How to allow Windows (OS) Updates / Patches to be applied on a Neverfail Passive server using an Additional / Management IP

Summary

This article describes how to configure a Neverfail Passive server (usually the Secondary and Tertiary) so that Windows (OS) patches or hotfixes can be applied over an additional (management) IP.

More Information

Neverfail's unique architecture, based on cloned servers, requires that the Public (Production) IP on the Passive server be blocked and hidden from the network. This is done by the Neverfail Packet Filter component. However, an additional IP can be configured so that a machine in Passive mode can download and apply Windows patches. It is recommended that all servers in a Neverfail cluster be configured with an additional IP, so that if a server becomes Passive (following a switchover or failover) it can still download and apply Windows patches.

Procedure

Before implementing this procedure, ensure that the Windows Automatic Update feature is configured so that Updates/Patches are NOT applied automatically. It is acceptable to allow the updates to be downloaded automatically.
Note: It is assumed that the Additional (management) IPs of both Primary and Secondary servers can route traffic to the Internet and are able to reach microsoft.com.
1. On the Secondary (Passive) server, open a command prompt using 'Run As Administrator' and change the directory to 'C:\Program Files\Neverfail\R2\Bin'.
2. Run the following command to open port 53 (for DNS resolution) in the Neverfail Packet Filter. Do not add a space after any comma in the list of port numbers.

nfpktfltr SetPortFilters 135,137,138,139,389,42,1512,5355

3. Launch Windows Update, download and install the patches or hotfixes, but DO NOT reboot the server if instructed to do so.
4. Shut down Neverfail Engine from its Advanced Management Client, or stop the Neverfail Engine service from the Windows Services console.
5. Reboot the Secondary server, if prompted at step 2, to complete the installation of the OS patches or hotfixes.
6. Once the server comes back from the reboot, verify that all patches and hotfixes were installed properly.
7. Also on the Secondary (Passive) server, re-launch Windows Update and check for any further updates that may be required. If additional updates are required, repeat steps 2 to 6.

To configure the Primary server with the same capability for the times when that machine will be in Passive mode, perform a switchover using the MakeActive button in the Neverfail Advanced Management Client and repeat steps 1 to 7 while Primary is Passive.
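
The pre-condition check and steps 1 and 2 above can be scripted. The following PowerShell is an added example, not Neverfail's own tooling; it uses the path, command and port list from this article. It assumes that the list passed to SetPortFilters names the ports that remain filtered (which is why 53 is absent), that the update setting is delivered by Group Policy, and that Resolve-DnsName is available (Windows Server 2012 or later).

```powershell
# Added example: pre-flight check plus steps 1 and 2 of the procedure.
# Run in an elevated PowerShell session on the Passive server.
$ErrorActionPreference = 'Stop'

# Path and port list are taken from the article.
$binDir = 'C:\Program Files\Neverfail\R2\Bin'
$ports  = 135,137,138,139,389,42,1512,5355

# Pre-condition: updates must NOT be installed automatically.
# AUOptions = 4 is the Windows Update policy value for
# "auto download and schedule the install".
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($null -eq $au -or $null -eq $au.AUOptions) {
    Write-Warning 'No Windows Update policy found; confirm the local setting by hand.'
} elseif ($au.AUOptions -eq 4) {
    throw 'Automatic install is enabled (AUOptions=4). Change it before continuing.'
}

# Assumption: the list names the ports that stay filtered, so 53 must be absent
# for DNS resolution to work on the Passive server.
if ($ports -contains 53) { throw 'Port 53 is in the filter list; DNS would stay blocked.' }

# Join with commas only: the article warns against a space after any comma.
$portArg = $ports -join ','
if ($portArg -match '\s') { throw 'Port list contains whitespace.' }

# Steps 1 and 2: change to the Neverfail bin directory and set the port filters.
Set-Location -Path $binDir
& .\nfpktfltr SetPortFilters $portArg
Write-Host "nfpktfltr exit code: $LASTEXITCODE"

# Verify that DNS now resolves from this server before launching Windows Update.
try {
    Resolve-DnsName -Name 'microsoft.com' -Type A | Out-Null
    Write-Host 'DNS resolution works; continue with step 3 (Windows Update).'
} catch {
    Write-Warning "DNS lookup failed: $($_.Exception.Message)"
}
```

If the DNS check fails, confirm that the Additional (management) IP has a route to the Internet before retrying Windows Update.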

Applies To

Neverfail Continuity Engine

Related Information

None 