There are a few customers that are unable to download patches from time to time.  Sometimes it is an older Server OS hitting a new website (TLS / Cipher Suite issues), URL is not whitelisted through the Proxy, etc.   There is a way to download the patch through another method, and then import the patch into the SMP.  As an example of this situation, we will use Wireshark.

Error seen in the Console:

failed to download Software Update Package

Download failed for:  SampleURL.com  The remote server returned an error (403) Forbidden.

Wireshark Patches using the SMP Console.  Customer checked with firewall team if any port is blocking the download from the Altiris Console but everything looks fine from their end. They are able to access the download link via browser from our computers and the SMP (The Download link is found in the SMP Logs - open LogViewer to review the logs). 

Patch Management 8.x

If you have a Proxy: The remote server returned an error (403) Forbidden 

From the SMP Logs we found that the download failed for: https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.10.exe

Error message: The request was aborted: Could not create SSL/TLS secure channel.

We also see these download links, and their intended destination:

Start download [from:'https://2.na.dl.wireshark.org/win32/Wireshark-win32-3.4.6.exe' to:':\Program Files\..\Updates\WIRES34-210603\{82584f57-1ff4-4042-8866-04971aa0c13b}\Wireshark-win32-3.4.6.exe' task:Download Software Update Package]
Finished download [from:'https://2.na.dl.wireshark.org/win32/Wireshark-win32-3.4.6.exe' to:':\Program Files..\..\Updates\WIRES34-210603\{82584f57-1ff4-4042-8866-04971aa0c13b}\Wireshark-win32-3.4.6.exe'

Resolution

Resolution #1: Use Wireshark to determine the Cipher Suite that the Website requires, and then use IISCrypto (download from Nartac.com) to 'add' this Cipher Suite to the OS of the SMP Server (click Best Practices in IISCrypto usually works).  See KB How to Get the Cipher Suite List Presented in Wireshark.

Resolution #2: If you're getting the (403) Forbidden error,  then you may have a Proxy and this new URL may need to be Whitelisted on the Proxy.  See the Error logs for the exact URL to add to the Whitelist.

Workarounds

Workaround #1. Create a Software Package by Importing the Bulletin files as a new Software Package; then create a Managed Software Policy to deploy the Software Package, and finally create a Target of vulnerable systems.

Steps to complete the Workaround #1 using MANAGED SOFTWARE DELIVERY POLICY:

1. Download the Update files to any computer
   1. The specific URL can be found in the SMP Logs for the patch you are trying to download. Alternatively, Google may be helpful
2. Copy the file over to the SMP
3. Use the Import Method to create a new Software Package
   1. See Page 39 of KB Software Management Best Practices and Troubleshooting 8.5/8.6/8.7 for additional information and instructions
4. Create a Managed Software Delivery Policy to deploy the package to targeted systems.
   1. See Page 77 of KB Software Management Best Practices and Troubleshooting 8.5/8.6/8.7 for additional instructions
5. Create a Target of systems to deploy
   1. Pages 78 and 71 of KB Software Management Best Practices and Troubleshooting 8.5/8.6/8.7

Workaround #2 brings the Update into PATCH MANAGEMENT by recreating the expected File Structure as if the files were downloaded by another SMP, and then import those files into the current SMP.

In Part 1 we will manually create the staging paths to import from (the Desktop works), and then in Part 2 we will do the Import from the Desktop into Patch Management.  As an Example of how this works, we will use Wireshark and Chrome updates.

Part 1 - manually create the staging paths and files:

1. Open up the Altiris LogViewer(Start > Symantec > Altiris LogViewer)
2. Find the Failed download messages.  If needed, use the Find: to search for "Wireshark"
3. There will be 2 error messages like this for each .exe:
   1. [1 / 4] Downloading Software Update Package [Wireshark-win64-X.X.XX.exe for WIRES34-XXXXX]
   2. Start download [from:'https://2.na.dl.wireshark.org/win64/Wireshark-win64-X.X.X.exe' to:'X:..\...\Updates\WIRES34-XXXX\{<XXXXXXX-some-GUID>}\Wireshark-win64-X.X.X.exe' task:Download Software Update Package]
4. These Log messages tell us:
   1. How many Files there are
   2. the Name of the Bulletin we are downloading
      
   3. the GUID for that Bulletin
      
   4. the URL / Download location for each file
5. Create a folder named Updates on the Desktop, or another location of your choice
6. Using the information from the Log file, create the expected Name \ {<GUID>} path in the Updates folder on the Desktop of the SMP
   
   1. NOTE: The name of each bulletin and GUID will be different with each release. 
7. Find file [1 / X], Locate its URL and Download the File using the browser of your choice.
8. Put the downloaded file in the following Path on the SMP: ..\Desktop\Updates\NameOfBulletin\{GUIDofBulletin}\File.exe
9. Repeat steps 6 - 8 with the next file until all files have been downloaded and put in the correct {GUIDofBulletin} folder.  Make sure to add the { } around the GUID as part of the path.
10. On the Desktop, you will now have created the needed File Structure to Import the files into the SMP, continue to Part 2.

If you downloaded a Wireshark bulletin named Wireshark-YYMMDD in Part 1 above, You would have created the following file / folder structure:

Part 2 - Importing the Staged files into the SMP

1. Open the SMP Console and go to Settings > All Settings > Software > Patch Management > Core Services
2. In Core Services, we are going to redirect the download to come from our Desktop or another location
3. Check the box next to Download from staging location: and enter the location of the files we created, i.e. C:\Users\MyUser\Desktop\Updates, and click save changes
4. Make sure the Application ID has rights to the location, and Use Application Credentials.  Alternatively, enter the user credentials needed.
5. In the SMP Console - find the Wireshark Bulletin you want to roll out in the Patch Remediation Center and click "Download Packages"
   1. The Files should be downloaded from your Desktop\Updates folder or another location
6. When the files download are complete, go back to Core Services, and uncheck the option "Download from staging location", and save changes
7. Check your Download Location in Core Services for the packages (i.e. ..\Program Files\Altiris\Patch Management\Packages\Updates)
   1. They should be there just like they were created: Bulletin Name \ {GUID folder} \ .exe
8. At this point you should be able to use the Patch Remediation Center to create a Patch Policy and distribute the files to targeted systems.

This is similar to using Patch Management without an Internet Connection: KB Configuring Patch Management 8.x to operate without an internet connection.  We're just creating the Import file structure instead of using another SMP to stage the downloads which would also create the same file structure.

For troubleshooting Cipher Suite issues, it is also possible to use Wireshark to tell us what Cipher Suites the Client and Server support.  See KB How to Get the Cipher Suite List Presented in Wireshark.  If you can make changes to the OS Cipher Suites, this may be helpful.