Patch Management Solution

Hello!

Is there a way to change the patch repository on site server to a file server?

I believe this can be done on NS: Settings > All Settings > Software > Patch Management > Core Services and change "Software Update Packages Location"

How can we accomplish this on package server?

 

THankS!!

 

There is no separate patch repository on site servers. All updates/plugins and software packages are stored under one directory on the site server. Your best bet to make a symbolic link on the package delivery folder located on the site server and direct it to the file server. Test it in a dev environment before testing production.

what directory? is it package delivery?

will this kb not apply to patch? http://www.symantec.com/business/support/index?page=content&id=HOWTO3545

 

I'm going to assume the agent was installed on the C drive of the site server... I'm not infront of a SS at the moment. But the directory name sounds right. It's best practice to install the agent on the drive with the largest disk space. If their is another drive on the site server, you may be better off to uninstall the agent, delete the SS from the CMDB and reinstall the agent to the drive with the largest disk space. Ps: the article only refers to software packages that are associated to software products

Yeah... I have also doubt that the article will apply to Patch Management....
I have browse the Package Server settings.. I think there is something like location in there but I don't have a chance to test or find out what it is....

Appreciate your thoughts on this.

Hello Marilou,

Open the Console > Settings > All Settings > Software > Patch Management > Windows Patch Remediation Settings > Policy and Package Settings; under the Package Distribution; Enable the setting for 'Use alternate download location on Package Server, and enter the alternate drive location in the field below. This is detailed in KM: HOWTO56242 - Section 7.

Keep in mind that once this is implemented, a run of the Check Software Update Package Integrity Job will need to be executed (should prompt you when clicking 'Save Changes' to start this process). This process will rebuild all the Patch Packages with the newly added snapshot data for downloading updates from that alternate download location within the database. It could take some time to rebuild on the SMP, and then replicate to the Site Servers on the overnight scheduled tasks (e.g. NS.Package Refresh and others).

Let me know if you have any further questions and I will be happy to help.

Joshua

Thanks for your reply Joshua!

For the follow-up question, if we have five site server and planning on putting patches on a file server (different file server for each site) what will be our strategy there?

And also what will be the patch replication time? Will it be the agent default update of site server (configuration request)? Any configuration that we can set for desired replication time?

Marilou

Unfortunately, the seeing I provided is a global setting. There isn't a setting for individual site servers at this time. You may submit an enhancement request, and that will allow Product Management & Development to see what it is the customers desire.

As for Update Configuration; that is the Site Server Agent that will request any new Patch packages. This setting is managed on the Console > Settings > Agents/Plug-ins > Symantec Management Agent > Settings > Symantec Management Agent Settings - Targeted; select the 'All Site Servers' in the Policy Name pane, and on the General Tab under 'Download new configuration every:' and that will be when the Site Server will download packages.

Another thing to keep in mind; on the Windows Patch Remediation Settings > Policy and Package Settings tab; under Package Distributions, the 'Assign package to:' setting controls which Site Servers will get Patch Packages. There are 4 options, and the one that is not self-explanatory is the 'Package Servers automatically with manual prestaging'

The setting for 'Package Servers automatically with manual prestaging' configuration will only replicate Patch Packages to Site Servers if the Clients they manage request that package from that Site Server, and that request is sent to the SMP Server to replicate the package out to the Site Server for deployment. This setting has been confusing in the past for many and I wanted to ensure you were aware of it as you are configuring the environment.

This is covered in the configuration KM: HOWTO56242 - Section 7, for the 'best practice' setting is 'All Package Servers' as that will get the packages out there and ready for clients, for I have seen environmental communications issues that lose that 'request for package' from the clients, or from the Site Server and the package is never replicated with the 'Package Servers automatically with manual prestaging' setting in place.

Let me know if you have any further questions and I will be happy to help.

Thank you,

Joshua

 

Does global setting means that it can only perform locally (i.e. on Site Server local drive)? Can you site an example?

I just came to think that for each site server with dedicated file server for storage of patch we will just create a folder with same name.. would that work? Will it need configuration on Package Server individually under Policy and Package Settings?

To clarify; global setting means that it controls ALL of that item. The other policies in that list of Symantec Management Agent Settings - Targeted (e.g. All Desktop computers (excluding 'Site Servers') are controlling just that ALL of that resource type.

The folder will need to be in the same path/directory. That is where the product will read it and where it will store the updates for that Site Server.

You could play around in a test lab and confirm if your expectations are being met before rolling into production, for 'test-test-test' is the Patch motto.