Update Management through OMS Gateway ?

Question

Hi Guys,&nbsp;A pretty confusing topic for me.&nbsp;&nbsp;Now i have a lot of VMs in Azure, they dont have internet access but they are configured to connect to log analytics through the OMS gateway which is basically acts like a proxy for them, it works perfectly i can collect all the logs needed and perf counters no problem here.&nbsp;i enabled update management on these servers as well. so then i have to allow hosts in the OMS gateway using&nbsp;Add-OMSGatewayAllowedHost powershell command. which i did as per the documentation here&nbsp;https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway#configure-for-automation-hybrid-workers&nbsp;&nbsp;i believed that it should use the OMS GatewayProxy to access the Update repository and get the assessment and can push the updates now, but i checked and the VMs seems to not be working like this and might need actually another proxy settings to get to the update service from Microsoft.&nbsp;My questions are:&nbsp;&nbsp;- should i add the update service URLs to the allowed hosts in oms gateway ? and then would the VMs connect to the Update services through just the OMS proxy.&nbsp;Update catalogue URLs&nbsp;microsoft.com*.update.microsoft.comwindowsupdate.com*.download.windowsupdate.commicrosoft.com*.download.microsoft.comcom*.windowsupdate.commicrosoft.comwindows.comlive.com (this is required if you have connected a Microsoft Account)microsoft.com*.mp.microsoft.com- Or does the VMs still need to set up a proxy that have access to the internet?!&nbsp;if anyone have experience with this would be great to share.&nbsp;ThanksAhmed Atef&nbsp;

aziz hamid · Answer

Ideally, update services should just connect through the OMS proxy. However, for testing purposes, you can the update service URLs to the allowed hosts in OMS gateway.

As a secondary measure, you could also try using the WSUS pass through gateway app published on the Azure marketplace.

ahmed atef · Answer

i have now 2 VMs that are not connected to the internet directly or through internet proxy.. but connected to log analytics through the OMS proxy but they show up as not assessed on the Update management solution.

so thats mean that the OMS gateway doesnt serve the update management as proxy i assume ? but it would make more logic that if your VM is connected through OMS gateway proxy then Update management should work too.

i will add the URLs as allowed hosts in the oms gateway and see what comes up.

tomek machnik · Answer

I have a similar question about OMS Gateway. Did you manage to find out more? I would like to configure the OMS Gateway in such a way that updates are downloaded on it and sent to agents.

ahmed atef · Answer

Hi Tomek,&nbsp;what we ended up doing is installing WSUS on the OMS Gateway,&nbsp; it acts as repository for updates, all updates are downloaded to it, all&nbsp;servers are configured to have the wsus as their update source through GPO, but all orchestration and schedules of updates are managed through the Update Management Solution.&nbsp;

tomek machnik · Answer

This is something that I wanted to avoid.So you are sure that there is no way that OMS Gateway server can connect to update.microsoft.com and download the update?&nbsp;How does managing the updates look like in this case?You must do "approve" in WSUS for a specific KB and create Scheduled Update Deployment in Azure side?&nbsp;Something more?

Forum Discussion

Update Management through OMS Gateway ?

7 Replies

Resources