VMware vSphere Update Manager - 6.5 Installation Manual

Download

Page 1

vSphere Update Manager Installation

and Administration Guide

Update 1

Modiﬁed on 04 OCT 2017

VMware vSphere 6.5

vSphere Update Manager 6.5

Page 2

vSphere Update Manager Installation and Administration Guide

You can ﬁnd the most up-to-date technical documentation on the VMware Web site at:

hps://docs.vmware.com/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

VMware, Inc.

3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.

Page 3

About Installing and Administering VMware vSphere Update Manager 9

Updated Information 11

Understanding Update Manager 13

Overview of the Update Manager Interface 14

About the Update Manager Process 15

Conguring the Update Manager Download Source 16

Downloading Updates and Related Metadata 16

Importing ESXi Images 18

Creating Baselines and Baseline Groups 18

Aaching Baselines and Baseline Groups to vSphere Objects 20

Scanning Selected vSphere Objects 20

Reviewing Scan Results 21

Staging Patches and Extensions to Hosts 21

Remediating Selected vSphere Objects 22

Installing Update Manager on Windows 25

System Requirements 26

Update Manager Hardware Requirements 26

Supported Windows Operating Systems and Database Formats 26

Update Manager Compatibility with vCenter Server and vSphere Web Client 27

Required Database Privileges 27

Preparing the Update Manager Database 28

Create a 64-Bit DSN 29

About the Bundled Microsoft SQL Server 2012 Express Database Package 29

Maintaining Your Update Manager Database 29

Congure a Microsoft SQL Server Database Connection 29

Congure an Oracle Database 31

Prerequisites for Installing the Update Manager Server on Windows 33

Obtain the Update Manager Installer 34

Install the Update Manager Server 35

Enable the Update Manager Web Client Plug-In 37

VMware, Inc.

Uninstalling Update Manager that Runs on Windows 39

Uninstall the Update Manager Server 39

Upgrading Update Manager that Runs on Windows 41

Upgrade the Update Manager Server 42

Upgrade the Update Manager Java Components 43

Page 4

vSphere Update Manager Installation and Administration Guide

Using Update Manager with the vCenter Server Appliance 45

Start, Stop, or Restart Update Manager Service in the vCenter Server Appliance 45

Migrating Update Manager from Windows to the vCenter Server Appliance 47

Download and Run VMware Migration Assistant on the Source Update Manager Machine 48

Roll Back a Migration of vCenter Server Appliance with Update Manager 48

Best Practices and Recommendations for Update Manager Environment 51

Update Manager Deployment Models and Their Usage 52

Installing, Seing Up, and Using Update Manager Download Service 53

Compatibility Between UMDS and the Update Manager Server 54

Installing UMDS on a Windows Operating System 54

Install UMDS on a Windows Operating System 54

Installing and Upgrading UMDS on a Linux-Based Operating System 56

Supported Linux-Based Operating Systems and Databases for Installing UMDS 56

Congure PostgreSQL Database for UMDS on Linux 56

Install UMDS on a Linux OS 58

Uninstall UMDS from a Linux OS 59

Seing Up and Using UMDS 59

Set Up the Data to Download with UMDS 59

Change the UMDS Patch Repository Location 60

Congure URL Addresses for Hosts 61

Download the Specied Data Using UMDS 61

Export the Downloaded Data 62

Conguring Update Manager 65

Update Manager Network Connectivity Seings 66

Change the Update Manager Network Seings 67

Conguring the Update Manager Download Sources 68

Congure Update Manager to Use the Internet as a Download Source 69

Add a New Download Source 70

Use a Shared Repository as a Download Source 71

Import Patches Manually 72

Congure the Update Manager Proxy Seings 73

Congure Checking for Updates 73

Conguring and Viewing Notications 74

Congure Notications Checks 75

View Notications and Run the Notication Checks Task Manually 76

Types of Update Manager Notications 76

Conguring Host and Cluster Seings 77

Congure Host Maintenance Mode Seings 78

Congure Cluster Seings 79

Enable Remediation of PXE Booted ESXi Hosts 80

Take Snapshots Before Remediation 81

Congure Smart Rebooting 82

Congure the Update Manager Patch Repository Location 82

Restart the Update Manager Service 83

4 VMware, Inc.

Page 5

Run the VMware vSphere Update Manager Update Download Task 83

Update Manager Privileges 84

Contents

Working with Baselines and Baseline Groups 85

Creating and Managing Baselines 87

Create and Edit Patch or Extension Baselines 87

Create and Edit Host Upgrade Baselines 92

Create and Edit a Virtual Appliance Upgrade Baseline 95

Delete Baselines 97

Creating and Managing Baseline Groups 97

Create a Host Baseline Group 98

Create a Virtual Machine and Virtual Appliance Baseline Group 98

Edit a Baseline Group 99

Add Baselines to a Baseline Group 100

Remove Baselines from a Baseline Group 100

Delete Baseline Groups 101

Aach Baselines and Baseline Groups to Objects 101

Detach Baselines and Baseline Groups from Objects 102

Scanning vSphere Objects and Viewing Scan Results 103

Manually Initiate a Scan of ESXi Hosts 103

Manually Initiate a Scan of Virtual Machines and Virtual Appliances 104

Manually Initiate a Scan of a Container Object 104

Schedule a Scan 105

Viewing Scan Results and Compliance States for vSphere Objects 105

View Compliance Information for vSphere Objects 106

Review Compliance with Individual vSphere Objects 107

Compliance View 107

Compliance States for Updates 110

Baseline and Baseline Group Compliance States 111

Viewing Patch Details 112

Viewing Extension Details 113

Viewing Upgrade Details 113

Host Upgrade Scan Messages in Update Manager 115

Host Upgrade Scan Messages When Cisco Nexus 1000V Is Present 117

VMware Tools Status 118

Remediating vSphere Objects 119

Orchestrated Upgrades of Hosts and Virtual Machines 119

Remediating Hosts 120

Remediation Specics of ESXi Hosts 122

Remediating Hosts That Contain Third-Party Software 122

Remediating ESXi 5.5 or ESXi 6.0 Hosts Against ESXi 6.5 Image 123

Remediation Specics of Hosts That Are Part of a vSAN Cluster 124

Remediating vSAN Clusters Against System Managed Baselines 124

Stage Patches and Extensions to ESXi Hosts 125

Remediate Hosts Against Patch or Extension Baselines 126

Remediate Hosts Against an Upgrade Baseline 129

VMware, Inc. 5

Page 6

vSphere Update Manager Installation and Administration Guide

Remediate Hosts Against Baseline Groups 132

Cluster Remediation Options Report 134

Remediating Virtual Machines and Virtual Appliances 135

Rolling Back to a Previous Version 136

Remediate Virtual Machines and Virtual Appliances 136

Upgrade VMware Tools on Power Cycle 137

Scheduling Remediation for Hosts, Virtual Machines, and Virtual Appliances 138

View Update Manager Events 139

Patch Repository and Virtual Appliance Upgrades 141

Add or Remove Patches From a Baseline 141

Troubleshooting 143

Update Manager Web Client Remains Visible in the vSphere Web Client After Uninstalling

Update Manager Server 143

Connection Loss with Update Manager Server or vCenter Server in a Single vCenter Server System 144

Gather Update Manager Log Bundles 144

Gather Update Manager and vCenter Server Log Bundles 145

Log Bundle Is Not Generated 145

Host Extension Remediation or Staging Fails Due to Missing Prerequisites 146

No Baseline Updates Available 146

All Updates in Compliance Reports Are Displayed as Not Applicable 147

All Updates in Compliance Reports Are Unknown 147

VMware Tools Upgrade Fails if VMware Tools Is Not Installed 147

ESXi Host Scanning Fails 148

ESXi Host Upgrade Fails 148

The Update Manager Repository Cannot Be Deleted 148

Incompatible Compliance State 149

Updates Are in Conict or Conicting New Module State 150

Updates Are in Missing Package State 150

Updates Are in Not Installable State 151

Updates Are in Unsupported Upgrade State 151

Database Views 153

VUMV_VERSION 154

VUMV_UPDATES 154

VUMV_HOST_UPGRADES 154

VUMV_VA_UPGRADES 155

VUMV_PATCHES 155

VUMV_BASELINES 155

VUMV_BASELINE_GROUPS 156

VUMV_BASELINE_GROUP_MEMBERS 156

VUMV_PRODUCTS 156

VUMV_BASELINE_ENTITY 157

VUMV_UPDATE_PATCHES 157

VUMV_UPDATE_PRODUCT 157

VUMV_ENTITY_SCAN_HISTORY 157

6 VMware, Inc.

Page 7

VUMV_ENTITY_REMEDIATION_HIST 158

VUMV_UPDATE_PRODUCT_DETAILS 158

VUMV_BASELINE_UPDATE_DETAILS 158

VUMV_ENTITY_SCAN_RESULTS 159

VUMV_VMTOOLS_SCAN_RESULTS 159

VUMV_VMHW_SCAN_RESULTS 159

VUMV_VA_APPLIANCE 160

VUMV_VA_PRODUCTS 160

Index 161

Contents

VMware, Inc. 7

Page 8

vSphere Update Manager Installation and Administration Guide

8 VMware, Inc.

Page 9

About Installing and Administering VMware vSphere Update Manager

Installing and Administering VMware vSphere Update Manager provides information about installing,

conguring, and using VMware® vSphere Update Manager to scan and remediate the objects in your vSphere environment. It also describes the tasks that you can perform to update your vSphere inventory objects and make them compliant against aached baselines and baseline groups.

For scanning and remediation, Update Manager works with the following ESXi versions:

For VMware Tools and virtual machine hardware upgrade operations, Update Manager works with 5.5,

ESXi 6.0, and ESXi 6.5.

For ESXi host patching operations, Update Manager works with ESXi 5.5, ESXi 6.0, and ESXi 6.5.

For ESXi host upgrade operations, Update Manager works withESXi 5.5, ESXi 6.0, and their respective

Update releases.

Intended Audience

This information is intended for anyone who wants to install, upgrade, migrate, or use Update Manager. The information is wrien for experienced Windows or Linux system administrators who are familiar with virtual machine technology and data center operations.

VMware, Inc.

Page 10

vSphere Update Manager Installation and Administration Guide

10 VMware, Inc.

Page 11

Updated Information

This Installing and Administering VMware vSphere Update Manager documentation is updated with each release of the product or when necessary.

This table provides the update history of the Installing and Administering VMware vSphere Update Manager.

Revision Description

04 OCT 2017

EN-002609-00 Initial release.

Added prerequisite information about Administrator access requirement for using UMDS on

Windows to download patches. The updated topics are following: Chapter 8, “Installing, Seing Up,

and Using Update Manager Download Service,” on page 53, “Seing Up and Using UMDS,” on

page 59, “Download the Specied Data Using UMDS,” on page 61, “Export the Downloaded

Data,” on page 62.

VMware, Inc. 11

Page 12

vSphere Update Manager Installation and Administration Guide

12 VMware, Inc.

Page 13

Understanding Update Manager 1

Update Manager enables centralized, automated patch and version management for VMware vSphere and oers support for VMware ESXi hosts, virtual machines, and virtual appliances.

With Update Manager, you can perform the following tasks:

Upgrade and patch ESXi hosts.

Install and update third-party software on hosts.

Upgrade virtual machine hardware, VMware Tools, and virtual appliances.

Update Manager requires network connectivity with VMware vCenter Server. Each installation of Update Manager must be associated (registered) with a single vCenter Server instance.

The Update Manager module consists of a server component and of a client component.

You can use Update Manager with either vCenter Server that runs on Windows or with the vCenter Server Appliance.

If you want to use Update Manager with vCenter Server, you have to perform Update Manager installation on a Windows machine. You can install the Update Manager server component either on the same Windows server where the vCenter Server is installed or on a separate machine. To install Update Manager, you must have Windows administrator credentials for the computer on which you install Update Manager.

VMware, Inc.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you want to use Update Manager for each vCenter Server system, you must install and register Update Manager instances with each vCenter Server system. You can use an Update Manager instance only with the vCenter Server system with which it is registered.

The vCenter Server Appliance delivers Update Manager as an optional service. Update Manager is bundled in the vCenter Server Appliance.

In vSphere 6.5, it is no longer supported to register Update Manager to a vCenter Server Appliance during installation of the Update Manager server on a Windows machine.

The Update Manager client component is a plug-in that runs on the vSphere Web Client. The Update Manager client component is automatically enabled after installation of the Update Manager server component on Windows, and after deployment of the vCenter Server Appliance.

You can deploy Update Manager in a secured network without Internet access. In such a case, you can use the VMware vSphere Update Manager Download Service (UMDS) to download update metadata and update binaries.

This chapter includes the following topics:

“Overview of the Update Manager Interface,” on page 14

“About the Update Manager Process,” on page 15

Page 14

vSphere Update Manager Installation and Administration Guide

Overview of the Update Manager Interface

The Update Manager server has a client interface for the vSphere Web Client.

The Update Manager Web Client is automatically enabled in the vSphere Web Client after you install the Update Manager server component on Windows, or deploy the vCenter Server Appliance.

The Update Manager Web Client appears as an Update Manager tab in vSphere Web Client. The Update

Manager tab is on the same level as the Monitor tab, the  tab, the Datacenters tab, the Host & Clusters tab, and so on.

To be able to see the Update Manager Web Client in vSphere Web Client you must have the View Compliance Status privilege.

The Update Manager client Interface have two main views, Administration view and Compliance view.

To access the Administration view for the Update Manager Web Client, navigate to Home > Update Manager and select the IP Address of the Update Manager instance you want to use.

In the Update Manager Administration view, you can do the following tasks:

Congure the Update Manager seings

Create and manage baselines and baseline groups

View Update Manager events

Review the patch repository and available virtual appliance upgrades

Review and check notications

Import ESXi images

To view Compliance view information for a selected inventory object with the Update Manager Web Client, select Hosts and Clusters or VMs and Templates inventory view of the vSphere Web Client, and click the Update Manager tab.

In the Update Manager Compliance view, you can do the following tasks:

View compliance and scan results for each selected inventory object

Aach and detach baselines and baseline groups from a selected inventory object

Scan a selected inventory object

Stage patches or extensions to hosts

Remediate a selected inventory object

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you have installed and registered more than one Update Manager instance, you can congure the seings for each Update Manager instance. Conguration properties that you modify are applied only to the Update Manager instance that you specify and are not propagated to the other instances in the group. You can specify an Update Manager instance by selecting the name of the vCenter Server system with which the Update Manager instance is registered from the navigation bar.

For a vCenter Server system that is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, you can also manage baselines and baseline groups as well as scan and remediate only the inventory objects managed by the vCenter Server system with which Update Manager is registered.

14 VMware, Inc.

Page 15

About the Update Manager Process

Upgrading vSphere objects and applying patches or extensions with Update Manager is a multistage process in which procedures must be performed in a particular order. Following the suggested process helps ensure a smooth update with a minimum of system downtime.

The Update Manager process begins by downloading information (metadata) about a set of patches, extensions, and virtual appliance upgrades. One or more of these patches or extensions are aggregated to form a baseline. You can add multiple baselines to a baseline group. A baseline group is a composite object that consists of a set of nonconicting baselines. You can use baseline groups to combine dierent types of baselines, and scan and remediate an inventory object against all of them as a whole. If a baseline group contains both upgrade and patch or extension baselines, the upgrade runs rst.

A collection of virtual machines, virtual appliances, and ESXi hosts or individual inventory objects can be scanned for compliance with a baseline or a baseline group and later remediated. You can initiate these processes manually or through scheduled tasks.

Conguring the Update Manager Download Source on page 16

You can congure the Update Manager server to download patches, extensions, and virtual appliance upgrades either from the Internet or from a shared repository. You can also import patches and extensions manually from a ZIP le.

Chapter 1 Understanding Update Manager

Downloading Updates and Related Metadata on page 16

Downloading virtual appliance upgrades, host patches, extensions, and related metadata is a predened automatic process that you can modify. By default, at regular congurable intervals, Update Manager contacts VMware or third-party sources to gather the latest information (metadata) about available upgrades, patches, or extensions.

Importing ESXi Images on page 18

You can upgrade the hosts in your environment to ESXi 6.5 by using host upgrade baselines. To create a host upgrade baseline, you must rst upload at least one ESXi 6.5 .iso image to the Update Manager repository.

Creating Baselines and Baseline Groups on page 18

Baselines contain a collection of one or more patches, extensions, service packs, bug xes, or upgrades, and can be classied as patch, extension, or upgrade baselines. Baseline groups are assembled from existing baselines.

Aaching Baselines and Baseline Groups to vSphere Objects on page 20

To use baselines and baseline groups, you must aach them to selected inventory objects such as container objects, virtual machines, virtual appliances, or hosts.

Scanning Selected vSphere Objects on page 20

Scanning is the process in which aributes of a set of hosts, virtual machines, or virtual appliances are evaluated against all patches, extensions, and upgrades from an aached baseline or baseline group, depending on the type of scan you select.

Reviewing Scan Results on page 21

Update Manager scans vSphere objects to determine how they comply with baselines and baseline groups that you aach. You can lter scan results by text search, group selection, baseline selection, and compliance status selection.

Staging Patches and Extensions to Hosts on page 21

You can stage patches and extensions before remediation to ensure that the patches and extensions are downloaded to the host. Staging patches and extensions is an optional step that can reduce the time during which hosts are in maintenance mode.

VMware, Inc. 15

Page 16

vSphere Update Manager Installation and Administration Guide

Remediating Selected vSphere Objects on page 22

Remediation is the process in which Update Manager applies patches, extensions, and upgrades to ESXi hosts, virtual machines, or virtual appliances after a scan is complete.

Configuring the Update Manager Download Source

Conguring the Update Manager download source is an optional step.

If your deployment system is connected to the Internet, you can use the default seings and links for downloading upgrades, patches, and extensions to the Update Manager repository. You can also add URL addresses to download virtual appliance upgrades or third-party patches and extensions. Third-party patches and extensions are applicable only to hosts that are running ESXi 5.0 and later.

If your deployment system is not connected to the Internet, you can use a shared repository after downloading the upgrades, patches, and extensions by using Update Manager Download Service (UMDS).

For more information about UMDS, see Chapter 8, “Installing, Seing Up, and Using Update Manager

Download Service,” on page 53.

With Update Manager, you can import both VMware and third-party patches or extensions manually from a ZIP le, also called an oine bundle. Import of oine bundles is supported only for hosts that are running ESXi 5.0 and later. You download the oine bundle ZIP les from the Internet or copy them from a media drive, and save them on a local or a shared network drive. You can import the patches or extensions to the Update Manager patch repository later. You can download oine bundles from the VMware Web site or from the Web sites of third-party vendors.

N You can use oine bundles for host patching operations only. You cannot use third-party oine bundles or oine bundles that you generated from custom VIB sets for host upgrade from ESXi 5.5.x and ESXi 6.0.x to ESXi 6.5.

For detailed descriptions of the procedures, see “Conguring the Update Manager Download Sources,” on page 68.

Downloading Updates and Related Metadata

VMware provides information about patches for ESXi hosts and virtual appliance upgrades.

Update Manager downloads the following types of information:

Metadata about all ESXi 5.5 and ESXi 6.x patches regardless of whether you have hosts of such versions

in your environment.

Metadata about ESXi 5.5 and ESXi 6.x patches as well as about extensions from third-party vendor URL

addresses.

Notications, alerts, and patch recalls for ESXi 5.5 and ESXi 6.x hosts.

Metadata about upgrades for virtual appliances.

Downloading information about all updates is a relatively low-cost operation in terms of disk space and network bandwidth. The availability of regularly updated metadata lets you add scanning tasks for hosts or appliances at any time.

16 VMware, Inc.

Page 17

Chapter 1 Understanding Update Manager

Update Manager supports the recall of patches for hosts that are running ESXi 5.0 or later. A patch is recalled if the released patch has problems or potential issues. After you scan the hosts in your environment, Update Manager alerts you if the recalled patch has been installed on a certain host. Recalled patches cannot be installed on hosts with Update Manager. Update Manager also deletes all the recalled patches from the Update Manager patch repository. After a patch xing the problem is released, Update Manager downloads the new patch to its patch repository. If you have already installed the problematic patch, Update Manager noties you that a x was released and prompts you to apply the new patch.

