VMware Cloud Community
nbomont
Contributor

How to configure Update Manager with Firewall and Proxy

We are trying to implement Update Manager with VirtualCenter 2.5. We use a firewall and a proxy. The proxy was configured during installation and no authentication is needed.

We opened only the website to download the patches but it seems that it is not enough.

Has anyone implemented the solution with a proxy and a firewall? If so, could you please tell me which URLs to open in order to get Update Manager working?

We tried to sniff in order to see but we only saw

and .

We have to know exactly all the URLs to open, and nothing more, for security reasons.

I also tried to take all the patches from a working VC in my lab and copy them to the repository in the production environment, but it is not working. I tried to add the packages manually, but I've got the error message "invalid patch bundle".

I searched in the knowledge base and in the documentation, but there is not enough information to solve the problem.

6 Replies
Texiwill
Leadership

Hello,

I use a firewall but not a proxy. So far no issues. My firewall lets out all Web traffic and lets only things back in that were Established by my systems. I did have a proxy in place for a little bit but I disabled it when other issues occurred. So I have yet to test the proxy option.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
nbomont
Contributor

Hi, thanks for the answer.

The problem is not around the proxy, it is around the firewall. For security reasons it is not possible to open all internet traffic, so I need to know exactly which URLs to open.

I opened a call at VMware Support for that, and this is the first answer:

https://www.vmware.com/PatchManagementSystem/patchmanagement

http://vip-patchmgmtwlc.vmware.com:7004/patchMdSvc?WSDL

http://www.shavlik.com

https://xml.shavlik.com/

There it gathers a list of download locations. Please note that these locations may change over time!

Hope it helps other people. I have to test it for myself now; I'll keep everyone informed of the result.

Thanks.

PWhiteGB
Contributor

Has anyone checked/used these recently? We're having the same problems with one customer going through a BlueCoat proxy device and we cannot get this to work.

dmadden
VMware Employee

For the BlueCoat issue, try doing this:

- Specify the correct proxy address and port number (you can do this in the VI client with later editions of Update Manager)

- Change the Update Manager service to log on with a domain account that has full access to the proxy

For the firewall issue:

- ESX patches are downloaded from download3.vmware.com

- You can check the log files in c:\documents and settings\all users\application data\vmware\vmware update manager\logs (open the biggest log file) and see which address it is failing at

- If you're using Update Manager to download virtual machine patches, you will not be successful with this configuration, since virtual machine patches are downloaded directly from the vendors (install Update Manager on a machine that has direct access to the internet, or use the Update Manager Download Service)

emmar
Hot Shot

The following is set:

- Proxy server and port defined as part of the install (FYI: can be modified by "Repairing" the app in Add/Remove Programs); the proxy server is shown correctly in the VUM GUI

- Proxy uses authentication, so: stop the VUM service, run VUM-proxyauthcfg.exe to define the account and password, set the VUM service to run under the same account, restart the service

- Test connection in the VUM GUI completes successfully.

The customer is using a BlueCoat proxy server and has set up exception rules for the following URLs

Yet we are still getting failures to download the patches... the vmware-vci-log4cpp.log has entries like this:

Calling web service at https://www.vmware.com/PatchManagementSystem/patchmanagement

with cert

Downloading https://www.vmware.com/PatchManagementSystem/patchmanagement via proxy proxyserver:8080

Status code: 403

Error retrieving document 'https://www.vmware.com/PatchManagementSystem/patchmanagement'. Unhandled status code: 403

Download host update metadata error, Error retrieving document 'https://www.vmware.com/PatchManagementSystem/patchmanagement'. Unhandled status code: 403

Waiting for 16 seconds to retry.

Download host update metadata, 2

Constructing xml request

Calling web service at https://www.vmware.com/PatchManagementSystem/patchmanagement

with cert

Downloading https://www.vmware.com/PatchManagementSystem/patchmanagement via proxy proxyserver:8080

Status code: 403

Error retrieving document 'https://www.vmware.com/PatchManagementSystem/patchmanagement'. Unhandled status code: 403

Download host update metadata error, Error retrieving document 'https://www.vmware.com/PatchManagementSystem/patchmanagement'. Unhandled status code: 403

Waiting for 16 seconds to retry.

Leave Validate. Succeeded for integrity.VcIntegrity.retrieveVcIntegrityContent on target: Integrity.VcIntegrity

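The advice above to open the biggest VUM log and see which address it fails at, together with the log excerpt in this post, can be turned into a small parser that lists every destination Update Manager tried via the proxy and which of them never got a 2xx. This is an added example, not code from the thread or from VMware; the sample log is constructed from the excerpt above and "proxyserver:8080" is a placeholder.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample modelled on the vmware-vci-log4cpp.log excerpt in the thread;
# not a real capture, and "proxyserver:8080" is a placeholder.
SAMPLE_LOG = """\
Calling web service at https://www.vmware.com/PatchManagementSystem/patchmanagement
Downloading https://www.vmware.com/PatchManagementSystem/patchmanagement via proxy proxyserver:8080
Status code: 403
Error retrieving document 'https://www.vmware.com/PatchManagementSystem/patchmanagement'. Unhandled status code: 403
Waiting for 16 seconds to retry.
Downloading http://vip-patchmgmtwlc.vmware.com:7004/patchMdSvc?WSDL via proxy proxyserver:8080
Status code: 200
Downloading https://xml.shavlik.com/ via proxy proxyserver:8080
Status code: 403
"""

DOWNLOAD_RE = re.compile(r"^Downloading (\S+) via proxy (\S+)")
STATUS_RE = re.compile(r"^Status code: (\d+)")


def summarize_downloads(log_text):
    """Pair each 'Downloading ... via proxy' line with the 'Status code' that follows it.

    Returns {(scheme, host, port): set(status codes)}: the exact destinations VUM
    contacted, which is what a firewall or proxy allow-list has to be built from.
    """
    results = defaultdict(set)
    pending = None                      # destination awaiting its status line
    for line in log_text.splitlines():
        m = DOWNLOAD_RE.match(line)
        if m:
            u = urlparse(m.group(1))
            port = u.port or (443 if u.scheme == "https" else 80)
            pending = (u.scheme, u.hostname, port)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:   # other lines (errors, retries) are ignored
            results[pending].add(int(m.group(1)))
            pending = None
    return dict(results)


def blocked_destinations(summary):
    """Destinations that never got a 2xx: what the proxy or firewall still denies."""
    return sorted(dest for dest, codes in summary.items()
                  if not any(200 <= c < 300 for c in codes))
```

Run it over the real log file contents instead of SAMPLE_LOG to get the allow-list for your own environment; a 403 from the proxy (as in the excerpt) points at a proxy policy rather than a firewall rule.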
emmar
Hot Shot

All sorted!

These are the specific rules that you need to apply on your BLUECOAT proxy server:

Create a 'do not authenticate' rule for the source IP in the Web Authentication Layer.

Create a Web Access Layer rule to allow the source IP access to any destination.

Ensure that the destination URLs are excluded from AV scanning within the AV Downloads layer.

I also had to increase the timeout settings in vci-integrity.xml; the timeout value is specified by the <recvTimeout> value.
