Citrix PVS provisioning service

[trayn 0]

hi guys,

i'm looking for a best practice how-to for our citrix-terminal-server PVS system.

pvs-citrix system PXE-Boot with streaming HDD from a golden image.

the servers booting every day from the image.

we installed eset + agent in this image, get the policies from ERA and booting a few times.

but before we close this image we uninstalled the agent (see problem 1)

Problems:

agent with same ID from the image

workaround: before we close the image, we uninstall the agent. there is an local windows task (5min after booting) to install the agent every day again. so it's a "new" server after every boot.

groups & policies

we use dynamic groups for policies (name with "pvs") and a task to delete the "old" servers (no connection since 1day)

activation problem

workaround: we use a servertask to use the offline-licence with a trigger (activate every time a new server is incoming to the group)

 

is there a better way to do this? maybe a "best practice how-to"?

 

best regards

trayn

[NicholasBird 0]

thanks for the pointers. Im new to PVS and just building my first image, have you got any further yourself with a best practise for Eset on PVS?.

we have the same pxe streamed environment; the tenants have a persistent "D drive" but my reading of the eset manuals suggest this is no use (eset can only store its 'IDs' on the system drive?)

 

[NicholasBird 0]

ESET Technical support Showed me the way. This is working well for me.

My Environment

• Citrix and PVS 7.15 LTSR
• PVS machines reboot and rebuild nightly from base image
• Windows 2016
• Eset ERA 6.5

 

Solution

• Install ESET File Security into PVS image directly
• Deploy ESET Remote Administrator Agent via Computer GPO Software Installation (x64+ini)
• Create ESET Task to Synchronise Active Directory regularly (Ensure Tenants are in correct ESET groups)
• Create ESET Task to "delete computers not connected" for 24hours and deactivate (targeted at PVS tenant OUs)
• Create ESET Task to update modules / virus definitions soon after boot on PVS tenant OUs

 

Outcome

• PVS Tenants reboot and build at 5am, GPO install agent.
• ESET AD sync task ensures new tenants are in their expected OUs/ESET Groups
• Every reboot a new duplicate  object for the tenant appear in the ESET Group for Tenants
• ESET "delete computer task" removes these duplicate objects.
• ESET Task to update modules ensures the virus signature are up to date as quickly as possible.

 

Concerns/Room for improvement.

• Was concerned that the Agent Install GPO would not fire 100% on 1st boot, so far it has been 100% reliable.
• undesirable that the write cache is being used up by agent install and signature updates, ideally the agent IDs and signatures would be redirect-able to a fixed drive in a future version? (Not possible for now?)
• Need to keep the gold image updated so as to minimise the delta between boot version of definitions and latest version of virus definitions during the first few minutes. maybe an update can be forced as the products starts or the agent installs?