There are a few customers that are unable to download patches from time to time. Sometimes it is an older Server OS hitting a new website (TLS / Cipher Suite issues), URL is not whitelisted through the Proxy, etc. There is a way to download the patch through another method, and then import the patch into the SMP. As an example of this situation, we will use Wireshark.
Error seen in the Console:
failed to download Software Update Package
Download failed for: SampleURL.com The remote server returned an error (403) Forbidden.
Wireshark Patches using the SMP Console. Customer checked with firewall team if any port is blocking the download from the Altiris Console but everything looks fine from their end. They are able to access the download link via browser from our computers and the SMP (The Download link is found in the SMP Logs - open LogViewer to review the logs).
You can also use Powershell Command Test-NetConnection <ipaddress> -port <port> to get similar results to PSPing. More information on Test-NetConnection: https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2025-ps
Patch Management 8.x
If you have a Proxy: The remote server returned an error (403) Forbidden
From the SMP Logs we found that the download failed for: https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.10.exe
Error message: The request was aborted: Could not create SSL/TLS secure channel.
We also see these download links, and their intended destination:
Start download [from:'https://2.na.dl.wireshark.org/win32/Wireshark-win32-3.4.6.exe' to:':\Program Files\..\Updates\WIRES34-210603\{82584f57-1ff4-4042-8866-04971aa0c13b}\Wireshark-win32-3.4.6.exe' task:Download Software Update Package]
Finished download [from:'https://2.na.dl.wireshark.org/win32/Wireshark-win32-3.4.6.exe' to:':\Program Files..\..\Updates\WIRES34-210603\{82584f57-1ff4-4042-8866-04971aa0c13b}\Wireshark-win32-3.4.6.exe'
Resolution #1: Use Wireshark to determine the Cipher Suite that the Website requires, and then use IISCrypto (download from Nartac.com) to 'add' this Cipher Suite to the OS of the SMP Server (click Best Practices in IISCrypto usually works). See KB How to Get the Cipher Suite List Presented in Wireshark.
Resolution #2: If you're getting the (403) Forbidden error, then you may have a Proxy and this new URL may need to be Whitelisted on the Proxy. See the Error logs for the exact URL to add to the Whitelist.
Workaround #1. Create a Software Package by Importing the Bulletin files as a new Software Package; then create a Managed Software Policy to deploy the Software Package, and finally create a Target of vulnerable systems.
Steps to complete the Workaround #1 using MANAGED SOFTWARE DELIVERY POLICY:
Workaround #2 brings the Update into PATCH MANAGEMENT by recreating the expected File Structure as if the files were downloaded by another SMP, and then import those files into the current SMP.
In Part 1 we will manually create the staging paths to import from (the Desktop works), and then in Part 2 we will do the Import from the Desktop into Patch Management. As an Example of how this works, we will use Wireshark and Chrome updates.
Part 1 - manually create the staging paths and files:
If you downloaded a Wireshark bulletin named Wireshark-YYMMDD in Part 1 above, You would have created the following file / folder structure:
Part 2 - Importing the Staged files into the SMP
This is similar to using Patch Management without an Internet Connection: KB Configuring Patch Management 8.x to operate without an internet connection. We're just creating the Import file structure instead of using another SMP to stage the downloads which would also create the same file structure.
For troubleshooting Cipher Suite issues, it is also possible to use Wireshark to tell us what Cipher Suites the Client and Server support. See KB How to Get the Cipher Suite List Presented in Wireshark. If you can make changes to the OS Cipher Suites, this may be helpful.