmin and casperinstall users rights (as Specified Users:) to the Virtual Directory
    and Remove 'Allow All Users' access.

    1. Select the 'Casper HTTP File server' >> double click 'MIME Types'

    2. Click 'Add' in the right hand column and add an additional MIME type for .dmg, .pkg, .mpkg, .bom and .* file types.

    3. Set ".dmg" with a MIME type of "file/download"

    4. Set ".pkg" with a MIME type of "application/octet-stream"
    5. Set ".mpkg" with a MIME type of "application/vnd.apple.installer+xml"
    6. Set ".bom" with a MIME type of "file/download"
    7. Set ".*" with a MIME type of "file/download"
    8. Set "." with a MIME type of "application/octet-stream"

    14.  With the CasperShare selected, double click 'Directory Browsing'  and Disable Directory Browsing if it is enabled for testing (Default will be Disabled) - This will disable people from seeing list of directories and files of the HTTP share (security purposes). Casper uses absolute path to the packages/scripts so directory browsing not needed. e.g.- https://my.company.com/CasperShare/Packages//Evernote.pkg

    You can temporarily enable Directory Browsing for testing the HTTP share to visit the share and make sure files and folders show up after authentication (otherwise you'll get error 403 but that's fine as directory browsing is disabled) but please Disable Directory Browsing after testing!!!

    NEXT STEP is to create SSL certificate for this IIS 7 and allow HTTPS instead of HTTP to disable cleartext password communication.  

    1. Once you finish installing SSL certs, nest step is to allow HTTPS

    2. Expand the server >> Expand web sites >> right-click on 'Casper HTTP File Server' >> click 'Bindings' >> Add > https with port 443

    You can remove HTTP bindings for this site now and allow only HTTPS.

    You can test the HTTPS by going to your website from your web browser via HTTPS. Also check the authentication.

    -------------------------
    Update (13/02/2012): Please add "." with a MIME type of "application/octet-stream". Otherwise any pkg with postflight script will fail.
    -------------------------

    mhasman
    A
    2 people like this
    • mhasman
      mhasman
    • A
      adolfsson
    J
    Forum|alt.badge.img+24
    • jarednichols
    • Valued Contributor
    • 1892 replies
    • July 2, 2012

    +1 to Kumarasinghe

    I needed to tweak my MIME types to get .pkgs working correctly (e.g. Flash installer). Thanks for this.

    N
    Forum|alt.badge.img+19
    • nkalister
    • Contributor
    • 437 replies
    • October 25, 2012

    Need some more help with this . . . .I've set up the mime types and site settings as shown here. DMG, flat pkg's, and old-school pkg's without scripts work fine. Any mpkg or pkg with a postflight script fails. I've checked into it a bit- it appears that any file embedded in the packages without a file extension does not download correctly- instead of the real contents of those files, they contain an http 404 error message. This is strange, since I have set up the mime types on the server as outlined in this thread. It seems like the .* mime type is not having the expected effect.
    So, any tips for resolving this issue with files that have no file extension?

    K
    Forum|alt.badge.img+13
    • Kumarasinghe
    • Author
    • Contributor
    • 400 replies
    • October 25, 2012

    @nkalister

    Are you on IIS6?
    http://support.microsoft.com/kb/326965

    Set "*" with a MIME type of "application/octet-stream"
    or
    Set "." with a MIME type of "application/octet-stream"

    N
    Forum|alt.badge.img+19
    • nkalister
    • Contributor
    • 437 replies
    • October 26, 2012

    IIS 7 . . .
    but, I tried your suggestion anyway and it worked! I had already done the "." alone- it wouldn't work until I did both "." and "*" as well.
    thanks, Kumarasinghe!

    C
    Forum|alt.badge.img+17
    • Cem
    • Contributor
    • 352 replies
    • May 20, 2013

    http works using Self Service Policy but if I switch to https it doesn't. I think it is to do with the SSL Cert. I am trying to use the self signed cert for testing. I can download the package if I copy and paste the link. But that fails through Self Service Policy. Any ideas?

    S
    Forum|alt.badge.img+12
    • Sonic84
    • Valued Contributor
    • 139 replies
    • May 20, 2013

    I'm in the same boat as Cem, however I'm not using a self-signed cert. I followed Taylor Wolfe's directions to get IIS working with ssl. However I get package not found error when I attempt to use Casper remote. If I copy/paste the link from the Casper Remote debug log into a browser I can download the package without issue after I enter the casperinstall credentials.

    I added a dummy index.html in [server]/CasperShare/index.html as a test, I can view the page with https.

