Creating offline patch windows

You can use the Offline Patch Window Scheduler dashboard to create a patch window that applies patches to outdated, offline virtual machines. From the dashboard, you set the date and time when the patch window starts and ends.

When you select the Switch VLAN check box, you can choose a pre-configured quarantine VLAN from the dropdown menu; the targeted virtual machines are moved to that VLAN for the duration of the window.

A virtual machine that is powered on for the first time in a long while can carry many unpatched vulnerabilities. Without additional isolation, the virtual machines that an offline patch window powers on are reachable from, and can be attacked by, the outside world while they are still unpatched.

A separate VLAN can be set up and used together with the offline patch window dashboard. In this setup, the offline virtual machines are switched from their normal network to a VLAN in which they can communicate only with a pre-configured BigFix relay. The relay can communicate with all of the clients and with the world, but the individual clients cannot communicate with the world.

The machines patch in this isolated environment and, at the end of the patch window, return to their initial VLAN. To use this mode, you must set up the separate network yourself. If a VLAN is selected but a targeted virtual machine does not have that VLAN configured on one of its network adapters, the VLAN is not switched for that endpoint, so verify the adapter configuration of every targeted machine before relying on the quarantine.



Note: You must have a VLAN configured on an adapter that lets through only traffic on port 52311 (the BigFix client-to-relay port).
Note: You must have the quarantine VLAN set up, with a BigFix relay already installed on it.

You can limit the number of virtual machines that are patched in one batch by entering a value in the Concurrent Operations dropdown menu. This function turns on at most that number of virtual machines at a time per host. The window turns off the machines in a batch once they get through the patch baseline, then turns on the next batch of virtual machines.

This helps avoid having all the virtual machines powered on simultaneously, for example when a patch targets several thousand virtual machines.

The following image shows an example of 5 virtual machines targeted with a concurrency value of 2 and a patch window time of 30 minutes (the time each batch stays powered on).



In the example shown in the image, at the beginning of the window, VM#1 and VM#2 start up. After 30 minutes of being on, VM#1 and VM#2 turn off and VM#3 and VM#4 start. After VM#3 and VM#4 turn off, if it is still before the window end time (7:00 p.m. in the image), VM#5 and VM#1 start again. After 7:00 p.m., no new machines are turned on through this patch window, so when VM#1 and VM#5 turn off at the end of their 30-minute patch window, they are not turned on again.
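The batching behaviour described above, simulated in code. This is an added example, not BigFix code: it assumes the window starts at 5:30 p.m. and ends at 7:00 p.m., that the scheduler takes machines round-robin (so VM#1 follows VM#5, as in the image), that every batch uses its full 30 minutes, and it applies the concurrency limit to a single host. The VM names and their pre-window power states are constructed sample input.

```python
from datetime import datetime, timedelta
from itertools import cycle

# Constructed sample input (not from the page): five offline VMs and the
# power state each was in before the window. The plug-in returns a VM to
# that state (suspend or power off) when its batch ends.
INITIAL_STATE = {
    "VM#1": "poweredOff",
    "VM#2": "suspended",
    "VM#3": "poweredOff",
    "VM#4": "poweredOff",
    "VM#5": "suspended",
}


def schedule_batches(vms, concurrency, batch_minutes, window_start, window_end):
    """Simulate Concurrent Operations batching for one host.

    Returns a list of (power_on, power_off, [vm, ...]) tuples. A new batch is
    powered on only while the clock is still before window_end; the batch
    running at window_end finishes its batch_minutes and is then powered off
    without replacement. Assumption: VMs are taken round-robin, so the list
    wraps back to the first VM after the last one.
    """
    if concurrency < 1:
        raise ValueError("Concurrent Operations must be at least 1")
    if batch_minutes < 1:
        raise ValueError("batch duration must be at least 1 minute")
    per_batch = min(concurrency, len(vms))  # never list one VM twice in a batch
    order = cycle(vms)
    batches = []
    now = window_start
    while now < window_end:
        batch = [next(order) for _ in range(per_batch)]
        power_off = now + timedelta(minutes=batch_minutes)
        batches.append((now, power_off, batch))
        now = power_off
    return batches


def vms_on_at(batches, when):
    """VMs powered on at instant `when` (on at power_on, off at power_off)."""
    return [vm for on, off, batch in batches if on <= when < off for vm in batch]


def final_action(vm):
    """What happens to a VM when its last batch ends: it is returned to the
    state it was in before the window (suspended VMs are suspended again,
    powered-off VMs are powered off)."""
    return "suspend" if INITIAL_STATE[vm] == "suspended" else "powerOff"


def example_schedule():
    """The page's example: 5 VMs, concurrency 2, 30-minute batches, window
    ending at 7:00 p.m. (the 5:30 p.m. start is an assumption)."""
    start = datetime(2024, 1, 15, 17, 30)
    end = datetime(2024, 1, 15, 19, 0)
    return schedule_batches(list(INITIAL_STATE), 2, 30, start, end)


if __name__ == "__main__":
    for on, off, batch in example_schedule():
        print(f"{on:%H:%M}-{off:%H:%M}  {', '.join(batch)}")
    for vm in INITIAL_STATE:
        print(f"{vm}: {final_action(vm)} at end of its last batch")
```

Running it prints three batches (VM#1/VM#2, VM#3/VM#4, VM#5/VM#1) and no fourth, because the clock reaches 7:00 p.m. exactly when the third batch ends. In the real scheduler a batch can end earlier than the full 30 minutes, as soon as its machines get through the patch baseline; the simulation deliberately uses the worst case.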

Both the Switch VLAN and Concurrent Operations functions are optional.

Using the Offline Patch Window Scheduler dashboard

To create a patch window using the Offline Patch Window Scheduler dashboard, select Systems Lifecycle from the console. From the navigation tree, select Virtual Endpoint Management > Offline Patching > Offline Patch Window Scheduler.

The dashboard opens. Click Create New Patch Window. Enter information for the following fields:
  • Name
  • Start Date
  • Start Time
  • End Date
  • End Time


Optionally, select Switch VLAN and choose the quarantine VLAN from the dropdown menu. You can also select the number of concurrent operations to execute.
Note: Switch VLAN and Concurrent Operations are optional settings.
Click Create Task. At the end of the patch window, the plug-in suspends or powers off any remaining virtual machines, depending on the state each virtual machine was in before the window started.