SMAConnectAgent - admin permissions needed
BWC
Cybersecurity Overlord ✭✭✭
Hi,
how do you handle that the SMAConnectAgent needs administrative rights to be installed?
Having Device Management enabled on the SMA needs the SMAConnectAgent to be deployed, but it's usual that on employer-provided systems the user does not have any admin permissions.
With the firmware update from 10.2.0.0 to 10.2.0.1 the user got prompted to install a newer version, but can't install because of the missing rights. The prompt can be canceled, but causes confusion on the user side. The endpoints (Notebooks) are located in Home-Offices and will probably not return into the HQ for a while to get refueled via GPO etc. The Home-Offices just connect to the browser-based VirtualOffice, no VPN.
Any help highly appreciated.
--Michael@BWC
Category: Secure Mobile Access Appliances
Tagged:
0
Answers
Hi,
once connect agent is installed and when they upgrade to 10.2.0.1 but it should work fine, if GPO is not causing here..
Admin rights are needed for NX for first time and subsequent upgrades not needed.
Vijay Kumar KV
Enterprise Tech Support Consultant | SME
Hi @Vijay_Kumar_KV
if I get you right, you're saying admin rights are not needed for upgrades? This does not seem to be the case, after logging into the SMA I'am greeted with an option to upgrade the SMAConnectAgent because there is a newer version available, when I'am hitting yes to upgrade I'am asked for Admin credentials.
That was the point of my initial question, is this a bug and admin rights shouldn't be needed for upgrades like you elaborated?
--Michael@BWC
@BWC .
Admin rights needed while we install SMAConnectAgent is required to upgrade, admin permission will be required again because we need to update registry settings each installation. so admin is needed for every time..
Vijay Kumar KV
Enterprise Tech Support Consultant | SME
admin permission is needed for every time..
Vijay Kumar KV
Enterprise Tech Support Consultant | SME
I need to come back about this, actually in retrospect, my question isn't answered. The question was: "How do you handle that the SMAConnectAgent needs administrative rights to be installed?"
What I mean here, how should we upgrade the SMAConnectAgent in the field on machines where the enduser does not have administrative rights? Should the SMAConnectAgent pre-deployed with some form of software-distribution (GPO, etc.) prior to an upgrade of the SMA to avoid this confusing upgrade messages, which cannot be fullfilled without the admin rights anyhow?
Whats a common way?
--Michael@BWC
I got it, but since this needs to registered in Registry so admin nights are needed, I agree with your points for subsequent upgrades I don't think we need admin rights..we'll check with engineering and if possible to do without rights.
We can file an RFE?
Vijay Kumar KV
Enterprise Tech Support Consultant | SME
Hi @Vijay_Kumar_KV
the problem could be solved if upgrades would not need admin rights, but I'am not sure if this is technically possible.
For some "HTML Portal-only" deployments I don't even have a chance to deploy the newer Agent manually, because of the lack of a VPN connection. The whole process needs to be as simple as possible, because there a mainly no IT-people sitting in the Home-Offices at the moment.
--Michael@BWC
@BWC I got it, we'll check on ourside how to fix this going forward.
Vijay Kumar KV
Enterprise Tech Support Consultant | SME
@BWC @Arthur @Vijay_Kumar_KV
got this issue that the EPC should be updated after the Patch 10.2.0.6-32sv. Clicked download in the Window and then it failed with an notification in the Browserwindow.
I tried to download the agent from the download section under the User Icon in the upper right corner. But there is no EPC agent available. (Netextender is available.)
Checked this on other SMAs and finally found one where I could download the agent from. No change to find it in MYSWL.
Installed it on the client and login was ok for now.
Did you see this "lost" agent in your instances too?
--Thomas
Hi @ThK
I checked on my SMA 500v and I was able to download them via VirtualOffice.
You having problems on SMA 2x0/4x0 or 500v? On hardware appliance there seems to be a case a while back:
--Michael@BWC
@BWC all are 500v. the post exatly describes what i have.
and it does not depend on user. so same as admin or user and LocalDomain or Portal
I double checked, SMA 500v deployed from 10.2.0.5 OVA and SMA 500v updated to 10.2.0.5 via .sig both having the Files downloadable via VirtualOffice.
Is it a VMware or Hyper-V deployment, maybe thats the difference? Mine are on ESXi.
--Michael@BWC
@BWC yes on ESXi.
Mon Mar 1 20:45:57 2021 target file(/usr/src/EasyAccess/www/htdocs/NXSetupU.exe) doesn't exist
-Mon Mar 1 20:45:57 2021 backup file(/usr/src/EasyAccess/var/clients/NXSetupU-10.2.309.exe) doesn't exist
Local admin rights are still required to update SMA Connect Agent, EPC/NAC Agent, etc. This is a nightmare for most environments as users don’t have local admin rights. At the very least, SMA Connect Agent and EPC/NAC Agent need to be made available for download on MySonicwall.com to allow apps to be deployed/updated via RMM or other means prior to upgrading SMA firmware. EPC/NAC Agent cannot be downloaded manually on SMA as well, only SMA Connect Agent and NetExtender.
I too have been unable to find anywhere to download the EPC Agent so even though we were able to download the SMA agent and push it out via Labtech as soon as the EPC check tries to run the first time they are prompted for admin creds. Nothing like going live with 5 SMAs and waking up to 90 end user tickets. I opened a ticket with Sonicwall to see about getting a MSI that we can push.
I have the same issue. I want to deploy the SMAConnect using the MSI which works by using our Batchpatch software but the NACAgent still needs admin rights the first time it makes changes to the system.
Hi @Arthur
Thanks for following up. I'll will look into this and get back to you.
An error occurs in the installation process.
Another version of SonicWall Netextender has been detected on your system, please uninstall it before running this installation.
Years later, and still not fixed - any SonicWall folk care to explain? @Arthur have you heard anything on the status of this from your ticket?
We don't give users admin rights, and we have folks connect at all hours of the day/night, so our process following a SMAConnect update that a user has to log a ticket in our helpdesk, who contacts the user to arrange for them to be online so we can use a third party tool to control their machine to login (with assistance from the user to complete mfa login), and finally get SMAConnect updated. Our helpdesk team rather hates SMA updates because of this issue.
Has anyone found a solution to push SMAConnect updates to clients out of band? I know no product is perfect, but it seems keeping a sonicwall SMA running smoothly requires a set of auxiliary tools and effort (something we'll keep in mind as we face some SMA EOL and replacements within a year).
I know this is an old thread but it still comes up near the top in search engines. It's fairly obvious and documented above that you can get the SMA Agent from within the portal's download section. I just wanted to add that, at least on current versions, you can download the NAC/EPC agent from the appliance. There are a couple Sonicwall support articles that reference https://x.x.x.x/NACAgent.exe. They don't really tell you this but x.x.x.x is the IP or URL of your appliance. The filename is also case sensitive. So if you want to distribute these out of band you can.
For other's reference, in trying to get this issue resolved I logged a support case (44403487) and was directed to contact sonicwall sales, since the solution here is not an implemented feature, and apparently sales handles all feature requests. I followed up with an email to sales requesting this "feature" be added. I'll try to update here if anything noteworthy happens.
@JesseN thanks for taking the bullet and putting the RFE in for something that obvious. I don't have much hope that it'll get implemented before the SMA (100 Series) goes out of service, which is somewhere in 2027.
—Michael@BWC