If Update Manager cannot download upgrades, patches, or extensions—for example, if it is deployed on an internal network segment that does not have Internet access—you must use UMDS to download and store the data on the machine on which UMDS is installed. The Update Manager server can use the upgrades, patches, and extensions that UMDS downloaded after you export them.

For more information about UMDS, see Chapter 8, “Installing, Seing Up, and Using Update Manager

Download Service,” on page 53.

You can congure Update Manager to use an Internet proxy to download upgrades, patches, extensions, and related metadata.

You can change the time intervals at which Update Manager downloads updates or checks for notications. For detailed descriptions of the procedures, see “Congure Checking for Updates,” on page 73 and

“Congure Notications Checks,” on page 75.

Types of Software Updates and Related Terms

Update Manager downloads software updates and metadata from Internet depots or UMDS-created shared repositories. You can import oine bundles and host upgrade images from a local storage device into the local Update Manager repository.

Bulletin

Depot

Host upgrade image

A grouping of one or more VIBs. Bulletins are dened within metadata.

A logical grouping of VIBs and associated metadata that is published online.

An ESXi image that you can import in the Update Manager repository and use for upgrading ESXi 5.5 or ESXi 6.0 hosts to ESXi 6.5.

Extension

A bulletin that denes a group of VIBs for adding an optional component to an ESXi host. An extension is usually provided by a third party that is also responsible for patches or updates to the extension.

Metadata

Extra data that denes dependency information, textual descriptions, system requirements, and bulletins.

Offline bundle ZIP

An archive that encapsulates VIBs and corresponding metadata in a selfcontained package that is useful for oine patching. You cannot use thirdparty oine bundles or oine bundles that you generated from custom VIB sets for host upgrade from ESXi 5.5 or ESXi 6.0 to ESXi 6.5.

Patch

A bulletin that groups one or more VIBs together to address a particular issue or enhancement.

Roll-up

A collection of patches that is grouped for ease of download and deployment.

VA upgrade

VIB

VMware, Inc. 17

Updates for a virtual appliance, which the vendor considers an upgrade.

A VIB is a single software package.

Page 18

vSphere Update Manager Installation and Administration Guide

Importing ESXi Images

With Update Manager 6.5 you can upgrade hosts that are running ESXi 5.5 or ESXi 6.0 to ESXi 6.5. Host upgrades to ESXi 5.0, ESXi 5.1, ESXi 5.5, or ESXi 6.0 are not supported.

Before uploading ESXi images, obtain the image les from the VMware Web site or another source. You can create custom ESXi images that contain third-party VIBs by using vSphere ESXi Image Builder. For more information, see Customizing Installations with vSphere ESXi Image Builder.

You can upload and manage ESXi images from the ESXi Images tab of the Update Manager Administration view.

ESXi images that you import are kept in the Update Manager repository. You can include ESXi images in host upgrade baselines. To delete an ESXi image from the Update Manager repository, rst you must delete the upgrade baseline that contains it. After you delete the baseline, you can delete the image from the ESXi Images tab.

For more information about importing ESXi images and creating host upgrade baselines, see “Create a Host

Upgrade Baseline,” on page 93.

Creating Baselines and Baseline Groups

Host baseline groups can contain a single upgrade baseline, and various patch and extension baselines.

Virtual machine and virtual appliance baseline groups can contain up to three upgrade baselines: one VMware Tools upgrade baseline, one virtual machine hardware upgrade baseline, and one virtual appliance upgrade baseline.

When you scan hosts, virtual machines, and virtual appliances, you evaluate them against baselines and baseline groups to determine their level of compliance.

Update Manager includes two predened patch baselines and three predened upgrade baselines. You cannot edit or delete the predened virtual machine and virtual appliance upgrade baselines. You can use the predened baselines, or create patch, extension, and upgrade baselines that meet your criteria. Baselines you create, and predened baselines, can be combined in baseline groups. For more information about creating and managing baselines and baseline groups, see Chapter 10, “Working with Baselines and Baseline

Groups,” on page 85.

Baseline Types

Update Manager supports dierent types of baselines that you can use when scanning and remediating objects in your inventory.

Update Manager provides upgrade, patch, and extension baselines.

18 VMware, Inc.

Page 19

Chapter 1 Understanding Update Manager

Upgrade Baselines

Baseline Description

Host Upgrade Baseline

Virtual Appliance Upgrade Baseline

Virtual Machine Upgrade Baseline

Denes to which version to upgrade the hosts in your environment. With Update Manager 6.5, you can upgrade ESXi hosts from version 5.5 and 6.0 to ESXi 6.5.

Denes to which version to upgrade a selected virtual appliance. For example, you can upgrade to the latest released virtual appliance version by using the predened VA Upgrade to Latest

(Predened) baseline.

Denes to which version to upgrade virtual hardware or VMware Tools. With

Update Manager 6.5 you can upgrade to hardware version vmx-13 and to the latest VMware Tools version on hosts that are running ESXi 6.5.

Patch Baselines

Patch baselines dene a number of patches that must be applied to a given host. Patch baselines can be either dynamic or xed.

Baseline Description

Dynamic Patch Baseline

Fixed Patch Baseline You manually specify which patches to include in the xed patch baseline from the total set of

The contents of a dynamic baseline are based on available patches that meet the specied criteria. As the set of available patches changes, dynamic baselines are updated as well. You can explicitly include or exclude any patches.

patches available in the Update Manager repository.

Extension Baselines

Baseline Description

Extension Baseline

Contains extensions (additional software such as third-party device drivers) that must be applied to a given host. Extensions are installed on hosts that do not have such software installed on them, and patched on hosts that already have the software installed. All third-party software for ESXi hosts is classied as a host extension, although host extensions are not restricted to just third-party software.

Update Manager Default Baselines

Update Manager includes default baselines that you can use to scan any virtual machine, virtual appliance, or host to determine whether the hosts in your environment are updated with the latest patches, or whether the virtual appliances and virtual machines are upgraded to the latest version.

Critical Host Patches (Predefined)

Non-Critical Host Patches (Predefined)

VMware Tools Upgrade to Match Host (Predefined)

VM Hardware Upgrade to Match Host (Predefined)

Checks ESXi hosts for compliance with all critical patches.

Checks ESXi hosts for compliance with all optional patches.

Checks virtual machines for compliance with the latest VMware Tools version on the host. Update Manager supports upgrading of VMware Tools for virtual machines on hosts that are running ESXi 5.5.x and later.

Checks the virtual hardware of a virtual machine for compliance with the latest version supported by the host. Update Manager supports upgrading to virtual hardware version vmx-13 on hosts that are running ESXi 6.5 .

VA Upgrade to Latest (Predefined)

VMware, Inc. 19

Checks virtual appliance compliance with the latest released virtual appliance version.

Page 20

vSphere Update Manager Installation and Administration Guide

Baseline Groups

Baseline groups can contain patch, extension, and upgrade baselines. The baselines that you add to a baseline group must be non-conicting.

A baseline group is limited to a combination of patches, extensions, and upgrades. The following are valid combinations of baselines that can make up a baseline group:

Multiple host patch and extension baselines.

One upgrade baseline, multiple patch and extension baselines.

For example, one ESXi upgrade baseline and multiple ESXi patch or extension baselines.

Multiple upgrade baselines, but only one upgrade baseline per upgrade type (like VMware Tools,

virtual machine hardware, virtual appliance, or host).

For example, VMware Tools Upgrade to Match Host baseline, VM Hardware Upgrade to Match Host baseline and one VA Upgrade to Latest baseline. You cannot create a baseline group containing two virtual appliance upgrade baselines.

Attaching Baselines and Baseline Groups to vSphere Objects

To use baselines and baseline groups, you must aach them to selected inventory objects such as container objects, virtual machines, virtual appliances, or hosts.

Although you can aach baselines and baseline groups to individual objects, a more ecient method is to aach them to container objects, such as folders, vApps, clusters, and data centers. Individual vSphere objects inherit baselines aached to the parent container object. Removing an object from a container removes the inherited baselines from the object.

For a detailed description of the procedure, see “Aach Baselines and Baseline Groups to Objects,” on page 101.

Scanning Selected vSphere Objects

You can scan a host installation to determine whether the latest patches or extensions are applied, or you can scan a virtual machine to determine whether it is up to date with the latest virtual hardware or VMware Tools version.

Update Manager supports the following types of scan:

Host patch scan

Host extensions scan

Host upgrade scan

VMware Tools scan

You can perform patch scans on ESXi 5.5 and later.

You can scan ESXi 5.5 and later for extensions (additional software modules).

You can scan ESXi 5.5 and ESXi 6.0 for upgrading to ESXi 6.5.

You can scan virtual machines running Windows or Linux for the latest VMware Tools version. You can perform VMware Tools scans on online or oine virtual machines and templates. You must power on the virtual machine at least once before performing a VMware Tools scan.

20 VMware, Inc.

Page 21

Chapter 1 Understanding Update Manager

Virtual machine hardware upgrade scan

Virtual appliance upgrade scan

You can use VMware Studio 2.0 and later to automate the creation of ready-to-deploy vApps with prepopulated application software and operating systems. VMware Studio adds a network agent to the guest so that vApps bootstrap with minimal eort. Conguration parameters specied for vApps appear as OVF properties in the vCenter Server deployment wizard. For more information about VMware Studio, see the VMware SDK and API documentation for VMware Studio. For more information about vApp, you can also check the VMware blog site. You can download VMware Studio from the VMware website.

You can initiate scans on container objects, such as data centers, clusters, vApps, or folders, to scan all the ESXi hosts or virtual machines and appliances in that container object.

You can congure Update Manager to scan virtual machines, virtual appliances, and ESXi hosts against baselines and baseline groups by manually initiating or scheduling scans to generate compliance information. Schedule scan tasks at a data center or vCenter Server system level to make sure that scans are up to date.

For manual and scheduled scanning procedures, see Chapter 11, “Scanning vSphere Objects and Viewing

Scan Results,” on page 103.

You can scan virtual machines running Windows or Linux for the latest virtual hardware supported on the host. You can perform hardware-upgrade scans on online or oine virtual machines and templates.

You can scan powered-on virtual appliances that are created with VMware Studio 2.0 and later.

Reviewing Scan Results

When you select a container object, you view the overall compliance status of the container against the aached baselines as a group. You also see the individual compliance statuses of the objects in the selected container against all baselines. If you select an individual baseline aached to the container object, you see the compliance status of the container against the selected baseline.

If you select an individual virtual machine, appliance, or host, you see the overall compliance status of the selected object against all aached baselines and the number of updates. If you select an individual baseline aached to this object, you see the number of updates grouped by the compliance status for that baseline.

The compliance information is displayed on the Update Manager tab. For more information about viewing compliance information, see “Viewing Scan Results and Compliance States for vSphere Objects,” on page 105.

Staging Patches and Extensions to Hosts

Staging patches and extensions to hosts that are running ESXi 5.0 or later lets you download the patches and extensions from the Update Manager server to the ESXi hosts without applying the patches or extensions immediately. Staging patches and extensions speeds up the remediation process because the patches and extensions are already available locally on the hosts.

I Update Manager can stage patches to PXE booted ESXi hosts.

For more information about staging patches, see “Stage Patches and Extensions to ESXi Hosts,” on page 125.

VMware, Inc. 21

Page 22

vSphere Update Manager Installation and Administration Guide

Remediating Selected vSphere Objects

Remediation is the process in which Update Manager applies patches, extensions, and upgrades to ESXi hosts, virtual machines, or virtual appliances after a scan is complete.

Remediation makes the selected vSphere objects compliant with patch, extension, and upgrade baselines.

As with scanning, you can remediate single hosts, virtual machines, or virtual appliances. You can also initiate remediation on a folder, a cluster, or a data center level.

Update Manager supports remediation for the following inventory objects:

Powered on, suspended, or powered o virtual machines and templates for VMware Tools and virtual

machine hardware upgrade.

Powered on virtual appliances that are created with VMware Studio 2.0 and later, for virtual appliance

upgrade.

ESXi hosts for patch, extension, and upgrade remediation.

You can remediate the objects in your vSphere inventory by using either manual remediation or scheduled remediation. For more information about manual and scheduled remediation, see Chapter 12, “Remediating

vSphere Objects,” on page 119.

Remediating Hosts

Update Manager 6.5 supports upgrade from ESXi 5.5.x and ESXi 6.0.x to ESXi 6.5.

I If you enable the seing from the ESX Host/Cluster  page of the  tab, or from the Remediate wizard, you can patch PXE booted ESXi hosts.

After you upload ESXi images, upgrades for ESXi hosts are managed through baselines and baseline groups.

Typically, if the update requires it, hosts are put into maintenance mode before remediation. Virtual machines cannot run when a host is in maintenance mode. To ensure a consistent user experience, vCenter Server migrates the virtual machines to other hosts within a cluster before the host is put in maintenance mode. vCenter Server can migrate the virtual machines if the cluster is congured for vMotion and if VMware Distributed Resource Scheduler (DRS) and VMware Enhanced vMotion Compatibility (EVC) are enabled. EVC is not a prerequisite for vMotion. EVC guarantees that the CPUs of the hosts are compatible. For other containers or individual hosts that are not in a cluster, migration with vMotion cannot be performed.

I After you have upgraded your host to ESXi 6.5, you cannot roll back to your version ESXi 5.5.x or ESXi 6.0.x software. Back up your host conguration before performing an upgrade. If the upgrade fails, you can reinstall the ESXi 5.5.x or ESXi 6.0.x software that you upgraded from, and restore your host

conguration. For more information about backing up and restoring your ESXi conguration, see vSphere Upgrade.

Remediation of ESXi 5.5 and 6.0 hosts to their respective ESXi update releases is a patching process, while the remediation of ESXi hosts from version 5.5 or 6.0 to 6.5 is an upgrade process.

Remediating Virtual Machines and Virtual Appliances

You can upgrade virtual appliances, VMware Tools, and the virtual hardware of virtual machines to a later version. Upgrades for virtual machines are managed through the Update Manager default virtual machine upgrade baselines. Upgrades for virtual appliances can be managed through both the Update Manager default virtual appliance baselines and custom virtual appliance upgrade baselines that you create.

N Update Manager 6.5 does not support virtual machines patch baselines.

22 VMware, Inc.

Page 23

Chapter 1 Understanding Update Manager

Orchestrated Upgrades

With Update Manager, you can perform orchestrated upgrades of hosts and virtual machines. With orchestrated upgrades, you can upgrade hosts and virtual machines in your vSphere inventory by using baseline groups.

You can perform an orchestrated upgrade of hosts by using a baseline group that contains a single host upgrade baseline and multiple patch or extension baselines. Update Manager rst upgrades the hosts and then applies the patch or extension baselines.

You can perform an orchestrated upgrade of virtual machines by using a virtual machine baseline group that contains the following baselines:

VM Hardware Upgrade to Match Host

VMware Tools Upgrade to Match Host

You can use orchestrated upgrades to upgrade the virtual hardware and VMware Tools of virtual machines in the inventory at the same time. The VMware Tools upgrade baseline runs rst, followed by the virtual machine hardware upgrade baseline.

Orchestrated upgrades can be performed at a cluster, folder, or a data center level.

VMware, Inc. 23

Page 24

vSphere Update Manager Installation and Administration Guide

24 VMware, Inc.

Page 25

Installing Update Manager on

Windows 2

The Update Manager server is a 64-bit application. You can install the Update Manager server for Windows only on 64-bit Windows machines.

You can install the Update Manager server component either on the same machine where the vCenter Server is installed or on a separate machine. For optimal performance, especially in large-scale environments, install the Update Manager server component on a dierent Windows machine.

The Update Manager 6.5 installer for Windows generates a 2048-bit key and self-signed certicate. To replace the self-signed SSL certicate after installation, you can use the Update Manager Utility.

You can install vCenter Server and the Update Manager server in a heterogeneous network environment, where one of the machines is congured to use IPv6 and the other is congured to use IPv4.

To run and use Update Manager, you must use a local system account for the machine on which Update Manager is installed.

During installation, you cannot connect an Update Manager server that is installed on a Windows server to a vCenter Server Appliance. The vCenter Server Appliance facilitates Update Manager server as a service.

After you install the Update Manager server component, the Update Manager Web Client plug-in is automatically enabled on the vSphere Web Client, and appears as an Update Manager tab. The Update

Manager tab is on the same level as the Monitor tab, the  tab, the Datacenters tab, the Host & Clusters tab, and so on.

VMware, Inc.

VMware uses designated ports for communication. The Update Manager server connects to vCenter Server, ESXi hosts, and the Update Manager Web Client plug-in on designated ports. If a rewall exists between any of these elements and Windows rewall service is in use, the installer opens the ports during the installation. For custom rewalls, you must manually open the required ports.

You can run Update Manager in deployments that you protect using SRM. Use caution before connecting the Update Manager server to a vCenter Server instance to which the SRM server is connected. Connecting the Update Manager server to the same vCenter Server instance as SRM might cause problems when you upgrade SRM or vSphere, and when you perform daily tasks. Check the compatibility and interoperability of Update Manager with SRM before you install the Update Manager server.

This chapter includes the following topics:

“System Requirements,” on page 26

“Preparing the Update Manager Database,” on page 28

“Prerequisites for Installing the Update Manager Server on Windows,” on page 33

“Obtain the Update Manager Installer,” on page 34

“Install the Update Manager Server,” on page 35

“Enable the Update Manager Web Client Plug-In,” on page 37

Page 26

vSphere Update Manager Installation and Administration Guide

System Requirements

To run and use the Update Manager server, you must ensure that your environment satises certain conditions. You also must ensure that the vCenter Server, vSphere Web Client, and Update Manager are of compatible versions.

Before you install Update Manager on Windows, you must set up an Oracle or Microsoft SQL Server database. If your deployment is relatively small and contains up to 5 hosts and 50 virtual machines, you can use the bundled Microsoft SQL Server 2012 Express database, which you can select to install from the Update Manager installation wizard.

You can install Update Manager on a physical server or on a virtual machine. You can install the Update Manager server component on the same Windows machine as vCenter Server or on a dierent machine. After you install the Update Manager server component, to use Update Manager, the Update Manager client is automatically enabled on the vSphere Web Client.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, you can install and register Update Manager instances with each vCenter Server system.

Update Manager Hardware Requirements

You can run Update Manager on any system that meets the minimum hardware requirements.

Minimum hardware requirements for Update Manager vary depending on how Update Manager is deployed. If the database is installed on the same machine as Update Manager, requirements for memory size and processor speed are higher. To ensure acceptable performance, verify that your system meets the minimum hardware requirements.

Table 2‑1. Minimum Hardware Requirements

Hardware Requirements

Processor Intel or AMD x86 processor with two or more logical cores, each with a speed of 2GHz

Network 10/100 Mbps

For best performance, use a Gigabit connection between Update Manager and the ESXi hosts

Memory 2GB RAM if Update Manager and vCenter Server are on dierent machines

8GB RAM if Update Manager and vCenter Server are on the same machine

Update Manager uses a SQL Server or Oracle database. You should use a dedicated database for Update Manager, not a database shared with vCenter Server, and should back up the database periodically. Best practice is to have the database on the same computer as Update Manager or on a computer in the local network.

Depending on the size of your deployment, Update Manager requires a minimum amount of free space per month for database usage. For more information about space requirements, see the VMware vSphere Update Manager Sizing Estimator.

Supported Windows Operating Systems and Database Formats

Update Manager works with specic databases and operating systems.

The Update Manager server requires a 64-bit Windows system.

26 VMware, Inc.

Page 27

Chapter 2 Installing Update Manager on Windows

To see a list of the supported Windows operating systems on which you can install the Update Manager server and the UMDS, see Supported host operating systems for VMware vCenter Server installation. The supported Windows operating systems for vCenter Server installation listed in the article also apply for installation of the respective versions of the Update Manager server and the UMDS.

N Make sure the Windows system on which you are installing the Update Manager server is not an Active Directory domain controller.

The Update Manager server that you install on Windows requires a SQL Server or an Oracle database. Update Manager can handle small-scale environments using the bundled in the installer SQL Server 2012 Express database. For environments with more than 5 hosts and 50 virtual machines, create either an Oracle or a SQL Server database for Update Manager. For large-scale environments, set up the Update Manager database on a dierent computer than the Update Manager server and the vCenter Server database.

