Overview
This article guides you on how to configure GFI LanGuard to check for Program Updates from an alternative location.
Solution
The fact that LanGuard can be configured to check for the updates from alternative locations doesn't mean that the updates for LanGuard can be downloaded from 3rd-party sites - only the GFI website is the trusted source for the updates. Rather, this feature enables high-security environments with limited or no internet access to manage patches and deploy the necessary remediations without jeopardizing the security of the network.
LanGuard requires an internet connection to stay up-to-date and detect the latest threats, therefore for the server(s) in a secured zone you have to set up an alternate download location, for example, a hard drive, a web server, or any other reachable machine inside the network.
The ability to download Program Updates from an alternative location is not available while using an evaluation license key.
Setting Up The Environment
The environment setup with the alternative download location usually requires two GFI LanGuard instances, we will refer to them as LanGuard 1 and LanGuard 2 in the steps below.
LanGuard 1
This is the server with access to the internet, or at least to the following sites:
-
- gfi-downloader-137146314.us-east-1.elb.amazonaws.com
- *.download.microsoft.com
- *software.gfi.com/lnsupdate/
- *.windowsupdate.com
- *.update.microsoft.com
LanGuard 2
This is the server without internet access that is used to scan the network computers for vulnerabilities and download updates from LanGuard 1.
Configuring LanGuard 1
Use the following steps to configure LanGuard1 to download updates and prepare them for distribution:
Step 1 - Select the Files to Update from the GFI Website
- Launch GFI LanGuard console and go to Configuration > Program Updates.
- From the right pane, select the type of updates you want to download.
- Click Edit Program Updates Options, under the Common Tasks section.
- Select Download Updates from the GFI Website and click OK.
Step 2 – Create a Batch File so That Updates Occur Regularly
The batch created for this step executes the LanGuard internal Program Update tool update.exe. It is located in the Agent install folder; typically C:\Program Files (x86)\GFI\LanGuard 12 Agent\update.exe
- Open the folder where
update.exe
is stored. - In the same folder, create a new Text Document.
- In the text editor type
update.exe /s
and save the document as a batch file.BAT
using a recognizable name. For example,CheckForUpdates.bat
- Go to Start > Windows Administrative Tools > Task Scheduler.
- From the left pane, right-click on Task Scheduler Library and select Create Basic Task.
- Follow the wizard steps to create a task to run
CheckForUpdates.bat
periodically.
Example: daily
The batch file is leveraging the ability ofupdate.exe
to be executed on a schedule without GUI using the parameter/s
.
(Alternative) Downloading Program Updates without LanGuard Instance
If you want to set up a process without installing the LanGuard 1 instance, it is possible to download Program Update files manually:
- Connect to
http://lnsupdate.gfi.com
on a machine that can access the internet. - Create a Program_Updates directory on the local machine and download the necessary files depending on your LanGuard version:
- Also, download the wsusscn2.cab file to the same directory.
For automation purposes, it is recommended to install Wget for Windows (most Linux/ Unix/ MAC distributions have it already) or a similar tool and schedule it to download the necessary files.
Copying Downloaded Updates to an Alternate Location for Distribution
The downloaded update files need to be made available on an internal repository reachable by the LanGuard 2. These are several ways to accomplish this:
- Configure a virtual website. For example, an IIS or Apache with the root directory where the update files from Step 1 (
C:\ProgramData\GFI\LanGuard 12\Update
) or by the alternative method (Program_Updates) are downloaded to. - Alternatively, create another batch file to copy the downloaded files to the path used by your internal website. This location needs to be accessible by LanGuard 2 through a path or URL such as:
http://mysite/languardupdates
- Another alternative:
- Share the folder with the downloaded files by selecting Properties > Sharing > Share and following the wizard to create a share.
- On LanGuard 2 enter the share you created in an alternative location option.
Configuring LanGuard 2
To check for updates from an alternate location:
- Launch GFI LanGuard console and go to Configuration > Program Updates.
- From the right pane, select the type of updates you want to download.
- Click Edit Program Updates Options, under the Common Tasks section.
- Select Download Updates from an Alternate Location and specify the address to the location. For example:
http://mysite/languardupdates
- Click OK.
The second instance of GFI LanGuard checks updates in that location every time it is started, and you can check for updates manually:
- Launch GFI LanGuard console and go to Configuration > Program Updates.
- Click Check for Updates under Common Tasks.
- Select Alternative Location and specify the address to the internal updates repository.
- Click Next and follow the wizard steps.
Testing
Once at least one scheduled download finishes on the internet-facing machine and the files are ready, check for updates manually on the LanGuard 2 instance. Verify that all the packages are downloaded
and the installation is successfully completed.