F-Secure Client Security Premium | Software Updates

Hi,

I'm looking for more informations about how F-Secure Software Updates is working.

Since FSPMC 12.21, I understood that this is FSPMS himself which is downloading software updates, no more the Workstation. Conceptually, this was a good news for me...

Then I am able to define a policy which tell the end-user agent where to download these softwares updates.

My question is... how to configure my FSPMS? Is there somewhere a panel or a file to define proxy settings so the FSPMS can download sources from Internet?

Moreover, I would like to be sure that I understood correctly how this componenet is working. So if someone has documentations, I'll take it.

Best regards,

Vincent

Find more posts tagged with

Comments

A_Grinkevitch

To access internet resources FSPMS uses proxy settings defined in AUA config (c:\Program Files (x86)\F-Secure\FSAUA\program\fsaua.cfg at Windows), property "http_proxies". It does not use proxy settings from IE, only specified in fsaua.cfg.

_Vincent_

Hi,

Thank you for your response which gave me a lot of interesting informations about how this component works.

But now, I have another specific question. It's about how to configure FSPMS to download these updates.

Is there a place to enter proxy settings or does it uses IE settings?

By default, servers does not have Internet access in our company. So either I am able to define proxy settings to get Internet access or I have to ask for a passthrough without authentication based on my IP address?

Can you help me with this question?

Best regards,

Vincent

A_Grinkevitch

Hi Vincent,

To access internet resources FSPMS uses proxy settings defined in AUA config (c:\Program Files (x86)\F-Secure\FSAUA\program\fsaua.cfg at Windows), property "http_proxies".

Here is description how the feature works:

By default, hosts use Policy Manager as the primary source for software updates and fall back to the vendor's side. If needed, this behavior can be changed using the new "Download software updates from Policy Manager" policy setting.

Available options:

Never - client always downloads updates directly from the Internet.
Always - use Policy Manager as the only source for software updates.
If possible (default) - use Policy Manager first, then fallback to vendor's site if PM is unavailable or unable to provide the update, e.g. Policy Manager fails to download itself because vendor's site is unreachable, link is broken, etc.

Maximum cache size is configurable from the Console > Tools > Server configuration > Software updates dialog. 10GB is the default value.

To monitor downloaded and distributed software updates traffic the related indicator introduced to Policy Manager section of the Summary page. Statistics can be reset, and reset time is shown as the item's tooltip.

Notes:

When the client tries to download update from the Server, the Server checks if the origin server is listed in the DB. If origin server is unknown, the Server responds to the client with code 409, which means that the request cannot be served right now due to temporary issues (for example - Server’s and client’s databases got out of sync) and should be repeated during the next polling session.
The same code 409 is returned to the client if the limit of 50 concurrent downloads is reached. NB: this pool of 50 parallel downloads is shared between policy-based upgrade installation packages, update DBs and update packages.
When the Server gets to the point of serving the update to the client, it looks for the requested update in updates cache: the downloaded updates are named using SHA256 (encoded with HEX) of their download URL to avoid name conflicts, and if the update is there, it’s provided to the client along with HTTP code 200.
In case if the requested update cannot be found in the updates cache, the Server responds to the client with HTTP code 202 and starts, if not yet started, downloading the update from the origin server. To the client code 202 means that the update is on its way, and should be requested again during next polling session. When the Server starts downloading update from the Internet it creates a file with “downloading” extension added to the normal filename, and when the downloading is finished, the extension is removed. The files with “downloading” extension are deleted on each Server start to clean up broken downloads.
When connecting to vendors' sites the Server first try to use HTTP proxies from the Automatic Update Agent configuration file, and if unsuccessful, falls back to the direct connection. For now only basic authentication is supported.
During the downloading the Server may encounter an error (like origin server's internal error or error writing to a file), which make it respond to the client with code 410. This code means that the Server cannot serve this update, and the client should try to download it directly from the vendor site, as previously.
Maximum cache size may be temporarily exceeded by the size of the last downloaded update. When this happens the Server removes as many of the oldest updates as needed to go below the limit again. In addition to this routine there’s also a periodic one, which removes updates older than 1 week (modifiable using swup.cache.ttl.downloadEntries system property). Such a short time-to-live was chosen because some vendors reuse URLs for different updates.
Negative responses - with code 410 - are also cached, but their lifespan is much shorter – only 1 hour (modifiable using swup.cache.ttl.failedToDownloadEntries system property). This caching is done to avoid unnecessary repeated connections to the origin servers, which have just returned errors 404 or 500.
The path to updates cache is '<Program Files>\F-Secure\Management Server 5\data\swup\updates' on Windows and '/var/opt/f-secure/fspms/data/swup/updates' on Linux. It is safe to remove update files, if really needed, to clean up the cache.