2 Replies Latest reply on Jul 31, 2014 7:19 AM by lshunnarah

    Patch Manager Agents Questions

    lshunnarah

      We use PM to manage many customers WSUS servers from a single PAS and typically an automation role server somewhere in each customers network.  I'm recently testing the agent based system as it appears to get around quite a few of our issues relating to NAT between some of our customers and ourselves.  In doing so, I have some basic questions that I can not seem to find the answer to.

       

      1.  When deploying agents, what determines which server they report to?  In other words, if I have a customer with an automation server deployed.  I configure the routing rules in my PM Mgmt group to use the automation role at the customer location when attempting to contact their WSUS server or domain.  I then deploy the PM agents to the customers systems.  They start to report back in, however the "Connected Server" field is not consistent.  Some agents report in showing connected server as being my PAS, and some report in showing the connected server as the local automation role server on the customers subnet.  What determines this?

       

      2.  The next question is, how does the communication work when doing common tasks with agent based systems.  In other words, if I have an automation role on a customer subnet, and I open a computer explorer window from my PAS in our subnet, does the communication go directly from the PAS to that agent or does it use the automation role as a proxy?  If the agents are supposed to help get around the issues with NAT, then how does my request reach the agent if the communication is initiated from the PAS?

       

      3.  If I create a package to deploy using WSUS, or install automatically using the Wizard, does that package have any specifics related to the domain that the WSUS system is on that would prevent me from using that same package to deploy across other customers with different domains/WSUS systems?

       

      4.  When running a scheduled inventory on the computers using the agents, like I do with an agentless customer who's domain is configured in our PAS, the inventories do not seem to gather any information.  If I manually select the computers in the agents view, and then select to inventory them, they inventory properly.  Are there any specific instructions on how to setup scheduled inventory scanning for computers using agents?

       

      Please refer me to any sections in the Admin guide that covered this and I just completely missed.  I thought I read through it, but it didn't appear to have any detailed information that I was looking for.

       

      Thank you,

      Louis

       

      After posting this figures I would find some additional information.  I just found the policy editor that can be used for controlling different aspects of the agents.  I'm going to start working with that and see how many questions this answers for me.

        • Re: Patch Manager Agents Questions
          Lawrence Garvin

          Greetings Louis!

           

          1. The agent, at the time of installation, can be configured with an "assigned" Automation Role server. I'm checking for additional details regarding what happens if no server is configured, or how we deal with defining a "pool" of Automation servers. Fundamentally the agent knows where the PAS is because there's a certificate chain that originates from the Patch Manager Certificate Authority that resides on the PAS, so my belief is that this has an impact. I'll get a more detailed answer on this as soon as I can.

           

          2. The Agent maintains a dedicated RPC connection to the Automation Server on port 4092 (whenever the Automation Server is within network range). So when you initiate a configuration management task at a PM console, the agent becomes aware of this task through the normal channels, the only difference is that instead of the AutoServer building an RPC connection to the client, the RPC channel is already open from the client.

           

          3. WSUS and the Windows Update Agent are completely domain agnostic. The only relationship that AD has to the patch management environment is as a vehicle to deliver the WUA's configuration state via GPO. As long as the WUA of the client system can communicate with the WSUS server via HTTP, nothing else matters.

           

          4. If client systems are not gathering inventory data as a result of a scheduled inventory task, this may be a function of the "Inventory Configuration Template" that's been assigned to that task. When scheduling an inventory task, first load the "Inventory Configuration Editor" (ICE) and set the objects desired, or load an existing template. The inventory task being scheduled will be built with the current values of the ICE. If this continues to be an issue, for this I would recommend opening a support ticket. Configuring an inventory task for an agent-based computer will be identical to that for a WMI-based (agentless) computer; the only difference being the directionality and ports involved in the connection between the client and the Automation Role server.

          1 of 1 people found this helpful
            • Re: Patch Manager Agents Questions
              lshunnarah

              Hi Lawrence,

               

              Thanks for your prompt response.

               

              It's funny how sometimes just the act of coming here to post questions or issues I'm having, causes a light to turn on in my head. 

               

              I was able to locate the policy editor for the agents after looking through some help files on setting up the agents.  This helped me to understand some of the agents functions.  I now know how to control which automation servers the agent reports back too using the policy.  However there are some questions I still have about the policy editor and it's settings.  For one, is there any documentation on the default settings?  All currently show no values defined unless I specify one.  One setting in particular I was wondering about was the IP address in the Target category.  Since we have some customers who we have to use NAT in order to communicate, I wondered if I should put the real IP address of the automation server or the NAT one we communicate with.  I would assume that using the real IP address would be correct in that the agents are the ones using this setting to communicate with, but I just want to be sure.

               

              Regarding the scheduled inventory tasks, they are set up for the customers who use agents in the same manner as customers who are agentless.  All the agentless customers work fine.  I thought perhaps there was something different involved with the agents.  And it was odd that if I manually select the agents it works.  Perhaps it's a scope issue when I setup the initial inventory task.  I will look further into it and contact support if needed.

               

              Thanks for the helpful response.

               

              Louis