You can add non-discoverable (can't be discovered using JetPatch Discovery Sources, on-prem and cloud) endpoints to JetPatch server from either the JetPatch server or from the Endpoint itself.
There are two ways to manage a non-discoverable endpoint for:
- Add Physical Server in JetPatch Console - if the endpoint is reachable from the JetPatch Manager.
Note - To deploy the JetPatch Agent (Connector) to dedicated server account .
- Create a single endpoint entry in JetPatch
- Upload multiple endpoint entries using JetPatch REST API
- Deploy Connector on the endpoint itself - When the communications available only from the endpoints to JetPatch (EP behind NAT).
- Using Connector binary
- Using Connector MSI (with additional configuration capabilities) - Windows only
Add Physical Server
Note - Newly-added endpoints appear in the endpoint list with the initial status of Untested. Upon first vAgent/Connector deployment or upon a manual Refresh status from the Servers tab, the connection status will be updated and JetPatch server will attempt to install the connector on the machine.
To add a single endpoint into JetPatch Console:
- In the Servers tab, go to Server Actions > Add Physical Server:
- Configure the following:
- The endpoint's Hostname and IP Address
- The endpoint's Operating System
- Access Credentials: If the credentials to this endpoint have already been provided, you can assign them to the endpoint here. Otherwise, you can do this later.
- Click Save.
- Configure endpoint user accounts.
When the need is to create multiple physical servers, the preferred why is to leverage the JetPatch API capabilities.
More information can be found in Adding Endpoints in Bulk via REST API
Deploy Connector on the Endpoint itself
Deploy JetPatch Connector binary
You can locally install the connector on any endpoint server. This is useful for connecting servers which are not otherwise accessible to the management server, and also for adding the connector to a base image that will be used to spawn multiple servers later.
To install the connector on a supported endpoint:
- Make sure organizational firewalls allow HTTPS (port 443) communication from the endpoint to the JetPatch server.
- Copy the Connector installation file into the endpoint. (can be found in the JetPatch server file system in /usr/share/intigua/bin/). Alternatively, download it here.
For Windows - vlink-win-win32_x64-<version>.exe
For Linux - vlink_installer_linux_x64_<version>_Release.bsx
- For Windows put the file in a tmp or download directory
- For Linux put the installation file in /tmp
- On the endpoint, run the following command (make sure to copy all quote signs and slashes correctly):
<connector> is the path and filename of the connector file executable, and
<host> is the IP address or DNS Name of the server host.
After that, the connector is installed and initiates communication with the JetPatch server. If the coreserverurl needs to be modified, see article. If there are still issues, generate connector logs from the endpoint.
- To test that the connector has been properly installed, check that the service is running:
- In Windows:
- Service name: vAgentManager
- Display Name: Intigua vAgentManager Service
- Process name: vlinkservice64.exe
- In Linux, run:
- /etc/init.d/intigua status
Deploy JetPatch Connector MSI
The Connector MSI installation is doing the listed below:
- Pulling the latest JetPatch Agent for Windows (Connector).
- Installing the Connector & Configuring the Connector to communicate with the JetPatch Manager
- Optional: Configuring the Windows Update Agent and the local Powershell Execution-Policy:
- Setup WSUS communication.
- Setup the appropriate Computer Group to be set in WSUS
- Changing the PowerShell Execution Policy to "Remote Signed" and enabling script execution.
- Configuring the endpoint to accept trusted published certificates (for 3rd party updates).
- Prioritizing IPv4 over IPv6
- Optional: Pulling & installing the WSUS and/or 3rd party updates certificates (if exist)
- Removing the MSI installation (Using the "Programs and Features" control panel) won't restore the previous Windows Update Agent configuration (But Connector will be removed.)
- The WSUS Computer Group assignment will work only if WSUS is configured to assign the computers to groups by configured it to "Use Group Policy or registry settings on computers". See Client-side Targeting in MS documentation.
- Connector MSI downloaded.
- The endpoint should have a connection to the JetPatch Manager in the installation time.
- The configuration file should be in the same directory as the MSI installation.
- JetPatch API key to connect to JetPatch and download the needed files.
- The initiating user that installs the MSI should have administrator privileges.
- Optional: The computer group in the settings file (wsus_group) should exist in WSUS.
- Optional: If there is a WSUS certificate located in the environment - check WSUS Certificate section. Only applicable if SSL is enabled on WSUS
- Optional: If you want to deploy the 3rd party certificate to the endpoints, make sure to do the preparation actions for Install 3rd Party Certificate using JetPatch Built-in Script.
Configuration File (vlink.settings)
When installing the Connector using MSI Installer the configuration file (vlink.settings) should exist in the same directory and with the following properties:
- manager_ip_hostname - The IP or full hostname of the manager server.
- username - The username for accessing the API of the manager.
- apikey - The API key for accessing the API of the manager.
- PreferIPv4 (default "no")- Prefer IPv4 communication over IPv6. yes/no.
- wsus_ip_hostname (optional) - The IP or full hostname of the WSUS server (if not applicable, delete this line).
If wsus_ip_hostname exist, the following configuration values are also available:
- wsus_cert (optional) - The filename of the WSUS certificate that’s located in the JetPatch Manager (if not applicable, delete this line).
- wpp_cert (optional) - The filename of the 3rd party patching certificate that’s located in the JetPatch Manager (if not applicable, delete this line).
- wsus_group (optional) - The name of the WSUS group we would like to associate the endpoint to (if not applicable, delete this line. Only required if using WSUS with SSL).
The endpoint should have a connection to the WSUS in the installation time. Necessary if you want to setup the WSUS group.
Installation, verification, and troubleshooting
- Generate the vlink.settings with the right properties, based on your environment.
- Put the MSI Installation and the vlink.properties in the same folder.
- Run the MSI installation
To verify the Connector was installed successfully -
- On the endpoint:
- check that the Connector root folder has been created - "%SystemDrive%:\program files\Intigua" (usually located in "C" drive).
- check that the Connector service - "Intigua vAgentManager Service" (service name = "vAgentManager") is running
- On the JetPatch Manager:
- The new endpoint should appear in JetPatch Console -> Platform Configuration -> Servers Tab, with a connected (green lighting) status.
In addition to that, the MSI is sending installation logs to JetPatch for troubleshooting purposes.
The logs can be found in /usr/share/intigua/installation-logs folder, inside the JetPatch file-system. The path can be change by putting a different path to installation-logs.path property inside the intigua.properties file.
Note - After any logs upload, JetPatch will trigger clean-up operation that will check:
- If the number of logs exist in the folder is more than installation-logs.clean-up.number (in intigua.properties file) - old logs will be deleted. (default = 100)
- If the age of existing logs are more than installation-logs.clean-up.old.days (in intigua.properties file) - they will be deleted. (default = 120)