4 Replies Latest reply on Apr 19, 2012 3:10 PM by Lawrence Garvin

    Best Patch Manager design for our scenario

    Eoin Ryan

      I'm starting to plan our PM deployment, and could do with some advice.

       

      The best document I've found so far about this is the EW Extension Pack Deployment Guide - is this still the best guide to be referring to?  Presuming that it is, here are some basic questions.

       

      Our network is very dispersed, geographically.  We have approx 40 sub-offices which each have a VPN to head office. Currently, there is a WSUS server in about half of those offices, with the rest getting WSUS in the coming months.  Server resources are extremely limited in those sub-offices, and for the most part WSUS and PM will have to co-locate on to an existing server which already has Microsoft Great Plains & SQL installed (we are using Windows Internal Database for WSUS).

       

      (1) I presume that I have to install a PM Application/Automation Server in each sub-office - which is correct, or what is the specific PM server role that has to be installed along with each WSUS install?  Is there a way to avoid that install? (just in case I've got a elementary misunderstanding, and there is in fact only a need to install a limited number of PM servers)

       

      (2) We don't have any noteworthy security boundaries for reporting - I want reports from all sites to roll up to the main console.  At a later date, I might want to set up a second console for a specific region, do I need to design that at the outset or can it be easily tweaked later.

       

      What other considerations are there for planning the deployment?

       

      thanks

       

      Eoin

        • Re: Best Patch Manager design for our scenario
          phil3

          Hi, Eoin.

           

          I expect someone else will weigh in to answer your specific questions, but as a point of clarification, I thought I'd point you (and future users) to the current link for the deployment guide: http://www.solarwinds.com/documentation/patchman/docs/PatchManagerDeploymentGuide.pdf.

           

          At the moment, the content in both guides is the same, except for the details about licensing. In the long run, however, this guide is the one that will be updated; the other one will eventually be retired.

           

          Thanks.

           

          Phil

          1 of 1 people found this helpful
          • Re: Best Patch Manager design for our scenario
            Eoin Ryan

            As an update for anyone that finds this in the future.  I've had an email discussion with support and it looks like our particular requirements would be met by a primary application server in the hub and an automation role server in each remote site, given the small number of nodes in each. I'll be testing it soon.

            • Re: Best Patch Manager design for our scenario
              Lawrence Garvin

              Greetings Eoin

               

              Some thoughts on your reporting question...

               

              With Reporting Rollup enabled on the WSUS upstream server, all collected WSUS client event data will be rolled up and available on the upstream server. This is useful for being able to manage the entire enterprise collection of clients from a single WSUS server node of the Patch Manager console, rather than having to navigate each downstream server (and remembering which client is managed by which server).

               

              For WSUS Inventory, typically each WSUS server is inventoried separately. The primary advantage here is that the data collection on the Patch Manager server is from a consistent point in time across the entire WSUS heirarchy. However, for organizations with limited bandwidth connections to the downstream servers -- such as might exist with site-to-site VPN connectivity -- this might not be optimal (or even affordable) use of that bandwidth. Alternatively, the WSUS Inventory can be targeted to only the upstream server, with Reporting Rollup enabled, and configured to collect data on the entire enterprise. The primary impact here is the delay introduced between the time the client detects/reports to the downstream server, and the time it is collected into the Patch Manager database, and ultimately displayed in the report.

               

              From the report execution perspective, the assigned WSUS server is an available report field in all reports, so the reports can be filtered dynamically to one or more specific WSUS servers, or can be defined as a fixed filter in a custom report definition, and that custom report can be scheduled, exported, and emailed to one or more recipients. You have flexibility in how you provide access to report data (interactive console or scheduled export file).

               

              It's also possible to specify a distributed inventory data storage implementation, and the WSUS Inventory for a given region can be stored in its own database, and the reporting visiblity can be restricted to that datastore for certain users, while other users can  have universal access to additional datastores, or all datastores. The datastore is implemented in the Management Role and defined by the Management Group.