Overview
GFI LanGuard requires two different types of update files to scan and remediate:
- Program Update Files: These are the update files for the GFI LanGuard program itself, as well as the files required to update its patch definition database. The patch definitions give GFI LanGuard the ability to scan computers, and they contain the locations from which the second type of update files is downloaded.
- Update/Patch Installer Files: These files are downloaded from the application vendor (Microsoft or third-party) update sites.
This article explains how to update a GFI LanGuard instance on a secure network.
Environment
- GFI LanGuard 12 (all builds)
- GFI LanGuard 2015 (11.4)
- GFI LanGuard 2014 R2 (11.3)
Process
When GFI LanGuard is installed on a highly secure network that does not have access to the internet, that instance must receive its Program Updates and Patch Installers another way. There are two methods, depending on whether you need to scan and patch your computers or only scan them (some customers use GFI LanGuard only to scan, for verification and reporting purposes):
- Scan and Patch Method:
  - Install another instance of GFI LanGuard on a network that has internet access.
  - Update this internet-facing instance, and then transfer its update files and patch repository to the secure network. This updates the GFI LanGuard instance on the secure network.
  - Update the secure network instance, specifying the Update from an alternative location option.
- Scan Only Method:
  - If you are only scanning your computers, and not deploying patches, you can use either the Scan and Patch method or the Scan Only method.
  - The Scan Only method removes the requirement for a second LanGuard instance.
  - With this method, you can download the Program Update files manually or via a script, and transfer the update files to the secure network instance of GFI LanGuard.
  - You can then run the Program Update utility, specifying the Update from an alternate location option.
Scan and Patch Method
Configure Instance 1: Internet-Facing Instance
- Install GFI LanGuard on a network that has access to the internet.
- It must be the same version as the one installed on the secure network.
- This instance must have access to the following sources on the internet:
  - *.software.gfi.com/lnsupdate/
  - *.download.microsoft.com
  - *.windowsupdate.com
  - *.update.microsoft.com
  - All update servers of third-party vendors supported by GFI LanGuard.
- Perform a manual Program Update and choose the Update all files (including the ones that have already been downloaded) option. This ensures that you have all the update files the secure network instance needs.
- If you are using the GFI LanGuard instance on the secure network to remediate (patch) the systems on its network, you must also configure GFI LanGuard to download all the patches to its configured repository in Configuration > Patch Auto-Download > Edit patch auto-download options...
NOTES:
- For downloading patch installers, you must choose the All Patches option. The other option, Download only needed patches, relies on the scan results to tell GFI LanGuard which patches are required. Since this instance of GFI LanGuard does not have access to the backend database of the internal secure network instance of GFI LanGuard, it will not know which patches have been discovered as missing on those systems.
- When using this option, GFI LanGuard downloads every patch for every version of the operating system or application that the patch is intended to update. Therefore, the patch repository must be very large (at least initially).
- It would be helpful if the repository is located on a removable drive to move it to the GFI LanGuard instance on the secure network.
Configure Instance 2: Secure Network Instance
- Install GFI LanGuard on the secure network if you have not done so already.
- In the GFI LanGuard console, go to Configuration > Program Updates > Edit program updates options.
- Ensure it does not automatically update by disabling the Enable scheduled updates setting.
- When you want to update instance 2, use the Update Procedure section below.
Scan Only Method
Download Program Update Files Manually
- Connect to http://lnsupdate.gfi.com on a machine that can access the internet.
- Download the list of files to a Program_Updates directory on the local machine.
- Also, download the wsusscn2.cab file to the same directory.
Download Program Update Files via a Script
- On a computer with internet access, download and install Wget for Windows (or use the Wget utility found on most Linux/Unix/Mac distributions).
- Create an InputFile.txt with an appropriate list of files from the Wget utility.
- Contact GFI Support for the UserName and Password for use in the commands below.
- Create a batch file (DownloadProgramUpdates.bat) that runs the following commands:
wget.exe --input-file=InputFile.txt --base=http://lnsupdate.gfi.com/ --http-user=UserName --http-password=Password --output-file=WgetLogFile0.txt --directory-prefix=Program_Updates
wget.exe --output-file=WgetLogFile1.txt --directory-prefix=Program_Updates http://go.microsoft.com/fwlink/?LinkID=74689
NOTE: The output-file is a log of the process. Use this log file if you encounter problems.
Configure Instance 2: Secure Network Instance
- Install GFI LanGuard on the secure network if you have not done so already.
- In the GFI LanGuard console, go to Configuration > Program Updates > Edit program updates...
- Ensure it does not automatically update by disabling the Enable scheduled updates setting.
- When you want to update instance 2, use the Update Procedure section below.
Update Procedure
When you want to update the GFI LanGuard instance 2 (secure network instance), do the following:
On GFI LanGuard Instance 1:
Copy the contents of the C:\ProgramData\GFI\LanGuard 12\Update\ directory (or C:\Documents and Settings\All Users\Application Data\GFI\LanGuard 11\Update on a 2003 class computer) to the removable drive and move the drive to the GFI LanGuard instance 2 location.
On GFI LanGuard Instance 2:
- Insert the removable drive into the GFI LanGuard instance 2 machine (or copy the files to a location on the hard drive of instance 2).
- In the GFI LanGuard console, go to Configuration > Program Updates > Check for Updates.
- Select Update application files from the following location > Alternative location.
- Enter the location of the update files and click the Next > button to go to the Choose which packages to update dialog box.
- If this is the first update, you should choose the Update ALL files (including the ones already updated) option. Otherwise, select the Next > button to perform the update.
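One way to confirm that the files instance 2 is about to import are the ones instance 1 exported is to carry a hash manifest on the removable drive. The PowerShell below is an added example, not GFI code or part of the original article; the function names, the manifest.csv file name and the E:\LanGuardUpdate path are assumptions, and it requires PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not GFI code. Assumes PowerShell 4.0+ (Get-FileHash).
# 'manifest.csv' and both function names are hypothetical.

function New-UpdateManifest {
    param(
        [Parameter(Mandatory)] [string] $Source,      # Update directory on instance 1
        [Parameter(Mandatory)] [string] $Destination  # folder on the removable drive
    )
    $src = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -Path (Join-Path $src '*') -Destination $Destination -Recurse -Force
    # Hash the originals so a bad write to the drive is detected too.
    Get-ChildItem -LiteralPath $src -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($src.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation
}

function Test-UpdateManifest {
    param([Parameter(Mandatory)] [string] $Path)      # same folder, seen from instance 2
    $root = (Resolve-Path -LiteralPath $Path).Path.TrimEnd('\')
    $expected = @(Import-Csv -Path (Join-Path $root 'manifest.csv'))
    foreach ($entry in $expected) {
        $file = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            "MISSING  $($entry.RelativePath)"
        } elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $entry.SHA256) {
            "MODIFIED $($entry.RelativePath)"
        }
    }
    # Report files on the drive that instance 1 never listed.
    $known = @($expected | ForEach-Object { $_.RelativePath }) + 'manifest.csv'
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        if ($known -notcontains $rel) { "EXTRA    $rel" }
    }
}

# Instance 1 (E:\LanGuardUpdate is an assumed removable-drive path):
#   New-UpdateManifest -Source 'C:\ProgramData\GFI\LanGuard 12\Update' -Destination 'E:\LanGuardUpdate'
# Instance 2, before Check for Updates > Alternative location:
#   $problems = @(Test-UpdateManifest -Path 'E:\LanGuardUpdate')
#   if ($problems.Count) { $problems; throw 'Update set does not match instance 1' }
```

Because the manifest travels on the same drive, it catches copy errors and truncated files; record the manifest's own SHA-256 separately if the drive itself is not trusted.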
Variations
Some organizations may have their networks configured so that the GFI LanGuard instance 2 can get access to the GFI LanGuard instance 1 computer (through HTTP or shares) and yet not be able to access the internet.
In this case, they can configure their GFI LanGuard instance 2 to get its updates (and patches in some cases) from the GFI LanGuard instance 1. Another variation is when there is a WSUS server available from the secure network.
Case 1: Access GFI LanGuard Instance 1 via HTTP
- Configure an HTTP server on the GFI LanGuard instance 1 server (Microsoft Internet Information Server or other) to serve the files in the C:\ProgramData\GFI\LanGuard 12\Update directory (or C:\Documents and Settings\All Users\Application Data\GFI\LanGuard 12\Update\ on a 2003 class computer).
- On the GFI LanGuard instance 2 server, in the Configuration > Program Updates > Edit program updates options... dialog, choose the option Download updates from an alternative location, and enter the HTTP address of the GFI LanGuard instance 1 computer, e.g., http://192.168.2.200/ or http://192.168.2.200:8000, depending on the configuration of the HTTP server.
- In the same dialog box, allow the Enable scheduled updates option to update automatically.
Case 2: Access GFI LanGuard Instance 1 via Network Shares
- On the GFI LanGuard instance 1 computer, share the C:\ProgramData\GFI\LanGuard 12\Update\ directory (or C:\Documents and Settings\All Users\Application Data\GFI\LanGuard 12\Update on a 2003 class computer).
- On the GFI LanGuard instance 2 server, in the Configuration > Program Updates > Edit program updates options... dialog, choose the option to Download updates from an alternative location, and enter the UNC path of the GFI LanGuard instance 1 computer, e.g., \\192.168.2.200\Update\
- In the same dialog box, allow the Enable scheduled updates option to update automatically.
- In this case, the repository of the GFI LanGuard instance 1 machine can also be used by sharing it and then configuring the GFI LanGuard instance 2 (under the Configuration > Patch Auto-Download > Edit patch auto-download options... dialog > Patch Repository tab) by entering the UNC path of the directory shared (see step 1) on the GFI LanGuard instance 1.
Case 3: Get Patch Installers From a WSUS Server
- Disable the Patch Auto-Download feature on the GFI LanGuard instance 1 computer.
- On the GFI LanGuard instance 2 computer, disable the Patch Auto-Download feature under Configuration > Patch Auto-Download > Edit patch auto-download options > General tab.
- On the Patch Repository tab, choose Use files downloaded by WSUS when available, and enter a UNC path (no mapped drive paths) to the WSUS Content folder. See the article: Configuring GFI LanGuard to Use WSUS Server for Patch Repository.
Related Article
Configuring GFI LanGuard to Check Updates from Alternative Locations
Priyanka Bhotika