Overview

In many VMware environments, the management networks that host infrastructure components such as vCenter servers and ESXi hosts are mostly isolated from the internet for obvious security reasons. In such a highly secured environment, the administrators may have a dedicated workstation inside the management network, which makes it a challenge to patch your servers efficiently: the administrator needs to manually download the latest patches, transfer them to the management station and upload them to every vCenter server.

Update Manager Download Service (UMDS) is a component of vSphere Update Manager that acts as a patch repository for one or multiple vSphere Update Manager (vCenter) instances. By giving the UMDS server access to *.vmware.com/* via a DMZ proxy, you benefit from a highly secure and up-to-date patch repository in your management network.

This greatly simplifies the process of patching the vSphere hosts and virtual appliances:

  • Security: Proxy access to vmware.com open on a single server instead of all vCenter servers.
  • Reduced operational overhead: No need to manually download the patches, transfer them to a management station, upload them to VUM on each vCenter.
  • Configuration consistency: Avoids inconsistencies by having all vCenter pull from the same location.
  • Up to date updates: Receive VMware patch recalls and other notifications.

What’s new in Update Manager 6.7

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-update-manager-67-release-notes.html

There were no changes to UMDS in version 6.7; however, vSphere Update Manager benefits from the following new features:

  • VUM is now available in the HTML5 web client with limited functionality. Here is a list of the VUM features unavailable in the HTML5 client:
    • Configuration settings
    • Create a VM baseline group
    • Add and Remove Baselines to a Baseline Group
    • Scan Hosts, cluster and VMs
    • Attach/Detach VM baselines
    • Select patches to stage to hosts (all or nothing)
    • Limited remediation functionality
    • Monitoring of Update Manager notifications is unsupported
    • Schedule scan and remediate operations from Task & Events under the vSphere Web Client Monitor tab
  • It uses .NET Framework version 4.7 (which is included in the vCenter ISO)
  • Leverages the new Quick Boot feature of vSphere 6.7 that does a “soft” host reboot to dramatically shorten the remediation time. Note that at the moment Quick Boot is supported on a limited range of hardware, see KB52477.
  • Virtual appliances patch and upgrade is deprecated

Note that UMDS 6.7 can only be used with vSphere Update Manager 6.7. If you have VUM 6.5 in your environment, a separate UMDS server must be created.

Prerequisites

System

Depending on the size of your environment you might want to change these figures but for most people, this should already be plenty.

| Component | Requirement |
|---|---|
| OS | Windows Server 2008R2 -> 2016 |
| Database | SQL Server 2008 -> 2016 (express supported for small infrastructures) |
| UMDS | 6.7.0 |
| Memory | 2GB |
| CPU | 2 vCPU (1 core per vCPU) |

Disks

It is always tricky to size the disks. However, if you already have Update Manager in production, you can look at the space used by the patches and the database and add something like 30% for good measure (you can always increase them later if needed). That will give you a starting point for sizing the disks.

Here is how I sized my UMDS server for a fairly big environment. I am not too stressed about it as I can resize the disks easily.

| Letter | Label | Block size | Role | Capacity |
|---|---|---|---|---|
| C: | SYSTEM | 4K | Windows / Binaries | 40GB |
| D: | UMDS | 4K | Patches store | 120GB recommended |
| G: | UMDS_DB | 64K | SQL DBs | 5GB |

Proxy

You must configure your proxy to give the UMDS server access to *.vmware.com/*.

Firewall

All vCenter servers must have access to the UMDS server on port 80 (http).

| Source | Destination | Protocol / port |
|---|---|---|
| vCenter servers | UMDS server | http / 80 |

Preparation of the db

The UMDS database is fairly small, so we will host it on the UMDS server. It doesn’t make much sense to have a dedicated server unless there are specific requirements.

You can choose to install SQL Server yourself or let the UMDS installation wizard install SQL Server 2012 Express. Note that SQL Express has limitations and is only recommended for small-scale deployments (5 hosts, 50 VMs). This article covers the use of SQL Server 2012 Standard.

Installation of SQL Server

This post doesn’t cover the full installation steps of SQL server as it may not be relevant to your company’s policies, however watch for the following when installing it:

  1. Add the following features:
    • Database engine services
    • Client Tools Connectivity
    • Management Tools – Basic
    • Management Tools – Complete
  2. In the “Service Accounts” tab, set the SQL Server Agent service startup to “Automatic”
  3. In database engine configuration, Data Directories tab, configure the SQL DB disk in Data root directory

Database preparation

Open SQL Server Management Studio and log in to your SQL Server.

  1. Create a new database:
    • Name : UMDSDB
    • Owner : SA
    • Recovery model : Simple (You may leave the default ‘Full’ if you plan to run regular transaction log backups)

  2. Create a new SQL user:
    • Name : UMDSDB-USER
    • SQL Server authentication checked
    • Enforce password policy unchecked
    • Default database : UMDSDB
    • Server role : sysadmin
    • Dbowner on UMDSDB & msdb with dbo as default schema

  3. Create a 64-bit ODBC connector:
    • Name : UMDS – UMDSDB
    • Server : FQDN of UMDS server
    • SQL Server authentication (login previously created)
    • Default database : UMDSDB
    • The Test Data Source check should be successful

Update Manager Download Service (UMDS)

Installation of UMDS

I will skip the “next, next” type of windows.

  1. Mount the vCenter ISO and select Download Service with .Net 4.7 checked
  2. Select the Data Source Name (DSN) previously created
  3. Type in the SQL user credentials created earlier
  4. Configure the proxy (see the Prerequisites chapter)
  5. You can amend the location of the patches now but it will be changed when we configure UMDS. You can still discard the space warning.
  6. Finish and complete the installation

Configuration of UMDS

  1. Open a command prompt as administrator and cd to the UMDS installation folder
    cd "C:\Program Files\VMware\Infrastructure\Update Manager"
  2. Remove all ESX versions that are not relevant to you. In this example I left version 6.7 only.
    vmware-umds -S -d embeddedEsx-6.0.0 embeddedEsx-6.5.0 embeddedEsx-6.6.1 embeddedEsx-6.6.2 embeddedEsx-6.6.3
  3. Change the patches download location
    vmware-umds -S -P D:\UMDS_Patches
  4. Change the patches store location
    vmware-umds -S -o D:\UMDS_Store
  5. Check the configuration
    vmware-umds -G

Download and Export patches

  1. Download the patches (as of the date of this writing there are no vSphere 6.7 patches out)
    vmware-umds -D
  2. Export the patches to the store location (default location specified above)
    vmware-umds -E

IIS

  1. Install IIS role with default Role Services
  2. Add virtual directory:
    • Alias: UMDS_Store
    • Physical path: D:\UMDS_Store
  3. Add MIME Types:
    • .vib > application/octet-stream
    • .sig > application/octet-stream
  4. Enable Directory browsing
  5. Edit UMDS_Store folder permissions
    • Advanced > Check Replace all child […] entries for this object
    • Click Yes to apply permission on all descendants
  6. The repository and its subfolders should now be accessible on http://srv-umds/umds_store
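
One way to confirm the IIS settings above from a client's point of view, as an added example that is not part of the original article: it requests the store root (directory browsing) and one exported .vib and .sig file (MIME types and folder permissions). The function names are hypothetical, the path and URL are the ones used in this article, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original article. Assumes PowerShell 3.0+.
# $StorePath and $StoreUrl are the values used in this article; adjust to yours.
$StorePath = 'D:\UMDS_Store'
$StoreUrl  = 'http://srv-umds/umds_store'

# Hypothetical helper: request one URL and report status and content type.
function Test-UmdsUrl {
    param([string]$Check, [string]$Url, [string]$Method = 'Get', [string]$ExpectedType = '*')
    $status = $null; $type = $null
    try {
        $r = Invoke-WebRequest -Uri $Url -Method $Method -UseBasicParsing
        $status = [int]$r.StatusCode
        $type   = [string]$r.Headers['Content-Type']
    } catch {
        # IIS answers 403 when directory browsing is off and 404 when an
        # extension has no MIME mapping; both surface here as exceptions.
        $status = $_.Exception.Message
    }
    [pscustomobject]@{
        Check = $Check; OK = ($status -eq 200 -and $type -like $ExpectedType)
        Status = $status; ContentType = $type; Url = $Url
    }
}

# Hypothetical check: one result row per test.
function Test-UmdsStore {
    $base = $StoreUrl.TrimEnd('/')
    Test-UmdsUrl -Check 'Directory browsing' -Url "$base/"

    foreach ($ext in '.vib', '.sig') {
        # Pick one exported file of this type (none exist before the first "vmware-umds -E").
        $file = Get-ChildItem -Path $StorePath -Recurse -File -Filter "*$ext" |
                Select-Object -First 1
        if (-not $file) {
            [pscustomobject]@{ Check = "$ext download"; OK = $false
                Status = 'no file exported yet'; ContentType = $null; Url = $null }
            continue
        }
        # Map the local path to its URL under the virtual directory.
        $relative = $file.FullName.Substring($StorePath.TrimEnd('\').Length).Replace('\', '/')
        Test-UmdsUrl -Check "$ext download" -Url ($base + $relative) -Method Head `
                     -ExpectedType 'application/octet-stream*'
    }
}

Test-UmdsStore | Format-Table Check, OK, Status, ContentType, Url -AutoSize
```

Run it on the UMDS server itself, since it reads D:\UMDS_Store locally to find a file to request.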

UMDS Scheduled task

To download the new patches and serve them on the store automatically, a scheduled task must be created.

For this purpose, I wrote a simple PowerShell script that is called by a batch file. A dated log file containing all the output of the script is generated in the same location. The PowerShell script will keep the latest 8 log files (2 months if once per week) and delete the others.

  1. Create a local user SRV-LOCAL-UMDS member of local administrators
  2. Create a task with explicit name and description:
    • Run the task as .\SRV-LOCAL-UMDS
    • Check Run whether user is logged on or not
    • Check Run with highest privileges
    • Trigger : Set at your convenience
    • Action : Path to the .bat script C:\UMDS\Schedule-UMDS.bat

C:\UMDS\Schedule-UMDS.ps1

# Folder that contains vmware-umds.exe
$InstallPath = "C:\Program Files\VMware\Infrastructure\Update Manager"
$Start = Get-Date

Write-Output "`n--- SCHEDULING UMDS : $(Get-Date -Format u)"

# Stop immediately if UMDS is not installed where expected
if (!(Test-Path "$InstallPath\vmware-umds.exe")) {Throw "$InstallPath not found"}

cd $InstallPath

# Download the new patches, then export them to the store served by IIS
Write-Output "`n--- Downloading Patches"
.\vmware-umds.exe -D

Write-Output "`n--- Exporting Patches"
.\vmware-umds.exe -E

$Duration = New-TimeSpan -Start $Start -End (Get-Date)
Write-Output "`n--- Execution completed at $(Get-Date -Format u)"
Write-Output "--- Execution time: $([string]$Duration)"

# Keep the 8 most recent log files and delete the others
$KeepLogs = Get-ChildItem "C:\UMDS\Schedule-UMDS-*.log" | Sort-Object -Property CreationTime | select -last 8
Get-ChildItem "C:\UMDS\Schedule-UMDS-*.log" | where {$KeepLogs.name -notcontains $_.name} | Remove-Item -Confirm:$false

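C:\UMDS\Schedule-UMDS.bat

REM Run from the folder that contains this script
CD /D %~dp0
REM Build the log date as yyyy_MM_dd (assumes %DATE% is formatted dd/MM/yyyy)
SET runDate=%DATE:~6,4%_%DATE:~3,2%_%DATE:~0,2%
REM Run the .ps1 of the same name and append its output, errors included, to the dated log
C:\Windows\System32\cmd.exe /c powershell.exe -noninteractive -noprofile -file %~dp0\%~n0.ps1 >> %~dp0\%~n0-%runDate%.log 2>&1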
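
A check that the scheduled run above is still producing logs, so that a silently failing task does not leave the repository stale; this is an added example and not part of the original article. It relies only on the log file pattern and the marker text written by Schedule-UMDS.ps1; the function name and the 8-day threshold (a weekly trigger plus one day of slack) are assumptions.

```powershell
# Added example, not from the original article.
# Hypothetical function: report whether the last scheduled UMDS run is recent
# and reached every stage that Schedule-UMDS.ps1 announces in its log.
function Test-UmdsLastRun {
    param(
        [string]$LogPattern = 'C:\UMDS\Schedule-UMDS-*.log',  # pattern used in the article
        [int]$MaxAgeDays = 8                                   # assumption: weekly trigger
    )
    $result = [pscustomobject]@{ Healthy = $false; Log = $null; AgeDays = $null; Problems = @() }

    # The date in the file name depends on the %DATE% format, so use the file timestamp.
    $latest = Get-ChildItem -Path $LogPattern -ErrorAction SilentlyContinue |
              Sort-Object -Property LastWriteTime | Select-Object -Last 1
    if (-not $latest) {
        $result.Problems += 'no log file found: the task has never run or the logs were removed'
        return $result
    }
    $result.Log = $latest.FullName
    $result.AgeDays = [math]::Round(((Get-Date) - $latest.LastWriteTime).TotalDays, 1)
    if ($result.AgeDays -gt $MaxAgeDays) {
        $result.Problems += "last run is $($result.AgeDays) days old (limit $MaxAgeDays)"
    }

    # Marker text written by Schedule-UMDS.ps1; a missing marker means the run stopped early.
    foreach ($marker in 'Downloading Patches', 'Exporting Patches', 'Execution completed at') {
        if (-not (Select-String -Path $latest.FullName -SimpleMatch -Pattern $marker -Quiet)) {
            $result.Problems += "marker '$marker' missing from log"
        }
    }
    $result.Healthy = ($result.Problems.Count -eq 0)
    $result
}

$check = Test-UmdsLastRun
$check | Format-List
if (-not $check.Healthy) { exit 1 }   # non-zero exit code for a monitoring tool to pick up
```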

vSphere Update Manager configuration

These steps are to be performed on all the vCenter servers that need to be configured with UMDS as a download source.

  1. Log in to the vSphere web client and go to the configuration of Update Manager
  2. In Download Settings click Edit
  3. Check Use a shared repository, enter the URL of the UMDS store and click OK
    http://fqdn-umds-server/umds_store
  4. The Validating screen may take a few minutes to complete. From then on the updates will be downloaded from the UMDS server.
  5. Check that everything works by downloading the latest patches in Manage > Patch Repository > Download now. The new ones should arrive quickly.
  6. You can now configure the download and notification schedule at your convenience.
