Want help with your product upgrades? Upgrades made easy

How to update GFI LanGuard if in a secure network

Article applies to:

  • GFI LanGuard 2015 (11.4)
  • GFI LanGuard 2014 R2 (11.3)

GFI LanGuard requires two different types of update files in order to scan and remediate:
  • Program Update Files: This encompasses update files for the GFI LanGuard program itself as well as update files required to update it's patch definition database. The patch definitions provide GFI LanGuard the ability to scan computers and contain the locations to download the second type of update files.
  • Update / Patch Installer Files: These files are downloaded from the application vendor (Microsoft or 3rd Party) update sites.
When GFI LanGuard is installed on a highly secure network that does not have access to the internet we must find a way to update this instance with Program Updates and Patch installers in another way. There are 2 methods depending on whether you need to scan and patch your computers or only scan your computers (some customers only use GFI LanGuard to scan for verification and reporting purposes). 
  • Scan and Patch Method: Install another instance of GFI LanGuard on a network that does have internet access. Update this internet facing instance and then transfer it's update files AND it's patch repository to the secure network to update the GFI LanGuard instance on the secure network and update the secure network instance specifying the "Update from an alternative location" option. 
  • Scan Only Method: If you are only scanning your computers and not deploying patches you can use either the Scan and Patch Method or the Scan Only Method. This method removes the requirement for a second LanGuard instance. With this method you download program update files manually or via a script, transfer the update files to the secure network instance of GFI LanGuard and run the program update utility specifying the "Update from an alternate location" option.
 

Scan and Patch Method 


Configure Instance 1 - Internet facing instance

  1. Install GFI LanGuard on a network that has access to the internet. It must be the same version as is installed on the secure network.
    • This instance must have access to the following sources on the internet:
      • *.software.gfi.com/lnsupdate/
      • *.download.microsoft.com
      • *.windowsupdate.com
      • *.update.microsoft.com
      • * All update servers of Third-Party Vendors supported by GFI LanGuard
  1. Perform a manual program update and choose the "Update all files (including the ones that have already been downloaded)" option. This will make sure you have ALL the update files the Secure Network Instance needs.
  2. If using the instance of GFI LanGuard on the secure network to remediate (patch) the systems on it's network you must also configure GFI LanGuard to download "ALL patches" to it's configured repository in Configuration -> Patch Auto-Download -> Edit patch auto-download options...
Notes:
  • For downloading patch installers you must choose the "All Patches" option. The other option - "Download only needed patches" relies on the scan results to tell GFI LanGuard which patches are needed. Since this instance of GFI LanGuard will not have access to the backend database of the internal secure network instance of GFI LanGuard, it will not "know" what patches have been discovered as missing on those systems.
  • When using this option GFI LanGuard will download every patch for every version of operating system and/or application that the patch is intended to  update. Therefore the patch repository must be very large (at least initially). 
  • It would be helpful if the repository is located on a removable drive to move it to the GFI LanGuard instance on the secure network.


Configure Instance 2 - Secure Network Instance

  1. Install  GFI LanGuard on the Secure Network if you have not done so already.
  2. In the GFI LanGuard console navigate to Configuration -> Program Updates -> Edit program updates options. Configure it NOT to automatically update by disabling the "Enable scheduled updates" setting.
  3. When you want to update instance 2, use the Update Procedure section below
 

Scan Only Method


Download program update files manually

  1. Connect to http://lnsupdate.gfi.com on machine that can access the internet (if prompted for a password contact GFI Support for the credentials)
  2. Download the list of files to a Program_Updates directory on the local machine.
  3. Also download the wsusscn2.cab file located at http://go.microsoft.com/fwlink/?LinkID=74689 to the same directory.


Download program update files via a script

  1. On a computer with internet access download and install WGet for Windows (or use the WGet utility found on most Linux/Unix/MAC distributions)
  2. Create a InputFile.txt with a appropriate list of files from above.
  3. Contact GFI Support for the "UserName" and "Password" for use in the commands below
  4. Create a batch file (DownloadProgramUpdates.bat) the runs the following commands:
wget.exe --input-file=InputFile.txt --base=http://lnsupdate.gfi.com/ --http-user=UserName --http-password=Password --output-file=WgetLogFile0.txt --directory-prefix=Program_Updates
wget.exe --output-file=WgetLogFile1.txt --directory-prefix=Program_Updates http://go.microsoft.com/fwlink/?LinkID=74689
  • Note: The "output-file" is a log of the process. Use this log file if you encounter problems.