To see a list of database formats that are compatible with the Update Manager server and the UMDS, select the Solution/Database Interoperability option from the VMware Product Interoperability Matrixes at

hp://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

Update Manager Compatibility with vCenter Server and vSphere Web Client

Update Manager is compatible with vCenter Server and vSphere Web Client of the same version.

Update Manager 6.5 is compatible only with vCenter Server 6.5.

During installation you connect the Update Manager 6.5 server to a vCenter Server 6.5 system that runs on Windows OS. After the Update Manager server installation, the Update Manager Web Client 6.5 is automatically enabled on the vSphere Web Client 6.5 that you use to connect to this vCenter Server system.

During installation you cannot connect the Update Manager 6.5 server to a vCenter Server Appliance 6.5. The vCenter Server Appliance runs its own instance of Update Manager as a service.

To see more information about the Update Manager compatibility with vCenter Server and vSphere Web Client, select the Solution Interoperability option from the VMware Product Interoperability Matrixes at hp://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

Required Database Privileges

The set of database privileges needed for the Update Manager installation and upgrade diers from the set of privileges needed for the Update Manager administration.

Before installing or upgrading Update Manager, you must grant adequate privileges to the database user.

VMware, Inc. 27

Page 28

vSphere Update Manager Installation and Administration Guide

Table 2‑2. Database Privileges Needed for Installation or Upgrade of Update Manager

Database Privileges

Oracle Either assign the DBA role, or grant the following set of privileges to the Update Manager Oracle

database user.

connect

execute on dbms_lock

create view

create procedure

create table

create sequence

create any sequence

create any table

create type

unlimited tablespace

Microsoft SQL Server

Make sure that the database user has either a sysadmin server role or the db_owner xed database role on the Update Manager database and the MSDB database. Although the db_owner role is required for the upgrade, SQL jobs are not created as part of the Update Manager installation or upgrade.

To run Update Manager, you must grant a set of minimum privileges to the database user.

Table 2‑3. Database Privileges Needed for Using Update Manager

Database Privileges

Oracle The minimum required privileges of the Oracle database user are the following:

create session

create any table

drop any table

Microsoft SQL Server

The database user must have either a sysadmin server role or the db_owner xed database role on the Update Manager database and the MSDB database.

Preparing the Update Manager Database

The Update Manager server and Update Manager Download Service (UMDS) that you install on Windows require a database to store and organize server data. Update Manager supports Oracle, Microsoft SQL Server databases.

Before installing the Update Manager server on a Windows machine, you must create a database instance and congure it to ensure that all Update Manager database tables can be created in it. You can install and congure the Microsoft SQL Server 2012 Express database that is embedded with Update Manager. Microsoft SQL Server 2012 Express is recommended for small deployments of up to 5 hosts and 50 virtual machines.

Update Manager 6.5 server is a 64-bit application, and you can install it only on 64-bit machines. Update Manager requires a 64-bit DSN.

To use Microsoft SQL Server and Oracle databases, you must congure a 64-bit system DSN and test it with ODBC.

The Update Manager database you use can be the same as the vCenter Server database. You can also use a separate type of database, or you can use existing database clusters. For optimal results in a large-scale environment, use a dedicated Update Manager database that runs on a dierent machine than the vCenter Server system database.

28 VMware, Inc.

Page 29

Chapter 2 Installing Update Manager on Windows

The Update Manager server requires administrative credentials to connect to the database. If the database user name and password change after you install the Update Manager server or UMDS on Windows, you can recongure Update Manager and UMDS without the need to reinstall them. See the Reconguring VMware vSphere Update Manager documentation.

Before you begin the database setup, review the supported databases. If you create an ODBC connection to a database server that is not supported, a DSN for the unsupported database might be displayed in the dropdown menu of the Update Manager installation wizard. For more information about the supported database patches, see the Solution/Database Interoperability option from the VMware Product Interoperability Matrixes at hp://www.vmware.com/resources/compatibility/sim/interop_matrix.php. If you do not prepare your database correctly, the Update Manager installer might display error or warning messages.

Create a 64-Bit DSN

The Update Manager 6.5 system must have a 64-bit DSN. This requirement applies to all supported databases.

Procedure

1 From the Windows Start menu, select Control Panel > Administrative Tools > Data Sources (ODBC).

2 Create a system DSN.

If you have a Microsoft SQL database, create the system DSN by using SQL Native Client version 10 or

11.

3 Test the connectivity.

The system now has a DSN that is compatible with Update Manager. When the Update Manager installer prompts you for a DSN, select the 64-bit DSN.

About the Bundled Microsoft SQL Server 2012 Express Database Package

The Microsoft SQL Server 2012 Express database package is installed and congured when you select Microsoft SQL Server 2012 Express as your database during the Update Manager installation or upgrade.

No additional conguration is required.

Maintaining Your Update Manager Database

After your Update Manager database instance and Update Manager server are installed and operational, perform standard database maintenance processes.

Maintaining your Update Manager database involves several tasks:

Monitoring the growth of the log le and compacting the database log le, as needed. See the

documentation for the database type that you are using.

Scheduling regular backups of the database.

Backing up the database before any Update Manager upgrade.

See your database documentation for information about backing up your database.

Configure a Microsoft SQL Server Database Connection

When you install Update Manager, you can establish an ODBC connection with a SQL Server database.

If you use SQL Server for Update Manager, do not use the master database.

See your Microsoft SQL ODBC documentation for specic instructions on conguring the SQL Server ODBC connection.

VMware, Inc. 29

Page 30

vSphere Update Manager Installation and Administration Guide

Procedure

1 Create a SQL Server database by using SQL Server Management Studio on SQL Server.

The Update Manager installer creates all tables, procedures, and user-dened functions (UDF) within the default schema of the database user that you use for Update Manager. This default schema does not necessarily have to be dbo schema.

2 Create a SQL Server database user with database operator (DBO) rights.

Make sure that the database user has either a sysadmin server role or the db_owner xed database role on the Update Manager database and the MSDB database.

The db_owner role on the MSDB database is required for installation and upgrade only.

Create a New Data Source (ODBC)

To prepare a Microsoft SQL Server database to work with Update Manager, you have to create a data source (ODBC).

Procedure

1 On your Update Manager server system, select Control Panel > Administrative Tools > Data Sources

(ODBC).

2 Click the System DSN tab.

3 Create or modify an ODBC system data source.

Option Action

Create an ODBC system data source

Modify an existing ODBC system data source

a Click Add.

b For Microsoft SQL Server 2008, Microsoft SQL Server 2008 R2 Express,

Microsoft SQL Server 2012, or Microsoft SQL Server 2014 select SQL Native Client, and click Finish.

Double-click the ODBC system data source that you want to modify.

To see a detailed list of all Microsoft SQL Server database versions that are compatible with the Update Manager server and the UMDS, select the Solution/Database Interoperability option from the VMware Product Interoperability Matrixes at

hp://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

4 In the Microsoft SQL Server DSN Conguration window, enter the necessary information and click

Next.

a Type an ODBC DSN in the Name text eld.

For example, type VUM.

b (Optional) Type an ODBC DSN description in the Description text eld.

c Select the SQL Server name from the Server drop-down menu.

Type the SQL Server machine name in the text eld if you cannot nd it in the drop-down menu.

30 VMware, Inc.

Page 31

Chapter 2 Installing Update Manager on Windows

5 Congure the SQL Server authentication, and click Next.

If you are using a local SQL Server, you can select Integrated Windows NT authentication.

If you are using a remote SQL Server, you must use the SQL Server authentication method.

If you use the SQL Server authentication method, in the Update Manager installation wizard supply the same user name, password, and ODBC DSN that you used to congure the ODBC.

I Update Manager does not support Windows authentication of the database when the database is located on a dierent machine because of local system account issues. Make sure that if the Update Manager database is on a remote machine, the database, and the system DSN use SQL Server authentication.

6 Select a database from the Change the default database to drop-down menu, specify the ANSI seings,

and click Next.

7 Specify the language and translation seings, where to save the log les, and click Finish.

What to do next

To test the data source, in the ODBC Microsoft SQL Server Setup window, click Test Data Source, and click OK. Ensure that SQL Agent is running on your database server by double-clicking the SQL Server icon in

the system tray.

Identify the SQL Server Authentication Type

You can identify whether your SQL Server is using Windows NT or SQL Server authentication.

Procedure

1 Open SQL Server Enterprise Manager.

2 Click the Properties tab.

3 Check the connection type.

Configure an Oracle Database

To use an Oracle database for Update Manager, you must rst set up the database.

Procedure

1 Download Oracle 11g or Oracle 12c from the Oracle Web site, install it, and create a database (for

example, VUM).

Make sure that the TNS Listener is up and running, and test the database service to be sure it is working.

2 Download Oracle ODBC from the Oracle Web site.

3 Install the corresponding Oracle ODBC driver through the Oracle Universal Installer.

4 Increase the number of open cursors for the database.

Add the entry open_cursors = 300 to the ORACLE_BASE\ADMIN\VUM\pfile\init.ora le.

In this example, ORACLE_BASE is the root of the Oracle directory tree.

VMware, Inc. 31

Page 32

vSphere Update Manager Installation and Administration Guide

Configure an Oracle Connection to Work Locally

You can congure an Oracle connection to work locally with Update Manager.

Prerequisites

Verify that the ODBC data source that you use is a 64-bit system DSN. See “Create a 64-Bit DSN,” on page 29.

Procedure

1 Create a tablespace specically for Update Manager by using the following SQL statement:

CREATE TABLESPACE "VUM" DATAFILE 'ORACLE_BASE\ORADATA\VUM\VUM.dat' SIZE 1000M AUTOEXTEND ON

NEXT 500K;

In this example, ORACLE_BASE is the root of the Oracle directory tree.

2 Create a user, such as vumAdmin, for accessing this tablespace through ODBC.

CREATE USER vumAdmin IDENTIFIED BY vumadmin DEFAULT TABLESPACE “vum”;

3 Either grant the dba permission to the user, or grant the following specic permissions to the user.

grant connect to vumAdmin

grant resource to vumAdmin

grant create any job to vumAdmin

grant create view to vumAdmin

grant create any sequence to vumAdmin

grant create any table to vumAdmin

grant lock any table to vumAdmin

grant create procedure to vumAdmin

grant create type to vumAdmin

grant execute on dbms_lock to vumAdmin

grant unlimited tablespace to vumAdmin

# To ensure space limitation is not an issue

4 Create an ODBC connection to the database.

See the following example seings:

Data Source Name: VUM

TNS Service Name: VUM

User ID: vumAdmin

Configure an Oracle Database to Work Remotely

You can congure your Oracle database to work with Update Manager remotely.

Prerequisites

Verify that the ODBC data source that you use is a 64-bit system DSN. See “Create a 64-Bit DSN,” on

page 29.

Set up a database as described in “Congure an Oracle Database,” on page 31.

Procedure

1 Install the Oracle client on the Update Manager server machine.

32 VMware, Inc.

Page 33

Chapter 2 Installing Update Manager on Windows

2 Use the Net Conguration Assistant tool to add the entry to connect to the managed host.

VUM =

(DESCRIPTION =

(ADDRESS_LIST =

(ADDRESS=(PROTOCOL=TCP)(HOST=host_address)(PORT=1521))

)

(CONNECT_DATA =(SERVICE_NAME = VUM)

)

In this example, host_address is the managed host to which the client needs to connect.

3 (Optional) Edit the tnsnames.ora le located in ORACLE_HOME\network\admin\, as appropriate.

Here, ORACLE_HOME is located under C:\ORACLE_BASE, and it contains subdirectories for Oracle software executable and network les.

4 Create an ODBC connection to the database.

These are example seings.

Data Source Name: VUM

TNS Service Name: VUM

User Id: vumAdmin

Prerequisites for Installing the Update Manager Server on Windows

Before you install the Update Manager server, review the installation prerequisites.

Update Manager Database Requirements

Update Manager requires an Oracle or SQL Server database. Update Manager can handle small-scale environments using the bundled Microsoft SQL Server 2012 Express. For environments with more than 5 hosts and 50 virtual machines, you must create either an Oracle or SQL Server database.

hp://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

For large-scale environments, set up the database on a machine dierent than the machines on which the Update Manager server is installed and the vCenter Server database is located. For more information about seing up the Update Manager database, see “Preparing the Update Manager Database,” on page 28.

Create a database and 64-bit DSN, unless you are using the bundled Microsoft SQL Server 2012 Express.

Make sure that if the Update Manager database is located on a remote machine, the database and the

system DSN use SQL Server authentication.

Update Manager does not support Windows authentication of the database when the database is located on a dierent machine because of local system account problems.

If you plan to use the bundled Microsoft SQL Server 2012 Express database, make sure that you install

Microsoft Windows Installer version 4.5 (MSI 4.5) on your system.

Make sure that the database privileges meet the requirements listed in “Required Database Privileges,”

on page 27.

Create the 64-bit ODBC connection to a supported database server version by using a supported

database client version.

VMware, Inc. 33

Page 34

vSphere Update Manager Installation and Administration Guide

If you create an ODBC connection to a database server that is of an unsupported version, and your database client is of a supported version, a DSN for the unsupported database might be displayed in the drop-down menu of the Update Manager installation wizard.

vCenter Server Installation

Install vCenter Server.

If prompted, you must restart the machine on which vCenter Server is installed. Otherwise, you might not be able to register Update Manager with vCenter Server, and the Update Manager installation might fail.

For more information about installing vCenter Server, see vSphere Installation and Setup.

Gather the following networking information for the vCenter Server system.

User name and password for the vCenter Server system.

During the Update Manager installation process, you must register the Update Manager server with the vCenter Server system. To register Update Manager with vCenter Server, you must provide the credentials of the vCenter Server user that has the Register extension privilege. For more information about managing users, groups, roles, and permissions, see vSphere Security.

Port numbers. In most cases, the default Web service port 80 is used.

IP address.

If the IP address of the vCenter Server system or Update Manager changes, you can re-register the Update Manager server with the vCenter Server system. For more information about conguring the Update Manager server after installation, see Reconguring VMware vSphere Update Manager.

Update Manager System Requirements

Make sure that your system meets the requirements specied in “System Requirements,” on page 26.

I You can install the Update Manager 6.5 server component only on a 64-bit machine. Make sure the Windows system on which you are installing the Update Manager server is not an Active Directory domain controller.

Obtain the Update Manager Installer

You install the Update Manager server for Windows from the vCenter Server installer for Windows.

Update Manager for Windows runs only on a 64-bit Windows operating system.

Prerequisites

Create a My VMware account at hps://my.vmware.com/web/vmware/.

Procedure

1 Download the vCenter Server installer from the VMware website at

hps://my.vmware.com/web/vmware/downloads.

vCenter Server is part of VMware vCloud Suite and of VMware vSphere, listed under Datacenter & Cloud Infrastructure.

a Under Datacenter & Cloud Infrastructure, select VMware vCloud Suite or VMware vSphere, and

click Download Product.

b From the Select Version drop-down menu, select the version you want.

34 VMware, Inc.

Page 35

c Locate VMware vCenter Server on the page, and select Go to Downloads.

d Download the ISO le of the VMware vCenter Server <product version> and Modules for Windows.

2 Conrm that the md5sum is correct.

See the VMware website topic Using MD5 Checksums at

hp://www.vmware.com/download/md5.html.

3 Mount the ISO image to the Windows virtual machine or physical server on which you want to install

the Update Manager server or the UMDS.

Install the Update Manager Server

The Update Manager installation requires a connection with a single vCenter Server instance. You can install Update Manager on the same computer on which vCenter Server is installed or on a dierent computer.

Prerequisites

See installation prerequisites in “Prerequisites for Installing the Update Manager Server on Windows,”

on page 33.

Check the compatibility and interoperability of the vCenter Server server with VMware Site Recovery

Manager®. Use caution when connecting the Update Manager server to a vCenter Server instance to which the Site Recovery Manager server is also connected. Connecting the Update Manager server to the same vCenter Server instance as Site Recovery Manager might cause problems when you upgrade the Site Recovery Manager or the vCenter Server, or when you perform daily operations.

Chapter 2 Installing Update Manager on Windows

Procedure

1 In the software installer directory, double-click the autorun.exe le and select vSphere Update

Manager > Server.

If you cannot run autorun.exe, browse to the UpdateManager folder and run VMware-UpdateManager.exe.

2 (Optional) Select the option to Use Microsoft SQL Server 2012 Express as the embedded database, and

click Install.

N Skip this step only if you plan to use another supported Oracle or SQL Server database.

If the Microsoft SQL Server 2012 Express is not present on your system from previous Update Manager installations, the installation wizard for the Microsoft SQL Server 2012 Express opens.

3 Click Install.

4 Select a language for the installer and click OK.

5 Review the Welcome page and click Next.

6 Read and accept the license agreement, and click Next.

7 Accept the terms in the license agreement and click Next.

8 Review the support information, select whether to download updates from the default download

sources immediately after installation, and click Next.

If you deselect Download updates from default sources immediately after installation, Update Manager downloads updates once daily according to the default download schedule or immediately after you click the Download Now buon on the Download Seings page. You can modify the default download schedule after the installation is complete.

VMware, Inc. 35

Page 36

vSphere Update Manager Installation and Administration Guide

9 Type the vCenter Server IP address or name, HTTP port, and the administrative account that the

Update Manager server will use to connect to the vCenter Server system, and click Next.

You can provide an IP address to a vCenter Server instance running on Windows, or a vCenter Server Appliance.

In vSphere 6.5, the default administrative user account is administrator@vsphere.local.

10 (Optional) Select the database, and click Next.

If you selected to use the embedded Microsoft SQL Server 2012 Express database, the installation wizard skips this page.

a Use an existing supported database, by selecting your database from the list of DSNs. If the DSN

does not use Windows NT authentication, enter the user name and password for the DSN and click

Next.

I The DSN must be a 64-bit DSN.

11 (Optional) Select the database options.

If the system DSN you specify points to an existing Update Manager database with the current

schema, you can either retain your existing database or replace it with an empty one.

If the system DSN you specify points to an existing Update Manager database with a dierent

schema, on the Database Upgrade page, select Yes, I want to upgrade my Update Manager database and I have taken a backup of the existing Update Manager database, and click Next.

12 From the drop-down menu, select the IP address or the host name of your Update Manager instance.

If the computer on which you install Update Manager has one NIC, the Update Manager installer automatically detects the IP address. If the computer has multiple NICs, you must select the correct IP address or use a DNS name. The DNS name must be resolved from all hosts that this Update Manager instance will manage.

13 Specify the Update Manager port seings, select whether you want to congure the proxy seings, and

click Next.

N Use caution when you specify the Update Manager port seings, as you cannot modify them after installation.

For the SOAP port, you have no limitations to the range of ports used, as long as there are no conicts.

For the Server port, you can use the following range: 80, 9000-9100. Update Manager automatically opens ESXi rewall ports in this range to allow outbound HTTP trac to the patch store.

14 (Optional) Provide information about the proxy server, the port, and whether the proxy should be

authenticated, and click Next.

15 Select the Update Manager installation and patch download directories, and click Next.

If you do not want to use the default locations, you can click Change to browse to a dierent directory.

16 (Optional) In the warning message about the disk free space, click OK.

This message appears when you try to install Update Manager on a computer that has less than 120 GB free space.

17 Click Install to begin the installation.

18 Click Finish.

The Update Manager server component is installed, and the Update Manager Web Client plug-in is automatically enabled in the vSphere Web Client.

36 VMware, Inc.

Page 37

Enable the Update Manager Web Client Plug-In

You can use the Update Manager Web Client plug-in for the vSphere Web Client to perform upgrade operations on the hosts and update operations the virtual machines in your environment. With the Update Manager Web Client, you can perform the full set of operations that Update Manager oers.

For more information, see “Overview of the Update Manager Interface,” on page 14.

Prerequisites

Verify that you have the View Compliance Status privilege, otherwise you cannot see and use the Update Manager Web Client in vSphere Web Client.

The Update Manager Web Client plug-in is automatically enabled in the vSphere Web Client after you install the Update Manager server.

The Update Manager Web Client appears as an Update Manager tab in vSphere Web Client. The Update

Manager tab is on the same level as the Monitor tab, the  tab, the Datacenters tab, the Host & Clusters tab, and so on.

