Showing results for 
Search instead for 
Did you mean: 
Create Post

Using Patch Manager in a Disconnected Network Environment

Level 17

One of the scenarios sometimes encountered in patch management environments is the disconnected network. Microsoft recognized this need and created functionality in WSUS to handle disconnected networks, and I wrote about this in the PatchZone article: Considerations with the WSUS Disconnected Network Environment.

Just to review, a disconnected network scenario with WSUS and Patch Manager looks like this:


One of each server (WSUS, Patch Manager) in each network.

Patch Manager Enhancements for Disconnected Operations

Patch Manager also provides a similar capability as WSUS, but with a couple of nice enhancements. First, where WSUS requires you to export all of the updates in the catalog, Patch Manager allows you to export one, some, or all of the updates. Second, WSUS requires you to export the metadata separately from the installation files; Patch Manager allows you to bundle them in the same CAB file for transport on removable media. Detailed procedures can be found in the Patch Manager Administrator Guide, in the section “Importing and Exporting Catalog” on page 52.

The Challenge for Patch Manager in a Disconnected Environment

However, the biggest challenge for Patch Manager in this scenario is not a technological problem, but rather a licensing problem. There’s no argument that a 250-node license for a two client installation of Patch Manager on the connected network is a pretty steep price to pay. If you were willing to forego telephone support for that connected server, you could use a 50-node installation of DameWare Patch Manager, but even that’s a pricey cost for a two-node network.

The good news, however, is that you do not have to purchase a separate license for your single-node connected network. With a bit of creative use of Patch Manager server roles, you can license that connected server as a node of the license applied to the disconnected server. Let’s look at how this is done.

Install Both Servers from Disconnected Network

On the disconnected network, we’re going to install the Patch Manager Primary Application Server (PAS). This is the server that will be used to manage the WSUS server in the disconnected network, as well as the clients of the disconnected network.

Also, on the disconnected network, we’re going to install a Patch Manager Secondary Application Server (SAS) with the Management Server role. This server will be registered with the PAS, and as such, will be automatically licensed for use by the license applied to the PAS. Note that this can be either a physical system or a virtual machine. When we’re ready to put this SAS in service, it’s just a matter of transporting the physical system (or virtual machine files) across the network gap and plugging it into the connected network.

Create Scope Objects on PAS for SAS

There is one technological consideration to be aware of in this scenario. The PAS replicates all defined scope objects (Domains, Workgroups, WSUS Servers, and Computers) to the SAS. In order to get the connected WSUS server registered on the SAS, the WSUS server scope object must be created at the PAS and replicated before moving the SAS to the connected network.


From the Patch Manager System Configuration node, in the Details Pane, double-click on Scope Management. Click on Add Rule, and select Update Services Server. Use the “Enter the object to add” button to manually  create an entry for the connected WSUS server, and click on Save. In a couple of minutes, that scope declaration will replicate to the SAS. You can access the Scope Management tool on the SAS to confirm. You may also wish to add the Domain or Workgroup for the connected network.

Deploy SAS to Connected Network

One the replication is completed and the SAS moved to the connected network, the connected WSUS server can be registered on the SAS and added to the management group defined on the SAS.

Credentials, Credential Rings, Security Role memberships, and User Preferences are all entities defined at each individual application server, so you can create those directly on the SAS at any time, before or after actual deployment to the connected network.

If you’re not currently using Patch Manager and you have a disconnected network environment, check it out. Download your 30-day trial today. Even if you don’t have a disconnected network, try it anyway!

1 Comment
Level 15

Hmm, had not thought about that scenario.  Thanks!

About the Author
I'm a Head Geek and technical product marketing manager at SolarWinds. I wrote my first computer program in RPG-II in 1974 to calculate quadratic equations and tested it on some spare weekend cycles on an IBM System/3 that I ‘borrowed’ from my father’s employer. After that I dabbled, studied, and actually programmed in just about every language known for the past 40 years; worked on a half-dozen different variants of Unix on 3B2s, RS6000s, HP9000s, Sparc workstations, and Intel systems; connected to CompuServe on a 300 baud modem; ran a FidoNet BBS on OS/2 on a 9600 bps modem; and started working with Windows when Windows NT4 was still the latest operating system. Along the way, I did a few years in database programming and database administration. I installed some of the first ADSL and SDSL Internet circuits in Texas, and then migrated into full-time Windows systems management, which had a lot to do with my interest in SUS and WSUS 10 years ago. This ultimately led me to EminentWare in 2009, and SolarWinds three years later.