Scenario
This document provides an overview of requirements necessary for this configuration and the specific options that need to be set for this to work. The following applies in a scenario where you may have one of the following setups:
- You have a Protect console connected to the internet, and other Protect consoles with no connection to the internet.
- The internet connected console may be a rollup console with the other consoles sending results back to it.
Requirements/Prerequisites
You will need to be able to set up a Distribution Server (share) that can be accessible by the internet connected and disconnected Protect servers, and it must meet any connection/port requirements. See the following linked documentation for more information on configuring a Distribution Server and any requirements:
- Configuring a Distribution Server
- Port Requirements for Shavlik Protect
- Synchronizing Distribution Servers
- How to Manually Synchronize Distribution Servers
For the configurations mentioned below, it is easiest to use your existing 'Patch download directory' as the share for the distribution server. This way the patch downloads from your internet-facing console will automatically be downloaded to the share, and patch files don't need to be synced. You set this in Tools > Operations > Downloads.
If you would like for definitions and patches to be downloaded automatically on the online console so that they will be ready to sync to your distribution server without intervention, you can set this up by scheduling an automatic download of definitions and selecting to use the Predictive patch downloads feature which is further discussed here:
Overview on the Predictive Patch Download Feature
You will find this configuration option in Tools > Operations > Downloads on the online console in Protect 9.2 and in Tools > Options > Downloads in the online console in Ivanti Patch for Windows Server 9.3.
Configuration
This section assumes that you have already set up a Distribution Server meeting all requirements outlined in the documents above. Below are the special requirements and information you may need to set up these configurations. The graphic below is intended to provide a basic illustration of possible configurations covered here.
Using Distribution Server to Host Data files & Patch Files for disconnected consoles
This configuration can only be used if you have at least one offline Protect console server that can reach the Distribution Server share. This allows the offline Protect console(s) to update patch definitions, binaries, and patch files easily without being connected to the internet.
The distribution server will need to be set up under Tools > Operations > Distribution Servers for all consoles.
Once you have your Distribution Server set up in all consoles, change the following settings for the Protect console servers located on the offline network:
1. Navigate to Tools > Operations in Protect 9.2 or Tools > Options in Ivanti Patch for Windows Servers 9.3.
2. Click the 'Downloads' tab.
3. Change the 'Definition download source' to "Specific Distribution Server" and set it to use your distribution server.
4. Change the 'Patch and Service Pack download source' to use a "Specific Distribution Server" and point to your distribution server.
(Optional) You can set the 'Schedule automatic downloads' settings.
This configuration requires that you are downloading the latest engines, definitions, and patch files on your internet connected console, and that you are synchronizing those downloads to the distribution server from the internet connected console. Definitions are downloaded by running Help > Refresh Files, and patch files are downloaded manually - either using View > Patches or by downloading from a scan result.
If the latest definitions and patches do not exist on the distribution server share, your offline consoles will not display the latest patches and will most likely fail to install many outdated patches.
If the "Specific Distribution Server" section is grayed out and cannot be chosen, refer to this document:
Attempting To Set Definition Download Source - "Specific Distribution Server" Is Grayed Out
If using data rollup
You can still use the data rollup function, however, you will need to either:
A) Open port 3121 and have a connection available to the master console system, or;
B) Set up port forwarding to port 3121 from one network to the other. We do not assist in setting this up so you will need to contact your network admin.
This will allow you to run reports on your master console to see the current status of all machines in your environment. Note that the master console for data rollup has no control over the other Protect consoles - it is only able to run reports based on results available from any other console that is set to run data rollup to the master console.
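A pre-flight check to run on an offline console, covering two conditions described above: a distribution server share that is unreachable or has not been synced recently, and the port 3121 requirement for data rollup. This is an added example, not Shavlik/Ivanti code; the share path, host name and 7-day threshold are placeholders, and treating the newest file's modification time as a proxy for the last sync is an assumption.

```powershell
# Added example, not vendor code. The share path, host name and 7-day threshold
# are placeholders; newest-file age is only a rough proxy for the last sync.
param(
    [string]$SharePath     = '\\distserver.example.local\ProtectShare',  # hypothetical
    [string]$MasterConsole = 'master-console.example.local',            # hypothetical
    [int]$MaxAgeDays       = 7,
    [switch]$CheckRollup   # also test TCP 3121 to the rollup master console
)

function Test-DistributionShare {
    param([string]$Path, [int]$MaxAgeDays)
    $result = [ordered]@{
        Path       = $Path
        Reachable  = $false
        NewestFile = $null
        AgeDays    = $null
        Stale      = $true   # treated as stale until a recent file is found
    }
    # Reachability: the offline console must be able to open the share.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $result.Reachable = $true
        # Newest file anywhere under the share (definitions, binaries, patches).
        $newest = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($newest) {
            $age = (Get-Date) - $newest.LastWriteTime
            $result.NewestFile = $newest.FullName
            $result.AgeDays    = [math]::Round($age.TotalDays, 1)
            $result.Stale      = $age.TotalDays -gt $MaxAgeDays
        }
    }
    [pscustomobject]$result
}

$share = Test-DistributionShare -Path $SharePath -MaxAgeDays $MaxAgeDays
$share | Format-List
if (-not $share.Reachable) {
    Write-Warning "Distribution share $SharePath is not reachable from this console."
} elseif ($share.Stale) {
    Write-Warning "No file newer than $MaxAgeDays days on the share; check the sync from the online console."
}

if ($CheckRollup) {
    $tcp = Test-NetConnection -ComputerName $MasterConsole -Port 3121 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "TCP 3121 to $MasterConsole failed; data rollup needs this port."
    }
}
```

Run it under the same account the console uses to access the share, so the reachability result reflects the permissions the console actually has.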
More information about setting up the data rollup function can be found here:
- Implementing a Data Rollup from a Secondary Console to a Primary Console
- Help: Data Rollup Operations
Affected Product(s)
Shavlik Protect 9.x