Kaseya Community

Some Clarifications on Patch Management in Lan Cache scenario

  • Hello to all Community and SysAdmins, I’m having serious doubts about the Patch Management module when Lan Cache is used as File Source. We often get test fail messages when deploying such a scenario. I could not find exact answers elsewhere, and I think that the VSA documentation should be improved on this part. We use an on-premises installation.

    Here are my questions, I hope someone can help…:

    • Which agent will download a client patch for the first time? The client agent or the server agent?
    • Who is in charge of putting patches in the LC folder? The client agent or the server agent? What exactly happens when a client does not find a required patch in the LC share?
    • Do the options “Copy packages to the working directory on local drive with most free space” and “Delete package after install” on server have any impact on Patch availability from Lan Cache?
    • Do the same options on clients have any impact on how downloaded patches are made available to other clients?
    • Does the “Specify location to fetch patches and updates” option have to be set specifically for server / clients using LC in Patch Management?
    • Does the cache credentials type (auto-generated or existing domain admin) have some impact on LC access for patch download?
    • Definitively, what is the lifecycle of a patch source file when “Pulled from LAN Cache” is enabled?

    Thanks all!

    Gabriele

  • I'm not certain about everything, but can answer a few points:

    Do the options “Copy packages to the working directory on local drive with most free space” and “Delete package after install” on server have any impact on Patch availability from Lan Cache?

    No. It's simply a disk management issue for the agent that's applying the patch, i.e. ensuring enough space to copy the patch locally, install it, then clean up afterwards. Some bug patches, e.g. Win7SP1, SQL2008R2SP's, are over a gig in size, and bigger when unpacked, hence the need to manage storage use.

    Do the same options on clients have any impact on how downloaded patches are made available to other clients?

    The above options have nothing to do with LanCache operation.

    Does the “Specify location to fetch patches and updates” option have to be set specifically for server / clients using LC in Patch Management?

    Yes. If you want to use LanCache, you must specify 'pull from lancache' for both servers and workstations.

    Definitively, what is the lifecycle of a patch source file when “Pulled from LAN Cache” is enabled?

    Once present in the LanCache, patch files exist forever. Nothing is ever deleted or updated. If the LanCache patch "library" fills up over time, you must purge it manually. If a patch you purge is required, it will be re-downloaded, so you're safe to 'empty out'; however, emptying out may cause a fresh round of downloads, thus defeating the purpose. Purge old patches with care.

    Note: LanCache is earmarked for retirement, so I'd recommend you don't put too much time and energy into it. The new Software Management module replaces classic Patch Management and uses the new endpoint fabric to cache patches across multiple machines at the same site. I'd expect LanCache to vanish when classic Patch Management is retired, which may be another 12 months or more, so at least in the short term you can get it working until you are ready to move over to Software Management.

  • Thank you Craig for your detailed answer and for that valuable information.

    Yes, I know that the new module will replace the LC concept, I can’t wait for it to be on our installation.

    It’s still unclear which agent is in charge of downloading patches that aren’t already present in the LC share; also, the “Download from Internet if machine is unable to connect to the file server / LAN Cache” option is a bit confusing: if a client machine doesn’t find a patch in LC, it should *in any case* download that patch from the internet, I suppose. Or is the relevant difference “unable to connect” vs. “able to connect but patch not available”…?