Using Patch Manager in a Disconnected Network Environment

One of the scenarios sometimes encountered in patch management environments is the disconnected network. Microsoft recognized this need and created functionality in WSUS to handle disconnected networks, and I wrote about this in the PatchZone article: Considerations with the WSUS Disconnected Network Environment.

Just to review, a disconnected network scenario with WSUS and Patch Manager looks like this:

[Figure: DisconnectedNeworkDiagram.png]

One of each server (WSUS, Patch Manager) in each network.

Patch Manager Enhancements for Disconnected Operations

Patch Manager provides a capability similar to WSUS’s, but with a couple of nice enhancements. First, where WSUS requires you to export all of the updates in the catalog, Patch Manager allows you to export one, some, or all of the updates. Second, WSUS requires you to export the metadata separately from the installation files; Patch Manager allows you to bundle them in the same CAB file for transport on removable media. Detailed procedures can be found in the Patch Manager Administrator Guide, in the section “Importing and Exporting Catalog” on page 52.
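For comparison, here is the two-step WSUS-native procedure that the paragraph contrasts with Patch Manager’s bundled export. This is an added example, not code from the article or from Patch Manager; it uses WsusUtil.exe (shipped with the WSUS role under Update Services\Tools) and robocopy, and every path in it (content directory, removable media drive letter) is an assumption you will need to adjust. It also adds the integrity check a practitioner wants when media crosses an air gap: a SHA-256 manifest written on the connected side and verified on the disconnected side before anything is imported.

```powershell
# Added example (not from the article): WSUS-native export/import across a network gap.
$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
$Content  = 'D:\WSUS\WsusContent'   # assumption: WSUS content directory (same on both servers)
$Media    = 'E:\WsusTransfer'       # assumption: removable media used to cross the gap

# ---------- On the connected WSUS server ----------
# 1. Export metadata only. WsusUtil writes a compressed XML package and a log file.
& $WsusUtil export (Join-Path $Media 'export.xml.gz') (Join-Path $Media 'export.log')

# 2. Copy the installation files separately; this is the second step WSUS requires.
#    /E copies all subfolders; robocopy exit codes below 8 mean success.
robocopy $Content (Join-Path $Media 'WsusContent') /E /R:2 /W:5
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 3. Record SHA-256 hashes with media-relative paths, so the disconnected side can
#    verify the contents regardless of which drive letter the media mounts as.
Get-ChildItem $Media -Recurse -File |
    Where-Object { $_.Name -ne 'manifest.csv' } |
    ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Media.Length).TrimStart('\')
            Hash         = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        }
    } |
    Export-Csv (Join-Path $Media 'manifest.csv') -NoTypeInformation

# ---------- On the disconnected WSUS server ----------
# 4. Verify every file against the manifest before touching WSUS.
$Manifest = Import-Csv (Join-Path $Media 'manifest.csv')
$Bad = foreach ($entry in $Manifest) {
    $path = Join-Path $Media $entry.RelativePath
    if (-not (Test-Path $path)) { "$path (missing)"; continue }
    $actual = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    if ($actual -ne $entry.Hash) { "$path (hash mismatch)" }
}
if ($Bad) { throw "Integrity check failed:`n$($Bad -join "`n")" }

# 5. Restore content first, then import metadata, which is the documented WSUS order.
robocopy (Join-Path $Media 'WsusContent') $Content /E /R:2 /W:5
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
& $WsusUtil import (Join-Path $Media 'export.xml.gz') (Join-Path $Media 'import.log')
```

Run steps 1 through 3 on the connected server and steps 4 and 5 on the disconnected server. Because the manifest travels on the same media as the files, it only detects accidental corruption or tampering with the files alone; if you need to defend against someone altering the media as a whole, record the manifest’s own hash and carry it across by a separate channel.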

The Challenge for Patch Manager in a Disconnected Environment

However, the biggest challenge for Patch Manager in this scenario is not a technological problem, but rather a licensing problem. There’s no argument that a 250-node license for a two-client installation of Patch Manager on the connected network is a pretty steep price to pay. If you were willing to forego telephone support for that connected server, you could use a 50-node installation of DameWare Patch Manager, but even that’s a pricey cost for a two-node network.

The good news, however, is that you do not have to purchase a separate license for your single-node connected network. With a bit of creative use of Patch Manager server roles, you can license that connected server as a node of the license applied to the disconnected server. Let’s look at how this is done.

Install Both Servers from Disconnected Network

On the disconnected network, we’re going to install the Patch Manager Primary Application Server (PAS). This is the server that will be used to manage the WSUS server in the disconnected network, as well as the clients of the disconnected network.

Also, on the disconnected network, we’re going to install a Patch Manager Secondary Application Server (SAS) with the Management Server role. This server will be registered with the PAS, and as such, will be automatically licensed for use by the license applied to the PAS. Note that this can be either a physical system or a virtual machine. When we’re ready to put this SAS in service, it’s just a matter of transporting the physical system (or virtual machine files) across the network gap and plugging it into the connected network.

Create Scope Objects on PAS for SAS

There is one technological consideration to be aware of in this scenario. The PAS replicates all defined scope objects (Domains, Workgroups, WSUS Servers, and Computers) to the SAS. In order to get the connected WSUS server registered on the SAS, the WSUS server scope object must be created at the PAS and replicated before moving the SAS to the connected network.

[Figure: ConfigureWSUSServerScopeOnPAS.png]

From the Patch Manager System Configuration node, in the Details Pane, double-click on Scope Management. Click on Add Rule, and select Update Services Server. Use the “Enter the object to add” button to manually create an entry for the connected WSUS server, and click on Save. In a couple of minutes, that scope declaration will replicate to the SAS. You can open the Scope Management tool on the SAS to confirm that it has arrived. You may also wish to add the Domain or Workgroup for the connected network.

Deploy SAS to Connected Network

Once the replication is complete and the SAS has been moved to the connected network, the connected WSUS server can be registered on the SAS and added to the management group defined on the SAS.

Credentials, Credential Rings, Security Role memberships, and User Preferences are all entities defined at each individual application server, so you can create those directly on the SAS at any time, before or after actual deployment to the connected network.

If you’re not currently using Patch Manager and you have a disconnected network environment, check it out. Download your 30-day trial today. Even if you don’t have a disconnected network, try it anyway!