Chapter 2 Installing Update Manager on Windows

VMware, Inc. 37

Page 38

vSphere Update Manager Installation and Administration Guide

38 VMware, Inc.

Page 39

Uninstalling Update Manager that

Runs on Windows 3

Update Manager has a relatively small impact on computing resources such as disk space. Unless you are certain that you want to remove Update Manager, leave an existing installation in place.

If you uninstall the Update Manager server, the Update Manager Web Client is automatically removed from the vSphere Web Client.

Uninstall the Update Manager Server

You can uninstall the Update Manager server component.

Procedure

1 From the Windows Start menu, select  > Control Panel > Add or Remove Programs.

2 Select VMware vSphere Update Manager and click Remove.

The Update Manager server component is uninstalled from your system. All downloaded metadata and binaries, as well as log data remain on the machine where Update Manager was installed.

The Update Manager Web Client is automatically removed from the vSphere Web Client.

VMware, Inc.

Page 40

vSphere Update Manager Installation and Administration Guide

40 VMware, Inc.

Page 41

Upgrading Update Manager that Runs

on Windows 4

You can upgrade to Update Manager 6.5 only from Update Manager versions 5.5 or 6.0 that are installed on a 64-bit Windows operating system.

If you are switching from using a vCenter Server system of version 5.5 or version 6.0 that runs on Windows to a vCenter Server Appliance 6.5, this is a migration process. For detailed information on Update Manager migration process, read Chapter 6, “Migrating Update Manager from Windows to the vCenter Server

Appliance,” on page 47, or see the Migration chapter in vSphere Upgrade documentation.

If you are running Update Manager of a version earlier than 5.5, or Update Manager that runs on a 32-bit platform, you cannot perform a direct upgrade to Update Manager 6.5. You must use the data migration tool that is provided with Update Manager 5.0 installation media to upgrade your Update Manager system to Update Manager 5.0 running on a 64-bit operating system, and then perform an upgrade from version 5.0 or version 5.1 to version 5.5 before upgrading to version 6.5. For detailed information how to use the data migration tool, see the Installing and Administering VMware vSphere Update Manager documentation for Update Manager 5.0.

When you upgrade Update Manager, you cannot change the installation path and patch download location. To change these parameters, you must install a new version of Update Manager rather than upgrade.

Previous versions of Update Manager use a 512-bit key and self-signed certicate and these are not replaced during upgrade. If you require a more secure 2048-bit key, you can either perform a new installation of Update Manager 6.5, or use the Update Manager Utility to replace the existing certicate. For more information about how to use the Update Manager Utility, see the Reconguring VMware vSphere Update Manager documentation.

Scheduled tasks for virtual machine patch scan and remediation are retained during the upgrade. After the upgrade, you can edit and remove scheduled scan tasks that exist from previous releases. You can remove existing scheduled remediation tasks but you cannot edit them.

You must upgrade the Update Manager database during the Update Manager upgrade. You can select whether to keep your existing data in the database or to replace it during the upgrade.

The Java Components (JRE) required by Update Manager are installed or upgraded silently on the system when you install or upgrade Update Manager. You can upgrade the Java Components separately from an Update Manager upgrade procedure to a version of the Java Components that is released asynchronously from the Update Manager releases.

This chapter includes the following topics:

“Upgrade the Update Manager Server,” on page 42

“Upgrade the Update Manager Java Components,” on page 43

VMware, Inc.

Page 42

vSphere Update Manager Installation and Administration Guide

Upgrade the Update Manager Server

To upgrade an instance of Update Manager that is installed on a 64-bit machine, you must rst upgrade vCenter Server to a compatible version.

The Update Manager 6.5 release allows upgrades from Update Manager 5.5 or later.

Prerequisites

Grant the database user the required set of privileges. For more information, see “Preparing the Update

Manager Database,” on page 28.

Stop the Update Manager service and back up the Update Manager database. The installer upgrades

the database schema, making the database irreversibly incompatible with previous Update Manager versions.

If you are upgrading Update Manager instance that uses Oracle database, “Create a 64-Bit DSN,” on

page 29. If you are upgrading Update Manager instance that uses Microsoft SQL database, the creation of 64-bit DSN is managed by the installer.

Procedure

1 Upgrade vCenter Server to a compatible version.

N The vCenter Server installation wizard warns you that Update Manager is not compatible when vCenter Server is upgraded.

If prompted, you must restart the machine that is running vCenter Server. Otherwise, you might not be able to upgrade Update Manager.

2 In the software installer directory, double-click the autorun.exe le and select vSphere Update

Manager > Server.

If you cannot run autorun.exe, browse to the UpdateManager folder and run VMware-UpdateManager.exe.

3 Select a language for the installer and click OK.

4 In the upgrade warning message, click OK.

5 Review the Welcome page and click Next.

6 Read and accept the license agreement, and click Next.

7 Review the support information, select whether to download updates from the default download

sources immediately after installation, and click Next.

If you deselect Download updates from default sources immediately after installation, Update Manager downloads updates once daily according to the default download schedule or immediately after you click Download Now on the Download Seings page. You can modify the default download schedule after the installation is complete.

8 Type the vCenter Server system credentials and click Next.

To keep the Update Manager registration with the original vCenter Server system valid, keep the vCenter Server system IP address and enter the credentials from the original installation.

9 Type the database password for the Update Manager database and click Next.

The database password is required only if the DSN does not use Windows NT authentication.

10 On the Database Upgrade page, select Yes, I want to upgrade my Update Manager database and I

have taken a backup of the existing Update Manager database, and click Next.

42 VMware, Inc.

Page 43

Chapter 4 Upgrading Update Manager that Runs on Windows

11 (Optional) On the Database re-initialization warning page, select to keep your existing remote database

if it is already upgraded to the latest schema.

If you replace your existing database with an empty one, you lose all of your existing data.

12 Specify the Update Manager port seings, select whether you want to congure the proxy seings, and

click Next.

Congure the proxy seings if the computer on which Update Manager is installed has access to the Internet.

13 (Optional) Provide information about the proxy server and port, specify whether the proxy should be

authenticated, and click Next.

14 Click Install to begin the upgrade.

15 Click Finish.

You upgraded the Update Manager server.

Upgrade the Update Manager Java Components

The required Update Manager Java Components (JRE) are installed or upgraded silently when you install or upgrade Update Manager. By using a vCenter Server Java components patch, you can also upgrade Update Manager Java Components separately from Update Manager installer.

By using the separate installer, you can upgrade JRE to a version that is released asynchronously from Update Manager releases. If an earlier version of JRE is present on the system, this procedure upgrades it.

When Update Manager runs on the same system as the vCenter Server, if an earlier version of vCenter Server tc Server is present on that system, this procedure also upgrades the vCenter Server tc Server component.

During the patch process, the Update Manager undergoes a downtime as the vCenter Server Java Components patch restarts the Update Manager service.

Prerequisites

Download the vCenter Server Java Components patch from VMware downloads page at

hps://my.vmware.com/web/vmware/downloads. The name format is VMware-VIMPatch-6.5.0-

build_number-YYYYMMDD.iso.

Stop any running Update Manager operations, such as scanning, staging, or remediation.

Procedure

1 On the system where Update Manager is installed, mount the ISO of the vCenter Server Java

Components patch.

2 In Windows Explorer, double-click the le ISO_mount_directory/autorun.exe.

A vCenter Server Java Components Update opens.

3 Click Patch All.

If the Java components on the Update Manager system are up to date, a status message that conrms that is displayed.

If the Java components on the Update Manager system are not up to date, they are silently upgraded.

When clicking the Patch All buon, if vCenter Server, vCenter Single Sign-On, vCenter Inventory Service, or vSphere Web Client are also installed on the system where Update Manager is installed, the Java components for all thesevCenter Server components are also silently upgraded.

The Java components are upgraded on the Update Manager system.

VMware, Inc. 43

Page 44

vSphere Update Manager Installation and Administration Guide

44 VMware, Inc.

Page 45

Using Update Manager with the

vCenter Server Appliance 5

You can use the Update Manager 6.5 as a service of the vCenter Server Appliance 6.5. The Update Manager server and client components are part of the vCenter Server Appliance.

When you deploy the vCenter Server Appliance, the VMware vSphere Update Manager Extension service starts automatically.

Starting with the vSphere 6.5 release, you cannot connect an Update Manager 6.5 instance that runs on Windows to a vCenter Server Appliance 6.5. Aempts to connect Update Manager during installation on a Windows operating system to a vCenter Server Appliance fail with an error.

The Update Manager extension for the vCenter Server Appliance uses a PostgreSQL database that is bundled with the Appliance. Although the Update Manager and the vCenter Server Appliance share the same PostgreSQL database server, they have separate database instances. If you must reset the Update Manager database, the vCenter Server Appliance database remains intact.

Unlike the Update Manager instance that runs on Windows, with the Update Manager instance that runs in the vCenter Server Appliance you can make certain congurations changes directly from the vSphere Web Client. You can change the values for Download patches on service start, Log Level, SOAP Port, Web Server Port, and Web SSL Port. You can access these seings from System  > Services, under vSphere Web Client Administration. After you change these seings, restart the VMware vSphere Update Manager service for the changes to take eect.

For Update Manager that runs in the vCenter Server Appliance the only conguration you cannot change from the vSphere Web Client is the certicate that Update Manager uses to authenticate to vCenter Server. You can change the certicate by using the Update Manager Utility.

The Update Manager Utility is also bundled with the vCenter Server Appliance. You can access the Update Manager Utility from the Bash Shell of the vCenter Server Appliance.

Start, Stop, or Restart Update Manager Service in the vCenter Server Appliance

If you make conguration changes to Update Manager seings, you might need restart the Update Manager service in the vCenter Server Appliance.

N Starting with vSphere 6.5, all vCenter Server services and some Platform Services Controller services run as child processes of the VMware Service Lifecycle Manager service.

Prerequisites

Verify that the user you use to log in to the vCenter Server instance is a member of the SystemConguration.Administrators group in the vCenter Single Sign-On domain.

VMware, Inc.

Page 46

vSphere Update Manager Installation and Administration Guide

Procedure

1 Log in to the vCenter Server by using the vSphere Web Client.

2 On the vSphere Web Client Home page, click System .

3 Under System Conguration, click Services.

4 From the Services list, select the VMware vSphere Update Manager service.

5 From the Actions menu, select an operation name.

Restart

Start

Stop

46 VMware, Inc.

Page 47

Migrating Update Manager from Windows to the

vCenter Server Appliance 6

For vSphere 6.0 and earlier releases, 64-bit Windows operating systems are the only supported host operating systems for Update Manager. In vSphere 6.5, Update Manager is provided as an optional service in the vCenter Server Appliance 6.5. VMware provides supported paths for migrating Update Manager from a Windows operating system to a vCenter Server Appliance 6.5.

You can migrate Update Manager in the following vCenter Server deployments:

Table 6‑1. Supported Migration Paths for Update Manager That Runs on Windows to a vCenter Server Appliance

Source Configuration Target Configuration

vCenter Server and Update Manager run on the same Windows machine

vCenter Server and Update Manager run on dierent Windows machines

Update Manager run on a Windows machine and is connected to a vCenter Server Appliance

vCenter Server Appliance 6.5 with embedded Update Manager

You can use a GUI method or a CLI method to upgrade or migrate your vCenter Server deployment that uses external Update Manager instance. If you use the GUI method, you need to perform manual steps on the Update Manager Windows system. If you use the CLI method, you need to add conguration parameters about Update Manager in your JSON template.

For detailed information about the GUI method or the CLI upgrade or migration conguration parameters, see the vSphere Upgrade documentation.

I Verify that the Update Manager source machine does not run additional extensions that are connected to other vCenter Server systems, which are not part of your migration.

Before the migration, Update Manager might use any of the supported Microsoft SQL Server, or Oracle, or the Embedded database solution. After the migration to the vCenter Server Appliance, Update Manager starts to use the PostgreSQL Database.

After the migration, you can shut down the Update Manager machine. You might need to keep the Update Manager machine for roll back purposes to the earlier version before the migration.

This chapter includes the following topics:

“Download and Run VMware Migration Assistant on the Source Update Manager Machine,” on

page 48

“Roll Back a Migration of vCenter Server Appliance with Update Manager,” on page 48

VMware, Inc.

Page 48

vSphere Update Manager Installation and Administration Guide

Download and Run VMware Migration Assistant on the Source Update Manager Machine

Before running a migration from vCenter Server that runs on Windows, or upgrading vCenter Server Appliance that use an external Update Manager, you must download and run the VMware Migration Assistant on the source Windows physical server or the Windows virtual machine where Update Manager runs. The VMware Migration Assistant facilitates the migration of the Update Manager server and database to the vCenter Server Appliance 6.5.

Alternatively, if you plan to perform the CLI method for upgrading your vCenter Server Appliance or migrating your vCenter Server that runs on Windows, you can skip this procedure, and add the source.vum

section section and run.migration.assistant subsection to your JSON template. For information about

the CLI upgrade or migration conguration parameters, see the vSphere Upgrade documentation.

C It is important to run the VMware Migration Assistant on the source Update Manager machine before migrating other of the vCenter Server components.

Prerequisites

Download the vCenter Server Appliance Installer. For more information, see the vSphere Installation and

Setup documentation.

Procedure

1 From the vCenter Server Appliance installer package, copy the migration-assistant folder to the

source Update Manager machine.

2 From the migration-assistant directory, double-click VMware-Migration-Assistant.exe, and provide

the vCenter Single Sign-On administrator password.

N Leave the Migration Assistant window open during the migration process. Closing the Migration Assistant causes the migration process to stop.

The VMware Migration Assistant runs pre-upgrade checks and prompts you to resolve any errors it nds before starting the upgrade.

When the pre-checks are nished and any errors are addressed, your source Update Manager system is ready for the migration to the vCenter Server Appliance.

What to do next

Use VMware Migration Assistant to migrate vCenter Server and all its components to vCenter Server Appliance 6.5.

Roll Back a Migration of vCenter Server Appliance with Update Manager

You can roll back a vCenter Server Appliance with Update Manager after a migration.

Rolling back to the vCenter Server version before the upgrade or migration requires to shut down the new appliance and revert to the source appliance or vCenter Server on Windows.

Prerequisites

You must have access to the source vCenter Server Appliance.

48 VMware, Inc.

Page 49

Chapter 6 Migrating Update Manager from Windows to the vCenter Server Appliance

You must have access to the Update Manager source machine on Windows.

Procedure

1 Power o the newly upgraded or migrated vCenter Server Appliance.

2 Power on the vCenter Server Appliance that Update Manager was connected to before the migration.

3 Start the Windows source machine where Update Manager ran before the migration, and rejoin it to the

Active Directory domain.

If the source machine was aached to an Active Directory domain and migration failed before

network migration, you do not need to perform any additional steps.

If the source machine was aached to an Active Directory domain and the migration failed after

network migration, log in with the local administrator after the machine powers up and rejoin the machine to the Active Directory domain.

VMware, Inc. 49

Page 50

vSphere Update Manager Installation and Administration Guide

50 VMware, Inc.

Page 51

Best Practices and Recommendations for

Update Manager Environment 7

You can install Update Manager on the server on which vCenter Server runs or on a dierent server.

The Update Manager server and client plug-ins must be the same version. Update Manager and vCenter Server, and the vSphere Web Client must be of a compatible version. For more information about compatibility, see “Update Manager Compatibility with vCenter Server and vSphere Web Client,” on page 27.

Update Managerr has two deployment models:

Internet-connected model

Air-gap model

Outside of DRS clusters, you might not be able to remediate the host running the Update Manager or vCenter Server virtual machines by using the same vCenter Server instance, because the virtual machines cannot be suspended or shut down during remediation. You can remediate such a host by using separate vCenter Server and Update Manager instances on another host. Inside DRS clusters, if you start a remediation task on the host running the vCenter Server or Update Manager virtual machines, DRS aempts to migrate the virtual machines to another host, so that the remediation succeeds. If DRS cannot migrate the virtual machine running Update Manager or vCenter Server, the remediation fails. Remediation also fails if you have selected the option to power o or suspend the virtual machines before remediation.

The Update Manager server is connected to the VMware patch repository, and third-party patch repositories (for ESXi 5.x and ESXi 6.0 hosts, as well as for virtual appliances). Update Manager works with vCenter Server to scan and remediate the virtual machines, appliances, hosts, and templates.

Update Manager has no connection to the Internet and cannot download patch metadata. In this model, you can use UMDS to download and store patch metadata and patch binaries in a shared repository. To scan and remediate inventory objects, you must congure the Update Manager server to use a shared repository of UMDS data as a patch datastore. For more information about using UMDS, see Chapter 8, “Installing, Seing Up, and

Using Update Manager Download Service,” on page 53.

VMware, Inc.

Page 52

vSphere Update Manager Installation and Administration Guide

Update Manager Deployment Models and Their Usage

You can use the dierent Update Manager deployment models in dierent cases, depending on the size of your system.

You can use one of several common host-deployment models for Update Manager server:

All-in-one model

Medium deployment model

Large deployment model

vCenter Server and Update Manager server are installed on one host and their database instances are on the same host. This model is most reliable when your system is relatively small.

vCenter Server and Update Manager server are installed on one host and their database instances are on two separate hosts. This model is recommended for medium deployments, with more than 300 virtual machines or 30 hosts.

vCenter Server and Update Manager server run on dierent hosts, each with its dedicated database server. This model is recommended for large deployments when the datacenters contain more than 1,000 virtual machines or 100 hosts.

52 VMware, Inc.

Page 53

Installing, Setting Up, and Using

Update Manager Download Service 8

VMware vSphere Update Manager Download Service (UMDS) is an optional module of Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notications that would not otherwise be available to the Update Manager server.

For security reasons and deployment restrictions, vSphere, including Update Manager, might be installed in a secured network that is disconnected from other local networks and the Internet. Update Manager requires access to patch information to function properly. If you are using such an environment, you can install UMDS on a computer that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.

In a deployment where the machine on which Update Manager is installed has no Internet access, but is connected to a server that has Internet access, you can automate the export process and transfer les from UMDS to the Update Manager server by using a Web server on the machine on which UMDS is installed.

UMDS 6.5 supports patch recalls and notications. A patch is recalled if the released patch has problems or potential issues. After you download patch data and notications with UMDS, and export the downloads so that they become available to the Update Manager server, Update Manager deletes the recalled patches and displays the notications on the Update Manager  tab. For more information about patch recalls and notications, see “Conguring and Viewing Notications,” on page 74.

VMware, Inc.

With Update Manager release 6.5, the UMDS is available for installation on Windows and Linux-based operating systems. The machine on which you install UMDS must have Internet access.

For UMDS that runs on Windows, only Administrator or users that are part of the Administrators group can download patches. Administrator access is not a requirement for downloading patches with UMDS that runs on Linux.

This chapter includes the following topics:

“Compatibility Between UMDS and the Update Manager Server,” on page 54

“Installing UMDS on a Windows Operating System,” on page 54

“Installing and Upgrading UMDS on a Linux-Based Operating System,” on page 56

“Seing Up and Using UMDS,” on page 59

Page 54

vSphere Update Manager Installation and Administration Guide

Compatibility Between UMDS and the Update Manager Server

UMDS must be of a version that is compatible with the Update Manager server.

Update Manager can work with a certain UMDS version if the metadata and structure of the patch store that UMDS exports is compatible with Update Manager, and if the data can be imported and used by the Update Manager server.

UMDS 6.5 is compatible and can work only with Update Manager 6.5.

Installing UMDS on a Windows Operating System

You can install and use UMDS to download virtual appliance upgrades, patch binaries, patch metadata, and notications if Update Manager does not have access to the Internet. The machine on which you install UMDS must have Internet access.

N You cannot upgrade UMDS 5.5 or UMDS 6.0 to UMDS 6.5. You can perform a fresh installation of UMDS 6.5 according to all system requirements, and use an existing patch store from UMDS 5.5 or UMDS

6.0. You can install UMDS only on 64-bit machines.

Before installing UMDS, you must create a supported database instance, congure a 64-bit DSN, and test the DSN from ODBC. If you are using the bundled Microsoft SQL Server 2012 Express, you can install and congure the database when you install UMDS.

Installing UMDS 6.5 in an Environment With Update Manager 6.5 Instances Only

In the UMDS 6.5 installation wizard for Windows, you can select the patch store to be an existing download directory from an earlier UMDS 5.5 or UMDS 6.0 installation and reuse the applicable downloaded updates in UMDS 66.5. You must uninstall existing UMDS 5.5 or UMDS 6.0 instances before reusing the patch store. Once you associate an existing download directory with UMDS 6.5, you cannot use it with earlier UMDS versions.

