8 Replies Latest reply on Mar 8, 2013 9:10 AM by adamg23

    Replacing agentless patching with agent based - Questions

    Rookie

      Hello,

      We've been using Shavlik / Vcenter Protect in our infrastructure for a while now.

      Until the past months, the patching was done using the agentless process. Due to changes in the organization, we are now facing patching servers all over the world.

      The agentless scans are taking over 3 hours per server (on a high-latency line).

      I've been trying to get agents installed and see if we can see any improvement in scan times.

      Couldn't find any specific answers in the documentation, so here are my questions (maybe anyone can help):

           1. At the moment ports 139 and 445 are opened from console to target servers - Do I need any additional port openings to be able to scan / patch the servers using agents (maybe 3121)?

           2. None of the servers have internet access so I need the agents to download patches / xml from the console (not able at the moment) - Again ports or

           I would prefer avoiding a distribution server so no additional ports need to be opened to a new server

           3. If I must use a distribution server can a DFS share be used?

           4. When using agents, will I be able to patch the servers at will, and not allow them to download and install the patches automatically?

                This is because the servers must be patched on specific dates and in a specific order, and a special restart procedure is in place for most of them.

      Hope someone has some answers.

      Thank you!

        • 1. Re: Replacing agentless patching with agent based - Questions
          Apprentice
          1. At the moment ports 139 and 445 are opened from console to target servers - Do I need any additional port openings to be able to scan / patch the servers using agents (maybe 3121) ?

          You will need 3121 from the agent to the console in order for the agent to report results to the server. You will also want 4155 open from the console to the agents so that you can perform agent tasks from the console.

               2. None of the servers have internet access so I need the agents to download patches / xml from the console (not able at the moment) - Again ports or. I would prefer avoiding a distribution server so no additional ports need to be opened to a new server

          The agent will get the data from either a Distribution Server or Vendor Over Internet. You can use the console patch repository as your Distribution Server; however, you will end up with a large latency issue pulling down patches to each machine. You can choose the method of connection and port in the Distribution Server setup.

               3. If I must use a distribution server can a DFS share be used?

          As long as the folder location is shareable and the agent machines can access the folder, it does not matter where it is housed.

               4. When using agents will I be able to patch the servers at will - not allow them to download and install automatically the patches
          This is due to the fact that the servers must be patched in specific dates, order and special restart procedure is in place for most of them.

          Agents by their design need to have a scheduled scan and deployment. You can create multiple agent policies to account for setting this process to run at specific times and days of the month for different groups of machines. The template can be set without a reboot if you need to reboot on a different schedule.

          I hope this helps,

          Matt

          • 2. Re: Replacing agentless patching with agent based - Questions
            Apprentice

            It occurs to me that you might be better off with remote consoles instead of agents and distribution servers.

            Just an idea.

            Matt

            • 3. Re: Replacing agentless patching with agent based - Questions
              Rookie

              Thank you for taking the time to clarify.

              I will probably go with the distribution points because we have sites spread all over the world and we would require one console per site (or sites linked by good connections).

              Thank you,

              Andrei

              • 4. Re: Replacing agentless patching with agent based - Questions
                Rookie

                I have managed to open ports for two servers and install / configure agents.

                Now after running new scans I can see no improvement in scan times...

                What am I doing wrong?

                • 5. Re: Replacing agentless patching with agent based - Questions
                  SupportEmployee

                  Are you still trying to run the scan from the Protect console?

                  To initiate the scan to run locally on the agent itself (from Protect), you need to go to Machine View or Agent Manager, then right click on the system, and choose Agents > Run Task From Policy > *select task*.

                  • 6. Re: Replacing agentless patching with agent based - Questions
                    Rookie

                    Hi,

                    I managed to get the agents to scan the servers locally and I get the number of missing patches.

                    My issue is that I need those results delivered to the console for reporting reasons.

                    Is this some setting that can be defined somewhere?

                    • 7. Re: Replacing agentless patching with agent based - Questions
                      Apprentice

                      The agents will push their results back to the console machine for reporting purposes by default. If they do not have an active connection to the console, they will retain the data, wait for communications to be restored, and attempt to resend the results.

                      When you are viewing machines in the Machine View, many times the machines with no machine group are these agent machines. Additionally, this location is where you see the missing patch count. Deployment results are available in the results view for agent machines. Both these locations are able to be reported on.

                      If you are not able to see agent data in these locations, the problem most likely stems from communications between the agent machine and the console.

                      Please verify communications as defined in our Administration Manual on page 8, located here: http://www.shavlik.com/support/onlinehelp.aspx

                      If you continue to see problems with this and are unable to correct them, please call support at 1-866-407-5279 and open a support request.
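A quick way to do the communications check suggested above, using the ports named in reply 1 (TCP 3121 agent to console, TCP 4155 console to agent). This is an added example, not Shavlik's tooling or anything posted in the thread; it is run on an agent machine, and CONSOLE_HOST is a placeholder for the real Protect console name.

```powershell
# Added example: verify Protect agent <-> console connectivity from an agent machine.
# CONSOLE_HOST is a placeholder; pass the real console name with -ConsoleHost.
param(
    [string]$ConsoleHost = 'CONSOLE_HOST'
)

# Outbound: the agent uploads scan/deployment results to the console on TCP 3121.
# Test-NetConnection performs a TCP connect; -InformationLevel Quiet yields $true/$false.
$consoleReachable = Test-NetConnection -ComputerName $ConsoleHost -Port 3121 `
    -InformationLevel Quiet -WarningAction SilentlyContinue
if ($consoleReachable) {
    Write-Output ("OPEN     TCP 3121 -> {0}  (agent can report results to the console)" -f $ConsoleHost)
} else {
    Write-Output ("BLOCKED  TCP 3121 -> {0}  (results will queue locally until this is fixed)" -f $ConsoleHost)
}

# Inbound: 'Run Task From Policy' from the console arrives on TCP 4155, so a local
# listener must exist and the host firewall must allow it in.
$listener = Get-NetTCPConnection -LocalPort 4155 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $owner = Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue
    Write-Output ("LISTEN   TCP 4155 on this host, owned by process '{0}'" -f $owner.ProcessName)
} else {
    Write-Output 'MISSING  TCP 4155 is not listening here; console-initiated agent tasks will fail'
}

# Host firewall: list enabled inbound allow rules whose port filter covers 4155
# (or all ports). An empty table means the console push will be dropped locally.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 4155 -or $_.LocalPort -eq 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

If 3121 reports BLOCKED, the agent is scanning locally but cannot deliver results, which matches the symptom in reply 6.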

                      • 8. Re: Replacing agentless patching with agent based - Questions
                        SupportEmployee

                        The basic answer is that the results from the agents are only viewable in the Protect console via 'Machine View'. (Go to Machine View > select a machine > View under the Patches tab.)

                        Machine View will always show the latest patch scan information that is stored in the Protect database, whether it be from an agent scan or a Protect console scan.

                        You can also run reports from Tools > Create Reports based on agent scan results.