Hi Paul,

Hope I can answer your questions here.

1) The only patch operation you can begin from the Agent GUI is to initiate the Patch Scan. And you are correct in assuming that you deploy the patches via the Patch Task associated with your policy. See suggestion below.

2) Yes, your assumptions are correct and a Patch Task must be scheduled at least once.

3) You can deploy patches to machines which have Agents installed. However, this action would take place in an "Agent-less" manner, and would require all the prerequisites associated with an agentless deployment, including ports. Port requirements can be found in the Best Practice guide from here. It is not possible to initiate a Patch Deployment to be carried out by the Agent installed on the target machine from the Console. It must be part of the Patch Scan / Auto Deploy process.

4) This will not immediately update. The Machine groups and lists in Machine view are all based on scan results. You will need to rescan the Machine Group to see the additional machine.

To be more selective in which patches your agent deploys, the best way is to start using Patch Groups. Create a Patch Group with only the patches you wish the Agent to deploy. Configure this in a Custom Patch Scan Template. Use this custom patch scan template in your Agent Policy. Set an auto deploy. As new patches become released and approved for deployment, add them to the Patch Group. When the next scheduled deployment takes place on the agent, the new patches added to the group will be deployed.

Hope this helps,
Anthony
Thanks for your reply, it's very helpful in understanding the options.
The reason I have used agents is because the systems are in another domain which is not trusted. Do I have to use agents in this scenario, or could I use agentless like I am currently?
With regards to ports I have allowed the following:
Agent to Console - 3121, 443, 139, 445
Console to Agent - 4155, 139, 445
Do I need more?
No problems, Paul.
Yeah, agents would be best in your scenario really.
Agentless Scan/Deploy can run into some difficulty going across domains, especially if you are using machine name to configure your Machine Groups. IP address would be best generally.
You have the added complication of the domains not having trust, so you are going to run into some security / credential issues.
Agents are the way to go, I feel.
Regarding ports, I found a KB which has a more complete explanation.
Port requirements for Agents are a little less, but depend on your configuration: whether you are using a Distribution Server, using Listening Agents, etc.
Generally, port 4155 and the file share ports on the Agent machine.
Port 3121 on the Console server for sure too, so the Agent can check in.
Best to follow the above KB at first and lock down after.
If you want to delve more into the configuration and setup there is lots of documentation available here.
If you have any problems or run into any issues, you can always open a support ticket. We will be more than happy to help you out.