Now that you know how cool it is, let’s install and try out the product. This post will cover the initial install and configuration of Secunia. Part 2 will cover network scanning and actually publishing a patch.
- Download and Install the CSI Console
- Connect the CSI Console to your SCCM Server
- Install a CSI Network Appliance Agent
- Run a network scan
- Create a package
- Publish the package to SCCM
- A workstation to run CSI Console.
- A server to run CSI in Network Appliance mode.
- An SCCM Server with the SUP role configured.
- A user account for the Network Appliance service that has admin rights on all target/client computers.
Download and Install the CSI Console
- Download the Secunia CSI Console from the following web page (after login).
- Double-click the setup file “CSISetup.exe” to begin installation.
- On the ‘Welcome to the CSI Setup’ screen, click “Next”.
- On the ‘License Agreement’ screen, check the box and click “Next”.
- On the ‘Readme Information’ screen click “Next”.
- On the ‘Choose Install Location’ screen click “Next”.
- On the ‘Completing the CSI Setup’ screen click “Finish”.
- When prompted to launch Secunia CSI, click “Yes”.
- Log in to the CSI Console using your Customer Credentials.
- Secunia will load if your internet connection is active.
- Congrats! The software is installed and launched.
Connecting CSI Console to the SCCM Server
- Click Start -> Run, then type “inetcpl.cpl” to load “Internet Options”.
- On the “Security” tab, click “Trusted Sites” then click the “Sites” button.
- Add the following site to the trusted sites list then click “Close”:
- On the Internet Options window, click “OK”.
- In Secunia CSI navigate to Patch -> WSUS Configuration, then click “Configure Upstream Servers”.
- If using SCCM, enter the SCCM server hostname and port, then click “Use SSL”, then click “Connect”. The default SCCM WSUS Port number for SSL is 8531.
- Next, Secunia asks you to configure the certificate. If you already have a WSUS Signing Certificate, for example from using System Center Updates Publisher, then close the wizard because parts 2 and 3 are not necessary. If you are sure that you do not have a WSUS Signing Certificate, click “Automatically create and install certificate”.
- I can’t show the wizard step 3, because importing a new signing certificate would break my WSUS server. However, step 3 just creates a group policy object for the distribution of the certificate to your Active Directory clients. The process can be seen manually in my previous blog post “Pushing the SCUP Certificate to Clients”.
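Before choosing “Automatically create and install certificate”, it helps to confirm whether a WSUS signing certificate already exists. The following PowerShell is an added example, not part of the original post or of Secunia's tooling; it assumes it is run elevated on the WSUS/SUP server and that the signing certificate lives in the local machine's WSUS certificate store. The function name is hypothetical.

```powershell
# Added example: look for an existing WSUS signing certificate and report
# whether this server also trusts it (Trusted Root / Trusted Publishers).
# Assumption: run in an elevated session on the WSUS/SUP server itself.

function Get-WsusSigningCertStatus {
    param(
        # Assumed location of the local-publishing signing certificate.
        [string]$WsusStore = 'Cert:\LocalMachine\WSUS'
    )

    if (-not (Test-Path $WsusStore)) {
        Write-Warning "Store $WsusStore not found; is this the WSUS server?"
        return
    }

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $WsusStore) {
        $thumb = $cert.Thumbprint
        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $thumb
            NotAfter           = $cert.NotAfter
            Expired            = $cert.NotAfter -lt $now
            HasPrivateKey      = $cert.HasPrivateKey
            # Certificates in these stores are addressable by thumbprint.
            InTrustedRoot      = Test-Path "Cert:\LocalMachine\Root\$thumb"
            InTrustedPublisher = Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb"
        }
    }
}

$status = @(Get-WsusSigningCertStatus)
if ($status.Count -eq 0) {
    'No WSUS signing certificate found in the WSUS store.'
} else {
    $status | Format-List
}
```

If a certificate is listed and not expired, close the wizard as described above rather than creating a second one.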
Install a Network Appliance Agent
- Navigate to Scanning -> Remote Scanning Via Agents -> Download Network Agent, then click “csia.exe” to download the agent.
- Log into the server designated for the NAA agent as the user with which you’d like to run the service. The user must be an administrator on the host and any clients that will be scanned. I did not have success with the NAA when installing the service using runas, or by configuring the service properties in services.msc. The service would start, but would not report back to the CSI Server.
- Once logged into the server, run the following command:
- Now, copy csia.exe into %programfiles%\secunia
- Now, open a command prompt and run the following commands to install the agent service:
CD /D %programfiles%\Secunia
csia.exe -A -i --skip-wait
- In CSI Console, navigate to Scanning -> Remote Scanning Via Agents -> Network Appliance Agents. After 4-5 minutes, you should now see the NAA server appear in this list.
Congrats! You are now ready to start scanning and patching your network clients! Look to part 2 for configuring a Network Appliance Group, initiating a scan, and publishing a patch.