Patch Management for Closed Networks (DMZ)

When the Endpoint Central server is installed in a closed network with no Internet connection, such as a Demilitarized Zone (DMZ), the basic patch management operations that need Internet access, such as vulnerability database synchronization and downloading missing patches, cannot run. The steps below describe how to keep applications up to date in such a setup: the vulnerability database and all missing patches are downloaded on an Internet-connected computer, carried into the closed network, and deployed to the required computers from there.

Endpoint Central - Closed Network Patching

Configure Proxy Settings

The steps given below will guide you to configure the proxy settings:

  1. Open Endpoint Central console and navigate to Admin -> Proxy Server, under Server Settings.
  2. Click Edit under the Proxy server icon.
  3. Select No connection to Internet.
  4. Click OK to save changes.

    Proxy Server Settings

Configure Patch Database Settings

To configure the patch database settings, follow the steps below:

  1. Open Endpoint Central console and navigate to Admin -> Patch Database Settings, under Patch Settings.
  2. Under Schedule Vulnerability Database Update, disable Schedule.

    Disable Patch DB Schedule

Disabling the schedule matters because the updatedb folder under <installdirectory>/conf/CRSData is deleted after every successful sync. A scheduled sync that runs before fresh data has been copied into that folder has nothing to work with and fails, so the sync should only be triggered manually after each copy, as described under Updating the Vulnerability Database below.

Download and setup the DMZ tool

Follow the steps below to download and set up the DMZ tool:

  1. Download the DMZ tool zip (UpdateManager.zip) and extract it on a computer with an Internet connection.

    If that computer reaches the Internet only through a proxy, open the downloadMgr.prop file in the extracted folder and enter the proxy server, port and authentication details.

  2. The tool is now configured and ready to use. Configuring the proxy and setting up the tool are one-time operations; updating the vulnerability database and downloading the required patches must be repeated each time you want to scan for vulnerabilities and deploy the latest missing patches.

Updating the Vulnerability Database

Follow the steps below to update the vulnerability database:

  1. On the machine where you extracted the tool, open a command prompt and change to the extracted directory.
  2. Execute the following command depending on the operating system of the machines you manage:
    • If you manage only Windows & Mac:
      patchsync.bat -c updatedb -b <BUILD_NUMBER>
    • If you manage all three, Windows, Mac and Linux:
      patchsync.bat -c updatedb -i linux -b <BUILD_NUMBER>
    • Make sure the build number is that of the installed Endpoint Central server and is in one of the accepted formats, for example 11.3.2400.1 or 113240001.

      You can find the build number by clicking on your profile located in the top-right corner of the Endpoint Central console.

      Build location in console

  3. This downloads the latest vulnerability information from the Central Vulnerability Database to the local computer. The download takes some time; when it completes, the data is placed in the updatedb directory.
  4. Copy the updatedb directory to the <Installation Directory>/conf/CRSData directory on the Endpoint Central server.
  5. In the web console, go to Threats & Patches -> Update Now and click the Update Now button under Update Vulnerability DB. This copies the information from the updatedb directory into the server's local database, which then holds the latest patch information.
  6. Scan the computers in the network to identify the missing patches.

    The list of missing patches is complete only after every computer has been scanned. Make sure all computers are scanned before you export the list and download the missing patches manually.

The next step is to download the missing patches on the computer with Internet access and copy them back to the Endpoint Central server.

Download the required patches

  1. You can download the required patches manually from the vendor sites and upload them to the console using the Upload Patches option, or use the DMZ tool as described in the remaining steps.
  2. To download the patches with the tool, you first need the details of the missing patches. Go to the Missing Patches view, select the patches to export and click the Export Missing Patches button. This exports the details of the selected patches that have not yet been downloaded, together with the dependent patches that must be downloaded with them, as downloadUrlJson.txt.

    Export Missing Patches

  3. Copy this file to the directory on the Internet-connected computer where you extracted the UpdateManager.zip file.
  4. Open a command prompt and execute the command:
    patchsync.bat -c dwnpatch -f downloadUrlJson.txt
  5. This downloads all the missing patches into the store directory. Once all files are downloaded, copy the contents of the store directory to <Installation_Dir>/webapps/DesktopCentral/Store on the Endpoint Central server (this is the default location; if it has been changed, copy to the configured location instead). Everything placed in that directory is later pushed to and installed on managed computers, so verify that the files arrived intact (for example by comparing checksums, or the vendor's digital signatures, with what was downloaded) and do not put anything there other than the tool's output.
  6. Then update the Endpoint Central server database so that these patches appear in the Downloaded Patches view: open the Downloaded Patches view and click the Update Downloaded Patches button.

    Update Downloaded Patches

  7. All the manually downloaded patches now appear in this view, from which you can deploy them to the required computers.

The patch management process for the closed network is now configured, and vulnerabilities can be managed by repeating the update, scan and download steps above.
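The two hand-offs in the procedures above (the updatedb directory into conf/CRSData, and the store directory into the Store directory) are the points where data crosses the boundary into the closed network, and the build number passed to patchsync.bat is the input the page says to double-check. The following Python script is an added example and is not part of Endpoint Central or the DMZ tool: it accepts the build number in either form the page shows and composes the updatedb command, and it writes a SHA-256 manifest for a directory on the Internet-connected machine and verifies that manifest on the server side before the files are staged into place. Assumptions: the dotted-to-compact build number mapping is inferred from the single example 11.3.2400.1 / 113240001; the manifest file name transfer-manifest.json, the function names and the constructed sample directory are the example's own.

```python
"""Added example for the closed-network patching hand-offs (not product code).

Internet-connected machine: build the patchsync.bat updatedb command and write a
SHA-256 manifest for the updatedb or store directory before carrying it across.
Endpoint Central server: verify the manifest before anything is copied into
<Installation Directory>/conf/CRSData or <Installation_Dir>/webapps/DesktopCentral/Store.
"""
import hashlib
import json
import re
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "transfer-manifest.json"  # assumed name; the tool defines no such file

_DOTTED = re.compile(r"^(\d+)\.(\d+)\.(\d{4})\.(\d{1,2})$")
_COMPACT = re.compile(r"^\d{9}$")


def normalize_build(build: str) -> str:
    """Return the 9-digit form of a build number given as 11.3.2400.1 or 113240001.
    major.minor.build.patch -> major+minor+build+two-digit patch is inferred from
    that single documented example (assumption)."""
    build = build.strip()
    if _COMPACT.match(build):
        return build
    m = _DOTTED.match(build)
    if not m:
        raise ValueError(f"unrecognised build number format: {build!r}")
    major, minor, bld, patch = m.groups()
    return f"{major}{minor}{bld}{int(patch):02d}"


def updatedb_command(build: str, manage_linux: bool) -> list:
    """Command line from the documentation; '-i linux' only when Linux endpoints are managed."""
    cmd = ["patchsync.bat", "-c", "updatedb"]
    if manage_linux:
        cmd += ["-i", "linux"]
    return cmd + ["-b", normalize_build(build)]


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root: Path) -> dict:
    # relative POSIX paths so the manifest is comparable across Windows and Linux
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(directory) -> dict:
    """Hash every file under `directory` and save the result next to it. Run on the
    Internet-connected machine right after patchsync.bat finishes."""
    root = Path(directory)
    manifest = _hash_tree(root)
    (root.parent / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(directory, manifest_path) -> list:
    """Return discrepancies (missing, unexpected or altered files); an empty list means
    the copy is byte-for-byte what was hashed on the other side."""
    expected = json.loads(Path(manifest_path).read_text())
    actual = _hash_tree(Path(directory))
    problems = []
    for name in sorted(set(expected) | set(actual)):
        if name not in actual:
            problems.append(f"missing: {name}")
        elif name not in expected:
            problems.append(f"unexpected: {name}")
        elif expected[name] != actual[name]:
            problems.append(f"hash mismatch: {name}")
    return problems


def stage_into(directory, manifest_path, destination) -> None:
    """Copy the directory into its server-side location (e.g. conf/CRSData/updatedb or
    the Store directory) only if the manifest verifies; otherwise refuse."""
    problems = verify_manifest(directory, manifest_path)
    if problems:
        raise RuntimeError("refusing to stage transfer:\n" + "\n".join(problems))
    shutil.copytree(directory, destination, dirs_exist_ok=True)


def demo() -> tuple:
    """Constructed sample: a fake store directory, one clean check, one tampered check."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "store"
        (store / "patches").mkdir(parents=True)
        (store / "patches" / "sample-patch.bin").write_bytes(b"constructed sample payload")
        write_manifest(store)
        manifest = Path(tmp) / MANIFEST_NAME
        clean = verify_manifest(store, manifest)
        (store / "patches" / "sample-patch.bin").write_bytes(b"altered in transit")
        (store / "patches" / "extra.exe").write_bytes(b"not produced by the tool")
        return clean, verify_manifest(store, manifest)


if __name__ == "__main__":
    print(" ".join(updatedb_command("11.3.2400.1", manage_linux=True)))
    clean, tampered = demo()
    print("clean copy:", clean)
    print("tampered copy:", tampered)
```

Run write_manifest on the Internet-connected machine against updatedb (or store) as soon as patchsync.bat finishes, carry the manifest with the directory, and call stage_into on the server with the target path from the steps above; a refused transfer is the signal to re-download rather than to click Update Now or Update Downloaded Patches.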