ScriptLogic Patch Authority Ultimate 7.8
Virtual Machine
Quick Start Guide
Copyright © 2011 ScriptLogic Corporation.
All rights reserved.
No part of this document may be reproduced or retransmitted in any form or by any
means electronic, mechanical, or otherwise, including photocopying and recording for
any purpose other than the purchaser’s personal use without written permission of
ScriptLogic Corporation.
ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida 33487-2742
1.561.886.2400
www.scriptlogic.com
Trademark Acknowledgements
ScriptLogic Patch Authority Ultimate and the ScriptLogic Corporation logo are either
trademarks or registered trademarks of ScriptLogic Corporation. Microsoft, Windows,
and Microsoft Baseline Security Analyzer are registered trademarks of Microsoft
Corporation.
All other trademarks, tradenames, or images mentioned herein belong to their
respective owners.
Updated 17 March 2011
DOCUMENTATION CONVENTIONS
Typeface Conventions
Bold: Indicates a button, menu selection, tab, dialog box title, text to type,
selections from drop-down lists, or prompts on a dialog box.
CONTACTING SCRIPTLOGIC
ScriptLogic may be contacted about any questions, problems or concerns you
might have at:
ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida 33487-2742
561.886.2400 Sales and General Inquiries
561.886.2450 Technical Support
561.886.2499 Fax
www.scriptlogic.com
SCRIPTLOGIC ON THE WEB
ScriptLogic can be found on the web at www.scriptlogic.com. Our web site
offers customers a variety of information:
• Download product updates, patches and/or evaluation products.
• Search Frequently Asked Questions for the answers to the most common
  non-technical issues.
• Participate in Discussion Forums to discuss problems or ideas with other
  users and ScriptLogic representatives.
• Locate product information and technical details.
• Find out about Product Pricing.
• Search the Knowledge Base for Technical Notes containing an extensive
  collection of technical articles, troubleshooting tips and white papers.
Contents
VIRTUAL MACHINE OVERVIEW
    Online Virtual Machines
    Offline Virtual Machines
    Virtual Machine Templates
SYSTEM REQUIREMENTS
NOTES ABOUT VIRTUAL MACHINES
NOTES ABOUT VIRTUAL MACHINE TEMPLATES
ROADMAP OF TASKS
    Patch Tasks
ADDING VIRTUAL MACHINES TO A MACHINE GROUP
ADDING SERVERS AND VIRTUAL MACHINES HOSTED BY A SERVER
ADDING OFFLINE VIRTUAL MACHINES THAT RESIDE ON WORKSTATIONS
    Adding a Virtual Machine Residing on a Workstation
    Add a Directory of Virtual Machines
VIEWING SERVERS AND VIRTUAL MACHINES IN A MACHINE GROUP
SUPPLYING CREDENTIALS FOR VIRTUAL MACHINES
CREDENTIAL PRIORITIES
    Initiating Actions From a Machine Group or a Favorite
    Initiating Actions From Machine View or Scan View
HOW TO SCAN VIRTUAL MACHINES
REVIEWING SCAN RESULTS
    Reviewing Patch Scan Results
CONFIGURING YOUR DEPLOYMENT TEMPLATE TO TAKE SNAPSHOTS
DEPLOYING PATCHES TO VIRTUAL MACHINES
    Immediate Patch Deployments
    Scheduled Patch Deployments
    Power State and Credential Requirements for a Successful Deployment
MONITORING PATCH DEPLOYMENTS TO VIRTUAL MACHINES
VIRTUAL MACHINE OVERVIEW
A virtual machine is not actually a physical machine but rather a software
environment (usually an operating system) designed to emulate a physical
machine. A virtual machine can run programs just like a physical machine.
The physical machine used to host the virtual machine can often support
multiple virtual machines.
ScriptLogic Patch Authority Ultimate can scan for and deploy patches to the
virtual machines on your network regardless of whether they are online or
offline. It can also perform a software asset scan of your online and offline
virtual machines.
Online Virtual Machines
A virtual machine that is online and running is treated by Patch Authority
Ultimate the same as a physical machine. Patch scans and asset scans will be
performed in the same manner as on a physical machine. Any patches that
may be missing can also be deployed in the same manner to both your
physical machines and your online virtual machines. This means your online
virtual machines are protected by the latest software patches just like your
physical machines.
Offline Virtual Machines
Patch Authority Ultimate also enables you to scan and patch offline virtual
machines. Offline virtual machines are those that aren't powered on when a
patch scan or an asset scan is performed. These virtual machines may be
powered on for only a few hours or days a month and then powered off until
they are needed again the next month. It's important to ensure that these
systems are patched so that when they are brought online they don't place
your network at risk.
Patch Authority Ultimate makes it easy to scan these offline virtual machines.
When you initiate a scan of a machine group that contains offline virtual
machines, Patch Authority Ultimate will perform a full assessment of the
offline virtual machines and display the scan results alongside the results for
running systems. Offline virtual machines are distinguished in the patch
scan results by a unique icon. The scan results may even identify offline
virtual machines that you don't know about. When viewing machines in
Machine View, the Offline Scan column in the top pane indicates whether a
virtual machine was offline at the time of the scan.
Patching offline virtual machines is similarly simple. You simply highlight the
machines and patches you'd like to install and then select Deploy from the
Patch Authority Ultimate menu. For offline virtual machines that are hosted on
a server, the machines will be powered on, the patches installed, and the
machines powered back down. For offline virtual machines that reside on
workstations, the patches will be copied to the offline virtual machines and
will be installed the moment that the virtual machine is started (or according
to the scheduled patch deployment time).
Virtual Machine Templates
Virtual servers and virtual workstations are often created using a template.
Templates enable you to quickly create new virtual machines that conform to
your particular configuration requirements. A template that is offline poses no
danger to your organization. A template that is brought online, however, is no
different than an online virtual machine. It can perform tasks just like any
other virtual machine, and it can also contain the same viruses, spyware, and
other types of malware that target improperly patched machines. For this
reason it is critical that your virtual machine templates receive the same
patch management care as your physical and virtual machines.
Patch Authority Ultimate enables you to patch your virtual machine
templates. You simply add your templates to a machine group and Patch
Authority Ultimate will take care of the rest. For complete details on the
virtual machine template scan and deployment process, see Notes About
Virtual Machine Templates.
SYSTEM REQUIREMENTS
ScriptLogic Patch Authority Ultimate supports offline virtual machines created
by any of the following:
• VMware ESX Server 3.0 or later
• VMware ESXi 3.0 or later
• VMware vCenter (formerly VMware VirtualCenter) 2.0 or later
• VMware Workstation 4.0 or later
• VMware Player
NOTES ABOUT VIRTUAL MACHINES
Before using ScriptLogic Patch Authority Ultimate to scan virtual machines,
please review the following notes:
• Only the current state of the virtual machine will be scanned and patched.
  Snapshots of virtual machines are not scanned or patched.
• A virtual machine is counted only once against the total number of license
  seats available, even if it is scanned both in online (powered on) mode
  and offline (powered off) mode.
• In machine groups and in scan results, special icons will distinguish an
  offline virtual machine from a physical machine or an online virtual
  machine and from a virtual machine template.
• Avoid using network drive letters when defining offline virtual machines in
  a machine group. The recommended practice is to instead specify the
  Uniform Naming Convention (UNC) path. This comes into play when
  performing a scheduled scan on an offline virtual machine. Network drive
  mappings are session-specific, so it is very possible that a specified
  mapping will no longer exist when the scheduled scan process is run.
• Within a machine group, the Scan only filters do not apply to offline
  virtual machines or to virtual machine templates.
• Dual boot systems (for example, a virtual machine with two partitions,
  each containing a different operating system) are not supported.
• It is possible for two offline virtual machines to have the same domain and
  computer name. This will be the case if you clone a virtual machine and
  do not change the computer name or domain name on one or both
  machines. In this situation, of the two duplicate virtual machines, only the
  last one scanned will be visible in Machine View. The machines displayed
  in Machine View are keyed on domain and computer name and duplicates
  are not allowed.
• Virtual machines that are offline (powered off) will be mounted before they
  are scanned. Virtual machines that are online (powered on) do not need to be
  mounted as they are treated no differently than a regular machine.
• When performing a patch or an asset scan, a virtual machine that was added
  to a machine group as an offline virtual machine but that is online at the time
  of a scan will be scanned if it is hosted on an ESX server and if the proper
  credentials are available in order to access that machine. (See Supplying
  Credentials for Virtual Machines for details.) Online virtual machines that are
  hosted on workstations will fail to mount and will not be scanned.
• In order to mount a VMware ESX Server through a virtual infrastructure
  server, you must be running VMware Infrastructure 2.5 or later.
• When scanning virtual machines that are supported by VMware, please
  keep in mind the following:
    • You cannot mount encrypted virtual disks.
    • You cannot mount a virtual machine that is currently being used by a
      running or suspended virtual machine.
    • Linked clones and compressed images are not supported.
    • You cannot mount a virtual machine if any of its .vmdk files are
      compressed or have read-only permissions.
• When scanning multiple virtual machines that are hosted on one workstation,
  it is possible to reach the connection limit for that workstation. If the
  connection limit is reached an error will occur and the scans will fail. The
  maximum number of simultaneous connections supported varies for each
  Windows OS. For example, Windows XP only allows a maximum of 10
  simultaneous connections while servers allow many more. See
  http://support.microsoft.com/kb/314882 for more information.
• When deploying patches to an offline virtual machine that is hosted on a
  server, the virtual machine will be powered on, the patches installed, and
  the virtual machine powered down. See Deploying Patches to Virtual
  Machines for more details.
• When deploying patches to an offline virtual machine that is hosted on a
  server, VMware tools must be installed on the virtual machine.
• When deploying patches to an offline virtual machine that is hosted on a
  server, the following VMware server permissions are required in order to
  manage snapshots and to change the power state of the machine during
  the deployment process:
    • VirtualMachine.State.CreateSnapshot
    • VirtualMachine.State.RemoveSnapshot
    • VirtualMachine.Interact.PowerOn
    • VirtualMachine.Interact.PowerOff
    • VirtualMachine.Interact.DeviceConnection (to disable/enable the
      network card)
• When deploying patches to an offline virtual machine that resides on a
  workstation, the new deployment job will overwrite any older deployment
  jobs that have not yet been performed. For this reason you should deploy
  all desired patches in a single deployment.
  Example: You deploy Patch A to a workstation-based offline virtual
  machine. The virtual machine is still offline a month later when you deploy
  Patches B and C. Because the first deployment job was never executed it
  gets overwritten and only Patches B and C are now scheduled for
  deployment. To avoid this you simply include Patch A along with Patches B
  and C in the second deployment job.
  One way to manage this is to use a patch group to define the patches you
  want deployed to your workstation-based virtual machines. When new
  patches are identified you simply add them to the list of patches in the
  patch group. This is particularly useful when specifying a patch group and
  enabling the Deploy missing patches using check box on a patch scan
  template. See Creating a New Patch Scan Template in the Help file for
  more details about these options.
• ScriptLogic Patch Authority Ultimate Agent operations are not supported
  on offline virtual machines.
  If you install ScriptLogic Patch Authority Ultimate Agent on an online
  virtual machine and then later scan the virtual machine while it is in an
  offline state, ScriptLogic Patch Authority Ultimate may report the wrong
  agent status for that image. For example, it may show that the agent is
  not installed, or it may let you attempt to uninstall the agent. This occurs
  because ScriptLogic Patch Authority Ultimate Agent operations are not
  supported on offline virtual machines. The correct status will be reported
  once the virtual machine is brought back online and rescanned by
  ScriptLogic Patch Authority Ultimate.
NOTES ABOUT VIRTUAL MACHINE TEMPLATES
Before using Patch Authority Ultimate to scan and patch virtual machine
templates, please review the following notes:
• For information on using virtual machine templates in patch scans, asset
  scans, and patch deployments, see Roadmap of Tasks.
• The type of virtual machine template (server template, workstation template,
  etc.) does not matter; they are all supported by Patch Authority Ultimate.
• Only virtual machine templates that are hosted on a VMware server are
  supported by Patch Authority Ultimate. The templates are added to a
  machine group using the Hosted Virtual Machines tab. Virtual machine
  templates that reside on individual workstations are not supported.
• A unique icon is used to identify virtual machine templates. You will
  see this icon when adding a template to a machine group and when
  viewing scan results in Scan View and in Machine View.
• As with anything that involves components on a network, errors can occur
  if connections go bad, if servers are shut down, if a template is modified
  while being accessed by Patch Authority Ultimate, etc. In general, the
  templates should not be touched at any time during the scanning or patch
  deployment process.
• When you initiate a patch or an asset scan of a virtual machine template,
  Patch Authority Ultimate will scan the template in its current state and will
  report the results in the same way it does for virtual machines and
  physical machines.
• During a scan, a template will be accessed using the VMware server
  credentials. Any individual credentials supplied for the template are ignored.
• You should supply online credentials for any virtual machine template that
  will be included in a patch deployment process. During the patch
  deployment process the template is converted to a virtual machine and
  powered on. Patch Authority Ultimate will need the supplied credentials in
  order to access the online version of the machine.
• When deploying patches to a virtual machine template, the following
  VMware server permissions are required in order to manage snapshots
  and to perform the deployment:
    • VirtualMachine.State.CreateSnapshot
    • VirtualMachine.State.RemoveSnapshot
    • VirtualMachine.Provisioning.MarkAsTemplate
    • VirtualMachine.Provisioning.MarkAsVM
• The patch deployment template you use must not specify the use of a
  distribution server. The virtual machine will be disconnected from the
  network and unable to download the patches from the distribution server.
• The patch deployment template you use must not specify the use of an
  Office media path. The offline virtual machine will be disconnected from
  the network and unable to access the location of the original Office
  installation media.
• The patch deployment template you use should not specify a pre-deploy
  reboot (the program will be unable to initiate the reboot because the
  machine will be offline) but it should always perform a post-deploy reboot
  (this is a "best practice" when deploying patches). For deployments to
  virtual machine templates it is recommended you use the Virtual
  Machine Standard deployment template.
• During a patch deployment, a virtual machine template that may normally
  be available only to an administrator will become visible to other users.
  This is because during the patch deployment process the template is
  temporarily converted to a virtual machine and powered on.
ROADMAP OF TASKS
Patch Tasks
ScriptLogic Patch Authority Ultimate can scan for and deploy patches to online
virtual machines, to offline virtual machines, and to virtual machine
templates. You do this by performing the following tasks:
1. Create one or more machine groups that contain the virtual machines and
virtual machine templates you want to scan and patch.
See Adding Virtual Machines to a Machine Group on page 7 for details.
2. Supply credentials for the virtual machines.
When performing scans, the recommended best practice is to always
supply credentials for the virtual machines and virtual machine templates.
When performing patch deployments, credentials must be set at the
machine, group, or default level. See Supplying Credentials on page 11 for
details.
3. Use the machine group in a scan.
See How to Scan Virtual Machines on page 13 for details.
4. Review the scan results. See Reviewing Scan Results on page 14 for
details.
In the scan results, unique icons will distinguish an offline virtual machine
from a physical machine or an online virtual machine and from a virtual
machine template. When viewing machines in Machine View, the Offline Scan
column in the top pane will indicate if a virtual machine was online or
offline at the time of the scan.
5. (Optional) If you want to take snapshots of your hosted virtual machines
and templates immediately before and/or immediately after the
deployment process, make sure you specify this on the Hosted
VMs/Templates tab of the deployment template you plan to use.
6. Deploy the desired patches to the desired virtual machines and virtual
machine templates. See Deploying Patches to Virtual Machines on page 16
for details.
You may not know if a particular virtual machine is online or offline at the
time you perform a deployment, and it typically doesn't matter. The
following guidelines apply for patch deployments to virtual machines:
    • If a virtual machine is hosted on a server, the deployment can be
      successful regardless of whether the virtual machine is online or offline
      at the time of the deployment.
    • If a virtual machine is defined in a machine group using the
      Workstation Virtual Machines tab, the deployment can be
      successful as long as the virtual machine is offline.
    • If a virtual machine is defined in a machine group using the Machine
      Name, Domain Name, or IP Address/Range tab, the deployment
      can be successful as long as the virtual machine is online.
If a virtual machine is online the patch deployment is performed in the
same manner as for a physical machine. Patch deployments to offline
virtual machines and to virtual machine templates are performed by Patch
Authority Ultimate in a slightly different manner. See Deploying Patches to
Virtual Machines on page 16 for details.
7. Monitor the deployment activities.
See Monitoring Patch Deployments to Virtual Machines on page 20 for details.
ADDING VIRTUAL MACHINES TO A MACHINE GROUP
Virtual machines can be added to a machine group. The recommended best
practice is to create a machine group consisting of nothing but virtual
machines. You can, however, add both physical machines and virtual
machines to the same machine group if you wish.
There are four different ways to add virtual machines to a machine group:
• If virtual machines are hosted by a server you can add the server to the
  machine group. This effectively adds all virtual machines hosted by the
  server to the machine group. The virtual machines can be in either online
  or offline mode. See Adding Servers and Virtual Machines Hosted by a
  Server for details.
• If virtual machines are hosted by a server you can add individual virtual
  machines to the machine group. The virtual machines can be in either
  online or offline mode. See Adding Servers and Virtual Machines Hosted
  by a Server for details.
• You can also add virtual machine templates that may be hosted on a
  server. See Notes About Virtual Machine Templates for details.
• If virtual machines reside on individual workstations you may consider
  adding the machines to the group twice to ensure that each virtual
  machine is successfully scanned regardless of its current power state
  (online or offline).
    • You can add the full path names or directory names of the offline
      virtual machines to the machine group using the Workstation Virtual
      Machines tab. The virtual machines defined using this tab are
      scanned only if they are in offline mode. See Adding Offline Virtual
      Machines That Reside on Workstations on page 8 for details.
    • You can add the virtual machines to the machine group using the
      Machine Name tab, the Domain Name tab, or the IP
      Address/Range tab. The virtual machines defined using this tab are
      scanned only if they are in online mode.
ADDING SERVERS AND VIRTUAL MACHINES HOSTED BY A SERVER
Many organizations will host their virtual machines on one or more VMware
servers. Doing so provides the means to manage the virtual machines in an
organized fashion. There are two main types of VMware servers:
• VMware ESX/ESXi Servers: A server dedicated to hosting and
  managing multiple virtual machines. VMware ESX servers are typically
  used in small- and medium-sized organizations that want to control
  multiple virtual machines from one location. The server often runs on a
  dedicated blade computer that is using a VMware operating system.
• VMware vCenter Servers: A virtual infrastructure server is typically
  used by large organizations that need to manage multiple VMware ESX
  servers, each of which may be running multiple VMware images. For
  example, you can quickly move a highly-utilized virtual machine from a
  busy ESX server to another less busy ESX server.
You can use the Hosted Virtual Machines tab to log on to these servers and
select the virtual machines and the virtual machine templates you want to
include in your machine group. The virtual machines can be in either offline or
online mode.
1. Log on to the desired server by clicking Add Server and then specifying
the server name and the proper credentials.
The credentials you use to log on to the server are called browse credentials.
They will be used to connect to the server and to enumerate the machines
hosted by the server.
After a connection is made the server is displayed in the left-hand pane.
The virtual machines hosted by the server are displayed in the right-hand
pane. At this point you can either add the server itself to the group or you
can add individual virtual machines and virtual machine templates.
Note: You must have server permission set on the datacenter, the folder,
or the individual virtual machines in order for the machine to be displayed.
If you don't have permission for a specific virtual machine it will not be
displayed in the right-hand pane.
Tip: You can log on to multiple servers at the same time. All virtual
machines found on the servers are displayed in the right-hand table.
2. To add all machines hosted by a server, select the server in the left-hand
pane and click Add Server(s) to Group.
3. To add individual hosted machines, in the right-hand pane select the
virtual machines you want to add to the machine group and then click
Add Machine(s) to Group.
The virtual machines are added to the bottom pane of the machine group.
4. Supply any credentials that may be needed for the individual virtual
machines and virtual machine templates.
See Supplying Credentials for Virtual Machines for details.
ADDING OFFLINE VIRTUAL MACHINES THAT RESIDE ON WORKSTATIONS
Some virtual machines may reside on individual workstations. Any machine
using VMware Workstation software is capable of supporting a virtual machine.
The virtual machines may reside almost anywhere, including hard drives,
network drives, jump drives, etc. You use the Workstation Virtual Machines tab
to add these stand-alone offline virtual machines to a machine group.
Note: This tab is used to specify the offline identity of each virtual machine.
If a virtual machine added here is online when a scan is performed, a
mounting error will occur and the scan of that machine will fail.
Tip: If you want to be absolutely sure that all your virtual machines are
successfully scanned, simply add the same machines to the group a second
time using one of the other tabs (Machine Name, Domain Name, or IP
Address/Range). This duplication assures that each virtual machine will be
successfully scanned regardless of its power state (online or offline).
The virtual machines specified here are the actual images and you must
therefore specify the full path name. Once the virtual machine is added to a
machine group you should also specify the credentials used to connect to that
virtual machine (see Supplying Credentials on page 11). This is different from
virtual machines hosted by a server. On a server you can simply reference a
file that points to the actual virtual machine, letting the server manage the
path and credential information.
Adding a Virtual Machine Residing on a Workstation
There are two ways to add an offline virtual machine that is hosted on a
workstation:
• In the Click here to enter the full path to a virtual machine box, type
  the full path name of the virtual machine. You must specify the full path
  name and not just the name of the virtual machine. The name must
  contain a valid image extension (such as .vmx) and must not contain any
  illegal characters (such as @, ", etc.). When possible, avoid using network
  drive letters; the recommended practice is to instead specify the Uniform
  Naming Convention (UNC) path. For example:
  \\machinename\sharename\directory\machine.vmx.
• Click the Browse button and locate the virtual machine by browsing
  your local machine and your network for the desired file.
Once the virtual machine is defined, click Add VM to add it to the machine
group list.
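The path rules above can be checked before entries are typed into the Workstation Virtual Machines tab. The following Python check is an added example, not part of the product; the accepted extension set, the illegal characters beyond @ and ", and the sample paths are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# The guide names .vmx as an example of a valid image extension; accepting
# only .vmx is an assumption of this example.
IMAGE_EXTENSIONS = {".vmx"}
# The guide names @ and " as illegal; the other characters are ones Windows
# rejects in file names, added here as an assumption.
ILLEGAL_CHARS = set('@"<>|?*:')


def check_vm_path(raw):
    """Return a list of (severity, code) findings for one virtual machine path."""
    findings = []
    path = PureWindowsPath(raw)
    if not path.is_absolute():
        # The guide requires the full path, not just the machine file name.
        findings.append(("error", "NOT_FULL_PATH"))
    if path.suffix.lower() not in IMAGE_EXTENSIONS:
        findings.append(("error", "BAD_EXTENSION"))
    # Skip the drive or \\server\share anchor, which legitimately holds ':' or '\'.
    names = path.parts[1:] if path.anchor else path.parts
    if any(ch in ILLEGAL_CHARS for name in names for ch in name):
        findings.append(("error", "ILLEGAL_CHAR"))
    if path.drive.endswith(":"):
        # A drive letter may be a mapped network drive. Mappings are
        # session-specific and can be missing when a scheduled scan runs,
        # so the guide recommends a UNC path instead.
        findings.append(("warning", "DRIVE_LETTER"))
    return findings


def lint_entries(paths):
    """Map each problematic path to its findings; clean paths are omitted."""
    report = {}
    for raw in paths:
        findings = check_vm_path(raw)
        if findings:
            report[raw] = findings
    return report


# Constructed sample entries (not taken from any real environment).
SAMPLE_PATHS = [
    r"\\machinename\sharename\directory\machine.vmx",  # form shown in the guide
    r"Z:\VMs\build\win7.vmx",                          # drive letter
    r"win7.vmx",                                       # name only
    r"\\fs01\vms\qa@lab\xp.vmx",                       # illegal character
    r"\\fs01\vms\xp\xp.vmdk",                          # disk file, not the image
]

if __name__ == "__main__":
    for raw, findings in lint_entries(SAMPLE_PATHS).items():
        print(raw, findings)
```

A drive-letter finding is only a warning because the check cannot tell a local disk from a mapped share; confirm which it is on the console machine.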
Add a Directory of Virtual Machines
There are two ways to add a directory of offline virtual machines:
• In the Click here to enter the path to a directory of virtual
  machines box, type the full path name of the directory. When possible,
  avoid using network drive letters. The recommended practice is to specify
  the Uniform Naming Convention (UNC) path. For example:
  \\virtual\directory.
- OR -
• Click the Browse button and locate the directory by browsing your
  local machine and your network for the desired directory.
If you want the program to recursively search all subdirectories for virtual
machines when performing a scan, enable the Include all VMs in all
subdirectories check box.
Once the directory is defined, click Add Directory to add it to the machine
group list.
Note: Adding a large number of virtual machines that are all hosted on the
same workstation could cause a connection limit error to occur when scanning
the virtual machines. See Notes About Virtual Machines on page 2 for more
information.
VIEWING SERVERS AND VIRTUAL MACHINES IN A MACHINE GROUP
When servers, virtual machines, and virtual machine templates are added to
a machine group, the new entries are displayed within the bottom section of
the machine group pane. For example:
The recommended best practice is to always supply credentials for the
VMware servers, the virtual machine templates, and the offline workstation
virtual machines. See Supplying Credentials for Virtual Machines for details.
Be careful if you have multiple console administrators, as different
administrators are likely to provide different server credentials.
SUPPLYING CREDENTIALS FOR VIRTUAL MACHINES
There are several different tabs that can be used to add virtual machines to a
machine group. The credentials that will be used to scan and/or deploy
patches to these machines depend on how the machines are defined to the
group and on the current power state of each machine.
• Hosted Virtual Machines tab: Used to add virtual machines that are
  hosted by a server. The credentials used to scan each machine depend
  on the current power state of the machine.
  - A hosted virtual machine that is offline at the time of a scan will be
    accessed using the server’s browse credentials. Any individual
    credentials supplied for the machine are ignored.
  - A hosted virtual machine that is online at the time of a scan will be
    accessed using authorized credentials for that machine. See Credential
    Priorities (below) for details.
• Workstation Virtual Machines tab: Used to add offline virtual machines
  that reside on individual workstations. You must supply individual machine
  credentials for each virtual machine defined using this tab. The credentials
  are used during the mounting process and provide permission for Patch
  Authority Ultimate to access the virtual machine files on the workstation.
• Machine Name tab, the Domain Name tab, or the IP Address/Range
  tab: Used to add virtual machines that reside on individual workstations and
  that are online at the time of a scan. See Credential Priorities for details.
You typically use these three tabs if you want to be absolutely sure that all
your workstation-based virtual machines are successfully scanned. Adding the
same machines here and on the Workstation Virtual Machines tab assures
that each virtual machine will be successfully scanned regardless of its power
state (online or offline).
CREDENTIAL PRIORITIES
Initiating Actions From a Machine Group or a Favorite
Machine groups and favorites can be used to initiate patch scans and assets
scans (on online/offline virtual machines) and power management actions (on
online virtual machines). When performing these actions, Patch Authority
Ultimate will attempt to authenticate to each virtual machine using a variety
of credentials and will do so in the following order:
1. Machine-level credentials (described above in Supplying Credentials for
Virtual Machines).
2. Group-level credentials (via the Credentials button in the top pane of the
machine group).
3. Default credentials (via Tools > Options > Default Credentials).
4. Credentials of the person currently logged on to the program (will not
work for deployments to offline virtual machines).
If none of these credentials work, the scans and the power management tasks
will fail.
One suggestion is to make your default credentials the same as the account
credentials you typically use to log on to the program. This will eliminate
problems that may occur if you forget to assign credentials.
Initiating Actions From Machine View or Scan View
When initiating a patch deployment or a power management action from
Machine View or Scan View, the program will attempt to authenticate to the
target machines using a variety of credentials and will do so in the following
order:
1. The credentials used in the last successful scan of the target machines
(when from Machine View) or the credentials used in the corresponding
scan (when from Scan View).
2. Default credentials (used if the scan credentials are invalid or missing;
for example, if an agent performed the scan rather than the console).
3. Credentials of the person currently logged on to the program (will not
work for deployments to offline virtual machines).
If none of these credentials work then the action will fail.
HOW TO SCAN VIRTUAL MACHINES
After defining your virtual machines in a machine group, you initiate a scan in
the exact same manner as any other machine group.
1. In the Machine Groups pane select the machine group that contains your
virtual machines.
2. Verify the desired virtual machines are contained within the group.
3. In the Scan with box select the desired scan template or power template.
4. Click Begin Scan.
ScriptLogic Patch Authority Ultimate will perform a full assessment of each
virtual machine. In the scan results, special icons will distinguish offline
virtual machines and virtual machine templates from physical
machines and online virtual machines.
REVIEWING SCAN RESULTS
Reviewing Patch Scan Results
You can review patch scan results using either Scan View or Machine View.
When reviewing your patch scan results, special icons will distinguish an
offline virtual machine and a virtual machine template from a
physical machine or an online virtual machine.
ScriptLogic Patch Authority Ultimate will otherwise treat an offline virtual
machine or virtual machine template no differently than a physical machine.
If an offline machine is brought online and is rescanned, the offline virtual
machine icon will be replaced by a regular machine icon.
The Patches tab in the middle pane displays general information about the
machines selected in the top pane.
CONFIGURING YOUR DEPLOYMENT TEMPLATE TO TAKE SNAPSHOTS
What is a virtual machine snapshot? A snapshot captures the state,
configuration, and disk data of a virtual machine at a given time. Snapshots
are useful for storing states that an administrator or user might want to
return to at some point in the future.
If you want to take snapshots of your hosted virtual machines and virtual
machine templates immediately before and/or immediately after the patch
deployment process, make sure you specify this on the Hosted
VMs/Templates tab of the deployment template you plan to use. This tab
does not apply to virtual machines that reside on workstations.
Complete snapshots are taken of offline virtual machines and of virtual
machine templates. If a virtual machine is online at the time of the patch
deployment the memory state will not be included in the snapshot—this will
quicken the process and reduce the amount of time that the online virtual
machine is affected.
There are reasons why you may choose to NOT take a snapshot. You may
have a limited amount of disk space, or you may have performance concerns.
Taking a snapshot reduces the performance of the virtual machine while the
snapshot is created.
DEPLOYING PATCHES TO VIRTUAL MACHINES
The method for initiating a patch deployment is the same regardless of whether
you are deploying to a physical machine, to an online virtual machine, to an
offline virtual machine, or to a virtual machine template. You simply right-click
the desired machines or patches and select Deploy.
It's what happens after you initiate the deployment, however, that is slightly
different for virtual machines and virtual machine templates.
Note: For deployments to virtual machines that are hosted on a server it is
recommended you use the Virtual Machine Standard deployment template.
Also, in all cases, during deployment the virtual network will need to remain
connected.
Immediate Patch Deployments
When you perform an immediate deployment to a physical machine, an online
workstation virtual machine, or an offline workstation virtual machine, the
files required for the deployment are copied to the target machine
immediately and the deployment is scheduled to occur immediately using the
scheduler on the target machine. The online/offline status of these machine
types is determined at the time you initiate the deployment. The actual patch
installation is performed on the target machines and the console is not
actively involved in the patch installation.
When you perform an immediate deployment to a virtual machine that is hosted
on a server, the entire deployment process occurs on the Patch Authority
Ultimate console machine. The console determines the online/offline status of the
hosted virtual machines and the console service is actively involved during the
patch installation. This allows the console service to modify the state of the
hosted virtual machines during the deployment.
The following table summarizes what happens at the time you perform an
immediate deployment based on where the virtual machines are defined
within the machine group.
| Machine Group Tab | Target Machine is Online | Target Machine is Offline |
|---|---|---|
| Machine Name, Domain Name, IP Address/Range, Organizational Unit | Push files and initiate deployment immediately. | Fail |
| Workstation Virtual Machines | Fail | Push files and schedule on target; deployment will occur the next time the virtual machine is brought online. |
| Hosted Virtual Machines | Push files and initiate deployment immediately. The process is the same as a physical machine except that snapshots will be taken as directed by the deployment template. | *See steps below. VMware tools must be installed on the virtual machine in order for the deployment to be successful. |
*During deployment to an offline hosted virtual machine or an offline virtual
machine template, the following steps occur:
1. [Conditional: Templates Only] Convert the virtual machine template to
an offline virtual machine.
2. (Optional) Take a snapshot if the deployment template is configured to
take a pre-deployment snapshot.
3. (Optional) Delete old snapshots if one of the snapshot thresholds
defined on the patch deployment template is exceeded.
4. Copy the patches to the offline virtual machine.
5. Reconfigure the following on the offline virtual machine:
   • Disable the network adaptor's Connect at power on option. This is
     done so that the machine is isolated from the network when the patch
     process is run.
   • Disable Sysprep so it will not automatically configure the machine's
     operating system when the machine is first powered on.
6. Power on the virtual machine.
7. Install the patches.
8. Power down the virtual machine.
9. Reset the machine configuration to its original network connection and
Sysprep settings.
10. (Optional) Take a snapshot if the deployment template is configured to
take a post-deployment snapshot.
11. (Optional) Delete old snapshots if one of the snapshot thresholds defined
on the patch deployment template is exceeded.
12. [Conditional: Templates Only] Convert the offline virtual machine back
to a virtual machine template.
Scheduled Patch Deployments
When you schedule a deployment to a physical machine, an online
workstation virtual machine, or an offline workstation virtual machine, the
files required for the deployment are copied to the target machine
immediately and the deployment is scheduled using the scheduler on the
target machine. The online/offline status of these machine types is
determined at the time you schedule the deployment. The actual patch
installation is performed on the target machines and the console is not
actively involved at the time the patches are installed.
When you schedule a deployment to a virtual machine that is hosted on a
server, the entire deployment process is scheduled to occur on the Patch
Authority Ultimate console machine using the scheduler on the console. The
online/offline status of the hosted virtual machines is determined at the
scheduled time, and the console is actively involved at the time the patches
are installed. This allows the console to modify the state of the hosted virtual
machines during the deployment.
The following table summarizes what happens at the time you schedule a
deployment based on where the virtual machines are defined within the
machine group.
| Machine Group Tab | Target Machine is Online When Scheduled | Target Machine is Offline When Scheduled |
|---|---|---|
| Machine Name, Domain Name, IP Address/Range, Organizational Unit | Push files to the target and schedule the deployment on the target. The deployment will occur the next time both of the following are true: the machine is online; the scheduled time has passed. | Fail |
| Workstation Virtual Machines | Fail | Push files to the target and schedule the deployment on the target. The deployment will occur the next time both of the following are true: the machine is online; the scheduled time has passed. |
| Hosted Virtual Machines | Schedule the deployment on the console. At the scheduled time, treat as an immediate deployment (see Hosted Virtual Machines in the previous table). | (same as online) |
If the scheduled deployment contains a mix of hosted virtual machines and
other types of machines, the machines are separated into two groups. The
deployment of the hosted virtual machines is scheduled to occur on the
console at the scheduled time. For all machines other than hosted virtual
machines, the files are copied to the target machines immediately and the
deployment is scheduled to occur using the scheduler on the target machine.
Power State and Credential Requirements for a Successful Deployment
Note: Keep in mind that, from Patch Authority Ultimate's point of view, the
definition of a successful deployment depends on where the virtual machine is
located. A successful deployment to a hosted virtual machine means the
machine is fully patched, while a successful deployment to a
workstation-based virtual machine means the patches have been pushed to the
offline virtual machine.
An offline virtual machine (workstation-based or hosted on a server) is a file
or set of files. To scan or deploy to an offline virtual machine requires
permissions to the file system where the files reside. An online virtual
machine is almost indistinguishable from a physical machine. To deploy
patches to an online virtual machine requires credentials for an administrator
account on the virtual machine operating system.
Because of these differences between online and offline virtual machines, you
may need to provide two sets of credentials – one for when the virtual
machine is in the online state and one for when it is in the offline state.
For workstation virtual machines, if you wish to scan and/or deploy to the
virtual machine in either its online or offline state, you should add the virtual
machine to the machine group twice:
• For its online state, enter the machine identifier and online credentials in the
  machine group as you would any physical machine – on the Machine Name,
  Domain Name, IP Address/Range, or Organizational Unit tab.
• For its offline state, enter the information and credentials for the virtual
  machine file locations on the Workstation Virtual Machines tab.
For hosted virtual machines, you only need to specify the machine once, on
the Hosted Virtual Machines tab. Separate credentials, however, are still
required to access the machine in either the online or offline state. The
browse credentials you enter when connecting to the VMware server are used
when the machine is in the offline state. You should enter online credentials
for each hosted virtual machine using the Set Admin Credentials option in
the bottom pane of the machine group editor.
The following table summarizes the credentials used for various machine types.
| Machine Type | Machine State | Machine Group Tab | Credentials Required |
|---|---|---|---|
| Physical Machine | Online | Machine Name, Domain Name, IP Address/Range, Organizational Unit | Machine or machine group credentials |
| Workstation VM | Online | Machine Name, Domain Name, IP Address/Range, Organizational Unit | Machine or machine group credentials |
| Workstation VM | Offline | Workstation Virtual Machines | Machine or machine group credentials |
| Hosted VM | Online | Hosted Virtual Machines | Machine or machine group credentials |
| Hosted VM | Offline | Hosted Virtual Machines | Browse credentials (the creds used to log on to the VM server) |
If you specify both online and offline credentials for virtual machines, you will
be able to scan and deploy to those virtual machines whether they are online
or offline.
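The coverage rules from this section and from Credential Priorities, written out as an added example (not ScriptLogic code; the guide documents no scripting interface, so the inventory is a constructed list and Entry, states_handled, credential_source and audit are hypothetical names). For each virtual machine it reports the power states in which a deployment would fail or would depend on the logged-on user's credentials.

```python
from dataclasses import dataclass

# Tab names as they appear in the guide.
NAME_TABS = {"Machine Name", "Domain Name", "IP Address/Range", "Organizational Unit"}
WORKSTATION_TAB = "Workstation Virtual Machines"
HOSTED_TAB = "Hosted Virtual Machines"

@dataclass
class Entry:                      # hypothetical record of one machine group entry
    vm: str                       # label tying entries for the same VM together
    tab: str
    machine_creds: bool = False   # machine-level credentials set on this entry
    browse_creds: bool = False    # hosted only: VMware server browse credentials

def states_handled(entry):
    """Power states in which a deployment via this tab does not fail (per the tables)."""
    if entry.tab in NAME_TABS:
        return {"online"}
    if entry.tab == WORKSTATION_TAB:
        return {"offline"}
    return {"online", "offline"} if entry.tab == HOSTED_TAB else set()

def credential_source(entry, state, group_creds, default_creds):
    """First credential in the guide's priority order that is available for a deployment."""
    if entry.tab == HOSTED_TAB and state == "offline":
        return "browse" if entry.browse_creds else None   # individual creds are ignored
    levels = {"machine": entry.machine_creds, "group": group_creds, "default": default_creds}
    for level, present in levels.items():
        if present:
            return level
    # Last resort is the logged-on user, which does not work for offline deployments.
    return "logged-on user" if state == "online" else None

def audit(entries, group_creds=False, default_creds=False):
    """Return {vm: [findings]}; an empty list means both power states are covered."""
    report = {}
    for vm in sorted({e.vm for e in entries}):
        issues = []
        for state in ("online", "offline"):
            usable = [e for e in entries if e.vm == vm and state in states_handled(e)]
            if not usable:
                issues.append(f"{state}: not defined on a tab that handles this state")
                continue
            sources = {credential_source(e, state, group_creds, default_creds) for e in usable}
            if sources == {None}:
                issues.append(f"{state}: no usable credentials")
            elif sources <= {None, "logged-on user"}:
                issues.append(f"{state}: falls back to logged-on user")
        report[vm] = issues
    return report

SAMPLE = [  # constructed sample inventory, not real machines
    Entry("ws-build01", "Machine Name", machine_creds=True),
    Entry("ws-build01", WORKSTATION_TAB, machine_creds=True),
    Entry("ws-test02", WORKSTATION_TAB, machine_creds=True),
    Entry("ws-lab03", "IP Address/Range"),
    Entry("ws-lab03", WORKSTATION_TAB),
    Entry("hv-web04", HOSTED_TAB, browse_creds=True),
]
```

Calling audit(SAMPLE, default_creds=True) shows how setting default credentials clears the credential findings while the missing tab definition for ws-test02 remains.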
MONITORING PATCH DEPLOYMENTS TO VIRTUAL MACHINES
ScriptLogic Patch Authority Ultimate provides a number of ways to monitor
patch deployments:
• Scheduled patch deployments can be managed using the Scheduled
  Task Manager.
• Active patch deployments can be monitored using the Deployment
  Tracker. If you notice that a server task has failed for a virtual machine
  (for example, taking a snapshot or re-enabling the network), you can
  complete the task using your client software.
• When the deployment has completed, you can review the status of the
  deployment by selecting the deployment in the Today's Items list of the
  Patch Results pane.
In addition to using the tracking tools provided by Patch Authority Ultimate,
for virtual machines that are hosted on a server you can also use your client
software to monitor the patch deployment progress. For example: