Configuring Patch Management 8.x to operate without an internet connection.


Article ID: 180645


Updated On:

Products

Patch Management Solution for Windows, Patch Management Solution

Issue/Introduction

What are the required steps to configure Patch Management Solution to run without an Internet connection?

Resolution

Two servers are required to run Patch Management Solution for Windows on a server with no internet access. The first needs to be internet-facing so that it can download the metadata (PMImport) and update files (.exe, .msp, .msi, etc.) from the vendors.

Follow the steps below to configure the two servers, allowing a server with limited or no internet access to successfully patch clients.

Internet-facing server steps

-          Download the Meta Data used by Patch Management Solution for Windows to associate Bulletins, Vendors, Software, and Updates etc together as well as other information.

o   In the Symantec Management Console go to Home> Patch Management

o   Select Windows> Settings> Meta Data Import Task.

o   In the right-hand pane open Vendors and Software

o   Click ‘Update’ and wait for the process to complete (typically a couple of minutes).

o   Once the initial import has completed, select the desired Vendors and Languages

o   Save Changes and click the ‘Update’ button again after saving

o    Under the ‘Task Status’ section, create a New Schedule. Save changes, then add an additional schedule to run ‘Now’.
Note: The status can be monitored by right-clicking the running task under the Task Status section.

-          Download the updates to be deployed on the Internet-facing server.

o   In the Symantec Management Console go to Home> Patch Management

o   Select Windows> Compliance and Remediation> Remediation Center

o   Select the desired Vendor from the drop-down list and use the Search field to the right to select the desired bulletins\updates to download. Shift + click and CTRL + click work to select multiple bulletins\updates

o   Right-click the selected Bulletins\Updates and select ‘Download Packages’

-          Copy the following folders to a location that can be accessed by the Non Internet-facing server (UNC, DVD, etc)

o   <Install Dir>:\Program Files\Altiris\Patch Management\Downloads (Entire directory)

o   <Install Dir>:\Program Files\Altiris\Patch Management\Packages\Updates (Entire directory)
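
One way to confirm that the two copied folders reach the staging location unchanged is to hash them on the Internet-facing server and re-check them after the copy. This is an added example, not part of the original article or of the product; the function names, manifest format, drive letter and share name are assumptions, and it assumes both folders are copied under one staging root with their folder names (Downloads, Updates) preserved.

```powershell
function New-PatchManifest {
    # Run on the Internet-facing server after 'Download Packages' has completed.
    param(
        [Parameter(Mandatory)][string[]]$SourceDirs,   # the Downloads and Packages\Updates folders
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $rows = foreach ($dir in $SourceDirs) {
        $root = (Resolve-Path -LiteralPath $dir).ProviderPath.TrimEnd('\')
        $leaf = Split-Path $root -Leaf
        Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
            [pscustomobject]@{
                RelativePath = Join-Path $leaf $_.FullName.Substring($root.Length + 1)
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
    $rows | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-PatchManifest {
    # Run against the staging location before the offline server imports from it.
    # Returns one object per problem; an empty result means every file matched.
    param(
        [Parameter(Mandatory)][string]$StagingRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $file = Join-Path $StagingRoot $row.RelativePath
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            [pscustomobject]@{ File = $row.RelativePath; Problem = 'Missing' }
            continue
        }
        if ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $row.SHA256) {
            [pscustomobject]@{ File = $row.RelativePath; Problem = 'HashMismatch' }
            continue
        }
        # Vendor installers are normally Authenticode-signed; flag anything else for review.
        if ($file -match '\.(exe|msi|msp)$') {
            $sig = Get-AuthenticodeSignature -LiteralPath $file
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ File = $row.RelativePath; Problem = "Signature:$($sig.Status)" }
            }
        }
    }
}

# Constructed usage (drive letter, transfer path and share name are assumptions):
# New-PatchManifest -ManifestPath 'E:\transfer\manifest.csv' -SourceDirs `
#     'C:\Program Files\Altiris\Patch Management\Downloads',
#     'C:\Program Files\Altiris\Patch Management\Packages\Updates'
# Test-PatchManifest -StagingRoot '\\fileserver\PatchStaging' -ManifestPath 'E:\transfer\manifest.csv'
```

Carry the manifest separately from the share it describes, so that anyone able to modify the staged packages cannot also rewrite the expected hashes.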

Non-internet facing server steps

-          Copy the files from the Internet-facing server to a location that can be accessed by the Non Internet-facing server

-          Modify the location the server will download and import the Meta Data from

o   In the Symantec Management Console go to Home> Patch Management

o   Select Windows> Settings> Meta Data Import Task

o   Under the General section 'Alternative Location:’ field, enter the UNC path to the pmimport.cab file contained in the location where the ‘Downloads’ folder was copied (This is UNC as it is a local store, but a redirect could be implemented through HTTP in the environment if necessary).


 

o   In the right-hand pane open ‘Vendors and Software’

o   Click ‘Update’ and wait for the process to complete (typically a couple of minutes).

o   Once the initial import has completed, select the desired Vendors and Languages

o   Save Changes and click the ‘Update’ button again after saving

o    Under the ‘Task Status’ section, create a new schedule. Save changes, then add an additional schedule to run ‘Now’.

o   Once this Import has completed move to the next step. The status can be monitored by right-clicking the running task under the Task Status section.

-          Define an Alternate download location

o   In the Symantec Management Console go to Settings> Settings> Software> Patch Management> Core Services

o   Select ‘Download from staging location:’ and enter the location the Updates folder was copied to
Note: The staging location is where the non-internet facing server will retrieve the packages that were downloaded from the internet facing server. Therefore, any packages downloaded from the internet facing server will need to be copied to the specified staging location. 

o   Save Changes

 


-          Deploy the updates on the Non Internet-facing server.

o   In the Symantec Management Console go to Home> Patch Management

o   Select Windows> Compliance and Remediation> Remediation Center

o   Select the desired Vendor from the drop-down list and use the Search field to the right to select the desired bulletins\updates to deploy.

o   Right-click the selected Bulletins\Updates and select ‘Distribute Packages’


Note: Bulletins/files that you want to download on an offline server must first be downloaded on an online server. Unless the bulletins/files are first downloaded on an online server and then shared with, or moved to, the offline server, you will not be able to create the given bulletin on the offline server.

 

Patch Management 7.5 Advisory: If the Site Servers / Clients are in Cloud Enabled Management (CEM), they will not be able to access the SMP that is held behind the non-internet facing environment, so they will not get the Patch Packages or the needed Patch Policies to run the Software Update Cycle. As long as the Clients and Site Servers are able to communicate with the SMP full time within the DMZ (non-internet environment), the Patch/Core processes shouldn't have problems functioning with this configuration.

Note: The new file location for the pmimport.cab file should include the file name.

The following process can be implemented in a Hierarchy for the same type of environment as follows:

  1. Hierarchical environments with no internet for all Symantec Management Platforms (SMP): Work through the following:

    • Configure the Parent SMP as detailed above

      • Internet-facing server steps

      • Non-Internet facing server steps

    • Configure the Child SMP 'Core Services' > 'Download from staging location' to target the Parent SMP's 'To Location:'

      • Found on the Child SMP Console > Settings > All Settings > Software > Patch Management > Core Settings > 'Download from staging location'

      • Note: This location needs to target the Parent SMP's folder structure that holds the Update Packages downloaded by the Parent SMP from the vendor site. However, if that location is not reachable, those packages need to be moved to a location that the Child SMP is able to access, and the 'Download from staging location' modified accordingly.

    • Attach the Child SMP to the Hierarchy and run replications on schedule

  2. Hierarchical environments with no internet for Child SMP(s) only: Work through the following prior to implementing the Hierarchy on each affected Child Symantec Management Platform (SMP):

    • Run the attached SQL scripts to remove the 'Replicable' status of the Patch 'Core Services'

      • Caution: Always ensure a recent backup of the database is in place before running any updated SQL scripts

    • Configure the Child SMP 'Core Services' > 'Download from staging location' to target the Parent SMP's 'To Location:'

      • Found on the Child SMP Console > Settings > All Settings > Software > Patch Management > Core Settings > 'Download from staging location'

      • Note: This location needs to target the Parent SMP's folder structure that holds the Update Packages downloaded by the Parent SMP from the vendor site. However, if that location is not reachable, those packages need to be moved to a location that the Child SMP is able to access, and the 'Download from staging location' modified accordingly.

    • Attach the Child SMP to the Hierarchy and run replications on schedule

      • Please review KM: HOWTO83929 for further details regarding the scheduling process in Hierarchy.

 

Due to operating system limitations, this process cannot support Linux, Unix, or Mac Software Updates. This process is only available for Patch Management Solution for Windows.

Additional Information

Script comments detail which to run on Parent SMP and which to run on Child SMP databases. Always ensure a recent backup of the database is in place before running any updated SQL scripts.

Jira EM-26778

Attachments

SQL Script - Remove Replicable - Patch 'Core Services'.txt