If you install UMDS with an existing download directory, make sure that you perform at least one download by using UMDS 6.5 before you export updates.

Installing UMDS 6.5 in an Environment With Both Update Manager 6.0 and Update Manager 6.5 Instances

You must not install UMDS 6.5 with an existing UMDS 6.0 download directory if your environment contains both Update Manager 6.0 and Update Manager 6.5 instances. In such a case, you need a UMDS 6.0 and a UMDS 6.5 installation on two separate machines, so that you can export updates for the respective Update Manager versions.

Regardless of the version, you must not install the UMDS on the same machine as the Update Manager server.

Install UMDS on a Windows Operating System

Install UMDS if the machine on which Update Manager is installed does not have access to the Internet.

Prerequisites

Verify that the machine on which you install UMDS has Internet access, so that UMDS can download

upgrades, patch metadata, and patch binaries.

Uninstall any 6.0 or earlier instance of UMDS if it is installed on the machine. If such a version of UMDS

is already installed, the installation wizard displays an error message and the installation cannot proceed.

54 VMware, Inc.

Page 55

Chapter 8 Installing, Setting Up, and Using Update Manager Download Service

Before you install UMDS, create a database instance and congure it. If you install UMDS on a 64-bit

machine, you must congure a 64-bit DSN and test it from ODBC. The database privileges and preparation steps are the same as the ones used for Update Manager. For more information, see

“Preparing the Update Manager Database,” on page 28.

If you plan to use the bundled Microsoft SQL Server 2012 Express database, make sure that you install

Microsoft Windows Installer version 4.5 (MSI 4.5) on your system.

UMDS and Update Manager must be installed on dierent machines.

To ensure optimal performance, install UMDS on a system with requirements same as the ones for the

Update Manager server listed in “System Requirements,” on page 26.

Procedure

1 In the software installer directory, double-click the autorun.exe le and select vSphere Update

Manager > Download Service.

If you cannot run autorun.exe, browse to the umds folder and run VMware-UMDS.exe.

2 (Optional) Select the option to Use Microsoft SQL Server 2012 Express as the embedded database, and

click Install.

N Skip this step only if you plan to use another supported Oracle or SQL Server database.

If the Microsoft SQL Server 2012 Express is not present on your system from previous Update Manager installations, the installation wizard for the Microsoft SQL Server 2012 Express opens.

3 Click Install.

4 Select the language for the installation and click OK.

5 (Optional) If the wizard prompts you, install the required items such as Windows Installer 4.5.

This step is required only if Windows Installer 4.5 is not present on your machine and you must perform it the rst time you install a vSphere 5.x product. After the system restarts, the installer starts again.

6 Review the Welcome page and click Next.

7 Read and accept the license agreement, and click Next.

8 Accept the terms in the license agreement and click Next.

9 (Optional) Select the database, and click Next.

If you selected to use the embedded Microsoft SQL Server 2012 Express database, the installation wizard skips this page.

a Use an existing supported database, by selecting your database from the list of DSNs. If the DSN

does not use Windows NT authentication, enter the user name and password for the DSN and click

Next.

I The DSN must be a 64-bit DSN.

10 Enter the Update Manager Download Service proxy seings and click Next.

11 Select the Update Manager Download Service installation and patch download directories and click

Next.

If you do not want to use the default locations, you can click Change to browse to a dierent directory. You can select the patch store to be an existing download directory from a previous UMDS 5.5 or UMDS 6.0 installation and reuse the applicable downloaded updates in UMDS 6.5. After you associate an existing download directory with UMDS 6.5, you cannot use it with earlier UMDS versions.

VMware, Inc. 55

Page 56

vSphere Update Manager Installation and Administration Guide

12 (Optional) In the warning message about the disk free space, click OK.

13 Click Install to begin the installation.

14 Click OK in the Warning message notifying you that .NET Framework 4.0 is not installed.

The UMDS installer installs the prerequisite before the actual product installation.

15 Click Finish.

UMDS is installed.

Installing and Upgrading UMDS on a Linux-Based Operating System

In vSphere 6.5 release, the UMDS 6.5 is bundled with the vCenter Server Appliance 6.5. You can use the UMDS bundle from the vCenter Server Appliance to install UMDS 6.5 on a separate Linux-based system.

UMDS is a 64-bit application and requires a 64-bit Linux-based system.

You cannot upgrade UMDS that runs on a Linux-based operating system. You can uninstall the current version of UMDS, perform a fresh installation of UMDS according to all system requirements, and use the existing patch store from the UMDS that you uninstalled.

A UMDS that you install on a Linux-based operating system requires PostgreSQL database.

Supported Linux-Based Operating Systems and Databases for Installing UMDS

The Update Manager Download Service (UMDS) can run on a limited number of Linux-based operating systems in combination with a particular database format.

The supported combinations of a Linux-based operating system and a database that can run UMDS are as follows:

Ubuntu 14.0.4 with PostgreSQL database 9.3.11.

Red Hat Enterprise Linux 7.0 with PostgreSQL database 9.2.

Configure PostgreSQL Database for UMDS on Linux

Install and congure a PostgreSQL database instance on the Linux-based machine where you plan to install Update Manager Download Service (UMDS).

Prerequisites

Verify PostgreSQL database instance of a supported version is installed on the system, and that the

Linux system is also of a supported type. See “Supported Linux-Based Operating Systems and

Databases for Installing UMDS,” on page 56

Verify you have PostgreSQL database user credentials.

Verify that the UMDS installation directory is dierent from the patch store directory.

Procedure

1 In the Linux machine, open the Command Shell.

2 Log in as a PostgreSQL user, and create a database instance and a database user, by running the

following commands:

su - postgres

createdb <database_name>

createuser -d -e -r <database_username> -P

Pwd: <database_password>

56 VMware, Inc.

Page 57

Chapter 8 Installing, Setting Up, and Using Update Manager Download Service

3 Navigate to the folder that contains the PostgreSQL conguration le pg_hba.conf.

Linux system Default Location

Ubuntu 14.0.4

Red Hat Enterprise Linux 7.0

/etc/postgresql/<postgres_version>/main/pg_hba.conf

/var/lib/pgsql/<postgres_version>/data/pg_hba.conf

4 In the PostgreSQL conguration le, enable password authentication for the database user by inserting

the following line right above local all all peer.

#TYPE DATABASE USER ADDRESS METHOD

local <database_name> <database_username> md5

5 Log out as a PostgreSQL user, by running the following command:

logout

6 Create a conguration le /etc/odbcinst.ini.

7 Depending on the Linux system, navigate to the ODBC driver les psqlodbcw.so or libodbcpsqlS.so.

Linux system Default Location

Ubuntu 14.0.4

Red Hat Enterprise Linux 7.0

/usr/lib/x86_64-linux-gnu/odbc/psqlodbcw.so

/usr/lib64/libodbcpsqlS.so

8 Add driver paths les to /etc/odbcinst.ini.

Linux system Command

Ubuntu 14.0.4

Red Hat Linux 7.0

[PostgreSQL] Description=PostgreSQL ODBC driver (Unicode version) Driver=/usr/lib/x86_64-linux-gnu/odbc/psqlodbcw.so Debug=0 CommLog=1 UsageCount=1

[PostgreSQL] Description=PostgreSQL ODBC driver (Unicode version) Driver64=<path>/psqlodbcw.so Setup64=<path>/libodbcpsqlS.so Debug=0 CommLog=1 UsageCount=1

9 Create a system le /etc/odbc.ini.

10 Add the following content to /etc/odbc.ini.

[UMDS_DSN]

;DB_TYPE = PostgreSQL

;SERVER_NAME = localhost

;SERVER_PORT = 5432

;TNS_SERVICE = <database_name>

;USER_ID = <database_username>

Driver = PostgreSQL

DSN = UMDS_DSN

ServerName = localhost

PortNumber = 5432

Server = localhost

VMware, Inc. 57

Page 58

vSphere Update Manager Installation and Administration Guide

Port = 5432

UserID = <database_username>

User = <database_username>

Database = <database_name>

11 Create a symbolic link between the UMDS and the PostgreSQL, by running the following command:

ln -s /var/run/postgresql/.s.PGSQL.5432 /tmp/.s.PGSQL.5432

What to do next

When installing UMDS on a Linux-based system, use the PostgreSQL database instance that you congured here.

Install UMDS on a Linux OS

If the vCenter Server Appliance 6.5 in which Update Manager runs does not have access to the Internet, you can install UMDS on a Linux-based operating system to download patch binaries and metadata.

Prerequisites

Verify you have administrative privileges on the Linux machine where you install the UMDS.

Install and congure a PostgreSQL database on the Linux machine.

Mount the ISO le of the vCenter Server Appliance 6.5 to the Linux machine.

Procedure

1 In the Linux machine, open the Command Shell.

2 From the vCenter Server Appliance ISO that you mounted to the Linux machine, copy the VMware-

UMDS-6.5.0.-build_number.tar.gz le to the Linux machine.

3 Unarchive the VMware-UMDS-6.5.0.-build_number.tar.gz le, and navigate to the newly extracted

directory /vmware-umds-distrib.

For example, if you unarchived the VMware-UMDS-6.5.0.-build_number.tar.gz le, to a directory you created with the name umds, your navigation path is /umds/vmware-umds-distrib.

4 Run the le UMDS installation script.

The script has the following lename: vmware-install.pl.

5 Read and accept the EULA.

6 Select a directory where to install the UMDS.

7 Enter the UMDS proxy seings.

You can also change proxy conguration after you install UMDS by using the following command:

vmware-umds -S --proxy <proxyAddress:port>

8 Select a directory where to store the patches.

I The patch store directory must be dierent from the UMDS installation directory.

9 Select the database.

a Provide the database DSN.

b Provide the database user name.

c Provide the database password.

The database is overridden with tables required by the Update Manager Download Service.

58 VMware, Inc.

Page 59

Chapter 8 Installing, Setting Up, and Using Update Manager Download Service

UMDS is installed.

Uninstall UMDS from a Linux OS

To use the latest version of the Update Manager Download Service (UMDS) on your Linux-based system, rst you must uninstall the current version of UMDS. No direct upgrade path is available to a later version of UMDS, which runs on a Linux-based system.

Prerequisites

Verify you have administrative privileges on the Linux machine where UMDS runs.

Procedure

1 In the Linux machine, open the Command Shell.

2 Navigate to the UMDS installation directory, and locate the le vmware-uninstall-umds.pl.

3 Run the following command:

./vmware-uninstall-umds.pl

4 To conrm that you want to uninstall UMDS from the system, enter Yes.

The UMDS uninstallation procedure starts.

UMDS is uninstalled from the Linux system.

What to do next

You can upgrade your Linux OS, and install a later compatible version of UMDS.

Setting Up and Using UMDS

You can set up UMDS to download upgrades for virtual appliances, or patches and notications for ESXi hosts. You can also set up UMDS to download ESXi 5.5, ESXi 6.0, and ESXi 6.5 patch binaries, patch metadata, and notications from third-party portals.

After you download the upgrades, patch binaries, patch metadata, and notications, you can export the data to a Web server or a portable media drive and set up Update Manager to use a folder on the Web server or the media drive (mounted as a local disk) as a shared repository.

You can also set up UMDS to download ESXi 5.5, ESXi 6.0, and ESXi 6.5 patches and notications from third-party portals.

To use UMDS, the machine on which you install it must have Internet access. After you download the data you want, you can copy it to a local Web server or a portable storage device, such as a CD or USB ash drive.

The best practice is to create a script to download the patches manually and set it up as a Windows Scheduled Task that downloads the upgrades and patches automatically.

Set Up the Data to Download with UMDS

By default UMDS downloads patch binaries, patch metadata, and notications for hosts. You can specify which patch binaries and patch metadata to download with UMDS.

Procedure

1 Log in to the machine where UMDS is installed, and open a Command Prompt window.

VMware, Inc. 59

Page 60

vSphere Update Manager Installation and Administration Guide

2 Navigate to the directory where UMDS is installed.

The default location in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update

Manager.

The default location in 64-bit Linux is /usr/local/vmware-umds.

3 Specify the updates to download.

To set up a download of all ESXi host updates and all virtual appliance upgrades, run the following

command:

vmware-umds -S --enable-host --enable-va

To set up a download of all ESXi host updates and disable the download of virtual appliance

upgrades, run the following command:

vmware-umds -S --enable-host --disable-va

To set up a download of all virtual appliance upgrades and disable the download of host updates,

run the following command:

vmware-umds -S --disable-host --enable-va

What to do next

Download the selected data.

Change the UMDS Patch Repository Location

UMDS downloads upgrades, patch binaries, patch metadata, and notications to a folder that you can specify during the UMDS installation.

The default folder to which UMDS downloads patch binaries and patch metadata on a Windows machine is

C:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Data.

The default folder to which UMDS downloads patch binaries and patch metadata on a Linux machine is /var/lib/vmware-umds .

You can change the folder in which UMDS downloads data after you install UMDS.

If you have already downloaded any virtual appliances upgrades, or host updates, make sure that you copy all the les and folders from the old location to the new patch store location. The folder in which UMDS downloads patch binaries and patch metadata must be located on the machine on which UMDS is installed.

Procedure

1 Log in as an administrator to the machine where UMDS is installed, and open a Command Prompt

window.

2 Navigate to the directory where UMDS is installed.

The default location in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update

Manager.

The default location in 64-bit Linux is /usr/local/vmware-umds.

3 Change the patch repository directory by running the command:

vmware-umds -S --patch-store your_new_patchstore_folder

In this example, your_new_patchstore_folder is the path to the new folder in which you want to download the patch binaries and patch metadata.

You successfully changed the directory in which UMDS stores patch data.

60 VMware, Inc.

Page 61

Chapter 8 Installing, Setting Up, and Using Update Manager Download Service

What to do next

Download data using UMDS.

Configure URL Addresses for Hosts

You can congure UMDS to connect to the websites of third-party vendors to download ESXi 5.5, ESXi 6.0, and ESXi 6.5 host patches and notications.

Procedure

1 Log in to the machine where UMDS runs, and open a Command Prompt window.

2 Navigate to the directory where UMDS is installed.

The default location in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update

Manager.

The default location in 64-bit Linux is /usr/local/vmware-umds.

3 Congure UMDS to download data from the new URL address.

To add a new URL address for downloading patches and notications for ESXi 5.5, ESXi 6.0, or

ESXi 6.5 hosts, run the following command:

vmware-umds -S --add-url https://host_URL/index.xml --url-type HOST

4 (Optional) Remove a URL address, so that UMDS does not download data from it anymore.

Downloaded data is retained and can be exported.

If you are using UMDS on a Windows machine, use the following command:

vmware-umds.exe -S --remove-url https://URL_to_remove/index.xml

If you are using UMDS on a Linux machine, use the following command:

vmware-umds -S --remove-url https://URL_to_remove/index.xml

You congured UMDS to download host patches and notications from specic URL addresses.

What to do next

Download the patches and notications by using UMDS.

Download the Specified Data Using UMDS

After you set up UMDS, you can download upgrades, patches and notications to the machine on which UMDS is installed.

Prerequisites

If you are using UMDS on Windows, log in as an Administrator, or a user that belongs to the

Administrators group. Administrator level access is not a requirement for downloading data with UMDS that runs on Linux.

Procedure

1 Log in to the machine where UMDS is installed, and open a Command Prompt window.

2 Navigate to the directory where UMDS is installed.

The default location in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update

Manager.

VMware, Inc. 61

Page 62

vSphere Update Manager Installation and Administration Guide

The default location in 64-bit Linux is /usr/local/vmware-umds.

3 Download the selected updates.

vmware-umds -D

This command downloads all the upgrades, patches and notications from the congured sources for the rst time. Subsequently, it downloads all new patches and notications released after the previous UMDS download.

4 (Optional) If you have already downloaded upgrades, patches, and notications and want to download

them again, you can include the start and end times to restrict the data to download.

The command to re-download patches and notications deletes the existing data from the patch store (if present) and re-downloads it.

To re-download the upgrades, patches and notications that were downloaded in November 2010, for example, run the following command:

vmware-umds -R --start-time 2010-11-01T00:00:00 --end-time 2010-11-30T23:59:59

The data previously downloaded for the specied period is deleted and downloaded again.

What to do next

Export the downloaded upgrades, patches, and notications.

Export the Downloaded Data

You can export downloaded upgrades, patches, and notications to a specic location that serves as a shared repository for Update Manager. You can congure Update Manager to use the shared repository as a patch download source. The shared repository can also be hosted on a Web server.

Prerequisites

If you are using UMDS on Windows, log in as an Administrator, or a user that belongs to the

Administrators group. Administrator level access is not a requirement for exporting the downloaded data with UMDS that runs on Linux.

If you installed UMDS with an existing download directory, make sure that you perform at least one

download by using UMDS 6.5 before you export updates.

Procedure

1 Log in to the machine where UMDS is installed and open a Command Prompt window.

2 Navigate to the directory where UMDS is installed.

The default location in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update

Manager.

The default location in 64-bit Linux is /usr/local/vmware-umds.

3 Specify the export parameters and export the data.

vmware-umds -E --export-store repository_path

In the command, you must specify the full path of the export directory.

If you are working in a deployment in which the Update Manager server is installed on a machine connected to the machine on which UMDS is installed, repository_path can be the path to the folder on the Web server that serves as a shared repository.

If the Update Manager server is installed on a machine in an isolated and secure environment, repository_path can be the path to a portable media drive. Export the downloads to the portable media drive to physically transfer the patches to the machine on which Update Manager is installed.

62 VMware, Inc.

Page 63

Chapter 8 Installing, Setting Up, and Using Update Manager Download Service

The data you downloaded by using UMDS is exported to the path you specify. Make sure that all les are exported. You can periodically perform export from UMDS and populate the shared repository so that Update Manager can use the new patch binaries and patch metadata.

4 (Optional) You can export the ESXi patches that you downloaded during a specied time window.

For example, to export the patches downloaded in November 2010, run the following command:

vmware-umds -E --export-store repository-path --start-time 2010-11-01T00:00:00 --end-time

2010-11-30T23:59:59

What to do next

Congure Update Manager to use a shared repository as a patch download source. For more information, see “Use a Shared Repository as a Download Source,” on page 71.

VMware, Inc. 63

Page 64

vSphere Update Manager Installation and Administration Guide

64 VMware, Inc.

Page 65

Configuring Update Manager 9

Update Manager runs with the default conguration properties if you have not modied them during the installation. You can modify the Update Manager seings later from the Update Manager Administration view.

You can congure and modify the Update Manager seings only if you have the privileges to congure the Update Manager seings and service. These permissions must be assigned on the vCenter Server system with which Update Manager is registered. For more information about managing users, groups, roles and permissions, see vSphere Security documentation. For a list of Update Manager privileges and their descriptions, see “Update Manager Privileges,” on page 84.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you have installed and registered more than one Update Manager instance, you can congure the seings for each Update Manager instance. Conguration properties you modify are applied only to the Update Manager instance you specify and are not propagated to the other instances in the group. You can specify an Update Manager instance by selecting the name of the vCenter Server system with which the Update Manager instance is registered from the navigation bar.

This chapter includes the following topics:

“Update Manager Network Connectivity Seings,” on page 66

“Change the Update Manager Network Seings,” on page 67

VMware, Inc.

“Conguring the Update Manager Download Sources,” on page 68

“Congure the Update Manager Proxy Seings,” on page 73

“Congure Checking for Updates,” on page 73

“Conguring and Viewing Notications,” on page 74

“Conguring Host and Cluster Seings,” on page 77

“Take Snapshots Before Remediation,” on page 81

“Congure Smart Rebooting,” on page 82

“Congure the Update Manager Patch Repository Location,” on page 82

“Restart the Update Manager Service,” on page 83

“Run the VMware vSphere Update Manager Update Download Task,” on page 83

“Update Manager Privileges,” on page 84

Page 66

vSphere Update Manager Installation and Administration Guide

Update Manager Network Connectivity Settings

The port, IP, and DNS seings are congured during the installation of Update Manager and do not depend on your deployment model.

