ZENworks 2017 Update 2 Patch Management Airgap Solution

February 2018

The Airgap solution for ZENworks Patch Management enables you to deliver patches to networks that are disconnected and isolated from the Internet. These networks are referred to as “airgapped” or “closed” networks.

NOTE: Airgap supports Microsoft Windows patches, not including Microsoft Office 365. Airgap does not currently support patches for Linux distributions or Mac operating systems.

1.0 About the Airgap Solution

The Airgap solution requires two ZENworks Management Zones, one zone in the open (Internet-connected) network and one in the closed network. A Primary Server (referred to as the Airgap Collector) in the open zone receives patches through the subscription service. You then transfer the patches via portable media from the Airgap Collector to a Primary Server (referred to as the Airgap Server) in the closed zone. The Airgap Server deploys the patches to managed devices as if it had received them directly through the subscription service.

The ZENworks Management Zone in your open network can optionally include managed devices that you want to patch. The patches downloaded by the Airgap Collector are retained in the zone (in addition to being copied to a transfer directory) and can be deployed to managed devices within the open zone.

2.0 Prerequisites

  • Two ZENworks Management Zones, one in the open network (the Airgap Collector) and another in the closed network (the Airgap Server).

    ZENworks Servers must be 11 SP4 or later versions. For information about installing ZENworks, see the ZENworks Server Installation Guide.

  • ZENworks Patch Management licensed in both zones, which includes a ZENworks Patch Management license for the Airgap Collector (open zone) and a ZENworks Patch Management Airgap license for the Airgap Server (closed zone). You cannot use an evaluation license.

    NOTE: The Airgap license is a no-charge entitlement if you are a licensed ZENworks Patch Management customer with Maintenance. The license must be requested for you by your sales representative. After it has been requested, it is added to your ZENworks Patch Management entitlement in your Customer Center portal, and you add the license key to the Airgap Server using a system variable.

  • The Airgap Collector enabled before any server replication or caching of patches takes place on the Airgap Collector server.

3.0 Setting Up the Open Zone

The tasks required to configure the ZENworks Management Zone in your open network are described in the following sections.

3.1 Mirroring the Closed Zone’s Managed Devices

When a ZENworks Primary Server downloads patches from the subscription service, it downloads the patch fingerprints, not the entire patch. A patch fingerprint contains metadata about which operating systems the patch applies to. The Primary Server compares the downloaded patch fingerprints against the operating systems of the zone’s managed devices and displays the applicable patches in the Patches list. You can then select the patches you want to cache to the Primary Server for distribution to your managed devices.

If possible, we recommend that you register devices in your open zone that mirror the operating systems of the closed zone’s managed devices. This limits the Patches list to only those patches that are applicable for your closed zone’s devices.

If you do not mirror your closed zone’s devices in your open zone, the Patches list displays all patches, which in the example this guide was written against totals 4,957 patches. In this case, you would either need to cache all patches or manually filter and cache only the patches that apply to devices in your closed zone.

If you choose to mirror your closed zone’s devices in your open zone, consider the following guidelines:

  • In your closed zone, log in to ZENworks Control Center and review the Devices list. The list displays the operating system for each registered device.

  • In your open zone, register devices that have the same operating systems as the ones displayed in your closed zone’s Devices list.

  • Registering a device in your open zone adds the device object to the zone. The device object is what is needed to automatically filter the Patches list to show applicable patches only. Once the device is registered in your open zone, it does not need to continue to contact the zone; if desired, you can re-register the device against your closed zone for management purposes. Optionally, you could retain the devices in your open zone and use the devices to test new patches.

3.2 Licensing ZENworks Patch Management

To activate your ZENworks Patch Management license, do the following:

  1. Log in to the ZENworks Control Center for the zone in your open network.

  2. Click Configuration in the navigation panel and scroll down in the Configuration page to locate Licenses > Product Licensing.

  3. Click the ZENworks 2017 Patch Management link, and select Activate Product in the Patch Management License panel.

  4. Enter your Product Subscription Serial Number in the field provided, and click Add.

  5. Click OK to save the changes.

3.3 Enabling the Airgap Collector

You enable the Airgap Collector by adding a PATCH_AIRGAP_COLLECTOR=true system variable to your ZENworks Management Zone.

  1. Log in to ZENworks Control Center for the zone in your open network.

  2. Click Configuration > Device Management (in the Management Zone Settings panel) > System Variables to display the System Variables list.

  3. Click Add to display the Add Variable dialog box.

  4. Fill in the following fields:

    Name: PATCH_AIRGAP_COLLECTOR

    Value: true

  5. Click OK to add the variable to the list.

  6. Click OK to save the list.

3.4 Limiting the Patch Content Downloaded by the Subscription Service

Because you will be copying patches from your open zone (Airgap Collector) to your closed zone (Airgap Server), you should limit patch content downloads to only the languages and vendors your devices need. This reduces the amount of portable disk space required and speeds up the copy process. Only the Windows platform is currently supported for Airgap, so Windows should always be checked in the platform options of both the Airgap Collector and Airgap Server. If you have Linux and Mac systems in your open zone, leave those platform types selected in the open zone, but these options are not applicable in the closed zone, because those patches will not be included.

To configure the Subscription Service Content Download in the Airgap Server (closed zone):

  1. Launch the ZENworks Control Center in the Airgap Server and click Configuration > Patch Management (in the Management Zone Settings panel) > Subscription Service Content Download to display the content download settings.

  2. Select Windows for platforms to download.

  3. Select the languages you want to download.

  4. Click OK to save your patch download settings.

NOTE: You can also configure the Select vendors to use in the system list to limit the number of vendor patches to only those that are required. However, the list is not populated until the first subscription update is complete after starting the Subscription Service. The Airgap Collector content will not reflect a change in this setting until another subscription download completes after configuring and saving the list.

3.5 Starting the Subscription Service

To ensure that you have all the required patches for your closed zone, you need to start the Subscription Service and wait for the subscription download to successfully complete. You can verify this in the Subscription Service History panel on the Patch Management Dashboard.

Information about caching patches after the subscription download completes is provided in Section 5.0, Transferring Patches from the Open Zone to the Closed Zone.

IMPORTANT: Ensure that you enable the Airgap Collector before starting the subscription service or caching of patches. Otherwise, you may have missing patches for the Airgap Server.

To start the Subscription Service and initiate the patch download:

  1. In ZENworks Control Center, click Configuration > Patch Management (in the Management Zone Settings panel) > Subscription Service Settings to display the Subscription Service Settings page.

  2. In the Start the Subscription Service list, select the ZENworks Primary Server, and then click Start Service to start the subscription service on the Primary Server.

  3. Click the Update Now button to initiate an immediate request for patches from the subscription service.

    The initial subscription service request will take some time to process. You can use the Patch Management Dashboard (Patch Management > Dashboard tab) to monitor the request status.

  4. By default, the Airgap Collector contacts the subscription service for patch updates at midnight each day. If desired, you can use the Subscription Communication Interval field to change the daily time.

  5. Click OK to save your changes and exit the Subscription Service Settings page.

4.0 Setting Up the Closed Zone

In your closed network, you need to configure the ZENworks Management Zone to enable the Primary Server to act as an Airgap Server. When you transfer downloaded patches from your open network to the closed network, the Airgap Server pulls them into the ZENworks Management Zone as if it had received them directly through the subscription service. You then deliver the patches using the standard ZENworks Patch Management methods.

  1. Log in to ZENworks Control Center for the zone in your closed network.

  2. Enable the Airgap Server by adding several system variables:

    1. Click Configuration > Device Management (in the Management Zone Settings panel) > System Variables to display the System Variables list.

    2. Click Add to display the Add Variable dialog box.

    3. Fill in the following fields:

      Name: PATCH_AIRGAP_SERVER

      Value: true

    4. Click OK to add the variable to the list.

    5. Repeat to add the following two variables:

      • Name: PATCH_AIRGAP_LICENSE

        Value: The Airgap license key you received from your Sales Representative.

        NOTE: This step validates licensing on the Airgap Server for the closed network. You do not need to activate a ZENworks Patch Management license for this zone in Product Licensing.

      • Name: PATCH_AIRGAP_PATH

        Value: The directory path from which the Airgap Server will retrieve the patches you’ve transferred from the open network (the Airgap Collector) to your closed network. For example:

        c:\program files (x86)\novell\zenworks\zpm\airgap

        or

        /opt/novell/zenworks/zpm/airgap

    6. Click OK to save the list.

  3. Start the Subscription Service:

    1. Click Configuration > Patch Management (in the Management Zone Settings panel) > Subscription Service Settings to display the Subscription Service Settings page.

    2. In the Start the Subscription Service list, select the ZENworks Primary Server, then click Start Service to start the subscription service on the Primary Server.

    3. Click OK to exit the Subscription Service Settings page.

5.0 Transferring Patches from the Open Zone to the Closed Zone

To transfer patches from the open zone to the closed zone:

  1. On the Airgap Collector in the open zone:

    1. (Optional) Make sure you have the latest patches. To do so, click Configuration > Patch Management (in the Management Zone Settings panel) > Subscription Service Settings to display the Subscription Service Settings page. Click the Update Now button to initiate an immediate request for patches from the subscription service.

      Patches are updated daily at the time specified in the Subscription Service Settings. You only need to manually update if you want to ensure that you have any patches that might have been released since your last scheduled update. Use the Patch Management Dashboard (Patch Management > Dashboard tab) to monitor the status of the patch update.

    2. Cache all patches that you want to copy. To do so, click Patch Management > Patches to display the patch list. Select the patches you want to cache, click Actions > Update Cache.

      If you chose not to mirror your closed zone’s devices in your open zone (see Mirroring the Closed Zone’s Managed Devices), the Patches list does not display any applicable patches. In this case, deselect the Not Patched option in the Search box and click Search to display all available patches. Use this list to select the patches you want to cache. You will also need to do this if you mirrored some but not all of your closed zone’s devices.

    3. After caching of the selected patches is complete, copy all contents (files and folders) from the following folder to your portable media:

      Windows Airgap Server: c:\program files (x86)\novell\zenworks\zpm\airgap

      Linux Airgap Server: /opt/novell/zenworks/zpm/airgap

  2. On the Airgap Server in the closed zone, copy the patch content from the portable media to the Airgap directory you specified with the PATCH_AIRGAP_PATH variable when setting up the Airgap Server (see Step 2.e).

    If you have previously copied patch content to the Airgap Server, do not remove that content. Add the new patch content to the existing content.

  3. Log in to ZENworks Control Center for the Airgap Server zone (in your closed network).

  4. Click Configuration > Patch Management (in the Management Zone Settings panel) > Subscription Service Settings > Update Now to initiate an immediate patch content update.

    The subscription service request will take some time to process. You can use the Patch Management Dashboard (Patch Management > Dashboard tab) to monitor the request status.

  5. After the subscription service request completes, go to the Patches tab (Patch Management > Patches tab) to check the device status for each patch.

  6. Deploy the patches. If necessary, see the .
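The media copy in the procedure above is the one point where patch content crosses the air gap, so it is worth checking that what lands in PATCH_AIRGAP_PATH is exactly what the Airgap Collector cached. The script below is an added example, not part of the ZENworks documentation: it writes a SHA-256 manifest on the collector, verifies the media on the Airgap Server, and only then merges the files into the Airgap directory without removing previously transferred content. It assumes the Linux paths given on this page and GNU coreutils (sha256sum, find, cp); the manifest file name AIRGAP_MANIFEST.sha256 is this example's own choice.

```shell
# Added example (not ZENworks code): integrity-checked transfer of the Airgap
# Collector's cached patch directory into the Airgap Server's PATCH_AIRGAP_PATH.
# Assumes the Linux paths on the page and GNU coreutils; MANIFEST is our own name.
MANIFEST=AIRGAP_MANIFEST.sha256

# Run on the Airgap Collector (open zone) after caching, before copying to media:
# write a SHA-256 manifest of every cached file into the airgap directory.
airgap_make_manifest() {
    src="$1"
    ( cd "$src" && find . -type f ! -name "$MANIFEST" -print | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$src/$MANIFEST"
}

# Run on the Airgap Server (closed zone): confirm every listed file arrived
# unchanged and that nothing unlisted was added. Non-zero on any mismatch.
airgap_verify() {
    media="$1"
    [ -f "$media/$MANIFEST" ] || { echo "no manifest on media" >&2; return 1; }
    ( cd "$media" && sha256sum -c --quiet "$MANIFEST" &&
      [ "$(find . -type f ! -name "$MANIFEST" | wc -l)" -eq "$(wc -l < "$MANIFEST")" ] )
}

# Merge verified media into PATCH_AIRGAP_PATH. Existing content is kept, as the
# procedure requires; the manifest itself is not copied into the Airgap directory.
airgap_merge() {
    media="$1"; dest="$2"
    mkdir -p "$dest"
    ( cd "$media" && find . -type f ! -name "$MANIFEST" -print |
        while IFS= read -r f; do
            mkdir -p "$dest/$(dirname "$f")"
            cp -p "$f" "$dest/$f"
        done )
}

# Verify first; leave the Airgap directory untouched if the manifest fails.
airgap_transfer() {
    media="$1"; dest="${2:-/opt/novell/zenworks/zpm/airgap}"
    if ! airgap_verify "$media"; then
        echo "manifest verification failed; nothing copied to $dest" >&2
        return 1
    fi
    airgap_merge "$media" "$dest"
}
```

On the collector run `airgap_make_manifest /opt/novell/zenworks/zpm/airgap` before copying the directory contents to media; on the Airgap Server run `airgap_transfer <media-dir>` (the destination defaults to the page's Linux Airgap path) before clicking Update Now.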

6.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.novell.com/company/legal/.

Copyright © 2018 Micro Focus Software, Inc. All Rights Reserved.