6 Replies Latest reply on Jul 23, 2014 3:18 AM by pcarrick

    Patch Manager across a WAN

    pcarrick

      Hello,

       

      I have the PAS on Site A and have recently installed a secondary application/management server on Site B (4000 miles away). Site A & B both have standalone WSUS servers. Site B has local IT staff who wish to approve the updates to Site B.

      Everything appears to work fine but the publishing and approving of an update in Site B is very very slow. I suspect that some of the traffic is coming back across the WAN to the PAS in Site A.

       

      EDIT: We only use Patch Manager for 3rd party applications. We do not use inventory.

      Do I have this configured correctly or is what I am asking for not possible?

       

      Any help appreciated.

        • Re: Patch Manager across a WAN
          Lawrence Garvin
          Everything appears to work fine but the publishing and approving of an update in Site B is very very slow. I suspect that some of the traffic is coming back across the WAN to the PAS in Site A.


          Quite likely! Be sure you've defined an Automation Server Routing Rule for the WSUS Server on Site B so that all traffic for that WSUS server is routed through the AutoServer on the SAS, and not the AutoServer on the PAS.

          This article shows some examples of creating ASRRs: Patch Manager Architecture - Deploying Automation Role Servers

            • Re: Patch Manager across a WAN
              pcarrick

              Thanks Lawrence, does the WSUS server from Site B have to be in the same management group as the WSUS server in Site A?

                • Re: Patch Manager across a WAN
                  Lawrence Garvin

                  It does not, which brings up an important distinction.

                  If the WSUS Server on Site B is assigned to a Management Group hosted by the Management Server on Site B, then there is only one Automation Server for Site B and no routing rule is required.

                  In that case it would be impossible for any traffic to that WSUS server to be routed through Site A.

                   

                  However, that's also now made me realize that if you do have a Management Server on Site B, and the WSUS Server is assigned to the Managed Enterprise management group, then you do not have a choice as to where the traffic is routed, as there's only one Automation Server for the Managed Enterprise management group.

                   

                  In short, a Management Group/Management Server defines where the inventory data is physically stored, and a Management Group owns Automation Role servers (including the one enabled on the Management Server).

                  An Automation Server merely directs the flow of traffic.

                   

                  Given that you do want autonomy for the IT Staff on Site B, deploying a Management Server was the correct choice, and the WSUS Server on Site B should be assigned to its own management group hosted by the Management Server on Site B.

                  This will effectively eliminate any flow of traffic through Site A that would be occurring if the WSUS Server is assigned to the Managed Enterprise management group.

                    • Re: Patch Manager across a WAN
                      pcarrick

                      Thanks again Lawrence, how do I see where the management group is hosted?

                      I have also noticed that the Patch Manager console was connected to Site A from Site B - Right Click 'Patch Manager' > select 'Connect to an Application Server'. I have changed this to Site B, which has sped things up.

                        • Re: Patch Manager across a WAN
                          Lawrence Garvin
                          how do I see where the management group is hosted?

                           

                          Management groups are created/managed in the Management Groups node of the MMC console under Patch Manager System Configuration.

                           

                          When you install and register an Application/Management server, the Patch Manager Server Wizard should have prompted you to create a new Management Group, and that App/Mgmt server should be assigned to that Management Group.

                           

                          To assign the WSUS server to the new management group you'll need to:

                           

                          Remove the WSUS server from the Managed Enterprise management group

                          1. Launch the Management Group Wizard from the Managed Enterprise node
                          2. Select "Windows Server Update Servers" on the second screen
                          3. Select the WSUS Server and click "Remove"

                           

                          Add the WSUS server to the new management group using the same tool.

                           

                          I have also noticed that the Patch Manager console was connected to Site A from Site B - Right Click 'Patch Manager' > select 'Connect to an Application Server'. I have changed this to Site B, which has sped things up.

                           

                          Good catch! Quite possibly this is an artifact from the original install/configure of the Site B server which requires you first to connect to the PAS to complete the server registration and provisioning process. The step often missed afterward is disconnecting from the PAS and reconnecting to the SAS.

                  • Re: Patch Manager across a WAN
                    pcarrick

                    Thanks for your assistance Lawrence, after connecting to the SAS console this worked as expected.