Pushing out Urgent Packages with ZENworks Patch Management

Novell Cool Solutions: Feature
By Shaun Pond

Posted: 3 Nov 2005
 

Need to send out a Deployment with ZENworks Patch Management in a hurry? See this article for how to deploy urgent packages.

ZENworks Patch Management (ZPM) relies on the agent contacting the Patch Management server to look for work. In most circumstances this is what you want, since it allows deployments to be spread naturally over a period of time, but there may still be a requirement, from time to time, to force a particular PC, or a range of PCs, to go and look for work immediately. This article will give you some ideas about the range of options, so that you can choose which one works best for you.

Background

How often the ZPM Deployment Agent contacts the server is controlled by the "Deployment Agent Default Communication Interval", which defaults to 5 minutes.


It is recommended that you change this to a longer interval (see server installation guide, page 34), somewhere between 30 minutes and 4 hours. But this may introduce a problem if you need a deployment to run quickly, for example if you need to apply an anti-virus update, or if you've clicked "Scan now" for some PCs and you want them to run the "Discover Applicable Updates" task right now.

1. Simple Option

For one or two PCs you could use Remote Control, and use the "Novell Update" Control Panel applet to do this by clicking on "Check Now."



2. Automation - Option 1

You could use something like PSEXEC from http://www.sysinternals.com like this:

psexec \\COMPUTERNAME -u administrator c:\progra~1\patchl~1\update~1\plar.exe

This will stop and start the agent. It works, but it requires you to use a local account with administrator rights, and in your organization the PCs may not all have the same account and password. You also need to know the computer name of each PC you want to do this to.

3. Automation - Option 2

If you want to force many PCs to check for work immediately, there's an elegant solution: the Ping Port. To set the Ping Port (the normal value is zero, which means it is switched off), you can use the Defaults page - from the ZENworks Patch Management web interface, click the "options" link, then the "Defaults" tab.



You can override this with the same setting in the "Agent Policy Sets" (same page, but click the "policies" tab). Here it's called "Agent Listener."



At this point, you need to choose a TCP port that's not in use on your PCs - some nice high number is safest. When the agent next refreshes, it will set up a listener on your chosen port (you can see this if you run "netstat -a"). If you're running a firewall on the PC (for example the one that comes with XPSP2) you will need to open this TCP port - ensure that you only allow this port to be probed from addresses inside your company, not Internet addresses!

Now the fun begins: whenever a TCP connection is established on the specified port, the agent will send its version information to the server, and inquire about work to be done.

There are many utilities you can use to do this; here are some I've tested:

  • http://www.networkingfiles.com/Diagnostic/Scanport.htm
  • You can use telnet like this:
    echo.|telnet [ip address of PC] [ping port]
    The first part of the line is necessary because the telnet session requires a CRLF to terminate.
  • Superscan - lots of places to download this, just Google it.
  • These two utilities, provided free of charge by Hamish Spiers
    chkport-ip
    chkport-dns
    usage is: chkport-ip ip-addr port

    e.g. chkport-ip 192.168.2.200 25

    Chkport-ip will only allow you to use IP addresses, chkport-dns supports DNS names as well.
    e.g.: chkport-dns gmail.novell.com 25

IMPORTANT NOTE: Please See TID 10099523 for news about a current issue with some platforms and some scanning utilities.

With these utilities, you can scan a range of addresses, and they'll all go and look for deployments immediately.
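
The Ping Port trigger described above, as an added Python example that is not from the original article or from Novell: it opens one TCP connection per address and skips any address outside a list of internal networks, in line with the firewall advice earlier. The network list, the function names and port 49200 are assumptions chosen for illustration.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: agents only live on these networks; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr, nets=INTERNAL_NETS):
    """True if addr falls inside one of the allowed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def ping_agent(addr, port, timeout=2.0):
    """Open and close one TCP connection to the agent's Ping Port.

    Returns "pinged" if the connection was accepted, "no-listener" if it was
    refused or timed out, and "skipped" for addresses outside INTERNAL_NETS.
    """
    if not is_internal(addr):
        return "skipped"
    try:
        # The completed connection is the trigger; no payload is sent.
        with socket.create_connection((addr, port), timeout=timeout):
            return "pinged"
    except OSError:
        return "no-listener"


def ping_agents(addrs, port, workers=32):
    """Ping every address in parallel and return {address: status}."""
    addrs = list(addrs)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(addrs, pool.map(lambda a: ping_agent(a, port), addrs)))


if __name__ == "__main__":
    # Constructed sample: a small subnet and a hypothetical Ping Port value.
    hosts = [str(h) for h in ipaddress.ip_network("192.168.2.0/29").hosts()]
    for host, status in ping_agents(hosts, 49200).items():
        print(host, status)
```

A "no-listener" result for a PC that should have the agent usually means the agent has not yet refreshed its policy or the local firewall is blocking the port.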

More Ideas

You could expand on this theme: if you set a different port (using the "Agent Listener" setting in the Policy) for different groups of PCs, you can address different PC groups. For example you could use one port for XP machines, one for W2K workstations, one for Windows Servers, allowing you to quickly and easily "ping" each type of machine independently.

