Maintaining up-to-date software is critical for security and operational efficiency. Heimdal Security's 3rd Party Patching Module simplifies this process by automating patch deployment across your network. However, in areas with limited bandwidth, such as vessels or remote locations, optimizing bandwidth usage becomes essential. This article explains how Heimdal’s Priority Server Updates feature addresses this challenge by routing patches through a single server, and what bandwidth is required for effective operation. Patches are downloaded over the WAN to the Priority Update Server, which then distributes those packages over the LAN using Heimdal technology. For the test described below, the server's bandwidth was limited using NetLimiter.
Steps for configuring Heimdal effectively in remote environments.
1. What is Priority Server Updates and How to Enable It?
Priority Server Updates is a feature that allows administrators to designate specific endpoints as central servers for downloading and distributing updates to other devices in the network. This significantly reduces external bandwidth usage, as only the Priority Servers connect to external sources for updates, and other endpoints retrieve updates internally.
Steps to Enable Priority Server Updates:
- Access the Heimdal Dashboard: Log in with your administrator credentials.
- Configure Group Policy:
  - Go to the Endpoint Settings and select the Group Policy you wish to modify.
  - Enable the "Use Priority Update Servers" option.
- Assign Priority Servers:
  - In the Device Info view, select the endpoints to act as Priority Servers.
  - Mark these endpoints as Priority Update Servers.
- Save Changes: Apply the settings to activate the configuration.
2. Bandwidth Requirements for 3rd Party Patching
For optimal performance of the 3rd Party Patching Module, Heimdal recommends the following minimum bandwidth requirements:
- Endpoints: 10 kbps
- Priority Update Servers: 80–100 kbps
These values ensure efficient communication and update distribution without overloading your network.
3. Recommended Group Policy Settings
To maintain a balanced network load and ensure timely updates, the interval checks should be configured as follows:
- Priority Server Update Interval: must be higher than 120 minutes.
- Additional check interval: should be set to 720-1440 minutes.
- Endpoints and Priority Update Servers must run under the same policy.
- "Keep cached files indefinitely" should be enabled.
- Real-time communication should be OFF.
Important: To ensure the endpoint receives all required updates from the machine designated as the Priority Server Update, it is essential that every application installed in your environment is also installed on the Priority Server Update machine. If any applications are missing on the Priority Server Update machine, the endpoint will not be able to retrieve the required patches.
Showcase
Using NetLimiter, we monitored and restricted the bandwidth of the Heimdal.ClientHost process. The objective was to identify the lowest bandwidth thresholds that allow the 3rd Party Patching Module to operate successfully on endpoints and servers.
The test results show the following:
- Endpoints: A minimum bandwidth of 10 KB/s is required for the Heimdal patching tool to work effectively. Below this threshold, operations fail or are severely impacted. A server receiving updates from the Priority update server is also considered an endpoint in this scenario.
- Priority Update Server: The tool functions correctly with a minimum bandwidth of 80 KB/s. Below this threshold, failures are observed.
Operational example at 10 KB/s (Endpoints) and 100 KB/s (Servers)
Here are screenshots from the test, showcasing the bandwidth configurations and results:
Initial setup
Description: NetLimiter showing the active Heimdal.ClientHost process with bandwidth limited to 100 KB/s for endpoints and 80 KB/s for servers.
Operation at 10 KB/s (Endpoints) and 100 KB/s (Servers)
Description: 3rd Party Patching is starting to patch CCleaner.
Failure Below Thresholds
Description: 3rd Party Patching has patched CCleaner.
The test was performed with 4 applications: 7-zip, Adobe Acrobat Reader, CCleaner, and Google Chrome.
Conclusion
Heimdal’s Priority Server Updates is a strategic feature designed to optimize bandwidth usage and streamline patch distribution in environments of all sizes. With the proper bandwidth allocation and interval settings, it ensures reliable and secure updates while minimizing the strain on your network.
The results of our recent test with NetLimiter confirm that these configurations effectively balance performance and resource utilization. Implementing Priority Server Updates and adhering to the recommended settings will enhance the efficiency of your patch management strategy.