Configure Instance 2 - Secure Network Instance

  1. Install  GFI LanGuard on the Secure Network if you have not done so already.
  2. In the GFI LanGuard console navigate to Configuration -> Program Updates -> Edit program updates options. Configure it NOT to automatically update by disabling the "Enable scheduled updates" setting.
  3. When you want to update instance 2, use the Update Procedure section below


Update Procedure

When you want to update GFI LanGuard Instance 2 (Secure Network Instance) do the following:


On GFI LanGuard Instance 1:

  • Copy the contents of the C:\ProgramData\GFI\LanGuard 11\Update\ directory  (or C:\Documents and Settings\All Users\Application Data\GFI\LanGuard 11\Update on a 2003 class computer) to the removable drive and move the drive to the GFI LanGuard Instance 2 location. Alternately copy them from the directory you used manually downloaded them to or via script.


On GFI LanGuard Instance 2:

  • Insert the removable drive on the GFI LanGuard Instance 2 machine (or copy the files to a location on the hard drive of Instance 2)
  • In the GFI LanGuard console go to Configuration -> Program Updates and click the "Check for Updates..." button
  • Select to "Update application files from the following location" and select the "Alternative location:" 
  • Enter the location of the update files and click the "Next =>"  button to go to the "Choose which packages to update" dialog.
  • If this is the first update you should choose the "Update ALL files (including the ones already updated)
  • Otherwise, select the "Next >" button to perform the update.
 

Variations:

Some organizations may have their networks configured so that the GFI LanGuard Instance 2 can get access to the GFI LanGuard Instance 1 computer (through http or shares) and yet not be able to access the internet. In this case they can configure their GFI LanGuard Instance 2 to get it's updates (and patches in some cases) from the GFI LanGuard Instance 1. Another variation is when there is a WSUS server available from the secure network.

Case 1 - Access GFI LanGuard Instance 1 via HTTP:

  1. Configure an http server on the GFI LanGuard Instance 1 server (Microsoft Internet Information Server or other) to serve the files in the  C:\ProgramData\GFI\LanGuard 11\Update directory  (or C:\Documents and Settings\All Users\Application Data\GFI\LanGuard 11\Update\ on a 2003 class computer)
  2. On the GFI LanGuard Instance 2 server, in Configuration -> Program Updates -> Edit program updates options... dialog choose the option to Download updates from an alternative location: and enter the http address of the GFI LanGuard Instance 1 computer (ex. http://192.168.2.200/ or http://192.168.2.200:8000, depending on configuration of the http server)
  3. In the same dialog enable the Enable scheduled updates option to update automatically.


Case 2 - Access GFI LanGuard Instance 1 via network shares

  1. On the GFI LanGuard Instance 1 computer share the C:\ProgramData\GFI\LanGuard 11\Update\ directory (or C:\Documents and Settings\All Users\Application Data\GFI\LanGuard 11\Update on a 2003 class computer)
  2. On the GFI LanGuard Instance 2 server, in Configuration -> Program Updates -> Edit program updates options... dialog choose the option to Download updates from an alternative location: and enter the UNC path of the GFI LanGuard Instance 1 computer (ex. \\192.168.2.200\Update\)
  3. In the same dialog enable the Enable scheduled updates option to update automatically. 
  4. In this case, the repository of the GFI LanGuard Instance 1 machine can also be used by sharing it and then configuring GFI LanGuard Instance 2 (under Configuration -> Patch Auto-Download -> Edit patch auto-download options... dialog -> Patch Repository tab) by entering the UNC path to the share on GFI LanGuard Instance 1

Case 3 - Get patch installers from a WSUS server

  1. Disable the Patch Auto-download feature on the GFI LanGuard Instance 1 computer.
  2. On the GFI LanGuard Instance 2 computer, disable the Patch Auto-download feature under Configuration -> Patch Auto-Download -> Edit patch auto-download options -> General tab.
  3. On the Patch Repository tab, choose Use files downloaded by WSUS when available and enter a UNC path (no mapped drive paths) to the WSUS Content folder. See the article: How to configure GFI LanGuard to use a WSUS server for the patch repository