4 Replies Latest reply on Apr 28, 2016 3:30 AM by leratob

    Patch Manager deployment.


      Hi all


      So we have a client with a head office and 15 sites. Those sites have other mini sites connected to them. The client purchased a license that supports 8k nodes. We have PAS deployed at the head office. How would you suggest we deploy the rest of the sites? As automation servers/management servers?

        • Re: Patch Manager deployment.

          It depends on the connections you have to the remote locations. You really only need 1 PAS. The management servers only run the administrative tasks like inventory and discovery. If you are looking at reducing WAN traffic you will likely want downstream WSUS servers, in which case it can all be managed by one PAS.

            • Re: Patch Manager deployment.

              To add my 2 cents here:  


              I agree with frgpugs that typically if you have a bunch of downstream servers you'd often want downstream WSUS servers at those remote sites (unless you just have a rockin' WAN with plenty of bandwidth and/or if you only have a few machines at each site).



              A Patch Manager Automation Server Role is the 'workhorse' piece that actually makes the connections from the PAS out to the targeted machines to do tasks like on-demand update deployments, Inventory, and to pull back info from Computer Explorer tabs, etc...


              It is possible to install additional Automation Server Roles on other machines if desired; that would (potentially) accomplish 2 things:

              • it distributes the load of a task across multiple Auto servers, so some tasks can complete more quickly
              • it reduces the number of ports that need to be opened if there is a firewall between where the PAS is and the remote site from a bunch (needed for WMI communication across the WAN) to just one (port 4092 for the communication between the PAS and the remote Auto server).   Once the remote Auto server has the task, it will make the WMI connections to the local machines.


              So, in that scenario where you have downstream WSUS servers, it often makes sense to put a Patch Manager Automation Server Role on those downstream WSUS servers. You would then configure a rule on the PAS that says, essentially: "When I do a task to that subnet, use that Automation Server Role to do it (instead of the 'default' Automation Server Role that lives on the PAS)."


              Not required to do so, but can be helpful for the reasons noted above. 

            • Re: Patch Manager deployment.

              Thank you guys. This has been really helpful. frgpugs kellytice. Took very long to get around it but finally did it. Thank you.