Speeding up agentless deployment with distribution servers

I thought I’d take this time to share an idea that might help you speed up the agentless patch deployment process. Turns out, some work we did to support agent-based deployments can provide a big benefit for agentless deployments.

In a standard agentless deployment, the NetChk console pushes each patch or group of patches to each remote system. If there are two patches to push to each of 1,000 systems, the console will push 2,000 patches total. The console can push to 64 machines simultaneously – so it may take some time to push out all of the patches all of the machines. The patch push can also consume a lot of network bandwidth, especially if pushing patches to a large number of systems across a slow link.

We can address both speed and bandwidth issues for agentless deployments via the use of distribution servers.

The term ‘distribution server’ is really a misnomer. It’s not really a server at all. Instead, a distribution server is simply a UNC file share or a web share on a workstation or server machine.

Let’s start with the simple scenario: use the NetChk console as a distribution server. On the NetChk console, share out the C:\Program Files\Shavlik Technologies\NetChk\Patches\en-us (or similar) folder with read-only permissions for a specific netchk patch user account. This ‘share’ is your distribution server.

Next, go to tools-distribution servers to define the distribution server share you just created. Select New on the servers tab and then select the UNC radio button. Enter the UNC path to the share (ex. \\console\patchrepository) and the username and password for the account that has read-only access to this share (don’t worry, this password info is encrypted). There’s no need to enter synchronization data at the bottom of this window because the console patch repository is the same location as the distribution server share.

On the IP ranges tab of the distribution server window, create an IP range for your network. If you want all of your machines to use the same distribution server, you may enter 0.0.0.0 – 255.255.255.255. Assign the distribution server you just created to this IP range.

Finally, go to the deployment template that you’d like to use and select the distribution servers tab. Check the box to deploy patches using distribution servers. Set the randomization number of minutes (if desired) and also decide if you want the target systems to download the patches from the vendor websites directly if the machines can’t contact the distribution server.

Here is where the magic happens. When you go to deploy patches using this deployment template, the patches won’t be pushed to each systems. Instead, the NetChk console will push a very small deployment instruction set to each machine (and the Shavlik Scheduler, if not already present) and will schedule that instruction set to execute at the scheduled deployment time. When this deployment time occurs, the system will realize that it doesn’t have the necessary patches to deploy, it will read the instruction set to obtain the distribution server information, and it will then login to the distribution server and download the specified patches.

The above process will speed up the deployment process, however, the overall bandwidth hit against the network will be the same as if the console was doing a normal patch push. To conserve bandwidth and better handle remote sites, consider the following:

Create one distribution server at each remote site. This can be the UNC style distribution server we created above, or an http or https website at each remote site. The distribution server UNC or web share can reside on workstation or server class machines – whatever is ‘always available’ at the remote site. (Keep in mind that workstation class machines may only support ten concurrent sessions for UNC and web connections).

When defining the distribution servers, create groups of IP addresses – one group for each remote site – and assign the IP ranges to the distribution server at that site. This will ensure that the machines at remote site A will download their patches over the local area network from the distribution server at site A, thus reducing your network bandwidth over the slow link back to the NetChk console. Make sure to run the distribution server sync function to ensure that the remote distribution servers have a full copy of the patches from the console.

The above process is a unique method to leverage distribution servers (normally reserved for agent-based deployments) to aid in the speed and network bandwidth utilization when performing agentless deployments.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: