IIS and HTTP Distribution Points

Kumarasinghe
Valued Contributor

Does anyone have an article or instructions to set up Windows IIS 7 to cater for an HTTP Distribution Point?

I need to know information like MIME type setup, etc., as IIS doesn't list .pkg, .dmg, .mpkg MIME types.

I have got IIS 7 working but am having issues with non-flat packages and BOM files installed via Self Service.

All the flat packages and DMG installers are working fine but non-flat ones give errors like this:

/usr/sbin/jamf is version 8.51
Executing Policy Sophos Anti-Virus...
[STEP 1 of 2]
Downloading BOM for Sophos.pkg...
This Apple Package did not have a valid index.bom file. Assuming it is a flat file package.
Downloading http://myjss.server.com:80/CasperShare/Packages//Sophos.pkg...
Installing Sophos Anti-Virus.pkg...
Installation failed. The installer reported: installer: Error the package path specified was invalid: '/Library/Application Support/JAMF/Downloads/Sophos.pkg'.
[STEP 2 of 2]
Running Recon...
Gathering Application Usage Information...
Finding Extension Attributes...

1 ACCEPTED SOLUTION

Kumarasinghe
Valued Contributor

To enable HTTP downloads on a Windows 2008 server using IIS

Original instructions by Taylor Wolfe, Systems Engineer @ JAMF, with more information added by me.

  1. Start menu >> Administrative Tools >> Server Manager >> Roles >> Add the Web Server (IIS) role (in the setup, select all checkboxes in the 'Security' section; leave everything else at default settings)

  2. Start menu >> Administrative Tools >> Internet Information Services Manager

  3. Expand the server >> right-click on 'Sites' >> click 'Add Web Site...'

  4. Site name: 'Casper HTTP File Server'
        Physical path: this is the folder you need to give IIS for some system files (you might need to give casperadmin or another user full access to this folder before you assign it - e.g. Right Click > Properties > Security > add and give the domain user casperadmin full access)

  5. Click 'Connect as..' and give the credentials of the user who has full access (e.g. casperadmin) to the 'Physical path' you assigned earlier > Click OK
        You can click 'Test Settings' and see if it connects to the assigned folder without any issues.

  6. Expand the server >> Expand web sites >> right-click on 'Casper HTTP File Server' >> click 'Add Virtual Directory'

  7. Enter 'CasperShare' as the Virtual Directory's name and enter the physical path to the CasperShare > Click 'Connect as...'

  8. Click 'Connect as..' and give the credentials of the user who has read-only access (e.g. casperinstall) to the 'Physical path' you assigned earlier > Click OK
        You can click 'Test Settings' and see if it connects to the assigned folder without any issues.

  9. With the CasperShare selected, double click 'Authentication'

  10. Enable Basic Authentication and put 'Your Domain' and Disable 'Anonymous Authentication'

  11. With the CasperShare selected, double click 'Authorization Rules', give the casperadmin and casperinstall users rights (as Specified Users:) to the Virtual Directory, and Remove 'Allow All Users' access.

  12. Select the 'Casper HTTP File Server' >> double click 'MIME Types'

  13. Click 'Add' in the right hand column and add an additional MIME type for .dmg, .pkg, .mpkg, .bom and .* file types:
        - Set ".dmg" with a MIME type of "file/download"
        - Set ".pkg" with a MIME type of "application/octet-stream"
        - Set ".mpkg" with a MIME type of "application/vnd.apple.installer+xml"
        - Set ".bom" with a MIME type of "file/download"
        - Set ".*" with a MIME type of "file/download"
        - Set "." with a MIME type of "application/octet-stream"

  14. With the CasperShare selected, double click 'Directory Browsing' and Disable Directory Browsing if it is enabled for testing (Default will be Disabled) - This will stop people from seeing the list of directories and files of the HTTP share (security purposes). Casper uses the absolute path to the packages/scripts, so directory browsing is not needed. e.g. https://my.company.com/CasperShare/Packages//Evernote.pkg

You can temporarily enable Directory Browsing for testing the HTTP share to visit the share and make sure files and folders show up after authentication (otherwise you'll get error 403 but that's fine as directory browsing is disabled) but please Disable Directory Browsing after testing!!!

NEXT STEP is to create an SSL certificate for this IIS 7 and allow HTTPS instead of HTTP to disable cleartext password communication.

  15. Once you finish installing SSL certs, the next step is to allow HTTPS

  16. Expand the server >> Expand web sites >> right-click on 'Casper HTTP File Server' >> click 'Bindings' >> Add > https with port 443

You can remove HTTP bindings for this site now and allow only HTTPS.

You can test the HTTPS by going to your website from your web browser via HTTPS. Also check the authentication.

-------------------------
Update (13/02/2012): Please add "." with a MIME type of "application/octet-stream". Otherwise any pkg with a postflight script will fail.
-------------------------

28 REPLIES

Not applicable

We ran into that as well and there were two things that needed to be done:
- IIS had a self-signed cert installed and out-of-the-box machines didn't recognize it. So, we got a cert from a recognized CA.
- IIS MIME types weren't set for Mac extensions like .bom and .pkg, so we added those.

Chris
Valued Contributor

I had to define PKGs as application/x-newton-compatible-pkg on my Windows IIS hosted Reposado to make it work

david_yenzer
Contributor II

This seems like the most recent package/BOM installation issue, so I'll post my experience here.

We had successfully installed Firefox and Chrome browsers via Self-Service and package trigger deliveries to several tested iMacs last week, and were working on creating a package for Numbers/Pages/Keynote. This week, all packages using all methods of delivery started failing with a message similar to the one mentioned above:
(1) This Package did not have a valid index.bom file. Assuming it is a flat file package.
(2) Could not find the package
(3) Fail

We verified that the package existed on the Casper Share.
We reuploaded the package into Composer and recreated the package, using both dmg and pkg. Still failed.
We specified the distribution point. Still failed.

We tried several other things, but the solution we have discovered at this point is:

Login to Casper Admin:
Click Management > Policies > click Edit Policy on an existing Policy > expand the General tab option to Override Default Policy Settings > check the option to Force Distribution Points to use AFP/SMB instead of HTTP

------------------------
Obviously there is some sort of issue with HTTP which wasn't there before, so I hesitate to say this is a perfect fix without giving it more time to test distribution or having some sort of rational explanation for why it conked out on us. But it's working for us now so we'll roll with the "one-check-box-and-it's-fixed".

Lhsachs
Contributor II

I had a similar issue on one of my distribution points on a Windows VM. I resolved it by going to the CasperShare directory in IIS Manager, clicking Edit Permissions (that brings up CasperShare properties), going to the Sharing pane, clicking Share, and adding 'Everyone' with read rights. That's added on to Administrators, IUSR, my acct, and the casperinstall and casperadmin service accounts.

Kumarasinghe
Valued Contributor

I've got mine working long ago. No problems since then. Taylor Wolfe, Systems Engineer @ JAMF helped me by sending the instructions.

I'll post the full instructions which includes some valuable additions to the original.

jarednichols
Honored Contributor

+1 to Kumarasinghe

I needed to tweak my MIME types to get .pkgs working correctly (e.g. Flash installer). Thanks for this.

nkalister
Valued Contributor

Need some more help with this... I've set up the MIME types and site settings as shown here. DMG, flat pkg's, and old-school pkg's without scripts work fine. Any mpkg or pkg with a postflight script fails. I've checked into it a bit - it appears that any file embedded in the packages without a file extension does not download correctly - instead of the real contents of those files, they contain an HTTP 404 error message. This is strange, since I have set up the MIME types on the server as outlined in this thread. It seems like the .* MIME type is not having the expected effect.
So, any tips for resolving this issue with files that have no file extension?

Kumarasinghe
Valued Contributor

@nkalister

Are you on IIS6?
http://support.microsoft.com/kb/326965

Set "*" with a MIME type of "application/octet-stream"
or
Set "." with a MIME type of "application/octet-stream"

nkalister
Valued Contributor

IIS 7...
But I tried your suggestion anyway and it worked! I had already done the "." alone - it wouldn't work until I did both "." and "*" as well.
Thanks, Kumarasinghe!

Cem
Valued Contributor

http works using Self Service Policy but if I switch to https it doesn't. I think it is to do with the SSL Cert. I am trying to use the self signed cert for testing. I can download the package if I copy and paste the link. But that fails through Self Service Policy. Any ideas?

Sonic84
Contributor III

I'm in the same boat as Cem, however I'm not using a self-signed cert. I followed Taylor Wolfe's directions to get IIS working with ssl. However I get package not found error when I attempt to use Casper remote. If I copy/paste the link from the Casper Remote debug log into a browser I can download the package without issue after I enter the casperinstall credentials.

I added a dummy index.html in [server]/CasperShare/index.html as a test, I can view the page with https.

Any Ideas? I am fairly new to IIS :(

<result400>
Checking for policy ID 38247...
Gathering Policy Information from https://casperdev.dev.com:8443//...
Executing Policy 2013-05-20 at 2:55 PM | master | 1 Computer...
    Downloading BOM for Adobe Flash Player 11.7.700.202.pkg...
    This Apple Package did not have a valid index.bom file. Assuming it is a flat file package.
    Downloading https://jssapp1dev.dev.com:443/CasperShare/Packages//Adobe Flash Player 11.7.700.202.pkg...
    Error: The package (Adobe Flash Player 11.7.700.202.pkg) could not be found.
    Submitting log to https://casperdev.dev.com:8443//...
</result400>

antoinekinch
New Contributor III

Has anybody seen when a script goes to run and it gives the following error:

Script result: /private/tmp/KillForAdobeUpdate.sh: line 1: !DOCTYPE: No such file or directory
/private/tmp/KillForAdobeUpdate.sh: line 2: html: No such file or directory
/private/tmp/KillForAdobeUpdate.sh: line 3: head: No such file or directory
/private/tmp/KillForAdobeUpdate.sh: line 4: meta: No such file or directory
/private/tmp/KillForAdobeUpdate.sh: line 5: title: No such file or directory
/private/tmp/KillForAdobeUpdate.sh: line 6: style: No such file or directory
/private/tmp/KillForAdobeUpdate.sh: line 7: !--
: No such file or directory
/private/tmp/KillForAdobeUpdate.sh: line 8: body{margin:0: command not found
/private/tmp/KillForAdobeUpdate.sh: line 8: font-size:.7em: command not found
/private/tmp/KillForAdobeUpdate.sh: line 8: font-family:Verdana,: command not found
/private/tmp/KillForAdobeUpdate.sh: line 8: background:#EEEEEE: command not found
/private/tmp/KillForAdobeUpdate.sh: line 8: }
: command not found
/private/tmp/KillForAdobeUpdate.sh: line 9: syntax error near unexpected token `}'
/private/tmp/KillForAdobeUpdate.sh: line 9: `fieldset{padding:0 15px 10px 15px;} '
Does this have to do with the mime type? This is JSS 8.7.1 on IIS 7. I upgraded from 8.6.1 to 8.7.1 and now my scripts are failing.

Cem
Valued Contributor

@bajankinch, I think it happens because of permissions.
Try running this command after mounting the DP on a Mac:
sudo chmod -R 755 /Path/to/the/package

OR make sure the correct local and ACL groups have read/write access on the DP Windows server.

antoinekinch
New Contributor III

It turns out that after upgrading the server the symlink between the CasperShare and the web server root was broken. It had to be reset!

https://jamfnation.jamfsoftware.com/article.html?id=116
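
Added example, not part of the thread: nkalister's extensionless files that contained a 404 message and the script above that ran as HTML are the same failure, where the client saves the web server's HTML error page as the payload. This Python check classifies responses from a distribution point for that case and for the accepted solution's settings (anonymous access off, HTTPS only); the host dp.example.com, the function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

HTML_MARKERS = (b"<!doctype", b"<html")
XAR_MAGIC = b"xar!"  # flat .pkg installers are xar archives starting with these bytes


def check_response(url, status, content_type, body, sent_credentials=True):
    """Return a list of findings for one response from the distribution point."""
    findings = []
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1].lower()
    head = body.lstrip()[:32].lower()
    looks_html = (head.startswith(HTML_MARKERS)
                  or content_type.lower().startswith("text/html"))

    if not sent_credentials:
        # With Anonymous Authentication disabled, a bare request must get 401.
        return [] if status == 401 else [f"unauthenticated-request-got-{status}"]
    if parts.scheme != "https":
        findings.append("basic-credentials-over-cleartext-http")
    if status != 200:
        findings.append(f"http-status-{status}")
    if looks_html and not name.endswith((".html", ".htm")):
        # The server's error page would be saved as the package file or script.
        findings.append("html-page-instead-of-payload")
    elif status == 200 and name.endswith(".pkg") and not body.startswith(XAR_MAGIC):
        findings.append("pkg-is-not-a-xar-archive")
    return findings


# Constructed sample responses (hypothetical host and file names, not from the thread).
ERROR_PAGE = b"<!DOCTYPE html>\n<html><head><title>404 - File or directory not found.</title>"
BASE = "https://dp.example.com/CasperShare/Packages/"
SAMPLES = [
    # Flat package served correctly over HTTPS with credentials.
    (BASE + "Example.pkg", 200, "application/octet-stream", b"xar!\x00\x1c\x00\x01", True),
    # Extensionless file inside a non-flat package: no MIME mapping, so a 404 page.
    (BASE + "Legacy.pkg/Contents/Resources/postflight", 404, "text/html", ERROR_PAGE, True),
    # Same share reached over the plain HTTP binding.
    ("http://dp.example.com:80/CasperShare/Packages/Example.pkg",
     200, "application/octet-stream", b"xar!\x00\x1c\x00\x01", True),
    # Request without credentials that was served anyway.
    (BASE + "Other.pkg", 200, "application/octet-stream", b"xar!\x00\x1c\x00\x01", False),
]


def audit(samples=SAMPLES):
    """Map each sample URL to its findings, keeping only responses with problems."""
    report = {}
    for url, status, ctype, body, creds in samples:
        found = check_response(url, status, ctype, body, creds)
        if found:
            report[url] = found
    return report


if __name__ == "__main__":
    for url, found in audit().items():
        print(url, "->", ", ".join(found))
```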

zskidmor
Contributor

We have an IIS 8 web server set up the same way as outlined in this discussion, but when I try to download an individual pkg off of it, I get a forbidden message from the web server. I can connect to the share directly using the same credentials. If I enable directory browsing I can get to the pkg and download files. When Casper apps try to use it, the download process hangs saying "connection interrupted". Any thoughts?

jimmy-swings
Contributor II

Did you have any luck with your problem? Was it that you were using a self signed cert?

niravbhavsar
New Contributor

Hi all,
How can I restrict users from downloading some files directly if a login does not exist in the web application?

bentoms
Honored Contributor III

@niravbhavsar You'll need to enable basic auth on IIS & update the JSS to use those details.

bradtchapman
Valued Contributor II

We're considering a similar set up with Windows Server 2012 R2 and IIS.

Is the solution presented in this article still valid and relevant for today? Or is there a better way to do it? And what about replication? We are planning to do something like this with possibly up to 10 servers globally.

bentoms
Honored Contributor III

@bradtchapman I recently set up a DP on Windows 2012 for HTTP. I pretty much just followed what JAMF have posted, I think.

TBH, it was quite painless so I don't remember.

For the DPs... I'd probably look at a scheduled sync via robocopy or something like that.

nkalister
Valued Contributor

I'd echo @bentoms on the syncing - I managed a fleet of DPs running on Windows fileshares at one point, and running robocopy as a scheduled task worked very well. Set and forget, basically, once I wrapped my head around robocopy's peculiar way of doing throttling.

donmontalvo
Esteemed Contributor II

+1 for robocopy if your DPs are on Windows. :)

--
https://donmontalvo.com

bradtchapman
Valued Contributor II

Do you recommend creating multiple robocopy tasks on the master DP, one to push to each remote DP, or a single robocopy job on each remote DP to pull from the master?

bentoms
Honored Contributor III

@bradtchapman pull from master, well that's what I used to do with rsync jobs.

That way you can also change the time for the replica, to maybe a time that better suits their site for bandwidth.

donmontalvo
Esteemed Contributor II

The trick is having logic in script so it doesn't run while a copy is in progress.

--
https://donmontalvo.com

aamjohns
Contributor II

@Kumarasinghe,
Thank you for posting your instructions on setting up IIS as a distribution file server. I had most of it setup properly but it was not working until I added the mime types. Thank you for taking the time to post your instructions.

AJ

evaldes
New Contributor III

woohooo this works!