6 Replies Latest reply on Apr 18, 2012 1:54 PM by jeremym8

    Help determining best method for patching

    Rookie

      Hello,

       

      Our organization has about 100 remote sites that we are trying to manage.  Each site is on its own domain and each site has stations on multiple subnets. We are trying to figure out what the best patching method will be as our connection to some sites is rather slow.  Have looked at using preferred servers but from what I have read I think those only work per subnet.  At these sites our actual server is on a separate subnet than our workstations so I am not sure if I would be able to utilize it that way.  Have also looked at Stage and Repair tasks but have not worked with them much up till now so again just not sure if that best suits our needs.  Just to note we do have a management gateway in place in case that may be something we could utilize in this situation.

       

      Any suggestions on how you would handle this type of environment would be greatly appreciated.

       

      Thank you!

        • 1. Re: Help determining best method for patching
          Apprentice

          I would recommend you use Multicast Domain Representatives for each remote site subnet. This is easy to set up as you can let each remote subnet automatically select its MDR or alternatively you can define these manually. Also you can control the bandwidth usage for each scheduled Stage/Repair task. I have been using this schema for Patch Manager in a network with more than 700 remote sites and nearly 7000 ldms client nodes, most of them in Europe and some of them in North and South America, with pretty good results for now.

          Good luck!

          • 2. Re: Help determining best method for patching
            MarXtar ITSMMVPGroup

            You should be perfectly fine using targeted multicasting as part of a policy supported push (whether or not you decide to stage the patches).

             

            You can set the throttling levels on the multicast so that there is minimal impact to your WAN links and for those that aren't online at the time of the multicast they will get the file from their peers on their local subnet.

             

            Just pay attention to how long you have the patches sitting in the representative and client caches to make sure it is there for long enough that machines away for a while will still have a local source for the patches (maybe 14 days). You could also force them only to accept a patch from their cache or a local peer to make absolutely sure nothing ever goes back to the core server.

             

            Mark McGinn

            MarXtar Ltd

            http://landesk.marxtar.co.uk

            • 3. Re: Help determining best method for patching
              Rookie

              Thanks for the advice as that does make much more sense than just trying to push them to our remote sites.  Along with that, how often are you patching?  Is it a continuous process for you or do you just push all necessary patches on a scheduled date?  Just trying to determine how much "man power" we need to put behind this portion of the product as it seems that keeping up with patches could be a full time job in itself.  Also, how do you handle the monthly Microsoft patches? Do you place them in separate folders or just add them into the huge list of "Scan"?

               

               

              Thanks again for all your help and insightfulness!

              • 5. Re: Help determining best method for patching
                Apprentice

                We only have one person dedicated 30% to this task. We receive a vulnerability list to be deployed once a month from the security department, and then we prepare the repair tasks for the selected vulnerabilities previously discovered by a weekly vulscan task. Initially we test every vulnerability repair task in a test environment (30 nodes) and if all goes well then we start deploying to different areas one after another until at least 90% success is reached.  All the repair tasks are created using dynamic queries that run recurrently until no affected nodes are found.

                 

                Hope this helps

                Pedro J. Moreno

                • 6. Re: Help determining best method for patching
                  Rookie

                  Thanks, that is exactly what I was wondering.  Thanks for all your help!