3 Replies Latest reply on Jan 23, 2013 9:47 AM by SupportAL

    Agent Questions....

    PaulFreedman Apprentice

      As per my previous post we are in the process of testing an Agent deployment on a single machine before rolling out to further servers.


      I can now perform a scan with my Agent but have some questions related to it:


      1. Is there no way to install the missing patches from the Agent Console? I have a patch scan status with 181 patches missing, is there not a way of installing these. Or am I supposed to use the Patch Task that is associated with my policy? The problem I can see with this is that I don't want any patches being deployed automatically and this seems that you can only configure it to do that.
      2. If the above is true then is there a way that I can set up a Patch task that will only become active when manually started by a user logged onto the Agent console? The problem I can see is that the patch task has to be scheduled, which would result in patches being deployed automatically.
      3. Is it possible to deploy patches from the Console to machines that have Agents installed? When I try a test deployment it Fails with "Could not conenct to remote machine via ICMP" Is this because I need ports 139 & 445 allowing between my console and agent servers?
      4. From the console when I right click my machine and select Add to Machine group, the machine group is not being show in Machine View and the machine is still being shown as not in a group.


      Thanks for your help!

        • 1. Re: Agent Questions....

          Hi Paul ,

          Hope i can answer your questions here,
          The only patch operation you can begin from the Agent GUI is to initiate the Patch Scan
          And you are correct in assuming that you deploy the patches via the Patch Task associated with your policy. - See suggestion below

          Yes your assumptions are correct and a Patch Task must be scheduled at least once
          You can deploy Patches to machines which have Agents installed. However this action would take place in an "Agent-less" manor , and would require all the prerequisites associated with an agentless deployment including ports.
          Port requirements can be found in the Best Practice guide from here
          It is not possible to initiate a Patch Deployment to be carried out by the Agent installed on the Target machine from the Console. it must be part of the Patch Scan / Auto Deploy Process.
          This will not immediately update. The Machines groups and lists in Machine view are all based on scan results. You will need to rescan the Machine Group to see the additional machine.
          To be more selective in which patches your agent deploys , the best way is to start using Patch Groups.
          Create a Patch Group with only the patches you wish the Agent to Deploy. Configure this in a Custom Patch Scan Template. Use this custom patch scan template in your Agent Policy. Set an auto deploy.
          As new patches become released and approved for deployment, add them to the Patch Group , When the next scheduled deployment takes place on the agent , the new patches added to the group will be deployed.
          Hope this helps ,
          1 of 1 people found this helpful
          • 2. Re: Agent Questions....
            PaulFreedman Apprentice

            Thanks for your reply, it's very helpful in understanding the options.


            The reason I have used agents is because the systems are in another domain which is not trusted, do I have to use agents in this scenario? Or could I use agentless like I am currently?


            With regards to ports I have allowed the following:


            Agent to Console  - 3121, 443, 139, 445

            Console to Agent - 4155, 139, 445


            Do I need more?



            • 3. Re: Agent Questions....

              No Problems Paul ,


              Yeah , would be best in your scenario really.

              Agentless Scan/Deploy can run into some difficulty going across Domains , Especially if you are using Machine name to configure your Machine Groups. IPAddress would be best generally.

              You have the added complication of the Domains not having trust , so you are going to run into some Security / Credential issues.

              Agents the way to go i feel.


              Regarding Ports , I found a KB which has a more complete explanation



              Port requirements for Agents are little less, but depending on your configuration. Whether you are using a Distribution Server , Using Listening Agents etc.

              Generally Port 4155 and the File Share ports on the Agent Machine

              Port 3121 on the Console Server for sure too so Agent can check in.

              Best to follow the above KB at first and lock down after.


              If you want to delve more into the configuration and setup there is lots of documentation available here.



              Any problems or run into any issues you can always open a support ticket. We will be more than happy to help you out



              Anthony ,