Systems Management Question


What are the offsite patching options?

12/21/2016 1244 views
What non-Kace alternatives are you all finding useful for offsite patching? 

Due to limitations with both our DMZ configuration and Kace, we can't use Kace to patch offsite machines. For example, if a laptop is pointed to a Kbox in our DMZ, the laptop won't be able to patch with that same Kbox when the laptop is onsite.

We need to patch our apps as well as Windows OS updates.

Thanks for any ideas or suggestions.

All Answers

1
You should set up the KACE in the DMZ correctly so that it has the same address for both networks to solve such issues.

But back to the question:
I prefer WSUS Offline Update (formerly C'T Offline update) which you can find here:
http://www.wsusoffline.net/
I use it as a post install task for the K2000 to bring the updates directly to the machine and rebuild the repository for each used OS once a quarter.
Answered 12/22/2016 by: Nico_K
Red Belt

  • Thanks Nico.
    If we set up a Kace server in our DMZ, then we can't use it to also patch our onsite clients. At least, that's what Kace support has said given our security needs.

    I thought there would be a way to set it up with multiple NICs and allow offsite clients to be managed and patched, or at least patched via one connection and onsite clients with another. That creates a security issue from what I've been told and can't be done.

    Our policy is to patch not just the Windows OS, but also third parties like Adobe Flash, Reader, Java and a few other oddballs. And for fun, our policy states that it must be reportable on a per patch, per client level. I'm fine with using a non-Kace method to patch offsite, but it needs to be able to report the status.

    Is anyone else having a similar issue where they need to patch offsite clients, but can't use their onsite Kace server?


    Thanks again for any help...
  • Nico,
    Our understanding based on Kace support's info is that we would need to open the Kace server up to outside patching and inside patching, thereby creating a security risk that our policies find unacceptable. That's from our Security office.

    Are we misunderstanding something? Would opening Kace to on and offsite patching create a potential risk...any way to mitigate?

    Thanks
    • Our Security Team has been involved with KACE since the beginning, and so luckily they worked with us to make sure offsite patching was secure. Have you updated to 7.0? If so, I would show your security folks these new agent settings: “Verify SSL Certificates” and “Require SSL”
      Maybe that could persuade them to open up offsite access
1
We like Ninite Pro: https://ninite.com/pro
Answered 02/01/2017 by: JasonEgg
Red Belt

  • Thanks Jason. I'm researching that option. Much appreciated.

    More info: We only have about 1600 machines. About 40% are laptops that may or may not go offsite. Some stay offsite for extended periods (up to 6 months), and when they come onsite, they may not be here long enough to get patched.
    • Yikes. Are there any network locations which people can access from offsite?
      • Only over VPN - yes...and our Kace will patch over VPN, but we've been tasked with finding a way to patch offsite machines also when they're not connected to the VPN.
    • One idea off the top of my head: Create a lightweight offline script so it can be run on a schedule even when not connected. Have the script do one or more of the following:
      1. Remind the user that using VPN is a best practice (maybe your org has a webpage for VPN?)
      2. Set VPN to run at startup
      3. Start the VPN at another time
      4. Add VPN shortcut to desktop
      5. Pin VPN shortcut to start menu or task bar etc.
      With these nudges hopefully more people will use VPN and therefore be patched.
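
One way to implement the reminder and desktop-shortcut nudges from the comment above, as an added PowerShell example that is not part of the original thread. It assumes the Windows built-in VPN client with a hypothetical profile name `CorpVPN`, a placeholder help URL, and a 30-day threshold chosen for illustration.

```powershell
# Added example: offline VPN/patch nudge. Every value below is an assumption.
$VpnName     = 'CorpVPN'                           # hypothetical built-in VPN profile name
$MaxPatchAge = 30                                  # days without an update before nudging
$VpnHelpUrl  = 'https://intranet.example.com/vpn'  # placeholder help page

function Get-DaysSinceLastUpdate {
    # Newest InstalledOn date reported by Get-HotFix (Windows updates only,
    # third-party application patches are not listed here).
    $last = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $last) { return [int]::MaxValue }     # nothing recorded: treat as stale
    return [int]((Get-Date) - $last.InstalledOn).TotalDays
}

function Test-VpnConnected {
    param([string]$Name)
    # Looks up a per-user profile; add -AllUserConnection for machine-wide profiles.
    $vpn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    return [bool]($vpn -and $vpn.ConnectionStatus -eq 'Connected')
}

function Add-VpnDesktopShortcut {
    param([string]$Name)
    $path = Join-Path ([Environment]::GetFolderPath('Desktop')) "$Name.lnk"
    if (Test-Path $path) { return }                # already present, do nothing
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($path)
    $lnk.TargetPath = "$env:SystemRoot\System32\rasphone.exe"
    $lnk.Arguments  = "-d `"$Name`""               # dial the named phonebook entry
    $lnk.Save()
}

$age = Get-DaysSinceLastUpdate
if ($age -gt $MaxPatchAge -and -not (Test-VpnConnected -Name $VpnName)) {
    Add-VpnDesktopShortcut -Name $VpnName
    $msg = "This laptop has not installed updates for $age days. " +
           "Please connect to VPN so it can be patched. Help: $VpnHelpUrl"
    # 0 = wait until dismissed, 0x40 = information icon
    (New-Object -ComObject WScript.Shell).Popup($msg, 0, 'Patch reminder', 0x40) | Out-Null
}
```

Run it from a scheduled task triggered at user logon so the popup appears in the user's session.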