Setting up VMware Update Manager Download Service for Isolated Networks

Patching Offline ESX servers with VMware Update Manager

This is my brief guide to what I did to set up patching for isolated networks, like those in intelligence communities, etc. It is meant to help fill in some of the gaps that the documentation left in the process.

Install Update Manager Download Service

Set up a machine to be your Update Manager Download system:

  • This machine must have Internet access.

  • This system will require another database beyond what the Update Manager in Virtual Center uses, so you may not want to install it there.

  • Also, you will need to burn CDs/DVDs or transfer files to a device.

  • This all being said, a workstation is a good candidate system.

Install the Update Manager Download Service on the above machine. Take note of the installation folder and the folder where the downloads will be stored.

  • Files are located in the "umds" folder of the Virtual Center installation CD image

  • Open the VMware-UMDS.exe file to install

  • Select to use the local SQL 2005 Express database server

Download Current Updates

The best thing to do is set up a Windows Scheduled Task that downloads the updates automatically. The first step is to create a script that does this when run manually; then you can make it a scheduled task.

To get current downloads:

  • Change to the "C:\Program Files\VMware\Infrastructure\Update Manager" directory

  • Run the program: vmware-umds --download (or "vmware-umds -D")

  • Get coffee! Really, the first run takes a loonngg time.

NOTE: It is possible to configure the download to only retrieve ESX host updates, Windows VM updates and/or Linux VM updates. To change which updates are downloaded use the following syntax:

  • vmware-umds -S -h true | false

  • vmware-umds -S -w true | false

  • vmware-umds -S -l true | false

For example: vmware-umds -S -h true will download ESX host patches, vmware-umds -S -w false will NOT download Windows VM patches, etc. This can be useful if you want to verify the process but not spend time waiting for the Windows patches to download: before running "vmware-umds -D", disable Windows and Linux and verify that the ESX patches are downloaded successfully.

Once downloads are done you need to export to a local file repository:

  • Change to the "C:\Program Files\VMware\Infrastructure\Update Manager" directory

  • Run the program: vmware-umds -E --dest <FULL PATH TO YOUR REPOSITORY> -s 2007-01-01T00:00:00 -t 2007-12-31T23:59:59

  • This exports all the patches for 2007; specify different time ranges as required.

Once exported, you need to copy your repository to some sort of portable media, say a DVD (most likely a DL from what I have already seen!!!)

Import Updates to Virtual Center on Isolated Network

Now that your Internet-connected machine has done all the dirty work, you need to get the updates into Virtual Center's Update Database:

  • Get your update media connected to Virtual Center so it can access the files

  • Change to the "C:\Program Files\VMware\Infrastructure\Update Manager" directory on Virtual Center

  • Run the program: vmware-updateDownloadCli.exe --update-path <YOUR DRIVE LETTER HERE> --config-import windows esx --vc-user <YOUR VC USER>
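
An added example (not from the original guide or from VMware): a PowerShell wrapper for the download and export steps that also writes a SHA-256 manifest of the exported repository, which is re-checked on the isolated side before the import. The `$Repo` path, the manifest file name and the non-zero-exit-on-failure behaviour are assumptions; the vmware-umds flags are the ones shown above.

```powershell
# Added example, not part of the original guide. Run on the UMDS machine with
# -Mode Export, then on Virtual Center with -Mode Verify before importing.
param(
    [ValidateSet('Export', 'Verify')] [string]$Mode = 'Export',
    [string]$Repo    = 'D:\umds-export',   # assumption: absolute export/media path
    [string]$UmdsDir = 'C:\Program Files\VMware\Infrastructure\Update Manager',
    [datetime]$From  = (Get-Date).AddDays(-31),
    [datetime]$To    = (Get-Date)
)
$ErrorActionPreference = 'Stop'
$Manifest = Join-Path $Repo 'SHA256SUMS.txt'   # assumption: manifest file name

function Get-RepoHashes([string]$Root) {
    # One "HASH  relative\path" line per file, skipping the manifest itself.
    $prefix = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -LiteralPath $Root -Recurse -File |
        Where-Object { $_.FullName -ne $Manifest } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            '{0}  {1}' -f $hash, $_.FullName.Substring($prefix)
        } | Sort-Object
}

if ($Mode -eq 'Export') {
    $umds = Join-Path $UmdsDir 'vmware-umds'
    # 's' formats as yyyy-MM-ddTHH:mm:ss, the form used in the guide's command.
    $steps = @('-D'),
             @('-E', '--dest', $Repo, '-s', $From.ToString('s'), '-t', $To.ToString('s'))
    foreach ($a in $steps) {
        & $umds @a
        # Assumption: vmware-umds returns a non-zero exit code when it fails.
        if ($LASTEXITCODE -ne 0) { throw "vmware-umds $a failed ($LASTEXITCODE)" }
    }
    Get-RepoHashes $Repo | Set-Content -LiteralPath $Manifest -Encoding ASCII
    "Wrote $Manifest"
}
else {
    $expected = @(Get-Content -LiteralPath $Manifest)
    $actual   = @(Get-RepoHashes $Repo)
    $diff     = Compare-Object $expected $actual
    if ($diff) {
        $diff | Format-Table -AutoSize | Out-String | Write-Host
        throw 'Repository does not match manifest; do not import.'
    }
    "OK: $($actual.Count) files match $Manifest"
}
```

The manifest travels with the media, so it catches burn and copy errors; to also detect changes made in transit, carry the SHA-256 of `SHA256SUMS.txt` itself by a separate route and compare it before running Verify.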

This is a very brief explanation of what to do. See these fine documents below for more stuff:

VMWare Update Manager

Comments

Great article!

A permanent way to download patches for hosts only is to modify

C:\Program Files\VMware\Infrastructure\Update Manager\downloadConfig.xml:

UMDS needs a major overhaul to:

1. Let the customer choose which versions to download patches for. I don't have, never have had, and never will have ESX 3.0, so why should I download those patches? There should be a config file setting to set the versions you want, something akin to: Versions=35,40

2. Rather than downloading everything or specifying a date range to re-download:

Download a listing of available patches for the versions I have specified

Compare that listing to what is in my local repository

Download only the differences

3. Provide a way to cleanup a repository to remove patches that are no longer needed.

It cannot be good for VMware to have everyone repeatedly downloading multiple gigabytes of patches from them all the time.

I agree that UMDS needs a MAJOR overhaul. In its current state the product is barely usable.

1. Allow granular selection of what products should be patched. Allow the user to select via a GUI the major products to download patches for (vSphere 4.0, ESX vs ESXi, what Microsoft products, which Linux distros).

2. Allow a metadata only download feature, so we can scan for all vulnerabilities and updates without having to download the actual patches themselves. Scenario: Use VUM as a verification product, not as a remediation product.

3. Build in a scheduler that downloads the specified patches at a user defined interval.

4. Provide a GUI for easily specifying the re-download date range, and export date range.

5. Allow it to co-exist on a VUM server.

6. Provide a cleanup tool to delete previously downloaded patches that are no longer applicable.

Hi,

I noticed that this article was last updated on 04-Apr-2008, but the previous comments were made towards the end of 2009. So in between those times, have there been any revised versions or improvements made to the umds? -> VMware-UMDS.exe <-

Also, is there an equivalent version for linux? I'm thinking of using the linux as a patch repository.

Regards

Charkrit's post of over a year ago is still germane. Has anyone else had any luck with making UMDS more useful?

Version history: Revision 1 of 1. Last update: 01-09-2008 07:21 PM