Default Network Ports

The network port seings are congured during installation but you can change them later to avoid conicts with other programs installed on the same machine.

Table 9‑1. Update Manager Default Network Ports

TCP Port Number Description

80 The port used by Update Manager to connect to vCenter Server.

9084 The port used by ESXi hosts to access host patch downloads over

HTTP.

902 The port used by Update Manager to push host upgrade les.

8084 The port used by Update Manager Client plug-in to connect to the

Update Manager SOAP server.

9087 The HTTPS port used by Update Manager Client plug-in to

upload host upgrade les.

IP Address and DNS Name

The Update Manager network seings include the IP address or DNS name that the update utility on hosts uses to retrieve the patch metadata and binaries from the Update Manager server (through HTTP). The IP address is congured during installation, but you can change it later from the IP address or host name for

the patch store drop-down menu on the Network Connectivity page of the  tab.

I To avoid any potential DNS resolution problems, use an IP address whenever possible. If you

must use a DNS name instead of an IP address, ensure that the DNS name you specify can be resolved from all hosts managed by Update Manager as well as by vCenter Server.

Update Manager supports Internet Protocol version 6 (IPv6) environments for scanning and remediating hosts running ESXi 5.0 and later. Update Manager does not support IPv6 for scanning and remediation of virtual machines and virtual appliances.

vCenter Server, Update Manager, and your ESXi hosts might exist in a heterogeneous IPv6 and IPv4 network environment. In such an environment, if you use IP addresses, and no dual stack IPv4 or IPv6 DNS servers exist, the ESXi hosts congured to use only IPv4 address cannot access the IPv6 network resources. The hosts congured to use only IPv6 cannot access the IPv4 network resources either.

You can install Update Manager on a machine on which both IPv4 and IPv6 are enabled. During host operations such as scanning, staging, and remediation, Update Manager provides the address of its patch store location to the ESXi hosts. If Update Manager is congured to use an IP address, it provides an IP address of either IPv4 or IPv6 type, and can be accessed only by some of the hosts. For example, if Update Manager provides an IPv4 address, the hosts that use only an IPv6 address cannot access the Update Manager patch store. In such a case, consider the following conguration.

66 VMware, Inc.

Page 67

Table 9‑2. Update Manager Configuration

Host IP Version Action

IPv4 Congure Update Manager to use either an IPv4 address

or a host name. Using a host name lets all hosts rely on the DNS server to resolve to an IPv4 address.

IPv6 Congure Update Manager to use either an IPv6 address

or a host name. Using a host name lets hosts rely on the DNS server to resolve to an IPv6 address.

IPv4 and IPv6 Congure Update Manager to use either IPv4 or IPv6.

Change the Update Manager Network Settings

The network ports are congured during installation. In the Network Seings for Update Manager, you can only edit the seing to use IP address or host name for the patch store in the Update Manager network connectivity seings.

Prerequisites

If any remediation or scan tasks are running, cancel them or wait until they complete.

To obtain metadata for the patches, Update Manager must have access to hps://www.vmware.com,

and requires outbound ports 80 and 443.

Chapter 9 Configuring Update Manager

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select Network Connectivity.

5 See information about the network connectivity seings for Update Manager.

Option Description

SOAP port Update Manager client uses this port to communicate

with the Update Manager server.

Server port (range: 80, 9000–9100) Listening port for the Web server that provides access to

the patch depot for ESXi hosts.

IP address or host name for the patch store The IP address or name of the host where patches are

downloaded and stored.

You can only edit the IP address or host name for the patch store. The ports are dened during installation.

6 Click Edit, and select an IP address or host name for the patch store.

I Use an IP address whenever possible to avoid any potential DNS resolution problems. If you must use a DNS name instead of an IP address, ensure that the DNS name you specify can be resolved from vCenter Server, and all hosts and virtual appliances managed by Update Manager.

7 Click OK.

VMware, Inc. 67

Page 68

vSphere Update Manager Installation and Administration Guide

What to do next

Restart the Update Manager service for network changes to take eect.

Configuring the Update Manager Download Sources

You can congure the Update Manager server to download patches and extensions for ESXi hosts or upgrades for virtual appliances either from the Internet or from a shared repository of UMDS data. You can also import patches and extensions for ESXi hosts manually from a ZIP le.

Downloading host patches from the VMware Web site is a secure process.

Patches are cryptographically signed with the VMware private keys. Before you try to install a patch on

a host, the host veries the signature. This signature enforces the end-to-end protection of the patch itself, and can also address any concerns about patch download.

Update Manager downloads patch metadata and patch binaries over SSL connections. Update Manager

downloads patch metadata and patch binaries only after verication of both the validity of the SSL certicates and the common name in the certicates. The common name in the certicates must match

the names of the servers from which Update Manager downloads patches.

If your deployment system is not connected to the Internet, you can use a shared repository after downloading the upgrades, patches, and extensions by using Update Manager Download Service (UMDS).

For more information about UMDS, see Chapter 8, “Installing, Seing Up, and Using Update Manager

Download Service,” on page 53.

Changing the download source from a shared repository to Internet, and the reverse, is a change in the Update Manager conguration. Both options are mutually exclusive. You cannot download updates from the Internet and a shared repository at the same time. To download new data, you must run the VMware vSphere Update Manager Download task. You can start the task by clicking the Download Now buon at the boom of the Download Sources pane.

If the VMware vSphere Update Manager Update Download task is running when you apply the new conguration seings, the task continues to use the old seings until it completes. The next time the task to download updates starts, it uses the new seings.

Oine bundles contain one metadata.zip le, one or more VIB les, and optionally two .xml les, index.xml and vendor-index.xml. When you import an oine bundle to the Update Manager patch repository, Update Manager extracts it and checks whether the metadata.zip le has already been imported. If the

metadata.zip le has never been imported, Update Manager performs sanity testing, and imports the les

successfully. After you conrm the import, Update Manager saves the les into the Update Manager database and copies the metadata.zip le, the VIBs, and the .xml les, if available, into the Update Manager patch repository.

68 VMware, Inc.

Page 69

Chapter 9 Configuring Update Manager

Congure Update Manager to Use the Internet as a Download Source on page 69

If your deployment system is connected to the Internet, you can directly download ESXi patches and extensions, and virtual appliance upgrades.

Add a New Download Source on page 70

If you use the Internet as a download source for updates, you can add a third-party URL address to download virtual appliance upgrades, and patches and extensions for hosts that are running ESXi 5.5 and later.

Use a Shared Repository as a Download Source on page 71

You can congure Update Manager to use a shared repository as a source for downloading virtual appliance upgrades, as well as ESXi patches, extensions, and notications.

Import Patches Manually on page 72

Instead of using a shared repository or the Internet as a download source for patches and extensions, you can import patches and extensions manually by using an oine bundle.

Configure Update Manager to Use the Internet as a Download Source

If your deployment system is connected to the Internet, you can directly download ESXi patches and extensions, and virtual appliance upgrades.

Prerequisites

Required privileges: VMware vSphere Update Manager.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select Download Setings.

5 In the Download Sources pane, click Edit.

An Edit Download Sources dialog box opens.

6 Select the option Use direct connection to Internet.

7 Select a download source from the list, and click Enable or Disable depending on whether you want to

download updates from that source.

You can choose to download virtual appliance upgrades and host patches and extensions. You cannot edit the download source location of the default ESXi patches and extensions. You can only enable or disable downloading.

8 (Optional) Add an extra third-party download source for virtual appliances or hosts that are running

ESXi 5.5 and later.

9 Click OK to close the Edit Download Sources dialog box.

10 In the Download Sources pane, click Download Now to run the Download patch denitions task.

All notications and updates are downloaded immediately even if the Enable scheduled download check box is selected in  >  Check Schedule or  > Download Schedule, respectively.

VMware, Inc. 69

Page 70

vSphere Update Manager Installation and Administration Guide

Add a New Download Source

Prerequisites

Required privileges: VMware vSphere Update Manager.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select Download Setings.

5 In the Download Sources pane, click Edit.

An Edit Download Sources dialog box opens.

6 Select the option Use direct connection to Internet.

7 Click Add.

An Add Download Source dialog box opens.

8 Enter a URL to a new download source.

Update Manager supports both HTTP and HTTPS URL addresses. Use HTTPS URL addresses, so that the data is downloaded securely. The URL addresses that you add must be complete and contain the

index.xml le, which lists the vendor and the vendor index.

N The proxy seings for Update Manager are applicable to third-party URL addresses too. You can congure the proxy seings from the Proxy Seings pane.

9 Type a short description for the URL, and click OK.

The vSphere Web Client performs validation of the URL.

10 Click OK to close the Edit Download Sources dialog box.

11 In the Download Sources pane, click Download Now to run the Download patch denitions task.

The location is added to the list of Internet download sources.

70 VMware, Inc.

Page 71

Chapter 9 Configuring Update Manager

Use a Shared Repository as a Download Source

You can congure Update Manager to use a shared repository as a source for downloading virtual appliance upgrades, as well as ESXi patches, extensions, and notications.

Prerequisites

Create a shared repository using UMDS, and host it on a Web server or a local disk. The UMDS version

you use must be of a version compatible with your Update Manager installation. For more information about the compatibility, see “Compatibility Between UMDS and the Update Manager Server,” on page 54. You can nd the detailed procedure about exporting the upgrades, patch binaries, patch metadata, and notications in “Export the Downloaded Data,” on page 62.

Required privileges: VMware vSphere Update Manager..

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select Download Setings.

5 In the Download Sources pane, click Edit.

An Edit Download Sources dialog box opens.

6 Select the option Use a shared repository.

7 Enter the path or the URL to the shared repository.

For example, C:\repository_path\, https://repository_path/, or http://repository_path/

In these examples, repository_path is the path to the folder to which you have exported the downloaded upgrades, patches, extensions, and notications. In an environment where the Update Manager server does not have direct access to the Internet, but is connected to a machine that has Internet access, the folder can be on a Web server.

You can specify an HTTP or HTTPS address, or a location on the disk on which Update Manager is installed. HTTPS addresses are supported without any authentication.

I You cannot use folders located on a network drive as a shared repository. Update Manager does not download updates from folders on a network share either in the Microsoft Windows Uniform Naming Convention form (such as \\Computer_Name_or_Computer_IP\Shared), or on a mapped network drive (for example, Z:\).

8 Click OK to close the Edit Download Sources dialog.

The vSphere Web Client performs validation of the URL.

I If the updates in the folder you specify are downloaded with a UMDS version that is not compatible with the Update Manager version you use, the validation fails and you receive an error message.

You must make sure that the validation is successful. If the validation fails, Update Manager reports a reason for the failure. You can use the path to the shared repository only when the validation is successful.

VMware, Inc. 71

Page 72

vSphere Update Manager Installation and Administration Guide

9 In the Download Sources pane, click Download Now to run the Download patch denitions task.

The shared repository is used as a source for downloading upgrades, patches, and notications.

Example: Using a Folder or a Server as a Shared Repository

You can use a folder or a Web server as a shared repository.

When you use a folder as a shared repository, repository_path is the top-level directory where patches

and notications exported from UMDS are stored.

For example, export the patches and notications using UMDS to F:\ drive, which is a drive mapped to a plugged-in USB device on the machine on which UMDS is installed. Then, plug in the USB device to the machine on which Update Manager is installed. On this machine the device is mapped as E:\. The folder to congure as a shared repository in the Update Manager is E:\.

When you use a Web server as a shared repository, repository_path is the top-level directory on the Web

server where the patches exported from UMDS are stored.

For example, export the patches and notications from UMDS to C:\docroot\exportdata. If the folder is congured on a Web server and is accessible from other machines at the URL

https://umds_host_name/exportdata, the URL to congure as a shared repository in Update Manager is https://umds_host_name/exportdata.

Import Patches Manually

Instead of using a shared repository or the Internet as a download source for patches and extensions, you can import patches and extensions manually by using an oine bundle.

You can import oine bundles only for hosts that are running ESXi 5.5 or later.

Prerequisites

The patches and extensions you import must be in ZIP format.

Required privileges: VMware vSphere Update Manager.Upload File.Upload File.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select Download Setings.

5 In the Download Sources pane, click Import Patches.

The Import Patches wizard opens.

6 On the Import Patches page, browse and select the .zip le containing the patches you want to import.

7 Click Upload  and wait until the le upload completes successfully.

In case of upload failure, check whether the structure of the .zip le is correct, or whether the Update Manager network seings are set up correctly.

8 On the Ready to complete page, review the patches that you have selected to import into the repository.

72 VMware, Inc.

Page 73

9 Click Finish.

You imported the patches into the Update Manager patch repository. You can view the imported patches on the Update Manager Patch Repository tab.

Configure the Update Manager Proxy Settings

You can congure Update Manager to download updates from the Internet using a proxy server.

Prerequisites

Required privileges: VMware vSphere Update Manager.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select Download Setings.

Chapter 9 Configuring Update Manager

5 In the Proxy Seings pane, click Edit.

6 Select Use proxy, and change the proxy information.

7 If the proxy requires authentication, select Proxy requires authentication, and provide a user name and

password.

8 (Optional) Click Test Connection to test that you can connect to the Internet through the proxy.

9 Click OK.

You congured Update Manager to use an Internet proxy to download upgrades, patches, extensions, and related metadata.

Configure Checking for Updates

Update Manager checks for virtual appliance upgrades, host patches, and extensions at regular intervals. Generally, the default schedule seings are sucient, but you can change the schedule if your environment requires more or less frequent checks.

In some cases you might want to decrease the duration between checks for updates. If you are not concerned about the latest updates and want to reduce network trac, or if you cannot access the update servers, you can increase the duration between checks for updates.

By default the task to download update metadata and binaries is enabled and is called VMware vSphere Update Manager Update Download task. By modifying this task, you can congure checking for updates.You can modify the VMware vSphere Update Manager Check Notication task in one of the following ways:

The  tab of the Update Manager Administration view.

In the vSphere Web Client, navigate to Monitor tab, select the Tasks & Events tab, and select

Scheduled Tasks.

Prerequisites

Required privileges: VMware vSphere Update Manager.

To download update data, the machine on which Update Manager is installed must have Internet access.

VMware, Inc. 73

Page 74

vSphere Update Manager Installation and Administration Guide

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select Download Schedule.

5 Click Edit.

The Edit Download Schedule wizard opens.

6 Select Enable scheduled task check box, and click Next.

If you deselect the check box, the scheduled task that checks for notications is disabled. However, you can still force a check and download notications by clicking the Download Now buon in Download  pane.

7 Specify a task name and, optionally, a description, or keep the defaults.

8 Click Change to specify the time when notication checks run, and click OK.

The Congure Scheduler dialog box opens.

Option Description

Run this action now

Schedule this option to run later

Setup a recurring schedule for this action

Runs the notication check immediately.

Runs the notication check at the time that you schedule for the task.

Runs the notication check recurrently at the frequency, interval, and start time that you schedule for the task.

9 (Optional) Specify one or more email addresses where notications about patch recalls or email alerts

are sent, and click Next.

You must congure mail seings for the vSphere Web Client system to enable this option. For more information, see vCenter Server and Host Management.

10 Review the Ready to Complete page, and click Finish.

The task runs according to the time you specied.

Configuring and Viewing Notifications

At regular time intervals, Update Manager contacts VMware to download information (notications) about patch recalls, new xes, and alerts.

In case patches with issues or potential issues are released, the patch metadata is updated, and Update Manager marks the patches as recalled. If you try to install a recalled patch, Update Manager noties you that the patch is recalled and does not install it on the host. Update Manager noties you if a recalled patch is already installed on certain hosts. Update Manager also deletes all the recalled patches from the patch repository.

When a patch xing the problem is released, Update Manager downloads the new patch and prompts you to install it to x the issues that the recalled patch might cause. If you have already installed a recalled patch, Update Manager alerts you that the patch is recalled and that there is a x you must install.

74 VMware, Inc.

Page 75

Chapter 9 Configuring Update Manager

Update Manager supports patch recalls for oine bundles that you have imported. Patches from an imported oine bundle are recalled when you import a new oine bundle. The metadata.zip le contains information about the patches that must be recalled. Update Manager removes the recalled patches from the patch repository, and after you import a bundle containing xes, Update Manager noties you about the xes and sends email notications if you have enabled them.

If you use a shared repository as a source for downloading patches and notications, Update Manager downloads recall notications from the shared repository to the Update Manager patch repository, but does not send recall email alerts. For more information about using a shared repository, see “Use a Shared

Repository as a Download Source,” on page 71.

N After a download of patch recall notications, Update Manager ags recalled patches but their compliance state does not refresh automatically. You must perform a scan to view the updated compliance state of patches aected by the recall.

Configure Notifications Checks

By default Update Manager checks for notications about patch recalls, patch xes, and alerts at certain time intervals. You can modify this schedule.

Prerequisites

Required privileges: VMware vSphere Update Manager.

To congure notication checks, make sure that the machine on which Update Manager is installed has Internet access.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select  Check Schedule.

5 Click Edit.

The Edit Notications Check Schedule wizard opens.

6 Select Enable scheduled task check box, and click Next.

7 Specify a task name and, optionally, a description, or keep the defaults.

8 Click Change to specify the time when notication checks run, and click OK.

The Congure Scheduler dialog box opens.

Option Description

Run this action now

Schedule this option to run later

Setup a recurring schedule for this action

Runs the notication check immediately.

Runs the notication check at the time that you schedule for the task.

Runs the notication check recurrently at the frequency, interval, and start time that you schedule for the task.

VMware, Inc. 75

Page 76

vSphere Update Manager Installation and Administration Guide

9 (Optional) Specify one or more email addresses where notications about patch recalls or email alerts

are sent, and click Next.

You must congure mail seings for the vSphere Web Client system to enable this option. For more information, see vCenter Server and Host Management.

10 Review the Ready to Complete page, and click Finish.

The task runs according to the time you specied.

View Notifications and Run the Notification Checks Task Manually

Notications that Update Manager downloads are displayed on the  tab of the Update Manager Administration view.

Prerequisites

Connect thevSphere Web Client to a vCenter Server system with which Update Manager is registered, and on the Home page, click Update Manager icon.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Monitor tab.

4 Click the  tab.

5 To view the notication details, double-click a notication.

6 To check for notications immediately, click Check  on the upper right of the notications

list.

You immediately download all new notications that are available on the VMware website. The

notications are downloaded even if the Enable scheduled download check box is not selected in Manage >  >  Check Schedule.

Types of Update Manager Notifications

Update Manager downloads all notications that are available on the VMware Web site. Some notications can trigger an alarm. By using the Alarm Denitions wizard, you can congure automated actions to be taken when an alarm is triggered.

Notications appear in the  tab that is located under the Monitor tab in the Update Manager Admin View.

Information notifications

Warning notifications

Information notications do not trigger an alarm. Clicking an information notication opens the Notication Details window.

Warning notications trigger an alarm, which appears in the vSphere Web Client Alarms pane. Warning notications are typically xes for patch recalls. Clicking a warning notication opens the Patch Recall Details window.

Alert notifications

76 VMware, Inc.

Alert notications trigger an alarm, which appears in the vSphere Web Client

Alarms pane. Alert notications are typically patch recalls. Clicking an alert notication opens the Patch Recall Details window.

Page 77

Configuring Host and Cluster Settings

When you update vSphere objects in a cluster with vSphere Distributed Resource Scheduler (DRS), vSphere High Availability (HA), and vSphere Fault Tolerance (FT) enabled, you can temporarily disable vSphere Distributed Power Management (DPM), HA admission control, and FT for the entire cluster. When the update completes, Update Manager restores these features.

Updates might require the host to enter maintenance mode during remediation. Virtual machines cannot run when a host is in maintenance mode. To ensure availability, vCenter Server can migrate virtual machines to other ESXi hosts within a cluster before the host is put into maintenance mode. vCenter Server migrates the virtual machines if the cluster is congured for vSphere vMotion, and if DRS is enabled.

Еnable Enhanced vMotion Compatibility (EVC) to help ensure vSphere vMotion compatibility between the hosts in the cluster. EVC ensures that all hosts in a cluster present the same CPU feature set to virtual machines, even if the actual CPUs on the hosts dier. Use of EVC prevents migrations with vSphere vMotion from failing because of incompatible CPUs. You can enable EVC only in a cluster where host CPUs meet the compatibility requirements. For more information about EVC and the requirements that the hosts in an EVC cluster must meet, see vCenter Server and Host Management.

