How do I configure Patch Management 7.1.X / 7.5 to operate without an internet connection?

Article:HOWTO59024  |  Created: 2011-08-23  |  Updated: 2014-08-22  |  Article URL http://www.symantec.com/docs/HOWTO59024
Article Type
How To



Question
What are the required steps to configure Patch Management Solution 7.1.X & 7.5 to run without an Internet connection?

Answer
Two servers are required to run Patch Management Solution for Windows in an environment where the management server has no internet access. The first server must be internet facing so it can download the metadata (PMImport) and the update files (.exe, .msp, .msi, etc.) from the vendors; the second is the non-internet-facing server that actually patches the clients.
Follow the steps below to configure the two servers so that a server with limited or no internet access can successfully patch clients.
Internet facing server steps
-          Download the metadata (PMImport) used by Patch Management Solution for Windows, which associates bulletins, vendors, software, and updates with one another and carries other supporting information.
o   In the Symantec Management Console go to Home> Patch Management
o   Select Windows> Settings> Meta Data Import Task.
o   In the right-hand pane open 'Vendors and Software'
o   Click 'Update' and wait for the process to complete. This typically takes a couple of minutes.
o   Once the initial import has completed, select the desired vendors and languages
o   Save the changes and click the 'Update' button again after saving
o   Under the 'Task Status' section create a new schedule. Save the changes, then create an additional schedule to run 'Now'.
Note: The status can be monitored by right-clicking the running task under the Task Status section.
-          Download the updates to be deployed on the Internet facing server.
o   In the Symantec Management Console go to Home> Patch Management
o   Select Windows> Compliance and Remediation> Remediation Center
o   Select the desired vendor from the drop-down list and use the Search field on the right to find the bulletins/updates to download. Shift-click and Ctrl-click select multiple bulletins/updates.
o   Right-click the selected bulletins/updates and select 'Download Packages'
-          Copy the following folders to a location that the non-internet-facing server can access (UNC share, DVD, etc.)
o   <Install Dir>:\Program Files\Altiris\Patch Management\Downloads (Entire directory)
o   <Install Dir>:\Program Files\Altiris\Patch Management\Packages\Updates (Entire directory)
Non-internet facing server steps
-          Copy the files from the internet-facing server to a location that the non-internet-facing server can access
-          Modify the location from which the server downloads and imports the metadata
o   In the Symantec Management Console go to Home> Patch Management
o   Select Windows> Settings> Meta Data Import Task
o   Under the General section, in the 'Alternative Location:' field, enter the UNC path to the pmimport.cab file inside the copied 'Downloads' folder. The path must end with the file name pmimport.cab, not just the folder.
o   In the right-hand pane open 'Vendors and Software'
o   Click 'Update' and wait for the process to complete. This typically takes a couple of minutes.
o   Once the initial import has completed, select the desired vendors and languages
o   Save the changes and click the 'Update' button again after saving
o   Under the 'Task Status' section create a new schedule. Save the changes, then create an additional schedule to run 'Now'.
o   Once this import has completed, move to the next step. The status can be monitored by right-clicking the running task under the Task Status section.
-          Define an alternate download location
o   In the Symantec Management Console go to Settings> Settings> Software> Patch Management> Core Services
o   Select 'Download from staging location:' and enter the path to which the 'Updates' folder was copied
o   Save the changes
-          Deploy the updates from the non-internet-facing server.
o   In the Symantec Management Console go to Home> Patch Management
o   Select Windows> Compliance and Remediation> Remediation Center
o   Select the desired vendor from the drop-down list and use the Search field on the right to find the bulletins/updates to deploy.
o   Right-click the selected bulletins/updates and select 'Distribute Packages'
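The copy steps above (mirror the 'Downloads' and 'Packages\Updates' folders from the internet-facing server, then point the non-internet-facing server at the copies) can be scripted. The PowerShell below is an added example, not part of this article or of the Patch Management product. It assumes a hypothetical install directory C:\Program Files\Altiris\Patch Management, a hypothetical staging share \\staging\patchstage reachable from both servers (or a folder burned to DVD), and Get-FileHash, which needs PowerShell 4 or later. It adds one check the console does not perform: a SHA-256 manifest written on the internet-facing side and verified on the offline side, so a corrupted or altered package set is caught before the Meta Data Import Task or the Software Update Policies consume it.

```powershell
<#
  Added example (hypothetical script name Stage-PatchContent.ps1), not from the article.
  -Mode Export : run on the internet-facing server after 'Download Packages' completes
  -Mode Verify : run on the non-internet-facing server before entering the paths in the console
  All paths below are assumptions; adjust them for your environment.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Verify')][string]$Mode,
    [string]$InstallDir = 'C:\Program Files\Altiris\Patch Management',   # assumed install path
    [string]$Staging    = '\\staging\patchstage'                          # assumed staging share
)

$folders  = @('Downloads', 'Packages\Updates')    # the two folders the article says to copy in full
$manifest = Join-Path $Staging 'manifest.sha256'

function Get-RelativeHashes {
    param([string]$Root)
    # SHA-256 every file under $Root, keyed by a path relative to $Root so Export and Verify agree
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Name -ne 'manifest.sha256' } |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName.Substring($Root.Length).TrimStart('\')
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Find-PmImport {
    # 'Alternative Location' must be the full path to pmimport.cab inside the copied Downloads folder
    Get-ChildItem -Path (Join-Path $Staging 'Downloads') -Recurse -File -Filter 'pmimport.cab' |
        Select-Object -First 1
}

switch ($Mode) {
    'Export' {
        foreach ($f in $folders) {
            $src = Join-Path $InstallDir $f
            $dst = Join-Path $Staging $f
            if (-not (Test-Path $src)) { throw "Missing source folder: $src" }
            # /MIR mirrors the entire directory tree; robocopy exit codes >= 8 indicate failure
            robocopy $src $dst /MIR /R:2 /W:5 /NFL /NDL /NJH /NJS | Out-Null
            if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $src (exit code $LASTEXITCODE)" }
        }
        $cab = Find-PmImport
        if (-not $cab) { throw "pmimport.cab not found under $Staging\Downloads; run the Meta Data Import Task first" }
        # Write a sha256sum-style manifest: "<hash>  <relative path>"
        Get-RelativeHashes -Root $Staging |
            ForEach-Object { "$($_.Hash)  $($_.Path)" } |
            Set-Content -Path $manifest -Encoding ASCII
        Write-Output "Exported. Alternative Location to enter on the offline server: $($cab.FullName)"
    }
    'Verify' {
        if (-not (Test-Path $manifest)) { throw "No manifest found at $manifest" }
        $expected = @{}
        Get-Content $manifest | ForEach-Object {
            $hash, $rel = $_ -split '  ', 2     # split on the first double space only
            $expected[$rel] = $hash
        }
        $actual = @{}
        Get-RelativeHashes -Root $Staging | ForEach-Object { $actual[$_.Path] = $_.Hash }

        # Report every file that is missing, changed, or not listed in the manifest
        $bad = @()
        foreach ($rel in $expected.Keys) {
            if (-not $actual.ContainsKey($rel))        { $bad += "missing:    $rel" }
            elseif ($actual[$rel] -ne $expected[$rel]) { $bad += "modified:   $rel" }
        }
        foreach ($rel in $actual.Keys) {
            if (-not $expected.ContainsKey($rel))      { $bad += "unexpected: $rel" }
        }
        if ($bad) {
            $bad | Write-Warning
            throw "Staging content does not match the manifest; do not import it"
        }
        $cab = Find-PmImport
        if (-not $cab) { throw "pmimport.cab not found under $Staging\Downloads" }
        Write-Output "Verified $($expected.Count) files."
        Write-Output "Alternative Location (Meta Data Import Task): $($cab.FullName)"
        Write-Output "Download from staging location (Core Services): $(Join-Path $Staging 'Packages\Updates')"
    }
}
```

The two paths printed by Verify are the values to enter in 'Alternative Location:' and 'Download from staging location:'. The manifest only protects against corruption and opportunistic tampering in transit: anyone who can write to the staging share can rewrite the manifest as well, so carry the manifest on a separate channel, or sign it, when the staging share is not trusted. Note also that /MIR deletes anything in the destination folders that no longer exists on the internet-facing server, which is the intended behaviour for a staging copy but not for a folder you share with other content.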
Patch Management 7.5 advisory: If the Site Servers / clients are managed through Cloud-enabled Management (CEM), they will not be able to reach an SMP that sits behind the non-internet-facing environment, so they will receive neither the patch packages nor the Patch Policies needed to run the Software Update Cycle. As long as the clients and Site Servers can communicate with the SMP at all times within the DMZ (the non-internet environment), the Patch and Core processes shouldn't have problems functioning with this configuration.

Note: The new location entered for pmimport.cab must include the file name (the full path to pmimport.cab, not just its folder).

Advisory: This process is only available for Patch Management Solution for Windows, as outlined in KM: DOC3955, page 31, Table 5-1. Equivalent functionality for other vendors, such as Linux, has been submitted to Development as an Enhancement Request and is under review for inclusion in a future release of Patch Management.

Hierarchy Configuration: This process can be implemented in a Hierarchy as follows:

  1. Hierarchical environment with no internet access for any Symantec Management Platform (SMP): work through the following:
    • Configure the Parent SMP as detailed above:
      • Internet-facing server steps
      • Non-internet-facing server steps
    • Configure the Child SMP 'Core Services' > 'Download from staging location' to target the Parent SMP's 'To Location:'
      • Found on the Child SMP Console > Settings > All Settings > Software > Patch Management > Core Settings > 'Download from staging location'
      • Note: This location must point at the Parent SMP's folder structure holding the update packages the Parent SMP downloaded from the vendor site. If that location is not reachable from the Child SMP, move those packages to a location the Child SMP can access and set 'Download from staging location' accordingly.
    • Attach the Child SMP to the Hierarchy and run replication on schedule
      • See KM: HOWTO83929 for further details on scheduling replication in a Hierarchy.

  2. Hierarchical environment with no internet access for the Child SMP(s) only: work through the following on each affected Child Symantec Management Platform (SMP) before implementing the Hierarchy:
    • Run the attached SQL scripts to remove the 'Replicable' status of the Patch 'Core Services' settings
      • Caution: Always ensure a recent backup of the database is in place before running any SQL scripts
    • Configure the Child SMP 'Core Services' > 'Download from staging location' to target the Parent SMP's 'To Location:'
      • Found on the Child SMP Console > Settings > All Settings > Software > Patch Management > Core Settings > 'Download from staging location'
      • Note: This location must point at the Parent SMP's folder structure holding the update packages the Parent SMP downloaded from the vendor site. If that location is not reachable from the Child SMP, move those packages to a location the Child SMP can access and set 'Download from staging location' accordingly.
    • Attach the Child SMP to the Hierarchy and run replication on schedule
      • See KM: HOWTO83929 for further details on scheduling replication in a Hierarchy.

Attachments

The attached script contains comments that indicate which statements to run against the Parent database and which against the Child database. Caution: Always ensure a recent backup of the database is in place before running any SQL scripts.
SQL Script - Remove Replicable - Patch 'Core Services'.txt (363 Bytes)


