First and foremost it’s very important to read the UAC manual concerning start and end scripts and confirm that your configuration complies with it. Although the information has been supplied below, make a point to check the instructions on your Infranet Controller (IC) by going to “Help” and search for “Configuring User Roles” since this feature may change between releases.Run session start and end scripts
You can specify scripts to run on Windows endpoints for users assigned to a role after Odyssey Access Client (OAC) connects or disconnects with the Infranet Controller. For example, you can specify a script that maps network drives on an endpoint to share protected resources as a session start script, and you can specify a another script that disconnects the mapped network drives as session end script.
- Under Session Scripts, specify the location of the session start and end scripts you want to run on Windows endpoints after Odyssey Access Client connects or disconnects with the Infranet Controller.
- You can specify a fully qualified path.
- Scripts can be accessed locally or remotely by means of file share or other permanently-available local network resource.
- You can also use environment variables, such as
%USERNAME% in the script path name. For example:
- Click Save Changes.
When Odyssey Access Client connects to the Infranet Controller, the Infranet Controller copies the session start and end scripts to a temporary directory on the endpoint (defined by the
environment variable). When Odyssey Access Client disconnects, the Infranet Controller deletes the copied scripts from the temporary directory.
Enable Verbose OAC Debug Logging
- Windows only supports scripts with the .bat, .cmd, or .exe extension. To run a .vbs script, the user must have a batch file to call the .vbs script.
- Any files referenced in a script are not copied to the endpoint; only the script itself is copied. Any references to files in scripts must take the temporary directory on the endpoint location into account.
- After connecting to the Infranet Controller, Odyssey Access Client copies the session end script from a network drive to a temporary directory on the endpoint so that the end script can run if the network connection fails.
- The session scripts are run in the user’s context.
- If a user qualifies for multiple roles, all scripts for all roles are run. You cannot configure the order in which to run the scripts when multiple roles are assigned to a user.
If your configuration appears to be sound enable verbose OAC debug logging
by going to Tools > Logs > Settings
and set the debug level to 5 then make a L2 or L3 connection. If you are using a L2 connection make sure that the “Infranet Controller” session is established before disconnecting. Use the information below to determine the point of failure.
A “start script” will not be processed until the NCP connection is established which requires EAP-JUAC to be configured. If you look at the log output below once the NCP connection is established both a start and end script batch file was copied from a network share and downloaded to the client end point. The start script was placed into a temp directory and executed
'odService' IC Connection State = NCP_CONNECTED
'jpaService' CAgentManager::onSessionScripts(): Copying : \\172.28.81.60\sysvol\start.bat
'jpaService' CAgentManager::onSessionScripts(): Copying : \\172.28.81.60\sysvol\stop.bat
'jpaService' CAgentManager::onSessionScripts(): Executing : C:\Windows\TEMP\2072.tmp.bat
This snippet of log is an example of the end script being processed. Regardless of if the end script was processed successfully both scripts will be deleted from the temporary directories.
Problems and Suggestions:Problem:
IC Connection State = NCP_CLOSING
CAgentManager.cpp:796 CAgentManager::onSessionScripts(): Executing : C:\Windows\TEMP\2286.tmp.bat
odICTarget.cpp:345 Wait for script returned - 0
CAgentManager.cpp:829 CAgentManager::deleteScripts(): Deleted script : C:\Windows\TEMP\2072.tmp.bat
CAgentManager.cpp:829 CAgentManager::deleteScripts(): Deleted script : C:\Windows\TEMP\2286.tmp.bat
The script fails to download.Suggestion:
Confirm that an authenticated user has access to the network share and can manually see and execute the script. If you cannot, you may have a permissions or access issue.Problem:
The script is downloaded successfully but fails to run, or if your script is designed to launch a local
file that file fails to run.Suggestion:
Confirm that the scripts temporary directory or the location of the file you want to launch locally is in the systems “path” environment variable.
To verify this enter the “
” command into a command prompt. Review the output and confirm that the locations of the temporary directories or local files are present. See sample output below.
C:\Documents and Settings\Username>echo %path%
c:\windows;c:\windows\system32;c:\windows\system32\wbem;c:\perl\bin;c:\program files\ati technologies\ati.ace\; c:\program files\common files\emc;C:\Program Files\QuickTime\QTSystem\;C:\WINDOWS\system32;C
:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\Intel\Wireless\Bin\
If the files are not in the correct location you may modify the path with the instructions below.
- From the desktop, right-click My Computer and click properties.
- In the System Properties window, click on the Advanced tab.
- In the Advanced section, click the Environment Variables button.
- Finally, in the Environment Variables window, highlight the path variable in the Systems Variable section and click edit. Add or modify the path lines with the paths you wish the computer to access. Each different directory is separated with a semicolon.