If a host has no running virtual machines, DPM might put the host in standby mode and interrupt an Update Manager operation. To make sure that scanning and staging complete successfully, Update Manager disables DPM during these operations. To ensure a successful remediation, have Update Manager disable DPM and HA admission control before the remediation operation. After the operation completes, Update Manager restores DPM and HA admission control. Update Manager disables HA admission control before staging and remediation but not before scanning.

Chapter 9 Configuring Update Manager

If DPM has already put hosts in standby mode, Update Manager powers on the hosts before scanning, staging, and remediation. After the scanning, staging, or remediation is complete, Update Manager turns on DPM and HA admission control and lets DPM put hosts into standby mode, if needed. Update Manager does not remediate powered o hosts.

If hosts are put into standby mode and DPM is manually disabled for a reason, Update Manager does not remediate or power on the hosts.

Within a cluster, temporarily disable HA admission control to let vSphere vMotion to proceed. This action prevents downtime of the machines on the hosts that you remediate. After the remediation of the entire cluster, Update Manager restores HA admission control seings.

If FT is turned on for any of the virtual machines on hosts within a cluster, temporarily turn o FT before performing any Update Manager operations on the cluster. If FT is turned on for any of the virtual machines on a host, Update Manager does not remediate that host. Remediate all hosts in a cluster with the same updates, so that FT can be reenabled after the remediation. A primary virtual machine and a secondary virtual machine cannot reside on hosts of dierent ESXi version and patch levels.

As you remediate hosts that are part of a vSAN cluster, be aware of the following behavior:

The host remediation process might take an extensive amount of time to complete.

By design, only one host from a vSAN cluster can be in a maintenance mode at any time.

Update Manager remediates hosts that are part of a vSAN cluster sequentially even if you set the option

to remediate the hosts in parallel.

If a host is a member of a vSAN cluster, and any virtual machine on the host uses a VM storage policy

with a seing for "Number of failures to tolerate=0", the host might experience unusual delays when entering maintenance mode. The delay occurs because vSAN has to migrate the virtual machine data from one disk to another in the vSAN datastore cluster. Delays might take up to hours. You can work around this by seing the "Number of failures to tolerate=1" for the VM storage policy, which results in creating two copies of the virtual machine les in the vSAN datastore.

VMware, Inc. 77

Page 78

vSphere Update Manager Installation and Administration Guide

Configure Host Maintenance Mode Settings

ESXi host updates might require that the host enters maintenance mode before they can be applied. Update Manager puts the ESXi hosts in maintenance mode before applying these updates. You can congure how Update Manager responds if the host fails to enter maintenance mode.

For hosts in a container dierent from a cluster or for individual hosts, migration of the virtual machines with vMotion cannot be performed. If vCenter Server cannot migrate the virtual machines to another host, you can congure how Update Manager responds.

Hosts that are part of a vSAN cluster can enter maintenance mode only one at a time. This is a specicity of the vSAN clusters.

If a host is a member of a vSAN cluster, and any virtual machine on the host uses a VM storage policy with a seing for "Number of failures to tolerate=0", the host might experience unusual delays when entering maintenance mode. The delay occurs because vSAN has to migrate the virtual machine data from one disk to another in the vSAN datastore cluster. Delays might take up to hours. You can work around this by seing the "Number of failures to tolerate=1" for the VM storage policy, which results in creating two copies of the virtual machine les in the vSAN datastore.

Prerequisites

Required privileges: VMware vSphere Update Manager.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select Host/Cluster .

5 Click Edit.

The Edit Host/Cluster Seings dialog box opens.

6 Under Host Seings, select an option from the VM Power state drop-down menu to determine the

change of the power state of the virtual machines and appliances that run on the host to be remediated.

The option that you select determines how the power state changes for the virtual machines and appliances that run on the host when the host enters maintenance mode before remediation.

Option Description

Power Off virtual machines

Suspend virtual machines

Do Not Change VM Power State

Powers o all virtual machines and virtual appliances before remediation.

Suspends all running virtual machines and virtual appliances before remediation.

Leaves virtual machines and virtual appliances in their current power state. This is the default seing.

7 (Optional) Select Retry entering maintenance mode in case of failure, and specify the retry delay, and

the number of retries.

If a host fails to enter maintenance mode before remediation, Update Manager waits for the retry delay period and retries puing the host into maintenance mode as many times as you indicate in Number of retries.

78 VMware, Inc.

Page 79

Chapter 9 Configuring Update Manager

8 (Optional) Select Temporarily disable any removable media devices that might prevent a host from

entering maintenance mode.

Update Manager does not remediate hosts on which virtual machines have connected CD/DVD or oppy drives. All removable media drives that are connected to the virtual machines on a host might prevent the host from entering maintenance mode and interrupt remediation.

After remediation, Update Manager reconnects the removable media devices if they are still available.

9 Click OK.

These seings become the default failure response seings. You can specify dierent seings when you congure individual remediation tasks.

Configure Cluster Settings

For ESXi hosts in a cluster, the remediation process can run either in a sequence or in parallel. Certain features might cause remediation failure. If you have VMware DPM, HA admission control, or Fault Tolerance enabled, you should temporarily disable these features to make sure that the remediation is successful.

N Remediating hosts in parallel can improve performance signicantly by reducing the time required for cluster remediation. Update Manager remediates hosts in parallel without disrupting the cluster resource constraints set by DRS. Avoid remediating hosts in parallel if the hosts are part of a vSAN cluster. Due to the specics of the vSAN cluster, a host cannot enter maintenance mode while other hosts in the cluster are currently in maintenance mode.

Prerequisites

Required privileges: VMware vSphere Update Manager.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select Host/Cluster .

5 Click Edit.

The Edit Host/Cluster Seings dialog box opens.

VMware, Inc. 79

Page 80

vSphere Update Manager Installation and Administration Guide

6 Under Cluster Seings, select the check boxes for options that you want to disable or enable.

Option Description

Distributed Power Management (DPM)

High Availability (HA) admission control

Fault Tolerance (FT)

Enable parallel remediation for hosts in cluster

Migrate powered off and suspended virtual machines to other hosts in the cluster, if a host must enter maintenance mode

7 Click OK.

VMware DPM monitors the resource use of the running virtual machines in the cluster. If sucient excess capacity exists, VMware DPM recommends moving virtual machines to other hosts in the cluster and placing the original host into standby mode to conserve power. If the capacity is insucient, VMware DPM might recommend returning standby hosts to a powered-on state.

If you do not choose to disable DPM, Update Manager skips the cluster on which VMware DPM is enabled. If you choose to temporarily disable VMware DPM, Update Manager disables DPM on the cluster, remediates the hosts in the cluster, and re-enables VMware DPM after remediation is complete.

Admission control is a policy used by VMware HA to ensure failover capacity within a cluster. If HA admission control is enabled during remediation, the virtual machines within a cluster might not migrate with vMotion.

If you do not choose to disable HA admission control, Update Manager skips the cluster on which HA admission control is enabled. If you choose to temporarily disable HA admission control, Update Manager disables HA admission control, remediates the cluster, and re-enables HA admission control after remediation is complete.

FT provides continuous availability for virtual machines by automatically creating and maintaining a secondary virtual machine that is identical to the primary virtual machine. If you do not choose to turn o FT for the virtual machines on a host, Update Manager does not remediate that host.

Update Manager can remediate hosts in clusters in a parallel manner. Update Manager continuously evaluates the maximum number of hosts it can remediate in parallel without disrupting DRS seings. If you do not select the option, Update Manager remediates the hosts in a cluster sequentially.

By design only one host from a vSAN cluster can be in a maintenance mode at any time. Update Manager remediates hosts that are part of a vSAN cluster sequentially even if you select the option to remediate them in parallel.

Update Manager migrates the suspended and powered o virtual machines from hosts that must enter maintenance mode to other hosts in the cluster. You can select to power o or suspend virtual machines before remediation in the Maintenance Mode Seings pane.

These seings become the default failure response seings. You can specify dierent seings when you congure individual remediation tasks.

Enable Remediation of PXE Booted ESXi Hosts

You can congure Update Manager to let other software initiate remediation of PXE booted ESXi hosts. The remediation installs patches and software modules on the hosts, but typically the host updates are lost after a reboot.

The global seing in the Update Manager  tab enables solutions such as ESX Agent Manager or Cisco Nexus 1000V to initiate remediation of PXE booted ESXi hosts. In contrast, the Enable patch remediation of powered on PXE booted ESXi hosts seing in the Remediate wizard enables Update Manager to patch PXE booted hosts.

80 VMware, Inc.

Page 81

Chapter 9 Configuring Update Manager

To retain updates on stateless hosts after a reboot, use a PXE boot image that contains the updates. You can update the PXE boot image before applying the updates with Update Manager, so that the updates are not lost because of a reboot. Update Manager itself does not reboot the hosts because it does not install updates requiring a reboot on PXE booted ESXi hosts.

Prerequisites

Required privileges: VMware vSphere Update Manager.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and select Host/Cluster .

5 Click Edit.

The Edit Host/Cluster Seings dialog box opens.

6 Under Host Seings, select Allow installation of additional software on PXE booted ESXi hosts.

Selecting this option enables installation of software for solutions on PXE booted ESXi hosts in the vSphere inventory that you manage with this Update Manager instance.

7 Click OK.

Take Snapshots Before Remediation

By default, Update Manager is congured to take snapshots of virtual machines before applying updates. If the remediation fails, you can use the snapshot to return the virtual machine to the state before the remediation.

Update Manager does not take snapshots of fault tolerant virtual machines and virtual machines that are running virtual machine hardware version 3. If you decide to take snapshots of such virtual machines, the remediation might fail.

You can choose to keep snapshots indenitely or for a xed period. Use the following guidelines when managing snapshots:

Keeping snapshots indenitely might consume a large amount of disk space and degrade virtual

machine performance.

Keeping no snapshots saves space, ensures best virtual machine performance, and might reduce the

amount of time it takes to complete remediation, but limits the availability of a rollback.

Keeping snapshots for a set period uses less disk space and oers a backup for a short time.

Prerequisites

Required privileges: VMware vSphere Update Manager.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

VMware, Inc. 81

Page 82

vSphere Update Manager Installation and Administration Guide

3 Click the Manage tab.

4 Click , and select VM .

5 Click Edit.

The Edit VM Seings dialog box opens.

6 To enable or disable taking of snapshots of virtual machines before remediating them, select the Take a

snapshot of the virtual machines before remediation to enable rollback check box.

The option to take snapshots is selected by default.

7 Congure snapshots to be kept indenitely or for a xed period.

8 Click Apply.

These seings become the default rollback option seings for virtual machines. You can specify dierent seings when you congure individual remediation tasks.

Configure Smart Rebooting

Smart rebooting selectively restarts the virtual appliances and virtual machines in the vApp to maintain startup dependencies. You can enable and disable smart rebooting of virtual appliances and virtual machines in a vApp after remediation.

A vApp is a prebuilt software solution, consisting of one or more virtual machines and applications, which are potentially operated, maintained, monitored, and updated as a unit.

Smart rebooting is enabled by default. If you disable smart rebooting, the virtual appliances and virtual machines are restarted according to their individual remediation requirements, disregarding existing startup dependencies.

Prerequisites

Required privileges: VMware vSphere Update Manager.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click , and click vApp .

5 Click Edit.

The vApp Seings dialog box opens.

6 Click the Enable smart reboot after remediation check box to enable or disable smart rebooting.

Configure the Update Manager Patch Repository Location

When you install Update Manager, you can select the location for storing the downloaded patches and upgrade binaries. To change the location after installation, you must manually edit the vci-integrity.xml

le.

Procedure

1 Log in as an administrator to the machine on where Update Manager server runs.

82 VMware, Inc.

Page 83

Chapter 9 Configuring Update Manager

2 Stop the Update Manager service.

a Right-click My Computer and click Manage.

b In the left pane, expand Services and Applications, and click Services.

c In the right pane, right-click VMware vSphere Update Manager Service and click Stop.

3 Navigate to the Update Manager installation directory and locate the vci-integrity.xml le.

The default location is C:\Program Files (x86)\VMware\Infrastructure\Update Manager.

4 (Optional) In case you want to revert to the previous conguration, create a backup copy of this le.

5 Edit the le by changing the following items:

<patchStore>your_new_location</patchStore>

The default patch download location is

C:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Data\.

The directory path must end with \.

6 Save the le in UTF-8 format, replacing the existing le.

7 Copy the contents from the old patch store directory to the new folder.

8 Start the Update Manager service by right-clicking VMware vSphere Update Manager Service in the

Computer Management window and selecting Start.

Restart the Update Manager Service

In certain cases, such as when you change the network connectivity seings, you must restart the Update Manager service.

Procedure

1 Log in as the administrator to the machine on which the Update Manager server component is installed.

2 Right-click My Computer and click Manage.

3 In the left pane of the Computer Management window, expand Services and Applications and click

Services.

4 In the right pane, right-click VMware vSphere Update Manager Service and select Restart.

The service restarts on the local computer.

Run the VMware vSphere Update Manager Update Download Task

If you change the patch download source seings, you must run the VMware vSphere Update Manager Update Download task to download any new patches, extensions, and notications.

Procedure

1 In the vSphere Web Client, select an inventory object, and select the Monitor tab.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, specify the Update Manager instance to congure.

2 Click the Task & Events tab, and select Scheduled Tasks.

3 Right-click the VMware vSphere Update Manager Update Download task, and select Run.

You can see the running task listed in the Recent Tasks pane.

VMware, Inc. 83

Page 84

vSphere Update Manager Installation and Administration Guide

Update Manager Privileges

To congure Update Manager seings, to manage baselines, patches, and upgrades, you must have the proper privileges. You can assign Update Manager privileges to dierent roles from the vSphere Web Client.

Update Manager privileges cover distinct functionalities.

Table 9‑3. Update Manager Privileges

Privilege Group Privilege Description

Congure  Service Congure the Update Manager service and

Manage Baseline  Baseline Aach baselines and baseline groups to

Manage Baseline Create, edit, or delete baseline and baseline

Manage Patches and Upgrades Remediate to Apply Patches,

Extensions, and Upgrades

Scan for Applicable Patches, Extensions, and Upgrades

Stage Patches and Extensions Stage patches or extensions to hosts. In

View Compliance Status View baseline compliance information for

Upload File Upload File Upload upgrade images and oine patch

the scheduled patch download task.

objects in the vSphere inventory.

groups.

Remediate virtual machines, virtual appliances, and hosts to apply patches, extensions, or upgrades. In addition, this privilege allows you to view compliance status.

Scan virtual machines, virtual appliances, and hosts to search for applicable patches, extensions, or upgrades.

addition, this privilege allows you to view compliance status of the hosts.

an object in the vSphere inventory.

bundles.

For more information about managing users, groups, roles, and permissions, see vCenter Server and Host Management.

84 VMware, Inc.

Page 85

Working with Baselines and Baseline

Groups 10

Update Manager baselines are hosts baselines, virtual machine baselines, and virtual appliance baselines. To upgrade objects in your vSphere inventory, you can use predenes baselines, system-managed baselines, or custom baselines that you create.

When you scan hosts, virtual machines, and virtual appliances, you evaluate them against baselines and baseline groups to determine their level of compliance.

In the vSphere Web Client, the baselines and baseline groups are displayed on the Host Baselines and VMs/VAs Baselines tabs of the Update Manager Admin view.

Depending on the purpose for which you want to use them, host baselines can contain a collection of one or more patches, extensions, or upgrades. Therefore host baselines are upgrade, extension, or patch baselines. To update or upgrade your hosts you can use the Update Manager default baselines, or custom baselines that you create.

The VMs/VAs baselines are predened. You cannot create custom VMs/VAs baselines.

The default baselines are the predened and system managed baselines.

System Managed Baselines

The Update Manager displays system managed baselines that are generated by vSAN. These baselines appear by default when you use vSAN clusters with ESXi hosts of version 6.0 Update 2 and later in your vSphere inventory. If your vSphere environment does not contain any vSAN clusters, no system managed baselines are created.

The system managed baselines automatically update their content periodically, which requires Update Manager to have constant access to the Internet. The vSAN system baselines are typically refreshed every 24 hours.

You can use the system managed baselines to upgrade your vSAN clusters to recommended critical patches, drivers, updates or latest supported ESXi host version for vSAN.

Predefined Baselines

Predened baselines cannot be edited or deleted, you can only aach or detach them to the respective inventory objects.

VMware, Inc.

Page 86

vSphere Update Manager Installation and Administration Guide

Under the Host Baselines tab in Update Manager Admin view, you can see the following predened baselines:

Critical Host Patches (Predefined)

Non-Critical Host Patches (Predefined)

Under the VMs/VAs Baselines tab Update Manager Admin view, you can see the following predened baselines:

VMware Tools Upgrade to Match Host (Predefined)

VM Hardware Upgrade to Match Host (Predefined)

VA Upgrade to Latest (Predefined)

Custom Baselines

Custom baselines are the baselines you create.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain and you have an Update Manager instance for each vCenter Server system in the group, the baselines and baseline groups you create and manage are applicable only to inventory objects managed by the vCenter Server system with which the selected Update Manager instance is registered. You can use an Update Manager instance only with a vCenter Server system with which the instance is registered.

Checks ESXi hosts for compliance with all critical patches.

Checks ESXi hosts for compliance with all optional patches.

Checks virtual appliance compliance with the latest released virtual appliance version.

Baseline Groups

Baseline groups are assembled from existing baselines. A baseline group might contain one upgrade baseline, and one or more patch and extension baselines, or might contain a combination of multiple patch and extension baselines.

To create, edit, or delete baselines and baseline groups, you must have the Manage Baseline privilege. To aach baselines and baseline groups, you must have the  Baseline privilege. Privileges must be assigned on the vCenter Server system with which Update Manager is registered. For more information about managing users, groups, roles, and permissions, see vCenter Server and Host Management. For a list of Update Manager privileges and their descriptions, see “Update Manager Privileges,” on page 84.

This chapter includes the following topics:

“Creating and Managing Baselines,” on page 87

“Creating and Managing Baseline Groups,” on page 97

“Aach Baselines and Baseline Groups to Objects,” on page 101

“Detach Baselines and Baseline Groups from Objects,” on page 102

86 VMware, Inc.

Page 87

Creating and Managing Baselines

You can create custom patches, extensions, and upgrade baselines to meet the needs of your specic deployment by using the New Baseline wizard. You create and manage baselines in the Update Manager Client Administration view.

Update Manager also provides default baselines that you cannot edit or delete. Default baselines are the predened baselines that contain patches for hosts and updates for VMs and virtual appliances. The other type of default baselines is the system managed baselines that you can use to check if your vSAN clusters run the latest supported software.

Create and Edit Patch or Extension Baselines

You can remediate hosts against baselines that contain patches or extensions. Depending on the patch criteria you select, patch baselines can be either dynamic or xed.

Dynamic patch baselines contain a set of patches, which updates automatically according to patch availability and the criteria that you specify. Fixed baselines contain only patches that you select, regardless of new patch downloads.

Extension baselines contain additional software modules for ESXi hosts. This additional software might be VMware software or third-party software. You can install additional modules by using extension baselines, and update the installed modules by using patch baselines.

Chapter 10 Working with Baselines and Baseline Groups

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you have more than one Update Manager instance, patch and extension baselines that you create are not applicable to all inventory objects managed by other vCenter Server systems. Baselines are specic for the Update Manager instance you select.

Prerequisites

Ensure that you have the Manage Baseline privilege.

Create a Fixed Patch Baseline on page 88

Fixed baselines consist of a specic set of patches that do not change as patch availability changes.

Create a Dynamic Patch Baseline on page 88

Dynamic baselines consist of a set of patches that meet certain criteria. The contents of a dynamic baseline varies as the available patches change. You can also exclude or add specic patches. Patches you select to add or exclude do not change with new patch downloads.

Create a Host Extension Baseline on page 89

Extension baselines contain additional software for ESXi hosts. This additional software might be VMware software or third-party software. You create host extension baselines using the New Baseline wizard.

Filter Patches or Extensions in the New Baseline Wizard on page 90

When you create a patch or extension baseline, you can lter the patches and extensions available in the Update Manager repository to nd specic patches and extensions to exclude or include in the baseline.

Edit a Patch Baseline on page 91

You can edit an existing host patch baseline.

