Kaseya Community

File source and WSUS

This question is answered

Hello,

I have a couple of questions regarding patch management in Kaseya. A little background of my environment; most servers cannot talk to the Internet, but workstations can.

1. In the File Source settings, what is the benefit of using a "Pulled from file server using UNC path" instead of "Pulled from System server" in an environment where the Kaseya server is the one doing the downloads? I'm assuming there's none (for my environment) but I just want to confirm my understanding of that option.

2. I installed a WSUS server on the same machine as Kaseya as some of our servers miss some updates since they don't talk to the Internet and don't even show up in Kaseya's Patch Scan. Is it somehow possible to have Kaseya use the WSUS path to look for updates so it can get all the MS updates?

3. In my last Patch Scan, most of the Win2008 critical updates came up as "Internet-based Install Only"; what exactly does it mean? Those machines cannot talk to the Internet, so it can't use Windows Updates to run them. Do I have to manually install those updates?

Thanks,
Sau

Verified Answer
  • Sau,

    I started this response yesterday, but got sidetracked before I could finish...

    In regard to your first question:  If you use the configuration of "System Server", every endpoint in your environment (with this configuration) will look to the KServer to get its patches.  If you use the configuration of LAN Share via System Server, only the LAN file share endpoints will send a request to your KServer for the patches.  

    Let's say you have 10 LAN file shares that serve 10 endpoints each (forgoing exact math here, let's say that's a total of 10 LAN file shares and 100 individual endpoints - I'm not going to double-count the LAN file share as both a server AND an endpoint, which they technically are from a patch standpoint).  If you use the configuration of "system server", you'll have 100 endpoints sending requests to the KServer for all of their patches.  If you configure LAN file share via System Server, then you have only 10 machines hitting the KServer for patches.  Depending on the heft of your KServer and the connection between the endpoints, file shares, and KServers, you may (or may not) notice bandwidth and/or resource issues.  There isn't one specific right or wrong way to configure this - it just depends on your infrastructure configuration and requirements, and these options give you the flexibility to use the config that best balances your available resources with your business needs.

    Question 2:  No, it is not.  Further, Kaseya does not support the running of services other than Kaseya and the SQL for the Kaseya DB (if hosted together) on the Kaseya Server hardware.  I wouldn't recommend trying to use the same box for both the KServer and WSUS.

    Question 3:  Patches that are listed as "internet based install only" are those that MUST be installed directly from Microsoft to the endpoint.  A file source machine (or system server) cannot be used to install these patches.  If you have a file source/system server configuration, all patches *except these* will download via the file source.  These patches, however, would install using the Windows Update Agent (WUA.api) on the local endpoint.  They will not install if the endpoint does not have internet access or is unable to access the necessary patch tools.  These patches are internet-based install only for one of a handful of reasons.  The most common are:  Microsoft has not released a single-file executable for the patch (no downloadable .exe); The downloadable patch has been released only as a non-supported file type (.cab is the most common; these are multiple patches into a single .cab file, which Kaseya cannot support via File Source/System Server download/install); Microsoft has not provided sufficient information to determine the requirements of the patch (32 v 64 bit; intended OS, language, etc.).  In these cases, the patches are tagged as internet-based install only so WUA can negotiate all transactions with Microsoft directly to ensure the appropriate patch components are downloaded and installed.

    Regarding your more recent post, Kaseya supports all Microsoft patches except drivers, MS Defender, and MS Forefront.  All other patches can be installed via Kaseya, provided the endpoint has the necessary access to do so and any built-in requirements of the patch are met.  Those requirements will sometimes include things such as requiring a user be logged into the machine; requiring interaction from the user; requiring the OS be recognized as legal and registered via Genuine Advantage, etc.  If a patch is coded for those requirements, there is no way to avoid them.  Patching will take longer when using a file source than when using Windows Automatic Update because the entire patch file must be downloaded (in your case, it's downloaded first from the internet to the KServer, then distributed from the KServer to the endpoint), and then the patches are executed.  There are additional processes that complete so the data can be parsed and presented within the VSA.  This dual-download isn't a big deal for a 500KB patch, but if you're downloading a couple of service packs, you could be in for a long update process.  Additionally, the single-file .exe is often significantly larger than the file that is processed via Windows Auto Update.  When WUA is used for installations, WUA can determine which parts of the patch the endpoint needs, but the downloadable .exe gets the whole dang patch.  For example, a service pack .exe download might top 100MB.  It will include everything that any qualifying endpoint might need - all rollups, all language support, etc.  However, when WUA is used for the update, WUA determines just what parts of the service pack are needed based on what already exists on the endpoint.  That 100+ MB service pack might only be a few hundred kilobytes when installed via WUA because the endpoint just needs a few pieces of that service pack to come "up to date."  All of these, coupled with your network environment and the connections between each machine, will contribute to the length of time that patching takes to complete.

    I hope that helps to address your questions.

    Thanks,

    Brande

All Replies
  • Any comments?

  • The way we have it setup, is there is a dedicated machine that the updates are downloaded to.

    Then the workstations get their updates from that machine (UNC path). All servers pull from that same update machine as well.

    Now some updates are not able to use the UNC path (i.e., service packs) and need to download directly from the internet to the server itself.

    Now Kaseya and WSUS are two totally different things. It's one or the other. For my clients that had WSUS installed, I completely removed it from the domain and removed all the updates. Now they are using Kaseya for updating.

  • As Josh mentioned, Kaseya patch management and WSUS are 2 different methods for updating. You should not use both at the same time. For all clients I serve I have removed or disabled WSUS and set up k-patch management.

    The options you want explained are documented in the K help. Have you read this?

    For my clients I have setup 1 server with a fileshare which downloads all patches and is used in the filesource of all agents in that location. This way I have only one machine downloading the patches.

  • Ok, trying this again since it didn't post my previous reply!

    Thank you both for your replies. I really appreciate it.

    I find the Kaseya PatchMgmt to be flaky since it doesn't get all the MS Updates/Patches and seems slower than WUpdates as well. That being said it might be in my environment since my servers don't connect to the Internet at all.

    I have the K server (system server) set up so it downloads the updates and the Agents go to SystemServer to get them. I don't understand what the advantage is of having another file server that downloads the updates/patches since K server already talks to the Internet. Again this might be since we only have about 100 machines total and one site.

    I did go through the K-help but couldn't find anything regarding Internet based Install only. I understand it to mean that the agent on that particular machine has to talk to the Internet to download it rather than going to the K server. Is that correct? Or does it somehow still go to the K-server automatically?

    Thanks again,

    --S

  • Thanks Brande!