Overview
You have a highly secure environment without internet access and need to keep the GFI LanGuard instance on that network updated and supplied with patches.
Solution
When GFI LanGuard is installed on a highly secure domain that does not have network access to the internet, you still have to provide this instance with access to Program Updates and Patch Installers. GFI LanGuard needs two different types of files updated regularly to operate successfully:
- Program Update Files: This encompasses the update files for the GFI LanGuard program itself as well as the files needed to update its patch definition database. The patch definitions provide GFI LanGuard the ability to scan the computers and contain the locations to download the second type of update files.
- Update/Patch Installer Files: These files are downloaded from the application vendor (Microsoft or third-party) update sites and provide GFI LanGuard the ability to patch the computers.
There are two paths to ensure regular updates in such an environment – depending on whether you need to scan and patch your computers, or only scan your computers (some customers use GFI LanGuard to only scan for verification and reporting purposes).
Scan-Only Path
If you are only scanning your computers and not deploying patches, you have to take care only of Program Update files. Proceed with the Configuring GFI LanGuard to Download Program Updates from an Alternative Location guide.
You can follow the Scan and Patch Path instead if you like, but it requires more steps.
Scan and Patch Path
To follow this path, you have to:
- Install another instance of GFI LanGuard (referred to as LanGuard 1 in the steps below) on a network that has internet access.
- Update LanGuard 1 and then transfer its update files and patch repository to the secure network.
- Update the secure network GFI LanGuard instance (referred to as LanGuard 2 in the steps below).
Setting Up the Environment
- Install LanGuard 2 on the secure network. If it is already installed, we strongly recommend upgrading to the latest version.
- Install LanGuard 1 on a network that has access to the internet. This LanGuard server must be the same version as LanGuard 2 and have access to the following sources on the internet:
- gfi-downloader-137146314.us-east-1.elb.amazonaws.com
- *software.gfi.com/lnsupdate/
- lnsupdate.gfi.com
- *.download.microsoft.com
- *.windowsupdate.com
- *.update.microsoft.com
- All update servers of the third-party vendors supported by GFI LanGuard.
Updating LanGuard 1
Perform a manual Program Update on LanGuard 1:
- In the LanGuard 1 console, go to Configuration > Program Updates > Check for Updates.
- Select the checkbox at the bottom for "Update All Files (including the ones already updated)." This ensures that you have all the update files for LanGuard 2.
Next, configure LanGuard 1 to download all the patches to its configured repository:
- In the LanGuard 1 console, go to the Configuration > Patch Auto-Download > Edit patch auto-download options...
- Enable patch auto-download and choose the All Patches option. This is important since LanGuard 1 will not know what patches have been discovered as missing in the secured network.
The patch repository will occupy a lot of space since with the All Patches option GFI LanGuard downloads every patch for every version of the operating system or application that the patch is intended to update.
It would be helpful if the repository location is changed to a removable drive as it will be easier to transfer files when needed to the GFI LanGuard instance on the secure network.
Configuring LanGuard 2
In the LanGuard 2 console, go to Configuration > Program Updates > Edit program updates options and disable the Enable scheduled updates setting.
Updating LanGuard 2
- In the LanGuard 1 console, go to Activity Monitor > Software Updates Download and check that all the patches are downloaded and the patch repository is ready to be transferred.
- Copy the patch repository folder C:\Program Files (x86)\GFI\LanGuard 12\Repository from LanGuard 1 to the same location on the LanGuard 2 server via the network or using the removable drive.
- Copy the contents of the Program Updates directory C:\ProgramData\GFI\LanGuard 12\Update\ to a temporary folder on the LanGuard 2 server, for example, C:\Temp\Updates.
- In the LanGuard 2 console, go to Configuration > Program Updates > Check for Updates.
- Select Update application files from the following location > Alternative location.
- Enter the location of the update files, in our example C:\Temp\Updates, and click the Next button to open the Choose which packages to update dialog box.
- If this is the first update, choose to Update ALL files (including the ones already updated).
- Click Next and perform the update.
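The copy steps above move the patch repository and Program Updates across the air gap on removable media; the following added example (not GFI tooling and not part of the original article) records SHA-256 hashes on LanGuard 1 and checks them on LanGuard 2 before the update is run. The function names, the manifest file name and the E:\ drive letter are assumptions.

```powershell
# Added example: hash manifest for the LanGuard 1 -> LanGuard 2 transfer.
# Function names, manifest name and drive letter E:\ are hypothetical.
function New-TransferManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,          # folder to be transferred
        [Parameter(Mandatory)] [string] $ManifestPath   # CSV written outside $Root
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-TransferManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,          # copied folder on LanGuard 2
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath |
        ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }

    $problems = @()
    foreach ($rel in $expected.Keys) {
        $path = Join-Path $rootFull $rel
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $problems += [pscustomobject]@{ Status = 'Missing'; RelativePath = $rel }
        } elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $expected[$rel]) {
            $problems += [pscustomobject]@{ Status = 'Modified'; RelativePath = $rel }
        }
    }
    # Files on the destination that the manifest does not list
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length + 1)
        if (-not $expected.ContainsKey($rel)) {
            $problems += [pscustomobject]@{ Status = 'Unexpected'; RelativePath = $rel }
        }
    }
    $problems   # empty result means the copy matches the manifest
}

# On LanGuard 1, before copying:
#   New-TransferManifest -Root 'C:\ProgramData\GFI\LanGuard 12\Update' -ManifestPath 'E:\update-manifest.csv'
# On LanGuard 2, after copying to the temporary folder:
#   Test-TransferManifest -Root 'C:\Temp\Updates' -ManifestPath 'E:\update-manifest.csv'
```

A manifest carried on the same drive as the files detects incomplete or corrupted copies; to detect deliberate modification in transit, move the manifest by a separate channel or sign it.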
Variations
Some organizations may have their networks configured so that LanGuard 2 can reach the LanGuard 1 computer through HTTP or shares. In this case, they can configure LanGuard 2 to get its updates (and patches in some cases) from LanGuard 1 via the network.
Another variation is when there is a WSUS server available from the secure network.
Variation 1: Access LanGuard 1 via HTTP
This variation simplifies only the Program Updates:
- Configure a virtual website on LanGuard 1, for example, on IIS or Apache, to serve the Program Updates files in the C:\ProgramData\GFI\LanGuard 12\Update directory.
- In the LanGuard 2 console, go to Configuration > Program Updates > Edit program updates options..., choose the option Download updates from an alternative location, and enter the HTTP address of the LanGuard 1 virtual website, for example, http://192.168.2.200:8000.
- In the same dialog box, select the Enable scheduled updates option so that updates run automatically.
Variation 2: Access LanGuard 1 via Network Shares
This variation simplifies both the Program Updates and patch repository updates:
- On LanGuard 1, share the Program Updates folder C:\ProgramData\GFI\LanGuard 12\Update\ from the Microsoft File Explorer.
- In the LanGuard 2 console, go to Configuration > Program Updates > Edit program updates options..., choose the option Download updates from an alternative location, and enter the UNC path of the LanGuard 1 share, for example, \\192.168.2.200\Update\.
- In the same dialog box, select the Enable scheduled updates option so that updates run automatically.
- On LanGuard 1, share the patch repository folder C:\Program Files (x86)\GFI\LanGuard 12\Repository from the Microsoft File Explorer.
- In the LanGuard 2 console, go to Configuration > Patch Auto-Download > Edit patch auto-download options... and in the Patch Repository tab, browse to the UNC path of the shared patch repository folder. Answer No in the pop-up window.
Variation 3: Getting Patch Installers From a WSUS Server
This variation only replaces the patch repository updates, using an available WSUS server instead:
- Disable the Patch Auto-Download feature on LanGuard 1.
- In the LanGuard 2 console, disable the Patch Auto-Download feature under Configuration > Patch Auto-Download > Edit patch auto-download options > General tab.
- On the Patch Repository tab, choose Use files downloaded by WSUS when available, and enter a UNC path (no mapped drive paths) to the WSUS Content folder. See the article: Configuring GFI LanGuard to Use WSUS Server for Patch Repository.