The Update Manager Download Server must be isolated from direct connection to Internet public patch repositories by a proxy server.

From VMware vCenter Server Version 5 Security Technical Implementation Guide

Part of ESXi5-432

Associated with: CCI-000366

SV-51426r1_rule The Update Manager Download Server must be isolated from direct connection to Internet public patch repositories by a proxy server.

Vulnerability discussion

In a typical deployment, the Update Manager Download Server connects to public patch repositories on the Internet to download patches. This connection must be restricted as much as possible to prevent access from the outside to the Update Manager Download Server. Any direct channel to the Internet represents a threat.

Check content

If the Update Manager Download Server does not connect to the Internet to source vendor patches, this check is not applicable.

Verify there is a Web proxy between Update Manager Download Server and the Internet. Check the proxy settings for the Update Manager Download Server to ensure correct configuration.

To verify proxy settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Proxy Settings pane, select properties and view the proxy information.

If a web proxy between Update Manager Download Server and the Internet is not configured, this is a finding.

Fix text

If the Update Manager Download Server does not connect to the Internet to source vendor patches, no fix is required.

To configure proxy settings, from the vSphere Client/vCenter Server system, click Update Manager under Solutions and Applications. On the Configuration tab, under Settings, click Download Settings. In the Proxy Settings pane, select Use proxy and change the proxy information.

Optional: If the proxy requires authentication, select Proxy requires authentication and provide a user name and password.

Optional: Click Test Connection at any time to test that a connection to the Internet through the proxy is possible.

Click Apply.