Edit a Host Extension Baseline on page 91

You can change the name, description, and composition of an existing extension baseline.

VMware, Inc. 87

Page 88

vSphere Update Manager Installation and Administration Guide

Create a Fixed Patch Baseline

Fixed baselines consist of a specic set of patches that do not change as patch availability changes.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 On the Host Baselines tab, click New baseline.

6 Type a name, and optionally, a description of the baseline.

7 Under Baseline Type, select Host Patch, and click Next.

8 On the Patch Options page, select Fixed for the type of baseline, and click Next.

9 Select individual patches to include in the baseline.

10 (Optional) Click Advanced to nd specic patches to include in the baseline.

11 Click Next.

12 Review the Ready to Complete page, and click Finish.

The new baseline is displayed in the Baselines pane of the Baselines and Groups tab.

Create a Dynamic Patch Baseline

Prerequisites

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 On the Host Baselines tab, click Create a new baseline.

6 Type a name, and optionally, a description of the baseline.

7 Under Baseline Type select Host Patch, and click Next.

8 On the Patch Options page, select Dynamic as the type of baseline, and click Next.

88 VMware, Inc.

Page 89

Chapter 10 Working with Baselines and Baseline Groups

9 On the Criteria page, specify the criteria to dene the patches to include, and then click Next.

Option Description

Patch Vendor

Product

Severity

Create a Host Extension Baseline

Extensions can provide additional features, updated drivers for hardware, Common Information Model (CIM) providers for managing third-party modules on the host, improvements to the performance or usability of existing host features, and so on.

Host extension baselines that you create are always xed. You must carefully select the appropriate extensions for the ESXi hosts in your environment.

To perform the initial installation of an extension, you must use an extension baseline. After the extension is installed on the host, you can update the extension module with either patch or extension baselines.

N When applying extension baselines by using Update Manager, you must be aware of the functional implications of new modules to the host. Extension modules might alter the behavior of ESXi hosts. During installation of extensions, Update Manager only performs the checks and verications expressed at the package level.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

VMware, Inc. 89

Page 90

vSphere Update Manager Installation and Administration Guide

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 On the Host Baselines tab, click New baseline.

6 Type a name, and optionally, a description of the baseline.

7 Under Baseline Type, select Host Extension, and click Next.

8 On the Extensions page, select individual extensions to include in the baseline.

9 (Optional) Select an extension, and click Show Patch Details to see additional information.

10 Click Next.

11 Review the Ready to Complete page, and click Finish.

The new baseline is displayed in the Baselines pane of the Baselines and Groups tab.

Filter Patches or Extensions in the New Baseline Wizard

Procedure

1 In the New Baseline wizard, click Advanced.

If you are creating a xed patch baseline, on the Patches page, click Advanced.

If you are creating a dynamic patch baseline, on the Patches to Exclude or Additional Patches page,

click Advanced.

If you are creating a host extension baseline, on the Extensions page, click Advanced.

2 On the Filter Patches or Filter Extensions page, specify the criteria to dene the patches or extensions to

include or exclude.

Option Description

Patch Vendor

Product

Severity

Edit a Patch Baseline

You can edit an existing host patch baseline.

In the vSphere Web Client, you edit patch baselines from the Update Manager Admin view.

Prerequisites

Ensure that you have the Manage Baseline privilege.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 Click Host Baselines .

6 Select a patch baseline and click Edit above the Baselines pane.

7 Edit the name and description of the baseline and click Next.

8 Go through the Edit Baseline wizard to change the criteria, and select patches to include or exclude.

9 Review the Ready to Complete page, and click Finish.

Edit a Host Extension Baseline

You can change the name, description, and composition of an existing extension baseline.

In the vSphere Web Client, you edit patch baselines from the Update Manager Admin view.

Prerequisites

Required privileges: VMware vSphere Update Manager.Manage Baselines.Manage Baseline.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 Click Host Baselines .

6 Select an extension baseline, and click Edit above the Baselines pane.

7 Edit the name and description of the baseline, and click Next.

8 Make your changes by going through the Edit Baseline wizard.

9 Review the Ready to Complete page, and click Finish.

VMware, Inc. 91

Page 92

vSphere Update Manager Installation and Administration Guide

Create and Edit Host Upgrade Baselines

You can create an ESXi host upgrade baseline by using the New Baseline wizard. You can create host baselines with already uploaded ESXi 6.5 images.

You can upload and manage ESXi images from the ESXi Images tab of the Update Manager Administration view.

Update Manager 6.5 supports upgrade from ESXi 5.5.x and ESXi 6.0.x to ESXi 6.5.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you have more than one Update Manager instance, host upgrade les that you upload and baselines that you create are not applicable to the hosts managed by other vCenter Server systems. Upgrade les and baselines are specic for the Update Manager instance you select.

Import Host Upgrade Images and Create Host Upgrade Baselines on page 92

You can create upgrade baselines for ESXi hosts with ESXi 6.5 images that you import to the Update Manager repository.

Create a Host Upgrade Baseline on page 93

To upgrade the hosts in your vSphere environment, you must create host upgrade baselines.

Edit a Host Upgrade Baseline on page 94

You can change the name, description, and upgrade options of an existing host upgrade baseline. You cannot delete a host upgrade image by editing the host upgrade baseline.

Delete ESXi Images on page 94

You can delete ESXi images from the Update Manager repository if you no longer need them.

Import Host Upgrade Images and Create Host Upgrade Baselines

You can create upgrade baselines for ESXi hosts with ESXi 6.5 images that you import to the Update Manager repository.

You can use ESXi .iso images to upgrade ESXi 5.5.x hosts and ESXi 6.0.x hosts to ESXi 6.5 .

To upgrade hosts, use the ESXi installer image distributed by VMware with the name format VMware-

VMvisor-Installer-6.5.0-build_number.x86_64.iso or a custom image created by using vSphere ESXi

Image Builder.

Prerequisites

Required privileges: VMware vSphere Update Manager.Upload File.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 Click ESXi Images, and click Import ESXi Image.

92 VMware, Inc.

Page 93

Chapter 10 Working with Baselines and Baseline Groups

6 On the Select ESXi Image page of the Import ESXi Image wizard, browse to and select the ESXi image

that you want to upload.

7 Click Next.

C Do not close the import wizard. Closing the import wizard stops the upload process.

8 (Optional) In the Security Warning window, select an option to handle the certicate warning.

A trusted certicate authority does not sign the certicates that are generated for vCenter Server and ESXi hosts during installation. Because of this, each time an SSL connection is made to one of these systems, the client displays a warning.

Option Action

Ignore

Cancel

Install this certificate and do not display any security warnings

Click Ignore to continue using the current SSL certicate and start the upload process.

Click Cancel to close the window and stop the upload process.

Select this check box and click Ignore to install the certicate and stop receiving security warnings.

9 After the le is uploaded, click Next.

10 (Optional) Create a host upgrade baseline.

a Leave the Create a baseline using the ESXi image selected.

b Specify a name, and optionally, a description for the host upgrade baseline.

11 Click Finish.

The ESXi image that you uploaded appears in the Imported ESXi Images pane. You can see more information about the software packages that are included in the ESXi image in the Software Packages pane.

If you also created a host upgrade baseline, the new baseline is displayed in the Baselines pane of the Baselines and Groups tab.

What to do next

To upgrade the hosts in your environment, you must create a host upgrade baseline if you have not already done so.

Create a Host Upgrade Baseline

To upgrade the hosts in your vSphere environment, you must create host upgrade baselines.

Prerequisites

Upload at least one ESXi image.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

VMware, Inc. 93

Page 94

vSphere Update Manager Installation and Administration Guide

5 On the Host Baselines tab, click New baseline.

6 Type a name, and optionally, a description of the baseline.

7 Under Baseline Type, select Host Upgrade, and click Next.

8 On the ESXi Image page, select a host upgrade image and click Next.

9 Review the Ready to Complete page and click Finish.

The new baseline is displayed in the Baselines pane of the Baselines and Groups tab.

Edit a Host Upgrade Baseline

You can change the name, description, and upgrade options of an existing host upgrade baseline. You cannot delete a host upgrade image by editing the host upgrade baseline.

In the vSphere Web Client you can edit upgrade baselines from the Update Manager Client Administration view.

Prerequisites

Ensure that you have the Manage Baseline privilege.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 Click Host Baselines .

6 Select an existing host upgrade baseline, and click Edit above the Baselines pane.

7 Edit the name and description of the baseline, and click Next.

8 Make your changes by going through the Edit Baseline wizard.

9 Review the Ready to Complete page, and click Finish.

Delete ESXi Images

You can delete ESXi images from the Update Manager repository if you no longer need them.

Connect thevSphere Web Client to a vCenter Server system with which Update Manager is registered, and on the Home page, click Update Manager icon.

Prerequisites

Verify that the ESXi images are not included in baselines. You cannot delete images that are included in a baseline.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

94 VMware, Inc.

Page 95

Chapter 10 Working with Baselines and Baseline Groups

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

3 Click the Manage tab.

4 Click the ESXi Images tab.

5 Under Imported ESXi Images, select the le you want to delete and click Delete.

6 Click Yes to conrm the deletion.

The ESXi image is deleted and no longer available.

Create and Edit a Virtual Appliance Upgrade Baseline

A virtual appliance upgrade baseline contains a set of updates to the operating system and to the applications installed in the virtual appliance. The virtual appliance vendor considers these updates an upgrade.

Virtual appliance baselines that you create consist of a set of user-dened rules. If you add rules that

conict, the Update Manager displays an Upgrade Rule Conict window so that you can resolve the conicts.

Virtual appliance baselines let you upgrade virtual appliances either to the latest available version or to a specic version number.

Create a Virtual Appliance Upgrade Baseline on page 95

You upgrade virtual appliances by using a virtual appliance upgrade baseline. You can either use the predened virtual appliance upgrade baseline, or create custom virtual appliance upgrade baselines.

Edit a Virtual Appliance Upgrade Baseline on page 96

You can change the name, description, and upgrade options of an existing upgrade baseline.

Create a Virtual Appliance Upgrade Baseline

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 On the VMs/VAs Baselines tab, click Create new baseline.

6 Type a name, and optionally, a description of the baseline.

7 Under Baseline Type, select VA Upgrade, and click Next.

VMware, Inc. 95

Page 96

vSphere Update Manager Installation and Administration Guide

8 On the Upgrade Options page, select Vendor and Appliance options from the respective drop-down

menus.

The options listed in these menus depend on the virtual appliance upgrades that are downloaded in the Update Manager repository. If no upgrades are downloaded in the repository, the available options are All Vendors and All Products, respectively.

9 Select an option from the Upgrade To drop-down menu.

Option Description

Latest

A specific version number

Do Not Upgrade

10 Click Add Rule.

11 (Optional) Add multiple rules.

a Click Add Multiple Rules.

b Select one or all vendors.

c Select one or all appliances.

Upgrades the virtual appliance to the latest version.

Upgrades the virtual appliance to a specic version. This option is available when you select a specic vendor and appliance name.

Does not upgrade the virtual appliance.

d Select one Upgrade To option to apply to the selected appliances, and click OK.

If you create multiple rules to apply to the same virtual appliance, only the rst applicable rule in the list is applied.

12 (Optional) Resolve any conicts within the rules you apply.

a In the Upgrade Rule Conict window, select whether to keep the existing rules, to use the newly

created rules, or to manually resolve the conict.

b Click OK.

13 Click Next.

14 Review the Ready to Complete page, and click Finish.

The new baseline is displayed in the Baselines pane of the Baselines and Groups tab.

Edit a Virtual Appliance Upgrade Baseline

You can change the name, description, and upgrade options of an existing upgrade baseline.

You can edit upgrade baselines from the Update Manager Admin view.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 Click VMs/VAs Baselines .

6 Select an existing baseline and click Edit existing baseline .

96 VMware, Inc.

Page 97

Chapter 10 Working with Baselines and Baseline Groups

7 Edit the name and the description of the baseline, and click Next.

8 Edit the upgrade options, and click Next.

9 Review the Ready to Complete page, and click Finish.

Delete Baselines

You can delete baselines that you no longer need from Update Manager. Deleting a baseline detaches it from all the objects to which the baseline is aached.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 On the VMs/VAs Baselines tab, select the baselines to remove, and click Delete the baseline .

6 In the conrmation dialog box, click Yes.

The baseline is deleted.

Creating and Managing Baseline Groups

A baseline group consists of a set of non-conicting baselines. Baseline groups allow you to scan and remediate objects against multiple baselines at the same time.

You can perform an orchestrated upgrade of the virtual machines by remediating the same folder or datacenter against a baseline group containing the following baselines:

VMware Tools Upgrade to Match Host

VM Hardware Upgrade to Match Host

You can perform an orchestrated upgrade of hosts by using a baseline group that contains a single host upgrade baseline and multiple patch or extension baselines.

You can create two types of baseline groups depending on the object type to which you want to apply them:

Baseline groups for hosts

Baseline groups for virtual machines and virtual appliances

Baseline groups that you create are displayed on the Baselines and Groups tab of the Update Manager Client Administration view.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you have more than one Update Manager instance, baseline groups you create are not applicable to all inventory objects managed by other vCenter Server systems in the group. Baseline groups are specic for the Update Manager instance that you select.

VMware, Inc. 97

Page 98

vSphere Update Manager Installation and Administration Guide

Create a Host Baseline Group

You can combine one host upgrade baseline with multiple patch or extension baselines, or combine multiple patch and extension baselines in a baseline group.

N You can click Finish in the New Baseline Group wizard at any time to save your baseline group and add baselines to it at a later stage.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 On the Host Baselines tab, click New Baseline Group above the Baseline Groups pane.

6 Enter a unique name for the baseline group and click Next.

7 Select a host upgrade baseline to include it in the baseline group.

8 (Optional) Create a new host upgrade baseline by clicking Create a new Host Upgrade Baseline at the

boom of the Upgrades page, and complete the New Baseline wizard.

9 Click Next.

10 Select the patch baselines that you want to include in the baseline group.

11 (Optional) Create a new patch baseline by clicking Create a new Host Patch Baseline at the boom of

the Patches page, and complete the New Baseline wizard.

12 Click Next.

13 Select the extension baselines to include in the baseline group.

14 (Optional) Create a new extension baseline by clicking Create a new Extension Baseline at the boom

of the Patches page, and complete the New Baseline wizard.

15 Review the Ready to Complete page, and click Finish.

The host baseline group is displayed in the Baseline Groups pane.

Create a Virtual Machine and Virtual Appliance Baseline Group

You can combine upgrade baselines in a virtual machine and virtual appliance baseline group.

N You can click Finish in the New Baseline Group wizard at any time to save your baseline group, and add baselines to it at a later stage.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

98 VMware, Inc.

Page 99

Chapter 10 Working with Baselines and Baseline Groups

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 On the VMs/VAs Baselines tab, click Create new baseline  group.

6 Enter a name for the baseline group, and click Next.

7 For each type of upgrade (virtual appliance, virtual hardware, and VMware Tools), select one of the

available upgrade baselines to include in the baseline group.

N If you decide to remediate only virtual appliances, the upgrades for virtual machines are ignored, and the reverse. If a folder contains both virtual machines and virtual appliances, the appropriate upgrades are applied to each type of object.

8 Click Next.

9 Review the Ready to Complete page, and click Finish.

The new baseline group is displayed in the Baseline Groups pane.

Edit a Baseline Group

You can change the name and type of an existing baseline group. You can also edit a baseline group by adding or removing the upgrade and patch baselines a baseline group contains.

In the vSphere Web Client, you edit baseline groups from the Update Manager Admin view.

Prerequisites

Required privileges: VMware vSphere Update Manager.Manage Baselines.Manage Baseline.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 Click VMs/VAs Baselines .

6 Select an existing baseline, and click Edit existing baseline .

7 Edit the name of the baseline group.

8 (Optional) Change the included upgrade baselines (if any).

9 (Optional) Change the included patch baselines (if any).

10 (Optional) Change the included extension baselines (if any).

11 Review the Ready to Complete page and click OK.

VMware, Inc. 99

Page 100

vSphere Update Manager Installation and Administration Guide

Add Baselines to a Baseline Group

You can add a patch, extension, or upgrade baseline to an existing baseline group.

In the vSphere Web Client, you can add baselines to baseline groups from the Update Manager Administration view.

Prerequisites

Required privileges: VMware vSphere Update Manager.Manage Baselines.Manage Baseline.

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 On the VMs/VAs Baselines tab, select an existing baseline group, and click Edit existing baseline

group .

6 From the Upgrades page, select a baseline group and expand it to view the included baselines.

7 Select or deselect the baselines from the list.

The baseline is added to the selected baseline group.

Remove Baselines from a Baseline Group

You can remove individual baselines from existing baseline groups.

In the vSphere Web Client, you can edit the contents of baseline groups from the Update Manager Admin view.

Prerequisites

Procedure

1 Use the vSphere Web Client to log in to a vCenter Server Appliance, or to a vCenter Server system with

which Update Manager is registered.

2 In the Home view of the vSphere Web Client, select the Update Manager icon.

3 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is connected.

4 Click the Manage tab.

5 On the VMs/VAs Baselines tab, select an existing baseline group, and expand it to view the included

baselines.

6 Select a baseline from the Baseline Groups pane on the right and click the left arrow.

The baseline is removed from the selected baseline group.

100 VMware, Inc.

VMware vSphere Update Manager - 6.5 Installation Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

About Installing and Administering VMware vSphere Update Manager

Updated Information

Understanding Update Manager 1

Overview of the Update Manager Interface

About the Update Manager Process

Configuring the Update Manager Download Source

Downloading Updates and Related Metadata

Importing ESXi Images

Creating Baselines and Baseline Groups

Baseline Types

Update Manager Default Baselines

Baseline Groups

Attaching Baselines and Baseline Groups to vSphere Objects

Scanning Selected vSphere Objects

Reviewing Scan Results

Staging Patches and Extensions to Hosts

Remediating Selected vSphere Objects

System Requirements

Update Manager Hardware Requirements

Supported Windows Operating Systems and Database Formats

Update Manager Compatibility with vCenter Server and vSphere Web Client

Required Database Privileges

Preparing the Update Manager Database

Create a 64-Bit DSN

About the Bundled Microsoft SQL Server 2012 Express Database Package

Maintaining Your Update Manager Database

Configure a Microsoft SQL Server Database Connection

Create a New Data Source (ODBC)

Identify the SQL Server Authentication Type

Configure an Oracle Database

Configure an Oracle Connection to Work Locally

Configure an Oracle Database to Work Remotely

Prerequisites for Installing the Update Manager Server on Windows

Obtain the Update Manager Installer

Install the Update Manager Server

Enable the Update Manager Web Client Plug-In

Uninstall the Update Manager Server

Upgrade the Update Manager Server

Upgrade the Update Manager Java Components

Start, Stop, or Restart Update Manager Service in the vCenter Server Appliance

Download and Run VMware Migration Assistant on the Source Update Manager Machine

Roll Back a Migration of vCenter Server Appliance with Update Manager

Update Manager Deployment Models and Their Usage

Compatibility Between UMDS and the Update Manager Server

Installing UMDS on a Windows Operating System

Install UMDS on a Windows Operating System

Installing and Upgrading UMDS on a Linux-Based Operating System

Supported Linux-Based Operating Systems and Databases for Installing UMDS

Configure PostgreSQL Database for UMDS on Linux

Install UMDS on a Linux OS

Uninstall UMDS from a Linux OS

Setting Up and Using UMDS

Set Up the Data to Download with UMDS

Change the UMDS Patch Repository Location

Configure URL Addresses for Hosts

Download the Specified Data Using UMDS

Export the Downloaded Data

Configuring Update Manager 9

Update Manager Network Connectivity Settings

Change the Update Manager Network Settings

Configuring the Update Manager Download Sources

Configure Update Manager to Use the Internet as a Download Source

Add a New Download Source

Use a Shared Repository as a Download Source

Import Patches Manually

Configure the Update Manager Proxy Settings

Configure Checking for Updates

Configuring and Viewing Notifications

Configure Notifications Checks

View Notifications and Run the Notification Checks Task Manually

Types of Update Manager Notifications

Configuring Host and Cluster Settings

Configure Host Maintenance Mode Settings

Configure Cluster Settings

Enable Remediation of PXE Booted ESXi Hosts