Patch Management Group

  • 1.  Best practices to patch servers in DMZ

    Posted Jul 25, 2016 12:45 PM

    Hello,

    What are the best practices for patching servers in the DMZ zone?

    Can anyone share their experience using a Patch Management solution?

    At the moment our DMZ servers are not managed by Altiris. We are looking for options to use the Altiris ITMS suite to keep the servers compliant.

    Thanks

    Tomasz




  • 2.  RE: Best practices to patch servers in DMZ

    Posted Jul 25, 2016 01:07 PM

    Hi Tomasz,

    Start with the settings outlined in HOWTO59024 if your SMP server is behind the DMZ and doesn't have internet access, as the Import Patch Data for Windows (PMImport MetaData) and Download Software Updates processes need internet access to build Software Update Packages and target them for deployment/install.

    However, if your SMP has internet access but is behind a proxy or other network security, ensure that SolutionSam.com is cleared for the Import Patch Data for Windows download, and review the tool provided in TECH186657: DownloadURLMaskMaker.exe can be used to see which URLs actually need to be cleared in the network security for the Download Software Updates process to complete.

    After that, the product will work just the same as it would in an internet-facing environment: the Clients will send Assessment Scan data to the SMP, the Patch Filter will update and target Applicable Software Updates, and Software Update Policies can be created in the Patch Remediation Center and used to deploy the Software Update Packages. The updates will install on the Software Update Cycle schedule configured in the Default Software Update Plug-in Policy (which can be cloned to target different computer groups/filters if needed, to separate rebooting and notifications).

    Let me know if you have any further questions and I will be happy to help.

    Thanks,

    Joshua



  • 3.  RE: Best practices to patch servers in DMZ

    Posted Jul 25, 2016 03:02 PM
    Reading the issue, I think the issue is not how to get Patch Management to work; it's more around getting it to patch the DMZ servers. I'm thinking either open up the Altiris ports between the SMP and the DMZ servers, since nothing else is needed, or use CEM (Cloud-enabled Management) clients for the DMZ.


  • 4.  RE: Best practices to patch servers in DMZ

    Posted Jul 25, 2016 03:23 PM

    In response to "DMZ servers are not managed by Altiris" and the request for best practices, I provided the setup and configuration of the product for the DMZ.

    If the problem is port usage, review DOC6770 for the complete listing for ITMS 7.5.x, 7.6.x and 8.0.x.

    Review HOWTO79448: this document will help with understanding the life cycle of Patch Management Solution and how to troubleshoot it if necessary.

    Configuring clones of the DSUP policy to schedule outside the regular patching schedule, and most likely restricting reboots since these are servers, is usually required. Please review the configuration and usage as per the HOWTO above and the links for configuration.

    Please let me know if any further questions arise and I will be happy to help.



  • 5.  RE: Best practices to patch servers in DMZ

    Posted Jul 26, 2016 04:10 AM

    That is correct. I am looking at how to patch the end clients in the DMZ, which are currently not managed and are running between 2 firewalls.

    I do not need to set up the PM solution in the DMZ zone.

    I do not like the option of opening ports for every single server to the NS. I am more towards the CEM solution.

    Is it enough to open port 443 for the DMZ client for patching to work?



  • 6.  RE: Best practices to patch servers in DMZ

    Posted Jul 26, 2016 04:12 AM

    Hello Joshua,

    Thank you for all the articles. What I am interested in are best practices for clients in the DMZ zone, not how to set up the NS in the DMZ zone.

    What is your internal policy for servers in the DMZ at Symantec? Can you share it with us?

    Thanks,

    Tomasz



  • 7.  RE: Best practices to patch servers in DMZ

    Trusted Advisor
    Posted Jul 28, 2016 12:02 PM

    Tomasz, you might find that people are hesitant to discuss specifics of their corporate security policies in a public forum, as this is a great way to do research on a potential target.

    That said, what do your corporate policies dictate for patching frequency? Why would you treat these servers differently than any others that you have? If anything, given that these servers are exposed to the outside world in some capacity, they might require a more frequent patch cycle than your others.

    Also, if you're finally able to bring them under management you'll want to take the opportunity to ensure that AV and any other security needs are accounted for, especially if you have to undertake a firewall rule change effort.