    Any Ideas? I am fairly new to IIS :(

    <result400>
Checking for policy ID 38247...
Gathering Policy Information from https://casperdev.dev.com:8443//...
Executing Policy 2013-05-20 at 2:55 PM | master | 1 Computer...
    Downloading BOM for Adobe Flash Player 11.7.700.202.pkg...
    This Apple Package did not have a valid index.bom file. Assuming it is a flat file package.
    Downloading https://jssapp1dev.dev.com:443/CasperShare/Packages//Adobe Flash Player 11.7.700.202.pkg...
    Error: The package (Adobe Flash Player 11.7.700.202.pkg) could not be found.
    Submitting log to https://casperdev.dev.com:8443//...
</result400>
    antoinekinch11
    Forum|alt.badge.img+9

    Has anybody seen when a script goes to run and it gives the following error:

    Script result: /private/tmp/KillForAdobeUpdate.sh: line 1: !DOCTYPE: No such file or directory
    /private/tmp/KillForAdobeUpdate.sh: line 2: html: No such file or directory
    /private/tmp/KillForAdobeUpdate.sh: line 3: head: No such file or directory
    /private/tmp/KillForAdobeUpdate.sh: line 4: meta: No such file or directory
    /private/tmp/KillForAdobeUpdate.sh: line 5: title: No such file or directory
    /private/tmp/KillForAdobeUpdate.sh: line 6: style: No such file or directory
    /private/tmp/KillForAdobeUpdate.sh: line 7: !--
    : No such file or directory
    /private/tmp/KillForAdobeUpdate.sh: line 8: body{margin:0: command not found
    /private/tmp/KillForAdobeUpdate.sh: line 8: font-size:.7em: command not found
    /private/tmp/KillForAdobeUpdate.sh: line 8: font-family:Verdana,: command not found
    /private/tmp/KillForAdobeUpdate.sh: line 8: background:#EEEEEE: command not found
    /private/tmp/KillForAdobeUpdate.sh: line 8: }
    : command not found
    /private/tmp/KillForAdobeUpdate.sh: line 9: syntax error near unexpected token `}'
    /private/tmp/KillForAdobeUpdate.sh: line 9: `fieldset{padding:0 15px 10px 15px;} '
    Does this have to do with the mime type? This is JSS 8.7.1 on IIS 7. I upgraded from 8.6.1 to 8.7.1 and now my scripts are failing.

    C
    Forum|alt.badge.img+17
    • Cem
    • Contributor
    • 352 replies
    • July 2, 2013

    @bajankinch, i think it happens because of permissions.
    try running this command after mounting the DP on a Mac:
    sudo chmod -R 755 /Path/to/the/package

    OR make sure you have correct local and ACL groups have read/write access in DP Win Server.

    antoinekinch11
    Forum|alt.badge.img+9

    It turns out that after upgrading the server the symlink between the CasperShare and the web server root was broken. It had to be reset!

    https://jamfnation.jamfsoftware.com/article.html?id=116

    Z
    Forum|alt.badge.img+7
    • zskidmor
    • Contributor
    • 40 replies
    • March 3, 2015

    we have an IIS 8 web server setup the same way as outlined in this discussion, but when I try to download an individual pkg off of it, I get a forbidden message from the web server. I can connect to the share directly using the same credentials. If I enable directory browsing I can get to the pkg and download files. When Casper apps try to use it, the downloads process hangs saying "connection interrupted" any thoughts?

    J
    Forum|alt.badge.img+8
    • jimmy-swings
    • Valued Contributor
    • 109 replies
    • July 1, 2015

    Did you have any luck with your problem? Was it that you were using a self signed cert?

    N
    Forum|alt.badge.img
    • niravbhavsar
    • New Contributor
    • 1 reply
    • July 29, 2016

    Hi all,
    How can i restrict user to download some files directly to download if login does not exist in web application. ?

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Legendary Contributor
    • 4331 replies
    • August 20, 2016

    @niravbhavsar You'll need to enable basic auth on IIS & update the JSS to use those details.

    bradtchapman
    Forum|alt.badge.img+20
    • bradtchapman
    • Valued Contributor
    • 588 replies
    • October 14, 2016

    We're considering a similar set up with Windows Server 2012 R2 and IIS.

    Is the solution presented in this article still valid and relevant for today? Or is there a better way to do it? And what about replication? We are planning to do something like this with possibly up to 10 servers globally.

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Legendary Contributor
    • 4331 replies
    • October 15, 2016

    @bradtchapman I recently setup a DP on windows 2012 for HTTP.. I pretty much just followed what JAMF have posted, I think.

    TBH, it was quite painless so I don't remember.

    For the DP's... i'd probably look at a scheduled sync via robocopy or something like that.

    N
    Forum|alt.badge.img+19
    • nkalister
    • Contributor
    • 437 replies
    • October 15, 2016

    i'd echo @bentoms on the synching- I managed a fleet of DP's running on windows fileshares at one point, and running robocopy as a scheduled task worked very well. Set and forget, basically, once I wrapped my head around robocopy's peculiar way of doing throttling.

    donmontalvo
    Forum|alt.badge.img+36
    • donmontalvo
    • Legendary Contributor
    • 4293 replies
    • October 15, 2016

    +1 for robocopy if your DPs are on Windows. :)

    --https://donmontalvo.com
    bradtchapman
    Forum|alt.badge.img+20
    • bradtchapman
    • Valued Contributor
    • 588 replies
    • October 15, 2016

    Do you recommend creating multiple robocopy tasks on the master DP, one to push to each remote DP, or a single robocopy job on each remote DP to pull from the master?

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Legendary Contributor
    • 4331 replies
    • October 16, 2016

    @bradtchapman pull from master, well that's what I used to do with rsync jobs.

    That was you can also change the time for the replica, to maybe a time that better suits their site for bandwidth.

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings