It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Content Shield

How to Deploy the Barracuda Content Shield Suite via GPO

  • Last updated on

This article provides sample scripts that can be used for successful deployment of Barracuda Content Shield (BCS) using GPO. The article is not intended to provide comprehensive instruction in the use of Microsoft GPO, and all samples are provided without assurances or guarantees.

An example Powershell script is provided here to demonstrate fully automating an installation. Using a command line batch file enables the administrator to remotely configure and control the Powershell script. The Group Policy Manager (GPO) is used to distribute these resources to the intended domain-attached computers. The sample script, ExampleBCSConfig.ps1,  can be found at Example Powershell Script for GPO Deployment of BCS Suite for Windows. Note that you can do either a complete installation, or install just the Web Filtering Component, or just the Malware Protection component of the suite.

Note that this script is ONLY an example and is offered without assurances or guarantees. Make sure to run the script with elevated permissions.

The domain name “dc1.myco.com” is used to represent the domain controller throughout this example. Be sure to make appropriate substitutions for your environment.

Procedure and Sample Deployment Script

Required and Example Files
  • The current BarracudaContentShieldSetup-#.#.#.#.exe file, which is available from the DOWNLOADS page of your BCS account.
  • The bcs.key file, which is also available on the DOWNLOADS page  (see Account Configuration File).
  • The sample batch file (ConfigureBCSPlus.bat) is included below. This .bat file must be edited to reflect the settings (file paths, operational mode, target installer .exe, file version, etc.) in your particular environment. Additionally, if you choose to use this procedure to perform future upgrades of the BCS software, this file will need to be edited to reflect the new version of the installer .exe file.

Performing upgrades also requires downloading the new installer .exe file and saving it in the shared folder (e.g. \\dc1\BCS-Files\), and the GPO Files settings also need to be modified. 

Procedure for GPO Deployment

ACTION STEPSEXAMPLE VALUECOMMENTS

1. Select or Create an Active Directory Organizational Unit

BCSPlus

You may want to create a new OU to limit the scope of the machines affected by the GPO.

CAUTION: If you want to retain the option to remove this OU in the future, be sure to de-selected the default “Protect container from accidental deletion” setting before creation.

2. Using AD, move the computers that are to be the targets of this deployment to the OU identified in Step 1 (e.g. BCSplus).

WIN10-SMITH-PC

None

3. Create a shared folder on the Domain Controller, and populate with the files* that need to be deployed.

\\dc1\BCS-Files

  • BarracudaContentShieldSetup-#.#.#.#.exe
  • bcs.key
  • ExampleBCSConfig.ps1
  • ConfigureBCSPlus.bat

Important: Folder permissions:

  • Sharing > Advanced Sharing > Permissions;
    • “Authenticated Users” need Read access
    • “Everyone” should have Full Control
  • Security;
    • “Authenticated Users” need default permissions (read & execute, list folder contents, read)
    • “Everyone” should have default permissions
4. Open Group Policy Manager and select the appropriate OU (e.g. BCSplus), and then create a GPO.BCS DeploymentNone

5. Edit the GPO - Define Folders to be used/created on endpoint computers:

Computer Configuration > Preferences > Windows Settings > Folders

C:\gpo-bcs-files

This folder will be created and administered, on the endpoint computer(s), by this GPO

6. Edit the GPO - Map Files to be deployed to endpoint computers:

Computer Configuration > Preferences > Windows Settings > Files

Use Action: Replace
Source file(s): \\dc1\BCS-Files\ConfigureBCSPlus.bat

Destination file: C:\gpo-bcs-files\ConfigureBCSPlus.bat

Repeat for all files

(See step 3 for all example resource filenames)

IMPORTANT:

  • Be sure to edit the Source file name to use the UNC format,
    (e.g. \\dc1\BCS-Files\ConfigureBCSPlus.bat )
  • The file Destination is the (new) target folder on the client computer(s)
  • If browsing for the source file fails, type the full path manually

7. Edit the GPO - Create a Scheduled Task:

Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks

New Scheduled Task (At least Windows 7)

BCS Manager

  • General tab
    • Run using (NT AUTHORITY)\System account
    • Run whether user is logged on or not
    • Run with highest privileges
  • Triggers tab
    • One time – 2/29/2019 at 06:00
  • Actions tab
    • Start a program
    • Program/Script = C:\gpo-bcs-files\ConfigureBCSPlus.bat
    • Start in = C:\gpo-bcs-files
  • Conditions tab
    • Be sure Start only if the following network connection is available: Any connection is selected
  • Settings tab (defaults used)
  • Common tab (defaults used)

This example uses a one-time execution.

