We have a client with many remote sites, all set up with a constant hardware VPN using Watchguard firewalls. Client has port 80 HTTP traffic blocked outgoing at these stores, which caused major issues at first with patch management. We resolved this by setting the file source to pull from a server across the VPN, and also some machines/stores had the file source set to pull from the system server (we set a firewall rule to allow port 80 HTTP traffic to our Kserver).
One of the above two options has worked for the vast majority of the machines, but I am left with 4 problem machines that the client is questioning us on. These machines will pass the patch status test when using a file source across the VPN or using the system server. When the patch installation is scheduled, it shows as success but then comes back with "failed to install, invalid credential" (which passed 15 minutes ago on the test and passes when I test now). Procedure logs show the following:
Patch scan check failed using primary data source with result 0x80072efd; Attempting patch scan using alternate data source.
Patch scan check failed using primary data source with result 0x8024402c; Attempting patch scan using alternate data source
Patch scan completed using alternate data source.
I have researched both of the above result codes and still have a couple of things to test. However, I wanted to go ahead and post and see if anyone has run into this previously and has additional suggestions to try. Also, is the alternate data source using the local wsusscan.cab file that is downloaded? I am aware that I could remove the port 80 block and manually update the machines, but that negates automation through Kaseya. Thanks for any ideas/input.
It would be better if you make the patch depositories local to each site, and the way around this is to allow the server you are going to use as a patch depository to bypass the firewall or proxy filter. The reason for this is that currently your patch management is reliant on internet connectivity between 2 sites and the VPN connection between the two sites.
The issue you are describing appears to be caused by some sort of access issue between the machines being patched and the patch source. Create a simple script that copies a test file from the File Source (patch depository) to the Agent Temp Dir (kworking directory) and run it on the machines that have been failing, or remote into them using the Agent Credentials and test this manually.
Here are some gotchas I have run into when setting up a patch depository:
• Use the IP address instead of the network/FQDN; this will get around internal DNS resolution errors that might occur, especially when agents connect to the patch depository via a VPN link.
• Make sure that you are using a static IP address for your patch depository, and disable/configure the software firewall on the managed machines and the patch depository server to ensure access.
• Make sure your Agent Credentials have full read and write access to the patch depository's network share, and the same for the file/folder permissions.
• Ensure that the system(s) used for the File Source (patch depository) has direct internet access and is not redirected via a proxy server. You can test this by running Windows Update directly from this machine; if it can successfully scan and download patches for itself, then it should be able to download patches for the rest of the network.
• Set the number of active connections to unlimited on the patch depository's network share. Keep in mind that some workstation OSes do not allow more than 5-10 simultaneous connections, so always use a server OS.
• Turn off Windows Update via Kaseya's Patch Management function to ensure that only Kaseya can patch the managed systems.
• Disable/remove WSUS GPOs to prevent them from changing the Patch Management settings.
• Make sure to select the following two options when configuring the File Source (patch depository) settings:
  o Copy packages to the working directory on local drive with most free space. Installing patches direct from a network share can fail, so it is safer to copy the patches to the local drive before installing them.
  o Delete package after install (from working directory)
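The test-copy script suggested in the reply above, as an added example that is not part of the thread and not Kaseya's own code. It covers the two things the original poster's failing machines depend on: reaching the patch depository across the VPN at all, and being able to read from and write to its share with the Agent Credentials. Run it on a failing machine under the Agent Credentials. The UNC path and working directory are assumptions (replace them with your own); Test-NetConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added diagnostic (not from the thread or from Kaseya): checks that a managed
# machine can reach the File Source (patch depository) share and round-trip a
# file between that share and the agent working directory. Run it on a failing
# machine under the Agent Credentials. All paths below are assumptions.
param(
    # Assumed UNC path of the patch depository; use the IP rather than the FQDN
    [string]$FileSource   = '\\10.0.0.5\PatchDepot',
    # Assumed agent working directory (kworking)
    [string]$AgentTempDir = 'C:\kworking'
)

$ErrorActionPreference = 'Stop'
$results = [ordered]@{}

# Host part of \\host\share, taken from the string so no DNS lookup is needed
$depotHost = ($FileSource -split '\\')[2]

# 1. TCP reachability of the SMB port across the VPN (no share authentication yet)
$tcp = Test-NetConnection -ComputerName $depotHost -Port 445 -WarningAction SilentlyContinue
$results['SmbPortReachable'] = $tcp.TcpTestSucceeded

# 2. Share visible with the credentials this script runs under
$results['ShareAccessible'] = Test-Path -LiteralPath $FileSource

# 3. Write a probe file to the share, copy it back into kworking, compare hashes
$probeName   = "patchprobe-$env:COMPUTERNAME-$([guid]::NewGuid()).txt"
$localProbe  = Join-Path $AgentTempDir $probeName
$remoteProbe = Join-Path $FileSource   $probeName
$returned    = Join-Path $AgentTempDir "returned-$probeName"

try {
    if (-not (Test-Path -LiteralPath $AgentTempDir)) {
        New-Item -ItemType Directory -Path $AgentTempDir | Out-Null
    }
    Set-Content -LiteralPath $localProbe -Value "probe $(Get-Date -Format o)"
    Copy-Item -LiteralPath $localProbe  -Destination $remoteProbe   # needs write on the share
    Copy-Item -LiteralPath $remoteProbe -Destination $returned      # needs read on the share
    $same = (Get-FileHash -LiteralPath $localProbe).Hash -eq
            (Get-FileHash -LiteralPath $returned).Hash
    $results['ShareWriteOk'] = $true
    $results['ShareReadOk']  = $same
}
catch {
    $results['ShareWriteOk'] = $false
    $results['ShareReadOk']  = $false
    $results['Error']        = $_.Exception.Message
}
finally {
    # Leave nothing behind on the share or in kworking
    Remove-Item -LiteralPath $localProbe, $remoteProbe, $returned -ErrorAction SilentlyContinue
}

[pscustomobject]$results | Format-List

# Non-zero exit so a Kaseya agent procedure can branch on the outcome
if ($results.Values -contains $false) { exit 1 } else { exit 0 }
```

If SmbPortReachable is false the problem is the VPN, firewall or DNS between the site and the depository, not the credentials; if the port is reachable but ShareAccessible or ShareWriteOk is false, it is the share or NTFS permissions granted to the Agent Credentials (the third gotcha above). The probe file name includes the computer name and a GUID so several machines can run the check against the same share at once without colliding.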