Do you use PXE/DHCP Booting at work?

Hi,

I've been tasked with coming up with a solution to implement PXE as a method of re-imaging devices.

Currently, we use bootable floppy/USB disks with Norton Ghost but this is such an unreliable media type. I work for a retail company with 160 outlets, each of which will have between 12 and 100 devices.

I'd like to know how other people do this? I understand the basics of how it works (Booting using DHCP) but would like to know what client you use on the server, how you configure it, etc.
 
I'll look into those. I want it to work so that you boot a device up, choose the onboard NIC as the boot device, device then downloads the boot disk and prompts for username/password. Device then downloads and extracts image.

The server with the DHCP/PXE service is Windows 2008. The devices requiring the image are Windows XP POS Ready.

It seems with the above mentioned WDS that you can push an image out to a device. Do you need the machine booted and on the network to do this? Can it do it via MAC address?
 
Ah it seems you need all of the servers hosting the image to be in an AD domain. We haven't and won't be able to do that. Shame, looked like a nice product.

Any other recommendations?
 
I'm tearing my hair out with this, I found a good solution using Freeware and products we already have:

DualServer for the DHCP server service which is nice and simple to configure using the ini file (http://sourceforge.net/projects/dhcp-dns-server/)

Then using either 3COM Symantec Ghost for the PXE TFTP (http://www.symantec.com/business/support/index?page=content&id=TECH107441&key=52020&actp=LIST) or part of our Computer Associates DSM suite which has imaging/PXE capabilities.

The kick in the face I've just received is PCI Compliance issues. Namely using TFTP and not SFTP, etc.

Does anyone else work in a PCI Compliant (Payment Card Industry) environment? It literally just deflates any ideas you have and says NO!
 
That shouldn't be a compliance issue in an isolated factory area anyway however to please the compliance nazis... It's a non-secure protocol but the stuff being transferred isn't controlled data. It's just chunks of the imaging software and OS kernel needed to boot the PC, which are freely available outside of your organisation anyway.
In terms of the actual hard drive image which could contain controlled data, this can be encrypted when you create it and will only be decrypted on the client PC as it's imaging.
So you could argue that the stream is encrypted at the application level rather than the protocol level.

Our environment is in retail stores, and the devices being imaged are POS devices. The O/S is standard (XP POS Ready), but the application is company specific.
Is it possible to encrypt .gho images, and then use the ghost.exe to decrypt it once it's downloaded it to the device? I've had a quick google of this and not found much.

I don't use anything which is in a full always active setup but I have software on my laptop I used to PXE boot machines for cloning. Basically:

1) Laptop into network at the site I'm at
2) software setup to boot a bootable CD image I've created (which contains ghost and my server mappings for the .gho images etc)
3) set device (i.e. tabletPC with no cdrom etc) to boot from PXE, it finds PXE server running on my laptop, boots to PXE and loads the bootable CD image. Then I just select the image I want from the drive mappings and away it goes.

Not a great system but works well when faced with a bunch of tabletPC's with no CD.

Normally day to day, I just use a bootable CD with the drivers on I need, running Ghostcast Server on a Server 2008 box which hosts the images.

Yes, we use something similar for when our technicians are onsite. Unfortunately it is not them that re-image the devices, it is normally store staff who are not IT trained or savvy. Our current solution:

- Staff call to make bootable floppy disk
- Staff takes disk to device, and reboots it
- Disk loads DOS, network driver, net, etc and maps a drive to a server hosting the image
- ghost.exe is then called to grab the image, pull it down, extract it and reboot the device
- Device is then configured (IP, device name, company specific config, etc) using a bespoke configuration tool

The problem is, floppy disks are a tiresome unreliable media which can be lost, changed, etc. I spend far too much time supporting that and I want to move on to using DHCP.

The problem is challenges I've received regarding security and PCI regulations:

- TFTP is not secure (So I'd need another method of downloading the boot disk image, can you use SFTP for this?)
- DHCP is not a supported/secure protocol (I've got around this by saying it will only be running when a device is being imaged and then stopped)

I'm struggling to find an alternative to TFTP or PXE in general. Any suggestions?
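
The two objections listed in the last post come down to DHCP and TFTP being unauthenticated: a PXE client cannot verify which server answered it. One compensating control is to watch DHCP replies on the store network for boot servers other than the sanctioned one. The following is an added example, not code from any poster in this thread; the approved address `10.20.0.5`, the function names and the sample packet are assumptions constructed for illustration, and capturing the raw UDP payloads is left to whatever sniffer is in use.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"             # DHCP magic cookie (RFC 2131)
APPROVED_BOOT_SERVERS = {"10.20.0.5"}   # assumption: the sanctioned imaging server

def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))

def _text(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_reply(pkt: bytes) -> dict:
    """Pull the fields a PXE client acts on out of a raw DHCP reply payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:   # 255 = end of options
        if pkt[i] == 0:                     # 0 = pad byte, has no length field
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return {
        "msg_type": (opts.get(53) or b"\x00")[0],            # 2 = OFFER, 5 = ACK
        "dhcp_server": _ip(opts.get(54, bytes(4))),          # option 54, server identifier
        # This example prefers options 66/67 and falls back to siaddr/file.
        "boot_server": _text(opts[66]) if 66 in opts else _ip(pkt[20:24]),
        "boot_file": _text(opts[67]) if 67 in opts else _text(pkt[108:236]),
    }

def audit(pkt: bytes):
    """Return an alert string if a reply names an unapproved boot server, else None."""
    r = parse_reply(pkt)
    boots = r["msg_type"] in (2, 5) and bool(r["boot_file"] or r["boot_server"] != "0.0.0.0")
    if boots and r["boot_server"] not in APPROVED_BOOT_SERVERS:
        return f"unapproved PXE boot server {r['boot_server']} (DHCP server {r['dhcp_server']})"
    return None

def sample_reply(dhcp_server: str, next_server: str, boot_file: bytes) -> bytes:
    """Constructed DHCPOFFER for testing: BOOTP header plus options 53 and 54."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                      ip("10.20.0.50"), ip(next_server), bytes(4), bytes(16), b"", boot_file)
    return hdr + MAGIC + b"\x35\x01\x02\x36\x04" + ip(dhcp_server) + b"\xff"
```

A reply that carries no boot information (an ordinary address lease) is ignored, so the check only alerts on servers that would actually hand a client something to boot.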
 