
NETWORKING GENERAL

  • Networking is the practice of linking two or more computing devices together for the purpose of sharing data
  • Size Classification
    • LAN
    • MAN
    • WAN
  • Topology Classification
    • BUS
      • Simplest type of network
      • Shares a common cable/bus
      • Example
    • STAR
      • Most Common
      • Uses Switch, Hub or Computer
    • RING
  • Protocol Casting Classification
    • How a computer communicates with others based on a protocol
    • Types
      • Unicast
        • 1-to-1
        • Example
          • TCP, SMTP
      • Broadcast
        • 1-to-All
        • Example
      • Multicast
        • 1-to-Many
        • Example
          • IGMP, PIM
    • Is determined by the Communication Protocol
  • The OSI Model
    • The layers as defined by the OSI model
      • Layer 1 – Physical
      • Layer 2 – Data Link
      • Layer 3 – Network
      • Layer 4 – Transport
      • Layer 5 – Session
      • Layer 6 – Presentation
      • Layer 7 – Application
    • Comparison with TCP Model
      • image

 

NETWORKING DEVICES

  • Repeaters
    • A Layer 1 Device
    • Regenerates and propagates all electrical transmissions between 2 or more LAN segments
  • Network Interface
    • Allows a device to communicate with a network
    • Mostly in the form of a card and usually called NIC (Network Interface Card)
    • MAC address
      • Uniquely identifies a network interface
      • Defined by IEEE 802
      • Used by most networks
      • 48-bit addressing
        • First 24 bits – the OUI (Organizationally Unique Identifier), assigned to the vendor
        • Next 24 bits – assigned by the vendor to the individual device
        • Two flag bits in the first octet matter for casting: the I/G bit marks a group (multicast/broadcast) address and the U/L bit marks a locally administered (non-vendor) address
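
Added example (Python, not part of the original notes): splitting a MAC address into the OUI and device fields above, reading the first-octet flag bits to classify an address as unicast, multicast or broadcast, and deriving the Ethernet multicast MAC for an IPv4 group (the RFC 1112 mapping that the IGMP/PIM traffic discussed later rides on). The sample addresses are constructed.

```python
import re

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_mac(text: str) -> dict:
    """Split a 48-bit MAC address into the IEEE 802 fields described above.

    Accepts 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff'.
    """
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = bytes.fromhex(digits)
    first = octets[0]
    return {
        "oui": octets[:3].hex(":"),      # first 24 bits: organisation (vendor)
        "device": octets[3:].hex(":"),   # next 24 bits: vendor-assigned device part
        # Bit 0 of the first octet is the I/G (individual/group) bit: 1 = group address.
        "group": bool(first & 0x01),
        # Bit 1 of the first octet is the U/L (universal/local) bit: 1 = not burned in by a vendor.
        "locally_administered": bool(first & 0x02),
    }


def cast_type(text: str) -> str:
    """Map an address to the casting type it addresses: unicast, multicast or broadcast."""
    fields = parse_mac(text)
    if fields["oui"] == "ff:ff:ff" and fields["device"] == "ff:ff:ff":
        return "broadcast"
    return "multicast" if fields["group"] else "unicast"


def ipv4_multicast_mac(group_ip: str) -> str:
    """Ethernet multicast MAC for an IPv4 group: 01:00:5e + low 23 bits of the group (RFC 1112)."""
    a, b, c, d = (int(x) for x in group_ip.split("."))
    if not 224 <= a <= 239:
        raise ValueError(f"{group_ip} is not an IPv4 multicast group")
    return f"01:00:5e:{b & 0x7F:02x}:{c:02x}:{d:02x}"


if __name__ == "__main__":
    # Constructed sample addresses (not taken from any real device).
    for sample in ("00:1B:21:AA:BB:CC", "01:00:5e:01:02:03", "ff-ff-ff-ff-ff-ff", "0200.0000.0001"):
        print(sample, cast_type(sample), parse_mac(sample))
    print("239.1.1.1 ->", ipv4_multicast_mac("239.1.1.1"))
```

Note that the IPv4 mapping throws away 5 bits of the group address, so 239.1.1.1 and 239.129.1.1 share one MAC; a Layer 2 switch without IGMP snooping cannot tell them apart.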
  • Switches
    • Connects network interfaces to each other on its ports, forwarding frames by MAC address
    • Configuration Classification
      • Managed
        • Allows configuration
      • Unmanaged
        • Is shipped with a fixed configuration
        • Rarely used
    • Type Classification
      • Layer 2 (Data Link Layer) Switch
        • Operates up to layer 2 (Layer 1,2)
        • Uses MAC Address
      • Layer 3 (Network Layer) Switch
        • Operates up to layer 3 (layer 1,2,3)
        • Uses IP Address
        • Key difference from a Layer 2 switch: it can route IP between VLANs/subnets (including multicast routing with PIM); IGMP snooping itself is a Layer 2 feature that both kinds of switch offer (see IGMP Snooping under LOCAL AREA NETWORKS)
      • image
    • Link Aggregation Technology
      • A technique of combining multiple physical network ports into a single logical link for increased bandwidth, load balancing and fault tolerance
      • Advantages
        • Improves bandwidth
        • Provides redundancy, e.g. the link stays up if one member cable or port fails
      • Typically used for trunk (inter-switch) links
      • Available in Layer 2 and Layer 3 switch
    • Hirschmann Switches
      • Commonly Used Models
        • RS40
          • DIN Rail
          • Layer 2 Switch
          • 9 Ports GE (Gigabit Ethernet)
            • 4 Combo Ports
              • Can use Fibre Optic or RJ45
          • Option for AC or DC
        • MACH104
          • Layer 2 Switch
          • 19” Rack Switch
          • 24 Ports GE (Gigabit Ethernet)
            • 4 Combo Ports
          • Option for redundant power
        • MACH1040
          • Layer 2 and Layer 3
          • 16 Combo Ports
            • GE (Gigabit Ethernet)
          • Option for DC or AC
        • M-SFP-LX/LC
          • Fibre Optic Gigabit Ethernet Transceiver
      • Interface or Port Conventions
        • Hirschmann interfaces are named A/B
          • Example: 1/1, 1/2, 1/24, etc.
          • A is the slot number
          • B is the port number as physically labelled on the front of the switch
      • Connecting to a Hirschmann Switch using the Terminal Cable
        • Serial cable (CVP-678FA)
          • One end uses RJ11 and connects to the switch's V.24 port
          • The other end connects using a DB9 female
        • Open PuTTY or HyperTerminal
          • Check which COM port is used. Can be checked from Windows Device Manager
            • image
          • Once connected,
            • image
            • Enter username and password
              • Default username, password
                • admin, private
                • user, public
              • These defaults are printed in the manual, so change both passwords before the switch goes on the network
      • Configuring a Hirschmann Switch using the Terminal
        • At any point,
          • type ‘?’ to view available commands
          • type ‘show sysinfo’ to show the current system configuration
          • type ‘copy system:running-config nvram:startup-config’ to save the configuration into the switch's non-volatile memory
            • Why is the command like the above? Hirschmann switches hold two copies of the configuration
              • Running
                • What is currently in effect; changes made at the CLI go here and are lost on reboot unless saved
              • Startup
                • Loaded during startup and pushed to the running config
                • Also acts as a backup
            • After making changes, the command copies the running config to the startup config
            • image
          • show port all
            • Displays the status of all ports. Available in privileged exec or user exec mode
        • Layer 2
          • Type ‘enable’
            • Enters privileged exec mode, where the configuration commands become available
          • Configure System Name, IP and Prompt Name
            • The current system name can be seen with the ‘show sysinfo’ command
            • To change the system name
              • (Hirschmann MACH) # config
              • (Hirschmann MACH) (Config)# snmp-server sysname MYNAMEL2NAME
              • (Hirschmann MACH) (Config)# exit
            • To change the prompt name
              • (Hirschmann MACH) # set prompt MYNAMEL2NAME
            • To change the IP
              • To show the current IP
                • show sysinfo
                • show network
              • To change the IP (arguments are IP address, subnet mask, default gateway)
                • (Hirschmann MACH) # network parms 192.168.1.230 255.255.255.0 192.168.1.253
          • Create VLAN
            • To show existing VLANs use the command
              • show vlan brief
            • To create a VLAN
              • (Hirschmann MACH) # vlan database
              • (Hirschmann MACH) (Vlan)# vlan 100 <== ‘100’ is the VLAN ID; this VLAN is used here as the management VLAN
              • (Hirschmann MACH) (Vlan)# vlan name 100 VLANNAME
          • Configure the Management IP and Management VLAN
            • To show the existing management IP and management VLAN
              • show network (also lists the management VLAN ID)
          • User Name and Password Management
            • To show existing users
              • show users
            • To add a new user (in config mode)
              • users name NEWUSER
              • users access NEWUSER readwrite
              • users passwd NEWUSER
            • Set SNMPv3
              • SNMPv3 credentials are what the device's web configuration portal authenticates against
              • Use the following commands
                • (config)# users snmpv3 accessmode USER readwrite
                • (config)# users snmpv3 authentication USER md5
                • (config)# users snmpv3 encryption USER des
                  • Enter an encryption key
                • MD5 and DES are the weakest choices; where the firmware offers sha and a stronger privacy protocol, prefer them
          • Disable IGMP Snooping
            • (config)# no set igmp
          • Disable Spanning Tree
            • (config)# no spanning-tree
            • With spanning tree off the switch will not block a cabling loop, so only do this where the network design accounts for it (e.g. VNET/IP, see LOCAL AREA NETWORKS)
          • Configure the Interfaces with VLANs
            • # config
            • (Config)# interface 1/1
            • (Interface 1/1)# name INTERFACENAME
            • (Interface 1/1)# vlan pvid VLANID
              • Untagged frames arriving on the port are assigned this VLAN
            • (Interface 1/1)# vlan participation include VLANID
              • The include command associates the port with a VLAN
              • In Hirschmann switches, multiple VLANs can be assigned to a port
                • This is commonly used for trunking
            • (Interface 1/1)# vlan participation exclude 1
              • The exclude command removes a VLAN association from a port (here the default VLAN 1)
            • (Interface 1/1)# no shutdown <== This ENABLES the port
          • Disable all unused ports.
            • This is good practice to prevent people from simply plugging into the network
            • Commands
              • show port all <== shows port status
              • # config
              • (Config)# interface 1/1
              • (Interface 1/1)# shutdown <== DISABLES the port
              • (Interface 1/1)# no shutdown <== ENABLES the port
        • Layer 3
          • Set System Name
            • (Config)# snmp-server sysname Layer3
          • Set Prompt Name
            • (Layer3) # set prompt Layer3
          • Create User Name and Password
            • To show existing users
              • show users
            • To add a new user (in config mode)
              • users name NEWUSER
              • users access NEWUSER readwrite
              • users passwd NEWUSER
            • Set SNMPv3
              • SNMPv3 credentials are what the device's web configuration portal authenticates against
              • Use the following commands
                • (config)# users snmpv3 accessmode USER readwrite
                • (config)# users snmpv3 authentication USER md5
                • (config)# users snmpv3 encryption USER des
                  • Enter an encryption key
          • Create VLANs
            • To show currently created VLANs
              • show vlan brief
            • To create a VLAN
              • (Hirschmann MACH) # vlan database
              • (Hirschmann MACH) (Vlan)# vlan 100 <== ‘100’ is the VLAN ID; used here as the management VLAN
              • (Hirschmann MACH) (Vlan)# vlan name 100 VLANNAME
          • Assign VLANs to Interfaces
            • To show which VLANs a port is currently assigned to
              • show vlan port 1/1 <== 1/1 is the port number
            • To see which ports a VLAN is assigned to
              • show vlan 100
              • image
              • In the example above, VLAN 100 is assigned to interfaces 1/1 and 1/2
            • To assign the interfaces
              • (Config)# interface 1/1
              • (Interface 1/1)# name TrunktoArea1
              • (Interface 1/1)# vlan participation include 100
              • (Interface 1/1)# vlan tagging 100
                • Enables 802.1Q tagging of VLAN 100 on this port: frames for VLAN 100 leave tagged, as required on a trunk
              • (Interface 1/1)# no shutdown
                • Enables the port
      • Connecting via Web Access
        • To know which IP to connect to
          • From the terminal, check the management IP.
          • Command ‘show network’
            • Also shows which VLAN ID the management IP network is on
        • If VLANs are used, make sure the interface you connect through participates in the management VLAN
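
Added example (Python, not a Hirschmann tool and not from the original notes): a generator that emits the Layer 2 procedure above as a script in the same CLI syntax, one interface block per physical port, with every port not explicitly configured shut down, and that refuses the mistakes which most often leave a port silently in the wrong VLAN (undefined VLAN, PVID outside the port's participation list, a port configured twice). The switch name, VLAN numbers, port names and 9-port count are constructed sample values; check the emitted commands against your firmware's reference manual before pasting them into a real switch.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class PortSpec:
    number: int                 # port number (B in the A/B interface name)
    name: str                   # description set with 'name'
    vlans: Sequence[int]        # VLANs the port participates in
    pvid: Optional[int] = None  # VLAN assigned to untagged frames arriving on the port
    tagged: Sequence[int] = ()  # VLANs sent tagged on this port (trunk links)


def unused_ports(ports: List[PortSpec], port_count: int) -> List[int]:
    """Ports with no explicit configuration; these are the ones that get shut down."""
    used = {p.number for p in ports}
    return [n for n in range(1, port_count + 1) if n not in used]


def validate(vlans: Dict[int, str], ports: List[PortSpec], port_count: int) -> None:
    """Reject configurations that would leave a port in an unintended VLAN."""
    for vid in vlans:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} outside 1-4094")
    seen = set()
    for p in ports:
        if not 1 <= p.number <= port_count:
            raise ValueError(f"port {p.number} does not exist on a {port_count}-port switch")
        if p.number in seen:
            raise ValueError(f"port {p.number} configured twice")
        seen.add(p.number)
        referenced = set(p.vlans) | set(p.tagged) | ({p.pvid} if p.pvid is not None else set())
        undefined = referenced - set(vlans) - {1}        # VLAN 1 always exists
        if undefined:
            raise ValueError(f"port {p.number} references undefined VLAN(s) {sorted(undefined)}")
        if p.pvid is not None and p.pvid not in p.vlans:
            raise ValueError(f"port {p.number}: PVID {p.pvid} is not in its participation list")
        if not set(p.tagged) <= set(p.vlans):
            raise ValueError(f"port {p.number}: tagged VLAN not in participation list")


def generate_config(sysname: str, vlans: Dict[int, str], ports: List[PortSpec],
                    port_count: int, slot: int = 1) -> List[str]:
    """Emit the Layer 2 procedure above as CLI lines, one interface block per physical port."""
    validate(vlans, ports, port_count)
    lines = ["enable", "config", f"snmp-server sysname {sysname}", "exit", "vlan database"]
    for vid, vname in sorted(vlans.items()):
        lines += [f"vlan {vid}", f"vlan name {vid} {vname}"]
    lines += ["exit", "config"]
    by_number = {p.number: p for p in ports}
    for n in range(1, port_count + 1):
        lines.append(f"interface {slot}/{n}")
        p = by_number.get(n)
        if p is None:                       # unused port: leave it disabled
            lines += ["shutdown", "exit"]
            continue
        lines.append(f"name {p.name}")
        if p.pvid is not None:
            lines.append(f"vlan pvid {p.pvid}")
        for vid in p.vlans:
            lines.append(f"vlan participation include {vid}")
        if 1 not in p.vlans:                # drop the default VLAN unless explicitly wanted
            lines.append("vlan participation exclude 1")
        for vid in p.tagged:
            lines.append(f"vlan tagging {vid}")
        lines += ["no shutdown", "exit"]
    lines += ["exit", "copy system:running-config nvram:startup-config"]
    return lines


if __name__ == "__main__":
    # Constructed sample: a 9-port switch, management VLAN 100, one process VLAN, one trunk.
    sample_vlans = {100: "MGMT", 200: "AREA1"}
    sample_ports = [
        PortSpec(1, "HMI", vlans=(100,), pvid=100),
        PortSpec(2, "PLC", vlans=(200,), pvid=200),
        PortSpec(9, "TrunkToArea1", vlans=(100, 200), tagged=(100, 200)),
    ]
    print("\n".join(generate_config("SW1", sample_vlans, sample_ports, port_count=9)))
```

After applying the script, ‘show port all’ and ‘show vlan brief’ on the switch should show the unconfigured ports as disabled and only the VLANs the script created.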

NETWORK ROUTING

  • Message Transmission
  • Routing Classifications
    • Static Routing
      • Network Administrator manually configures the routes
    • Dynamic Routing
      • Discovers remote networks.
      • Maintaining up-to-date routing information.
      • Choosing the best path to destination networks.
      • Protocols
        • RIP
          • A simple intra-domain (interior gateway) routing protocol
          • Each router advertises its routing information periodically (typically every 30 seconds) to neighbours
          • The Internet uses BGP not RIP
  • VLAN (Virtual Local Area Network) Technology
    • VLAN allows machines to connect to a network regardless of their physical location
    • 1 switch can have many VLANs
    • Multiple switches can be on a same VLAN
      • If machines on different switches want to communicate with each other, we need to link the switches
      • This is normally achieved by using one of the ports (or interfaces) of the switch as a Trunk Port
    • Trunk Port
      • A dedicated port used to link switches for VLAN communication
      • One trunk port carries frames from multiple VLANs. Normally the last port on the switch is used.
        • To tell the VLANs apart, VLAN Tagging is used
          • VLAN Tagging is the practice of inserting a VLAN ID into the frame header in order to identify which VLAN (Virtual Local Area Network) the frame belongs to
          • It is done by the switch itself, as it knows which VLAN the frame belongs to
          • IEEE 802.1Q (dot1q) is the open standard for VLAN tagging and can be used in mixed-vendor environments
          • The VLAN tag is inserted into the MAC frame for the VLAN and prioritization functions in accordance with IEEE 802.1Q. The tag is 4 bytes long: a 2-byte TPID of 0x8100 followed by a 2-byte TCI holding the priority, DEI and the 12-bit VLAN ID.
          • In Hirschmann switches, a VLAN tag is configured as a ‘T’ in the VLAN Static page (T for Tagged, U for Untagged)
            • image
            • For untagged frames a default VLAN (PVID) is configurable per port, meaning that if a frame arrives untagged, the port assigns it to the default VLAN
            • image
            • In the example above, untagged frames will by default be forwarded to VLAN ID 100 for Port 1/1 and Port 1/2.
    • When a switch needs to carry traffic of more than one VLAN over a link connecting to another switch or router, the port used for that purpose is called a Trunk Port.
      • To enable trunking on a trunk port, a VLAN tagging protocol (802.1Q) must be used.
    • Segmentation is based on broadcast domains.
      • Devices on different VLANs can only communicate via a router or a Layer 3 switch.
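
Added example (Python, not from the original notes): building and parsing the 4-byte 802.1Q tag described above, then applying the per-port rules from the Hirschmann VLAN Static page: untagged ingress frames get the port's PVID, a frame carrying a VLAN the port does not participate in is dropped, and on egress a ‘T’ port sends the frame tagged while a ‘U’ port strips the tag. MAC addresses and payloads are constructed.

```python
import struct
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet frame, inserting a 4-byte 802.1Q tag when vid is given."""
    header = _mac(dst) + _mac(src)
    if vid is not None:
        if not 1 <= vid <= 4094 or not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("invalid 802.1Q tag fields")
        tci = (pcp << 13) | (dei << 12) | vid        # priority(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict:
    """Return the frame fields; vid/pcp/dei are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vid = pcp = dei = None
    offset = 14
    if ethertype == TPID_8021Q:                        # tag present: TCI then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "ethertype": ethertype, "vid": vid,
            "pcp": pcp, "dei": dei, "payload": frame[offset:]}


def ingress_vlan(frame: bytes, pvid: int, participation: Set[int]) -> Optional[int]:
    """What a port does with an arriving frame.

    Untagged (or priority-tagged, VID 0) frames get the PVID, tagged frames keep their VID,
    and a VID the port does not participate in is dropped (returned as None).
    """
    vid = parse_frame(frame)["vid"]
    if not vid:
        vid = pvid
    return vid if vid in participation else None


def egress_frame(frame: bytes, vid: int, tagged: bool) -> bytes:
    """Rewrite a frame for a port marked 'T' (send tagged) or 'U' (send untagged)."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                       vid=vid if tagged else None, pcp=f["pcp"] or 0, dei=f["dei"] or 0)


if __name__ == "__main__":
    # Constructed sample: an ARP request tagged VLAN 200 with priority 5.
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:1b:21:aa:bb:cc", 0x0806, b"\x00\x01", vid=200, pcp=5)
    print(tagged.hex(), parse_frame(tagged))
    print("ingress on access port (pvid 100):", ingress_vlan(tagged, 100, {100}))
    print("ingress on trunk port:", ingress_vlan(tagged, 100, {100, 200}))
    print("sent out of a 'U' port:", egress_frame(tagged, 200, tagged=False).hex())
```

The drop in ingress_vlan is the security-relevant part: a host that tags its own frames cannot hop into a VLAN the access port does not participate in. The PVID rule is also why the notes above shut down unused ports, since an untagged frame on a live port always lands in some VLAN.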

LOCAL AREA NETWORKS

  • Casting
    • Type
      • Unicast Routing
      • Multicast
        • Multiple Unicasting
        • Multicasting
        • Protocol Independent Multicast
          • PIM Dense Mode
            • Used by VNET/IP
          • Sparse Mode
        • IGMP
          • Controls Multicasting
          • IGMP Snooping
            • Is Implemented by layer 2 device
            • IGMP Join (membership report) messages are sent by a computer to the layer 2 switch
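
Added example (Python, not from the original notes): a parser for IGMPv2 membership messages (with RFC 1071 checksum verification) feeding a minimal model of a Layer 2 switch's IGMP snooping table, so the difference between snooping on (multicast goes only to ports that joined) and snooping off (multicast floods to every other port, which is the VNET/IP Layer 2 setting below) can be seen on constructed packets. Flooding a group that nobody has joined while snooping is on is a simplifying assumption of the model.

```python
import struct
from collections import defaultdict
from typing import Dict, Set

IGMP_QUERY, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x16, 0x17


def _inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; IGMP computes it over the whole message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """Build an 8-byte IGMPv2 message with a valid checksum (constructed test input)."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, bytes(int(x) for x in group.split(".")))
    return body[:2] + struct.pack("!H", _inet_checksum(body)) + body[4:]


def parse_igmpv2(packet: bytes) -> Dict:
    """Decode type, max response time and group; reject truncated or corrupted messages."""
    if len(packet) < 8:
        raise ValueError("truncated IGMP message")
    if _inet_checksum(packet[:8]) != 0:      # a valid message checksums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", packet[:8])
    return {"type": msg_type, "max_resp": max_resp, "group": ".".join(map(str, group))}


class L2Switch:
    """Minimal model of how a Layer 2 switch decides where to send a multicast frame."""

    def __init__(self, ports, igmp_snooping: bool = True):
        self.ports: Set[int] = set(ports)
        self.snooping = igmp_snooping
        self.members: Dict[str, Set[int]] = defaultdict(set)   # group -> ports that joined

    def receive_igmp(self, port: int, packet: bytes) -> None:
        """Learn membership from IGMP seen on a port (only when snooping is enabled)."""
        if not self.snooping:
            return
        msg = parse_igmpv2(packet)
        if msg["type"] == IGMP_V2_REPORT:
            self.members[msg["group"]].add(port)
        elif msg["type"] == IGMP_LEAVE:
            self.members[msg["group"]].discard(port)

    def egress_ports(self, ingress: int, group: str) -> Set[int]:
        """Ports a frame for `group` arriving on `ingress` is forwarded to."""
        others = self.ports - {ingress}
        if not self.snooping or not self.members.get(group):
            return others          # flood: snooping off, or nobody has joined this group
        return self.members[group] - {ingress}


if __name__ == "__main__":
    for snooping in (True, False):
        sw = L2Switch(ports=[1, 2, 3, 4], igmp_snooping=snooping)
        sw.receive_igmp(2, build_igmpv2(IGMP_V2_REPORT, "239.1.1.1"))   # host on port 2 joins
        print("snooping", snooping, "-> 239.1.1.1 from port 1 goes to", sorted(sw.egress_ports(1, "239.1.1.1")))
```

With snooping off, every port (including any attacker-controlled one) sees all multicast traffic, which is the trade-off VNET/IP accepts for deterministic delivery; the ports must then be physically controlled, which is why the unused ones are shut down.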
  • Yokogawa VNET
    • Uses Hirschmann devices: RS40, MACH104, MACH1040 and the M-SFP-LX/LC transceiver (specifications listed under NETWORKING DEVICES above)
    • Make sure to order terminal cables!!!
    • Yokogawa has an agreement with Hirschmann under which
      • The VNET/IP configuration is burned into the switch's non-volatile memory as the factory default
        • This default configuration can be restored from a PuTTY terminal connected with the terminal cable
        • The command is: clear config factory
      • Hirschmann adds a Yokogawa logo underneath its own logo on switches that carry the Yokogawa VNET/IP default settings
    • Switch Settings
      • VNET/IP settings required for a Layer 3 switch
        • Enable multicast routing (IGMP and PIM-DM) between VLANs
        • Configure the management IP for the NMS
        • Disable RSTP
          • To reduce latency, because VNET/IP is meant for real-time traffic and RSTP takes time to reconverge after a topology change
          • VNET/IP runs two independent networks (VNET 1 and VNET 2), so redundancy comes from the duplicate network rather than from spanning tree
        • Shut down unused ports
        • Change the default passwords
        • Back up and restore the configuration using the ACA21 or the NMS server
        • RIP update interval set to 1 second
        • IGMP and PIM-DM enabled
      • VNET/IP settings for a Layer 2 switch
        • IGMP Snooping disabled
          • So that multicast traffic is flooded to all ports and reaches every device
        • Disable RSTP
        • Shut down unused ports
        • Change the default passwords
        • Back up and restore the configuration using the ACA21 or the NMS server
      • VNET/IP addressing rules
  • Yokogawa pre-configured settings
  • VLAN
    • A Layer 2 Technology
    • Why use VLANs
      • Security: segmentation limits which devices can reach each other at Layer 2
      • Cost reduction
      • Some performance gain (smaller broadcast domains)
    • VLAN Trunking
    • VLAN Tagging
      • Practice of inserting a VLAN ID into a packet header to identify which VLAN the packet belongs to
  • Link Aggregation
  • Rapid Spanning Tree Protocol (RSTP)
    • An enhanced version of Spanning Tree Protocol (Faster)
    • To prevent network loops or broadcast storm
    • How it works
      • Determine the Root Bridge/Switch
        • Based on the lowest Bridge ID (priority first, then MAC address as tie-breaker)
      • Select Root Port
      • Select Designated Port
      • Block the Ports
    • Is sometimes disabled
      • For example in Yokogawa VNET IP
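
Added example (Python, not from the original notes): the RSTP/STP election steps listed above run on a small constructed topology: the lowest Bridge ID becomes root, every other bridge picks the port with the cheapest path to the root as its root port, each link gets one designated port (the end nearer the root, ties broken by Bridge ID), and whatever is left is blocked. Bridge names, MAC addresses and path costs are constructed.

```python
import heapq
from collections import defaultdict
from typing import Dict, List, Tuple

Link = Tuple[str, int, str, int, int]   # (bridge A, port on A, bridge B, port on B, path cost)


def elect(bridges: Dict[str, Tuple[int, str]], links: List[Link]) -> Dict:
    """Run the spanning-tree election; bridges maps name -> (priority, MAC)."""
    bid = {name: (prio, mac.lower()) for name, (prio, mac) in bridges.items()}
    root = min(bid, key=bid.get)                      # step 1: lowest Bridge ID wins
    adj = defaultdict(list)                            # bridge -> [(neighbour, own port, nbr port, cost)]
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))

    # Root path cost: cheapest total cost from each bridge back to the root (Dijkstra).
    cost_to_root = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost_to_root[u]:
            continue
        for v, _, _, cost in adj[u]:
            if d + cost < cost_to_root.get(v, float("inf")):
                cost_to_root[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    unreachable = set(bid) - set(cost_to_root)
    if unreachable:
        raise ValueError(f"not connected to the root: {sorted(unreachable)}")

    roles: Dict[Tuple[str, int], str] = {}
    # Step 2, root port: on every non-root bridge, the port with the cheapest path to the root;
    # ties broken by the neighbour's Bridge ID, then its port number, then our own port number.
    for b in bid:
        if b == root:
            continue
        best = min((cost_to_root[n] + c, bid[n], np, op) for n, op, np, c in adj[b])
        roles[(b, best[3])] = "root"
    # Step 3, designated port: on every link, the end with the lower root path cost (tie: lower Bridge ID).
    # Step 4: any port that is neither root nor designated is blocked.
    for a, pa, b, pb, _ in links:
        winner = min((cost_to_root[a], bid[a], pa, a), (cost_to_root[b], bid[b], pb, b))
        roles.setdefault((winner[3], winner[2]), "designated")
        for end, port in ((a, pa), (b, pb)):
            roles.setdefault((end, port), "blocked")
    return {"root": root, "cost_to_root": cost_to_root, "roles": roles}


if __name__ == "__main__":
    # Constructed triangle: A has the lowest priority, all links cost 4 (Gigabit Ethernet).
    bridges = {"A": (4096, "00:00:00:00:00:0a"), "B": (32768, "00:00:00:00:00:0b"),
               "C": (32768, "00:00:00:00:00:0c")}
    links = [("A", 1, "B", 1, 4), ("A", 2, "C", 1, 4), ("B", 2, "C", 2, 4)]
    result = elect(bridges, links)
    print("root:", result["root"])
    for (bridge, port), role in sorted(result["roles"].items()):
        print(f"{bridge} port {port}: {role}")
```

The blocked port is the one that breaks the loop; because the election depends entirely on unauthenticated BPDU contents, a device that advertises a priority of 0 on an access port becomes root and re-routes traffic, which is why production switches either disable STP where the design allows (as VNET/IP does) or guard edge ports against BPDUs.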

ANTI VIRUS

  • Type of Virus
    • File Virus
    • Boot Sector Virus
    • Macro Virus
    • Network Virus
      • Also known as worm
  • Virus Life Cycle
    • Dormant
    • Propagation
    • Triggering
    • Execution
  • Antivirus Solutions
    • Symantec Endpoint Protection
    • McAfee VirusScan Enterprise
      • Yokogawa uses this
        • Has an agreement with McAfee
        • Cheaper for Yokogawa
        • The virus definitions will not affect Yokogawa systems
  • Symantec Endpoint Protection
    • Components
      • LUA (LiveUpdate Administrator)
        • Downloads virus definitions
      • SEP
        • Client
    • LUA and SEP are not recommended to be installed on the same machine
  • McAfee VirusScan Enterprise
    • Components
      • File Server
        • Optional
          • The ePO server can connect to McAfee directly
        • Some sites wish to set up a file server where the virus definitions are downloaded from the Internet and hosted locally
          • Can be an FTP server as well
      • ePO Server
        • Deploys virus definitions to all agents in one shot
        • Optional because
          • Virus definitions can be installed directly on a machine or obtained from a file server, but this is tedious as they must be manually deployed on each machine
        • Obtains products and virus definitions from either
          • McAfee's Internet update server
          • A local file server (see above)
        • In a process environment, there would typically be two ePO Servers:
          • DMZ ePO Server
            • Sometimes this Server connects to the McAfee Server
          • PCN ePO Server
        • Components
          • System
          • Dashboard
            • Audit Dashboard
            • Executive Dashboard
            • Product Deployment Dashboard
          • Repository
            • A function inside ePO
            • Types
              • Master Repository
                • Pulls DAT files from the Source site
                • Replicates DAT files to Distributed Repos
              • Distributed Repository
              • Agent Repository
            • Branches
              • A means by which McAfee keeps different versions of a package
                • This is to allow roll back in case something fails
              • Two versions are kept
                • Current
                • Previous
              • A third branch called ‘Evaluation’ is used for testing purposes only and can be ignored here
            • Communication (distributed repository types)
              • FTP
                • Most preferred
              • UNC
                • Not preferred as it requires the use of port 135 (RPC) in addition to SMB
              • HTTP
                • Not preferred as it uses port 80
          • Server Task Logs
            • All ePO activity is logged here
            • goto Menu ==> Automation ==> Server Task Logs
      • Agents
        • Can pull virus definition from ePO
        • Can also be manually updated using virus definitions
        • Agent to ePO Server communication is by default every 60 minutes
      • DAT Files
        • Virus Definition Files
      • Policy
        • A collection of setting that you create, configure and enforce.
        • The policy groups
          • McAfee Default
          • My Default
            • A best practice is to replicate McAfee Default here and work out any changes from here
        • Common Used Policy
          • Access Protection Policy
            • When enabled, restricts access to specified ports, registry keys and values
              • Prevents users from stopping McAfee processes
            • It is recommended to disable this policy while installing process software, such as Yokogawa applications, and re-enable it afterwards
          • General Option Policy
            • Configure user access on system tray options
        • Policies need to be set for both servers and workstations.
        • To allow the policy to take effect, the server needs to run ‘Wakeup Agent’
      • Definition File (DAT)
        • The McAfee virus definition file is a few hundred MB in size and holds all virus definitions
        • The file is in .DAT format
        • McAfee ePO downloads the whole file on each pull; there is no incremental update.
    • Setting up McAfee (The following setup is based on EPO version 4.6.6)
      • Setup EPO on DMZ
        • Run EPO Setup ==> Setup
        • If the following error comes out
          • image
          • Run ‘fsutil.exe 8dot3name set 0’ (enables 8.3 short-name creation, which the installer needs)
        • Install SQL Server Express
        • Change the port if required (typically port 80 to 8080)
        • image
        • After completion, ePO can be launched from the Windows start menu
          • Note: ePO uses Tomcat 5
        • Install FTP Server
          • The FTP server is required so that the virus definitions and packages are stored here
            • They are then accessible to the PCN ePO server
          • Create a server site named ‘EPO’
          • Any FTP server software may be used, but the FTP root path must be:
            • C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\
        • CheckIn the Virus Scan Enterprise Package
          • CheckIn is the process of loading the latest McAfee packages into the ePO system
            • Alternatively, you can just pull the packages.
          • Go to Menu ==> Master Repository ==> CheckIn Package
          • The packages are zip files which can be downloaded from McAfee website
            • Go to McAfee website==> Support
            • Key in Grant Number
              • Grant Number is given upon purchase of McAfee Software
              • image
          • The important package to check in here would be the
            • McAfee VirusScan Enterprise Package
              • 1-VSE880LMLRP3.Zip
          • After CheckIn
            • The VirusScan Enterprise Package will appear
            • image
        • Add Extensions
          • Extensions are additional configurations on the packages
          • Go to Menu ==> Software ==> Extensions ==> Install Extensions
          • The Extensions are zip files, which can be downloaded from the internet
          • The extension needed here is the VirusScan Enterprise Extension
            • 1-2VIRUSCAN8800(348)
          • After installing extensions, the extension associated can be seen in
            • Menu ==> Software ==> Extensions ==> Policy Catalog
              • image
              • Under Product : 'VirusScan Enterprise’
        • Export Security Key
          • The master repository key pair signs the packages in the repository; the PCN ePO server needs this key to trust packages it pulls from the DMZ server.
          • Menu ==> Configuration ==> Server Settings ==> Security Keys ==> Edit
          • Under Local Master Repository key pairs, click ‘Export Key Pair’
          • image
          • The key export is a zip file, which you save and bring to the PCN ePO server. It contains the private key, so move it on controlled media and do not leave copies lying around.
        • Pull (Obtain) packages from McAfee Server
          • Menu ==> Software ==> Master Repository ==> Pull Now
          • Before pulling packages
            • image
          • After pulling packages
            • image
            • Note that the DAT file is the virus definition file
      • Setup EPO on PCN
        • Install EPO
        • Setup Source Site to Connect to the DMZ FTP Server
          • Menu ==> Configuration ==> Server Settings ==> Source Sites
        • Install Security Keys
          • Menu ==> Configuration ==> Server Settings ==> Security Keys ==> Edit ==> Import
          • Import the security key zip file obtained from the DMZ ePO server
        • Pull the definitions and all packages
          • Menu ==> Software ==> Master Repository ==> Pull Now
          • image
        • Setup the clients from EPO Server
          • On the PCN EPO Server, System Tree ==> System Tree Actions ==> New Systems
          • You can browse the network. To do this, make sure the Computer Browser service is started
            • image
          • Deploy Agent on clients
            • In this process, the ePO server installs a program on the client machine. This requires an administrator account on the client.
            • This would be done while adding the new system, but if it needs to be done manually it can be accessed from System Tree ==> Tick the Computer Name ==> Actions ==> Agent ==> Deploy Agents
            • Make sure the credentials for deploying the agent on the client are correct
              • image
            • The Server task logs should say completed
              • image
            • After successful deployment, the mcafee agent should be seen in the client
              • image
          • Create Task to Deploy Virus Scanner
            • On the PCN ePO Server, Menu ==> Policy ==> Client Task Catalog ==> Actions ==> New Task
            • Select Task Type ‘Product Deployment’
            • image
          • Run The Task which deploys the virus scanner
            • System Tree ==> Tick Machine ==> Assigned Client Task (tab) ==> Action ==> New Client task Assignment
            • In Schedule type, choose run immediately
            • System Tree ==> Tick Machine ==> WakeUpAgent
            • Once deployment complete, on the Client’s McAfee Agent Monitor
              • image
          • Adding Policies
            • Policies are used to control the features and restrictions on the VirusScan consoles
            • Policies are a bit confusing as they are hierarchical
              • Category
                • Policy Group
                  • Policy
                    • Server
                    • Workstation
            • By default ePO does not have all policy parameters. These policy parameters come from an Extension package
              • The Extension package can either be pulled or checked in
            • When a policy is created it needs to be assigned to a group (easiest is to assign it to My Organization, which is the root group and affects all machines)
              • The Wake Up Agent command needs to be run to push the policies out immediately
            • Category
              • The main branch, which is the function of the policy
              • e.g.:
                • General Option Policies
                  • Used to prevent users from disabling certain features
                • On Access Default Processes Policies
                  • Used to scan only certain files
                  • Used to exclude certain folders from scanning
                • On Access General Policies
                  • Select whether to scan the boot sector only, etc.
                • Unwanted Program Policies
                  • Used to remove unwanted programs
            • Policy Group
              • Lets a user replicate settings from a default policy group, so that the template settings are not disturbed
              • There are 2 default policy groups
                • McAfee Default
                • My Default
              • Typically one duplicates My Default, gives it a policy name, and assigns groups to the policy.
              • ONLY ONE policy group can be assigned to a CATEGORY.
                • NOTE: THIS IS A VERY IMPORTANT CONCEPT
                  • All groups in the System Tree branch have all policy categories, and by default each category uses the My Default policy group. We CREATE AND SELECT a different policy if we do not wish to use the default.
                  • In the screenshot below, all policy categories exist in the My Organization node BUT the policy applied is different.
                  • image
            • Typical Policies
              • Lockdown Policy
                • Prevents users from disabling a virus scan
              • Exclusion Policy
                • Prevents the scanning of certain files.
                • image
          • Adding Client Tasks
            • This is important to make the computers run full scans at set intervals
            • Menu ==> Policy ==> Client Task Catalog ==> VirusScan Enterprise ==> On Demand Scan ==> New Task ==> Select On Demand Scan
              • Then assign the task to a group

WSUS (Windows Server Update Services)

  • Is installed by adding the WSUS server role
    • The server must either be connected to the Internet or the installer can be downloaded from Microsoft
  • WSUS is an IIS application
  • Used to patch Microsoft products, e.g.
    • Windows
    • Office
    • SQL Server
  • How WSUS works in a process environment
    • The WSUS main server is installed on the corporate network and downloads patches from Microsoft
    • WSUS PCN servers are installed on the PCN network
    • The WSUS PCN server communicates with the WSUS main server on the corporate network. This process is called synchronization
      • The WSUS PCN server must point its update source at the main server (Update Services ==> Options ==> Update Source and Proxy Server)
    • The PCN WSUS administrator goes to the control system vendor's website OR contacts the vendor to see which patches are approved for distribution
    • The PCN WSUS administrator approves the patches, and the approved patches become available to the clients
    • Approval is based on groups; the administrator approves a patch for an entire group
    • Once approved, clients in the group download the patch when their scheduled detection runs. By default this is every 22 hours
    • The patch is then applied manually by the client's administrator.
  • Typically, Microsoft releases patch generally on every 2nd Tuesday of each month
    • if its urgent, the patch is released immediately
  • Free
  • OS Patch management tool
  • WSUS Client
    • A yellow shield appears in the system tray when updates are available
    • Only users in the Administrators group see the icon
  • Client-server application
  • Plan about 30 GB of disk for the WSUS content store
  • One key use of Microsoft patching is to prevent malware attacks that exploit software vulnerabilities
  • Architecture
    • A server is installed in every network zone
      • Corporate Domain
      • DMZ
      • PCN
      • Why? So that clients only ever talk to the server in their own zone; only server-to-server synchronization crosses a zone boundary, which keeps the firewall openings (port 80/8530) to a minimum
  • Synchronization
    • The process in which a WSUS server connects to Microsoft Update, or a downstream server connects to its upstream server
    • Is found under Update Services==>Synchronization
    • Is typically set to synchronize daily
  • Patch Approval
    • Approval is done on the server and releases the patches to all clients connecting to it
    • Approval is done per group. Groups are set up in Update Services
  • Reports
    • Produced on the Server
    • Produced by WSUS detailing its activities
    • Reports Available
      • Update Reports
      • Computer Reports
      • Synchronization Reports
  • Ports Used
    • Upstream Server
      • Should be set to port 8530 (8531 for HTTPS)
      • However, it typically listens on port 80, as configured by the IT department
    • DMZ/Downstream Server
      • Port 8530
    • PCN/Management Server
      • Port 8530
  • Client Configuration
    • Checks by default every 22 hours and download approved patches
    • To connect to a server, the following setting are required
      • Go to Run ==> gpedit.msc (Local Group Policy; must be an administrator; not available on Windows Home editions)
        • The settings live under Computer Configuration ==> Administrative Templates ==> Windows Components ==> Windows Update
        • Configure Automatic Updates
          • Generally set to auto download and notify for install.
        • Specify intranet Microsoft update service location
          • Enter the WSUS server URL including the port, e.g. http://wsus-server:8530
        • Automatic Updates detection frequency
          • Should be enabled; the default is 22 hours.
      • image
      • After changing the settings, remember to run the Group Policy update
        • gpupdate /force
          • This applies the settings
        • wuauclt.exe /detectnow
          • This forces the client to contact the server and register itself
          • This should cause the computer to appear under the WSUS server's Unassigned Computers
          • This may take some time before it takes effect
        • wuauclt.exe /resetauthorization /detectnow
          • If detectnow alone doesn't work, use this one (clears the cached client cookie first)
  • Isolated Networks
    • wsusutil.exe export/import moves the update metadata and content between servers that cannot synchronize over the network
  • Database
    • WSUS uses the Windows Internal Database (a variant of SQL Server Express)
    • Using a full SQL Server (e.g. SQL 2005) is also possible
  • Server Cleanup Wizard
    • Removes unnecessary updates and unused content
  • Older WSUS servers can still download patches for newer Windows versions, because a patch is essentially just a file that the server stores and serves