Patching ArcGIS Enterprise

01-14-2021 07:13 PM
by Anonymous User

As we all know, the ArcGIS Enterprise environment is constantly under development and being further improved by Esri.

Part of the application life cycle, for all software and not just ArcGIS Enterprise, is the release of security and functionality patches that improve the security, stability and functionality of the application but don’t warrant new version numbers.

Oftentimes I will see a client deploy an ArcGIS Enterprise environment, forget to install patches, and revisit the deployment a year or two later to upgrade to a new version. This is not the most secure way to manage an environment, nor is it the best way to utilise an Enterprise-scale GIS.

When working with Enterprise-scale systems, a good mentality is to patch regularly and upgrade often. This is the behaviour we have grown used to with smartphones and the applications we use on them, so why do we not keep this behaviour for the software suites we manage for an enterprise?

A regular (maybe monthly) maintenance window means that users are less disturbed by work on a system and they are also more aware that the system is being maintained and looked after. Applying the latest patches during this maintenance window also means that bug fixes are applied, security flaws are resolved and the system gets a regular “refresh” with virtual machine reboots that are built into the maintenance window.

When it comes to ArcGIS Enterprise, Esri make patching easy for administrators by including the ArcGIS Enterprise Patch Notification utility in the install of all applications. More information on using this utility can be found here - https://enterprise.arcgis.com/en/server/latest/install/windows/check-for-software-patches-and-update... - but unfortunately, this method relies on an internet connection from the server that is trying to download the patch. Not all servers have this connection, in which case you will need to download the patches manually and install them using another method.

Some important things when working with a disconnected environment and looking to patch:

  • Download the patches.json file from here - https://downloads.esri.com/patch_notification/patches.json
  • Host the patches.json file on a web server with the same context as above (for IIS, make the directory “C:\inetpub\wwwroot\patch_notification”, or a virtual directory of the same name, and put the patches.json file in that folder)
  • Set up network routing (DNS or hosts file change) so that when the Patch Notification utility calls the above URL, it finds your locally hosted version

Using this method, you will be given a list of patches that are currently installed and a list of newly released patches that you should apply to the system.

Once you have this list, download the new patches and install them using your preferred method (personally, I use PowerShell to silently install the patches and log the start/end times of each install for my own record keeping).
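One way to script the silent install with start/end logging described above, with an integrity check added because the files are carried into a disconnected environment. This is an added example, not the author's own script. It assumes the patches are Windows Installer .msp files that carry an Authenticode signature, staged in a hypothetical C:\Patches folder alongside a hypothetical hashes.csv (columns File,SHA256) recorded on the internet-connected machine at download time.

```powershell
# Added example: verify, then silently install, staged ArcGIS Enterprise patches.
# Assumptions (not from the article): .msp packages in C:\Patches, plus hashes.csv
# with columns File,SHA256 written when the files were originally downloaded.
$PatchDir = 'C:\Patches'                      # hypothetical staging folder
$LogFile  = Join-Path $PatchDir 'patch-install.log'
$Expected = @{}
Import-Csv (Join-Path $PatchDir 'hashes.csv') |
    ForEach-Object { $Expected[$_.File] = $_.SHA256.ToUpper() }

function Write-Log([string]$Message) {
    # ISO 8601 timestamp with UTC offset, echoed to the console and appended to the log.
    "{0:o}  {1}" -f (Get-Date), $Message | Tee-Object -FilePath $LogFile -Append
}

foreach ($patch in Get-ChildItem -Path $PatchDir -Filter *.msp | Sort-Object Name) {
    # Integrity: the file must match the hash recorded before it crossed the air gap.
    $actual = (Get-FileHash -Path $patch.FullName -Algorithm SHA256).Hash
    if ($Expected[$patch.Name] -ne $actual) {
        Write-Log "SKIP  $($patch.Name): SHA-256 mismatch or not listed in hashes.csv"
        continue
    }
    # Authenticity: require a valid Authenticode signature (assumes signed packages).
    $sig = Get-AuthenticodeSignature -FilePath $patch.FullName
    if ($sig.Status -ne 'Valid') {
        Write-Log "SKIP  $($patch.Name): signature status $($sig.Status)"
        continue
    }
    Write-Log "START $($patch.Name) signer=$($sig.SignerCertificate.Subject)"
    $msiLog = Join-Path $PatchDir "$($patch.BaseName).msi.log"
    # /p applies a patch, /qn runs with no UI, /norestart defers the reboot to
    # the maintenance window, /L*v writes a verbose Windows Installer log.
    $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
        '/p', "`"$($patch.FullName)`"", '/qn', '/norestart', '/L*v', "`"$msiLog`"")
    # 0 = success, 3010 = success with reboot required; anything else is a failure.
    $result = switch ($proc.ExitCode) {
        0 { 'OK' } 3010 { 'OK (reboot required)' } default { 'FAILED' } }
    Write-Log "END   $($patch.Name) exit=$($proc.ExitCode) $result"
}
```

Run it from an elevated PowerShell session during the maintenance window; SKIP and FAILED lines in patch-install.log are the ones to follow up before the next window.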


Also important: not every month will have dedicated work to perform, but even those windows should be used for a VM restart to clear any little issues and refresh the ArcGIS Enterprise Windows services.

4 Comments
SimonSchütte_ct
Occasional Contributor III

"Once you have this list, download the new patches and install them using your preferred method"

My preferred method would be to bulk download all the patches I need in one step.
Ideal would be a CLI option for the patchnotification tool to download all patches for a specific version to a directory for later use in a disconnected environment.

What is the best way to automatically download all AGE10.9.1 patches for example?

NicholasEverdell
New Contributor II

This process is no longer able to be configured. I think this is due to the Patch Notification Tool being updated to use HTTPS over HTTP. Without a valid certificate for "downloads.esri.com" to secure that 443 binding, the tool fails to connect successfully to the patches.json file.

Scott_Tansley
MVP Regular Contributor

Nicholas,

I think this may be related to your network/Forward Proxy.  I have no issues hitting this and the certificate is valid:  


NicholasEverdell
New Contributor II

Hi Scott, I was referencing the offline configuration as per the article. This is pointing to an internal website that has been made to be accessible on the same URL within an air-gapped network.

We are unable to configure a proxy to point to the real thing, unfortunately.