The task needs to be run with elevated privileges in order to be able to install the software.

 

8. Configure Firewall on endpoint computer(s) If you plan to push GPO updates, you may find it necessary to enable some inbound firewall settings on the endpoint computers.

Sample Batch File

This batch file, as described above, calls the example powershell script 'ExampleBCSConfig.ps1'.

ConfigureBCSPlus.bat

@echo off
setlocal enableextensions
:: NOTES =============================================================================
:: The following commands are sample CLI commands to invoke the powershell script.
:: There are separate commands for three types of Installations (Complete, Web Filtering only, or Malware Prevention only), Upgrade, and Uninstall.
:: Make sure to adjust the comment characters (::) and parameter contents for the command being called. Only one command line should be enabled at a time.
:: Parameter Descriptions:
:: curdir = %~dp0 << This default will resolve to the location from which the batch file launches on the endpoint. Optionally, the individual command call can be edited to use a static path in place of the %curdir% substitution (usually the same as -workDir). 
:: -workDir << This should be the full path to the location of the installer and bcs.key files on the endpoint.
:: -keyName << This should match the name of your bcs.key file.
:: -userPass << For the Uninstall command: The Agent Password from your Account Settings page.
:: -feature << For custom Install: Options are WebFiltering or MalwarePrevention
:: IMPORTANT - Take care to ensure that the version of the executable is updated to reference the executable to be used. (e.g. ...Setup-1.1.1.1 might need to change to ...Setup-1.9.9.9, etc.)
:: Deploy via GPO: Create a per-machine GPO that executes a Startup Script (make sure it runs with elevated permissions) that invokes the powershell script (or any other script that you created) to install or remove the BCS agent (executable).
:: Return codes:
:: 3010 - Uninstall successful. Reboot pending: On uninstall, a reboot is required before reinstalling the agent.
:: 0 - Installation successful. (Also on a "remove" action, if the agent is not installed).
:: 1601 - Install aborted. SETUP.EXE not found.
:: 1602 - Install aborted. Check KEYPATH value.
:: 1603 - Uninstall canceled. Most likely because either the Tamper Proof reature is disabled or the wrong password was provided.
:: For any of the 16xx return codes, also check the component MSI logs which can be found in the %temp% folder of the process owner.
:: ===================================================================================
set curdir = %~dp0
::INSTALL COMPLETE
powershell.exe -NoProfile -executionpolicy bypass -file "%curdir%ExampleBCSConfig.ps1" -action "install" -workDir "C:\Barracuda" -setupName "BarracudaContentShieldSetup-1.1.1.1.exe" -keyName "bcs.key"
::INSTALL ONLY WebFiltering 
::powershell.exe -NoProfile -executionpolicy bypass -file "%curdir%ExampleBCSConfig.ps1" -action "install" -workDir "C:\Barracuda" -setupName "BarracudaContentShieldSetup-1.1.1.1.exe" -keyName "bcs.key" -feature "WebFiltering"
::INSTALL ONLY MalwarePrevention 
::powershell.exe -NoProfile -executionpolicy bypass -file "%curdir%ExampleBCSConfig.ps1" -action "install" -workDir "C:\Barracuda" -setupName "BarracudaContentShieldSetup-1.1.1.1.exe" -keyName "bcs.key" -feature "MalwarePrevention"
::UPGRADE existing installation (features are auto-detected and only installed will be updated)
::powershell.exe -NoProfile -executionpolicy bypass -file "%curdir%ExampleBCSConfig.ps1" -action "install" -workDir "C:\Barracuda" -setupName "BarracudaContentShieldSetup-1.1.1.1.exe" -keyName "bcs.key"
::UNINSTALL
::powershell.exe -NoProfile -executionpolicy bypass -file "%curdir%ExampleBCSConfig.ps1" -action "remove" -workDir "C:\Barracuda" -setupName "BarracudaContentShieldSetup-1.1.1.1.exe" -userPass "my_password"
endlocal
Last updated on