A Few Pre-Install Questions
-
Over the past few days I have been researching FOG. Though convinced of its awesomeness, there are a few questions that remain.
The situation is as follows. I am the Systems Librarian for a mid-sized regional University. We have 70 -100 public computers (Dell Optiplex 780s) currently running Windows XP. We use Windows SteadyState to lock them down and prevent unwanted changes to the machines (including everything from malware to patrons cluttering up the computers with files). Since Microsoft discontinued SteadyState the Library has been sticking to XP, but with support ending in April we can hold out no longer and are in the process of transitioning to Windows 7. At the same time we have been seeking a way to centrally manage our computers. The difficulty is that the library is not a part of the campus domain (but is on the network) and all of our computers are in a WorkGroup. We also do not have a server other than a dedicated machine for our catalog and the budget is tight. Thus there seemed to be no way to do things such as push out software to computers, image them remotely, and track usage. When imaging machines we use Clonezilla and have to go around to each one with a flash drive. FOG seems to be the answer to all of our prayers.
Except for two things. First, our campus IT people have their own server running Windows Deployment Services. They image machines via PXE boot, although I do not think their system can do Zero Touch Installation. They also control the DHCP server. If the library were to set up a FOG server, would it create any sort of conflicts? Given that the program uses MAC addresses my assumption would be no as long as it is set up correctly (that is the impression the user guide gives anyway). However networking is not my strong suit. Also our public computers are set to boot from the network first and, despite not being on the domain, are on the same subnet as other public computers around campus.
Second, what sort of security risks does having a FOG server present to the campus network? Although the machine we are planning on putting it on will not have an external IP address I am concerned all the same since Apache is required to run FOG.
-
At my place of employment, we have about 10,000 computers and had a setup very similar to yours. Let me start by answering your questions right off the bat.
-
No, it will not cause any conflicts if set up correctly. For a while we had WDS and FOG running at the same time without any problems. We had a WDS.iso that we created that would point to the WDS server and image our Windows 7 machines that way. All we did was add that iso to the FOG boot menu. Simple :). We had our network guys set up FOG on the DHCP server (ports 66 and 67) and never had a problem.
-
The security risks are all dependent on what you choose to run. Apache itself is not a concern. You won’t have FOG sitting in the DMZ, so your employment’s firewall should block almost everything going out anyways. The concern is what version of Linux you choose to install FOG on. The more features you install, the more security risks you add. I personally am an Ubuntu guy, so I install FOG on Ubuntu server. It’s all command line, no GUI. This means that the server is fast to boot, very little to crash, and extremely robust. I ended up having to install a GUI so others could administer the server if I was not available, so LXDE core to give an absolute minimum GUI experience for others. But again, less is more when it comes to security.
Now a question I have for you. Especially with the transition to Windows 7, is there a reason that you can’t have your machines on the domain? It seems like it could be very easy to just group all of your machines into a new OU. Group policy is a very powerful tool and you can really tweak how you want your computers to work and behave. With Windows 7, you can have a whole new level of control that didn’t exist in XP, and can install templates (ADM and ADMX’s) to control programs even further. Granted you can’t do “frozen” profiles by default, but you can at least limit what gets installed in the first place, which is half the battle.
Unfortunately we have since discontinued FOG as people higher than me decided that we could no longer use it, in favor of another product. I do, however, still have a full lab setup at home to do testing on, including WDS and SCCM, so I still get my fair share of FOG in :). I will say, FOG was, and still is BY FAR the fastest and easiest imaging solution that I have used.
-
[quote=“Kevin, post: 20908, member: 3”]
Now a question I have for you. Especially with the transition to Windows 7, is there a reason that you can’t have your machines on the domain? It seems like it could be very easy to just group all of your machines into a new OU. Group policy is a very powerful tool and you can really tweak how you want your computers to work and behave. With Windows 7, you can have a whole new level of control that didn’t exist in XP, and can install templates (ADM and ADMX’s) to control programs even further. Granted you can’t do “frozen” profiles by default, but you can at least limit what gets installed in the first place, which is half the battle.
[/quote]Kevin, the short answer is office politics. At one time the library was on the domain. We had our own subnet and a dedicated server. But then the campus IT department was outsourced to a company called Ellucian and a number of employees at the library alienated them (to put it mildly - I don’t know the full story, but this is what I’ve been told). The result was that when our server died we were kicked off the domain and lost our subnet. Since then the relationship has improved, but is still delicate. My hope is to implement FOG without having to go to them, particularly because I’ve heard they don’t want linux servers on campus (not sure why). However if push comes to shove the library administration is willing to go to bat for us.
But in regards to Windows 7, we are already utilizing local group policies. They are a huge lifesaver and have allowed us to lock our test computer to a degree I’d not thought possible without a product such as Fortres 101. But there is no way to stop people from cluttering up the desktop with their files and if malware slips by our security there is no one click solution to remove it the way there is with SteadyState. While FOG doesn’t give that per se, it seems to come close. Our campus IT folks run Active Directory and have Mandatory profiles, thus eliminating the need for third party security software.
-
I was doing some searching and found 2 things you might be interested in:
- [url]http://blogs.technet.com/b/panosm/archive/2011/07/07/windows-7-steadystate-solution-simplified.aspx[/url]
- [url]http://www.steadierstate.com/[/url]
Looks like both utilize being able to boot VHDs. May be worth looking into.
-
We have already looked into both of the options you suggested, Kevin. The issue is that they require too much hands on management. In particular they cannot take into account any Windows or McAfee updates. Those would have to be done manually. With 70 - 100 computers that is not feasible especially since the Systems Department (which consists of myself and a colleague) has other responsibilities such as web development, maintaining the Integrated Library System (the catalog), and troubleshooting computer issues. Also the requirement to choose the correct option upon start up may lead to problems as some of our employees are not comfortable with technology.
My personal favorite, in regards to software, is Drive Vaccine made by Horizon Data Systems. It works like Windows Disk Protection, but is easier to manage and has a central management console. One of my goals is to centralize control of our computers. Sadly it costs money.
[QUOTE]The security risks are all dependent on what you choose to run. Apache itself is not a concern. You won’t have FOG sitting in the DMZ, so your employment’s firewall should block almost everything going out anyways. The concern is what version of Linux you choose to install FOG on. The more features you install, the more security risks you add. I personally am an Ubuntu guy, so I install FOG on Ubuntu server. It’s all command line, no GUI. This means that the server is fast to boot, very little to crash, and extremely robust. I ended up having to install a GUI so others could administer the server if I was not available, so LXDE core to give an absolute minimum GUI experience for others. But again, less is more when it comes to security.[/QUOTE]
Thank you for putting my mind at ease. The library has not had many problems, but the one we did have came from an unsecured FTP port on our catalog server. It is a Windows machine and IIS was not set up the way it should have been. But that computer has an external IP address and is used to host our Online Public Access Catalog.
Should I install FOG, my plan is to use Debian as that is what I am most familiar with (other than Mint, but it seems meant for desktops rather than servers). It has a reputation for stability and security. The latter can be enhanced by taking steps such as installing Fail2Ban, a firewall, disabling root access over SSH, etc. Having a GUI does help so I’d install LXDE.
-
What about testing? The user guide seems to suggest that this can be done by plugging the ethernet cable into a router and creating a mini-network. Is that a correct assessment? And what about non-intrusive mode? Is that a viable way of imaging machines in a production environment?
-
We use a few products from Faronics: Deep Freeze and Anti-Virus. Deep Freeze locks a machine into a state and resets that machine on every reboot. Wipes out all changes to the machine, kind of like throwing away a change disk on a VM. I don’t think it yet protects the MBR if you get a super nasty virus, but with FOG, you can just re-image. The Faronics AV integrates with Deep Freeze and allows definition and engine updates, as well as virus quarantine/removal even while frozen.
As far as setting up FOG for your workgroup without interfering with the existing WDS and DHCP, you have some options. Can you explain how your library computers are connected back to the main network or internet (Layer 2/Layer 3 switch, router, etc.)? How is your network addressing divided? Are the library computers on their own subnet?
Even if the network admins don’t want to reconfigure DHCP to work with FOG, you can still get FOG to listen to and answer requests from PXE boot clients in your local subnet.
-
Networking is not my specialty. However there are racks of Cisco Catalyst 3500 series network switches in various locations around the library. Presumably these are for the wired portion of our network. There are also wireless routers on the second floor although none of our public machines connect to the network that way. Currently the library computers are not on their own subnet. This would tend to be an issue since PXE boot requests are presumably set to be forwarded to the existing WDS machine. However the network administrators have expressed a willingness to put the machines we want to control on their own subnet and give it a separate DHCP scope once we go into production. Presumably it will then be possible to specify PXE and TFTP requests to go to our FOG server. That should eliminate the need for running the program in non-intrusive mode.
Right now we are in the testing phase. As the University closes for the Winter Break after tomorrow there won’t be any progress before 2014. Currently the plan is to use a router to hook the FOG server up to a reference computer and two targets to be re-imaged. In order to avoid conflicts with the campus DHCP server our mini-network will not be hooked up to the main campus network. That way we do not have to make any changes to network infrastructure until FOG is thoroughly tested.
Thank you for your help. You have put my fears to rest. FOG seems to be the perfect solution for us since it requires neither a significant outlay of money nor the purchase and setup of a Windows Domain controller with all the bells and whistles.
Right now my only questions pertain to the OS for our server. I am most familiar with Debian and plan to use version 7 to host FOG. Has anyone experienced any problems with using FOG and Debian together? And is there a particular distro that the former runs best on?
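The two approaches discussed in this thread, DHCP options 66/67 on the existing server (Kevin's post) and a separate library subnet with its own DHCP scope pointing PXE clients at FOG (the post above), as an added example in ISC dhcpd.conf syntax; this is not configuration from the thread or from the FOG project. All addresses and the MAC are constructed placeholders, the WDS boot program name is the usual one for BIOS clients, and the FOG boot file name is an assumption that must be checked against the FOG version actually installed.

```conf
# Added example: one ISC dhcpd.conf serving both the campus scope (still
# booting from WDS) and a library scope that boots from FOG.
# Every address below is a constructed placeholder.
authoritative;

# Campus workstations: unchanged, PXE clients keep going to WDS.
subnet 10.10.0.0 netmask 255.255.0.0 {
  range 10.10.1.10 10.10.250.250;
  option routers 10.10.0.1;
  next-server 10.10.0.20;             # option 66: existing WDS server
  filename "boot\\x86\\wdsnbp.com";   # option 67: WDS boot program for BIOS clients

  # Per-machine override for a library PC that has to stay on the campus
  # subnet for now: keyed on its MAC, it is sent to FOG instead of WDS.
  host library-pc-01 {
    hardware ethernet 00:11:22:33:44:55;   # constructed MAC
    next-server 10.20.0.10;
    filename "pxelinux.0";                 # assumed FOG 0.32 boot file; verify
  }
}

# Library public PCs: their own subnet and scope, PXE clients go to FOG.
# Nothing in this scope touches the campus WDS configuration.
subnet 10.20.0.0 netmask 255.255.255.0 {
  range 10.20.0.50 10.20.0.200;
  option routers 10.20.0.1;
  option domain-name-servers 10.10.0.2;
  next-server 10.20.0.10;             # option 66: FOG server (runs the TFTP service)
  filename "pxelinux.0";              # option 67: assumed FOG 0.32 boot file; verify
}
```

Run `dhcpd -t -cf /etc/dhcp/dhcpd.conf` to syntax-check before reloading; the host override is the piece to remove once the library machines move to their own scope.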
-
Mike,
As FOG is being installed, it uses the apt-get methods from Ubuntu, which I’d imagine to be the same as on Debian. Tomorrow, while I’m at work, I’ll boot my Debian System(s) up and attempt an install. The first install will be with the version I’ve been working with, and the second will be with 0.32 which I would recommend for your particular setup at this point in time. I hope to give you some insight and wish the best.
-
Thank you in advance, Tom. I look forward to reading of your results. Ubuntu is based on Debian so my assumption is that there would be few issues. But you never know.