These days I have been struggling to configure Trend ServerProtect 5.8 for NetApp. I have encountered many problems because installing Trend on Windows 2008 R2 does not make the antivirus immediately ready to work with the filers.
In fact, even if we configure access to the NetApp using an account that belongs to the ‘Account Operators’ group on the NetApp, the NetApp won’t be able to access the named pipe NTAPVSRQ which has been set up on the Windows 2008 R2 Scan Server. This is due to a problem with the way the filer tries to authenticate to the Windows 2008 R2 Scan Server.
Let’s first see the workflow which is used by the Antivirus to check for files stored on the NetApp. Then it will be easier to understand the problem.
- A user asks for a file (such as a Word document or an Excel spreadsheet)
- The NetApp anonymously opens a named pipe over SMB toward one of the defined Trend Scan Servers. The action is: SMB: C; Nt Create Andx, FileName = \ntapvsrq
- Once the named pipe has been set up, the NetApp filer sends an MSRPC request to the Scan Server containing the path to the file to scan. The path structure is: \\x.x.x.x\ONTAP_ADMIN$\volume\vol1\qtree\testfile.xls
- At this point the Scan Server knows the path to the file to scan, so it starts a spntsvc.exe process that connects to the filer, retrieves the part of the file to be scanned and sends a response back to the filer with the outcome of the scan operation.
The problem is that in Windows 2008 R2 security has been tightened considerably, and anonymous access to named pipes and shares is forbidden unless explicitly declared in the Local Security Policy.
So the NetApp filer will continuously report that the Trend Scan Server has disconnected from the filer. Usually this error is logged every 6 minutes in the filer's syslog (/etc/messages), or anytime the filer attempts to scan a file for a user. Soon after the disconnect warning, the filer will report in the log that the Scan Server has successfully registered again.
The errors in the messages log on the NetApp are:
Tue Feb 15 17:19:58 CET [netapp: cifs.pipe.errorMsg:error]: CIFS: Error on named pipe with trendserver: Error connecting to server, open pipe failed
Tue Feb 15 17:19:58 CET [netapp: cifs.server.infoMsg:info]: CIFS: Warning for server \\trendserver: Connection terminated.
Tue Feb 15 17:19:58 CET [netapp: vscan.server.connectError:error]: CIFS: An attempt to connect to vscan server \\trendserver failed [0xc0000022].
Tue Feb 15 17:19:58 CET [netapp: vscan.dropped.connection:warning]: CIFS: Virus scan server \\trendserver (x.x.x.x) has disconnected from the filer.
Tue Feb 15 17:20:18 CET [netapp: vscan.server.connecting.successful:info]: CIFS: Vscan server \\trendserver registered with the filer successfully.
What is funny is that nothing, I mean no warnings, no errors, no pop-ups, no blinking exclamation marks, nothing appears in the Trend Management Console or in its log files. The only symptom (before looking in /etc/messages on the NetApp filer) is a pop-up message shown to users trying to open NAS-stored documents that says: ‘Access denied. Contact your administrator.’
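Since the filer's /etc/messages is the only place the failure shows up, the log lines above can be turned into a check. This is an added example, not part of the original post: it counts disconnect and re-register cycles per scan server and decodes the status in vscan.server.connectError, where 0xc0000022 is the NTSTATUS code STATUS_ACCESS_DENIED. The sample log is constructed from the lines quoted above, and the function names and the two-cycle threshold are assumptions.

```python
import re
from collections import defaultdict

NTSTATUS = {0xC0000022: "STATUS_ACCESS_DENIED"}  # code seen in connectError
LINE = re.compile(r"\[[^:\]]+: (?P<event>vscan\.[\w.]+):\w+\]: (?P<msg>.*)")
SERVER = re.compile(r"\\\\([\w.-]+)")         # \\trendserver
STATUS = re.compile(r"\[(0x[0-9a-fA-F]+)\]")  # [0xc0000022]

# Constructed sample modelled on the /etc/messages lines quoted in the post.
SAMPLE = r"""
Tue Feb 15 17:19:58 CET [netapp: vscan.server.connectError:error]: CIFS: An attempt to connect to vscan server \\trendserver failed [0xc0000022].
Tue Feb 15 17:19:58 CET [netapp: vscan.dropped.connection:warning]: CIFS: Virus scan server \\trendserver (x.x.x.x) has disconnected from the filer.
Tue Feb 15 17:20:18 CET [netapp: vscan.server.connecting.successful:info]: CIFS: Vscan server \\trendserver registered with the filer successfully.
Tue Feb 15 17:26:18 CET [netapp: vscan.server.connectError:error]: CIFS: An attempt to connect to vscan server \\trendserver failed [0xc0000022].
Tue Feb 15 17:26:18 CET [netapp: vscan.dropped.connection:warning]: CIFS: Virus scan server \\trendserver (x.x.x.x) has disconnected from the filer.
Tue Feb 15 17:26:38 CET [netapp: vscan.server.connecting.successful:info]: CIFS: Vscan server \\trendserver registered with the filer successfully.
"""

def new_entry():
    return {"status": defaultdict(int), "drops": 0, "cycles": 0, "pending": False}

def analyze(text):
    """Per scan server: NTSTATUS counts, drops, and drop -> re-register cycles."""
    stats = defaultdict(new_entry)
    for line in text.splitlines():
        m = LINE.search(line)
        srv = SERVER.search(m["msg"]) if m else None
        if not srv:
            continue  # not a vscan event, or no \\server name in the message
        s, event = stats[srv.group(1).lower()], m["event"]
        code = STATUS.search(m["msg"])
        if event == "vscan.server.connectError" and code:
            value = int(code.group(1), 16)
            s["status"][NTSTATUS.get(value, hex(value))] += 1
        elif event == "vscan.dropped.connection":
            s["drops"] += 1
            s["pending"] = True
        elif event == "vscan.server.connecting.successful" and s["pending"]:
            s["cycles"] += 1  # a drop followed by a successful registration
            s["pending"] = False
    return stats

def pipe_open_denied(stats, server, min_cycles=2):
    """True when a server keeps re-registering while its pipe opens are denied."""
    s = stats[server.lower()]
    return s["status"]["STATUS_ACCESS_DENIED"] > 0 and s["cycles"] >= min_cycles
```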
The solution consists of four modifications to the Local Security Policy in order to allow unrestricted access to the NetApp named pipe. On your Windows 2008 R2 Scan Server, click Administrative Tools, then Local Security Policy, then Local Policies, then Security Options, and change the following settings:
- Network access: Named Pipes that can be accessed anonymously – Add NTAPVSRQ to the list. Note that this key should already be present, as well as TMRPC\SPNTSVC and TMRPC\StWatchDog. These three keys are added to the Local Security Policy when you first configure your Scan Server from the Trend Management Console.
- Network access: Let Everyone permissions apply to anonymous users – Set it to ‘Enabled’
- Network access: Do not allow anonymous enumeration of SAM accounts – Set it to ‘Disabled’
- Network access: Restrict anonymous access to Named Pipes and Shares – Set it to ‘Disabled’
The problem will be solved as soon as you reboot the Trend Scan Server to confirm the modifications you have made. Yes, Windows 2008 R2 hasn’t changed. It is still as stupid as it was ten years ago: every modification you make needs a full reboot! That’s why testing this solution took me so much time. Not to mention that nothing is to be found about this problem on Trend’s website. And to think that people at Trend proclaim loudly that ServerProtect for NetApp 5.8 supports Windows 2008 R2 servers... Microsoft and Trend have left me lost for words once more.
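Three of the four changes above apply machine-wide rather than to NTAPVSRQ alone, so it is worth recording which of them are in effect on each Scan Server. This is an added example, not part of the original post: it reads the [Registry Values] section of a `secedit /export /cfg` file and reports the relaxed settings and the anonymous pipe list. The sample export is constructed and the function names are assumptions.

```python
LSA = r"machine\system\currentcontrolset\control\lsa"
SRV = r"machine\system\currentcontrolset\services\lanmanserver\parameters"
# Policy name -> (registry value, REG_DWORD data when the policy is NOT relaxed)
RESTRICTIVE = {
    "Let Everyone permissions apply to anonymous users": (LSA + r"\everyoneincludesanonymous", "0"),
    "Do not allow anonymous enumeration of SAM accounts": (LSA + r"\restrictanonymoussam", "1"),
    "Restrict anonymous access to Named Pipes and Shares": (SRV + r"\restrictnullsessaccess", "1"),
}

# Constructed sample of an export taken after the four changes in the post.
# A real export is UTF-16: read it with open(path, encoding="utf-16").
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,NTAPVSRQ,TMRPC\SPNTSVC,TMRPC\StWatchDog
[Version]
signature="$CHICAGO$"
"""

def registry_values(inf_text):
    """Map lower-cased registry path -> (type, [data items]) from the export."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry values" and "=" in line:
            key, data = line.split("=", 1)
            reg_type, *items = data.split(",")  # e.g. "4,1" or "7,pipe1,pipe2"
            values[key.strip().lower()] = (
                reg_type, [i.strip().strip('"') for i in items if i.strip()])
    return values

def audit(inf_text):
    """Report relaxed anonymous-access policies and the anonymous pipe list."""
    values = registry_values(inf_text)
    # A value missing from the export is unknown, so it is not reported.
    relaxed = [name for name, (key, safe) in RESTRICTIVE.items()
               if key in values and values[key][1][:1] != [safe]]
    pipes = values.get(SRV + r"\nullsessionpipes", ("7", []))[1]
    return {"relaxed": relaxed, "anonymous_pipes": pipes}
```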
A last note for Windows admins. Here’s a list of tools you might find useful to diagnose this kind of issue:
- Learn to use Network Monitor 3.4 for Windows 2008 R2 (remember to activate the parser for Windows events) and you will have an inside view of the traffic generated and received by your Windows box;
- Learn to use Procmon, because this tool will give you the best insight into the activity of your Windows system;
- Make friends with your Network Administrator: he and only he will be able to show you whatever is happening between your NetApp filer and your Antivirus Scan Servers;
- Get an account on kb.netapp.com, because kb articles concerning NetApp filers are closed to unregistered users!