Frequently Asked Questions
Adding Preferred Servers

A preferred server is a machine hosting a file share. As such, it minimally requires the following:
- Disk space for staged files for clients to download. This differs for patches and applications, as follows:
  - For patches, the actual space required varies depending on the variety of operating systems and applications on client machines discovered by patch scanning. Note that if you patch macOS clients, their OS updates can be large. Ivanti recommends 100GB disk space.
  - For App Distribution, the actual space required depends on the downloads defined for applications. Automatic synchronization of App Distribution is not supported, although you may manually stage apps on preferred servers.
- Support for the protocol required for download (HTTPS, SMB)
  - SMB protocol is enabled on Windows by default. See Preferred Server security recommendations.
  - For HTTPS downloads, a web server will be required to be installed or enabled (such as IIS).

Yes, it can be a standard file share over conventional Windows file sharing. Specify `file:` as the download protocol in the URL field.
For example: file://myserver.ivantosi.org/myshare.

Preferred servers do not download anything. Client endpoints download from preferred servers, and sync engines push to preferred servers. Naturally, a preferred server needs to be open for inbound connections on the protocol you specify for download in the URL field.
Example: For HTTPS, TCP port 443 needs to be open. Sync engines upload to preferred servers over SMB, which uses TCP port 445 by default.

Use the following formats:
- file://ivantosi-srv/myshare
- https://myserver/myshare
- http://myserver/myshare

A Read Credential is used by client endpoints when downloading from a preferred server. For security, you should give only read privilege to the account authenticated by the Read Credential for the directory shared as a preferred server.
A Write Credential is used by sync engines when uploading to a preferred server or deleting files on it. An account authenticated by a Write Credential must have write privilege to the directory shared as a preferred server, and in the permissions of the share itself.

Use the following formats:
- \\myserver\myshare (UNC format)
- smb://myserver/myshare

Not supported. This control is removed.

Not supported. This control is removed.

In the case of read creds (which are optional), endpoints using the preferred server in their Agent Settings will attempt to download from the preferred server without using read creds. If the preferred server requires authentication, endpoints fail to download from it and continue trying other download sources as configured in their Agent Settings.
The write creds are used only by sync engines.

No, as long as you assign Read permissions to the “Everyone” group on the share, and on the directory being shared.

It depends on the internet bandwidth available to the client endpoints for downloading patches and apps versus the cost of keeping a file server running on your LAN.
Ivanti recommends not using preferred servers in locations where a small number of clients share a high-speed connection (internet bandwidth / # of clients > 1Mb/s).
Assuming the LAN bandwidth available to a client endpoint is high (such as a fully-switched GB Ethernet), consider at least one preferred server for every 2,500 endpoints.
If you have subnets separated by firewalls, each with a substantial number of clients, consider setting up a preferred server on each subnet to reduce traffic flowing through firewalls.
Consider redundancy. Agent Settings allows you to define an ordered list of preferred servers to use, so that if one becomes unavailable, endpoints will fail over to another preferred server before failing over to direct internet download.

Yes. You can remove that preferred server selection from Agent Settings.
You cannot delete a preferred server that is in use by any IP range or sync engine configuration without first removing it from those IP ranges and/or sync engine configurations.

No, endpoints will download directly from the vendor if necessary, even when peer downloading is not enabled. The endpoints will attempt downloads in the following order:
- Peer endpoints, if enabled.
- If the above failed or was disabled, then Preferred servers, if enabled.
- If the above failed or were disabled, then direct from the vendor, via the Internet.
Adding IP addresses

No. An endpoint will always use the first IP range it finds that includes one of its bound IP addresses, but if there are multiple such ranges, you cannot control the order in which the endpoint evaluates them.

IP ranges cannot be reordered, but their order of evaluation is not guaranteed anyway.
Creating Sync Engine Configurations

A sync engine is a capability that you enable on an agent, much like engines that carry out other Neurons features on endpoints. It downloads vendor files and uploads them to preferred servers. It also deletes expired files from preferred servers. Sync engines are governed by rules describing what files are desired on preferred servers, and for how long. Rules are maintained automatically by Neurons features like Patch Management that require large amounts of downloaded content.

A sync engine runs four times per day. It can also be triggered manually by the command line.

There is no hard limit, but use a small number, because sync engines should be connected by a high speed LAN to their assigned preferred servers, or even run on the same machine hosting preferred server shares.

It is not recommended. You could, but this assumes that preferred servers always get identical file rules. Mostly, the rules are identical across preferred servers for Patch Management, but it’s not necessarily so.
It is important to know that a Sync Engine downloads like any other engine, so it too can download from one preferred server while it is uploading to another, much like a replicating file system.
Syncing Content

Patch and App Distribution. Agent and engine updates are not supported for automatic syncing, and the dynamic nature of these updates makes them poor candidates for manual syncing.

Yes.

Errors can range from name resolution to authentication to lost connections to disk space. In general, they are network and file system errors.

A sync engine only manages content on preferred servers explicitly listed in the Preferred Server Sync configuration, named in its policy. When you create a new preferred server, it will not be automatically synced until you add it to the configuration of a sync engine on its network.

A sync engine runs four times per day. It can be triggered manually by the command line. Also, you can manually drop a file onto a preferred server any time, as long as you know the full path and file name it must have.
General Questions

ACL the directory of the file share, and the share itself, to allow writes only by admins and a service account associated with your Write Credentials. You can similarly lock down the ACLs for reading only by the Read Credentials, but there are no secrets kept on a preferred server. They are publicly available installer files.
Do not use a domain admin account for Write Credentials, even temporarily. This is contrary to the Principle of Least Privilege and more privilege than a sync engine requires.
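
One way to apply these recommendations on a Windows file server, as an added example that is not Ivanti's own script. The path, share name and the two service-account names are hypothetical, and the Domain Admins check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: least-privilege share for a preferred server.
# Every name below is an assumption (hypothetical), not a value from Ivanti.
$Path         = 'D:\PreferredServer'       # directory to share
$ShareName    = 'myshare'
$WriteAccount = 'IVANTOSI\svc-ps-write'    # account behind the Write Credential
$ReadAccount  = 'IVANTOSI\svc-ps-read'     # account behind the Read Credential
$Admins       = 'BUILTIN\Administrators'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS ACL: stop inheriting from the parent, then grant each role only what it needs.
# Explicit entries already present on an existing directory are kept; review them.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, discard inherited entries
$grants = [ordered]@{
    'NT AUTHORITY\SYSTEM' = 'FullControl'
    $Admins               = 'FullControl'
    $WriteAccount         = 'Modify'          # sync engine uploads and deletes files
    $ReadAccount          = 'ReadAndExecute'  # endpoints only download
}
foreach ($identity in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $grants[$identity], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share permissions must allow the same access: both layers apply to SMB clients.
New-SmbShare -Name $ShareName -Path $Path -FullAccess $Admins `
    -ChangeAccess $WriteAccount -ReadAccess $ReadAccount | Out-Null

# Audit: any account other than admins or the write account holding Change/Full is a finding.
$findings = Get-SmbShareAccess -Name $ShareName | Where-Object {
    "$($_.AccessControlType)" -eq 'Allow' -and
    "$($_.AccessRight)" -in 'Full', 'Change' -and
    $_.AccountName -notin $Admins, $WriteAccount
}
$findings | Format-Table AccountName, AccessRight

# The Write Credential must not be a domain admin (requires the ActiveDirectory module).
$sam = $WriteAccount.Split('\')[1]
if (Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object SamAccountName -eq $sam) {
    Write-Warning "$WriteAccount is a member of Domain Admins; use a dedicated service account."
}
```

The audit portion can be rerun on its own against an existing share to confirm that no extra account has gained write access since the share was created.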

Perform a directory listing of the preferred server share.

Yes, if the file rules say that a given file should be there and it isn’t – for any reason – the sync engine will upload it. Sync engines run four times per day.

Sync engines download and upload whole files. There is no delta-patching. A sync engine does evaluate each file individually and does not download/upload files as collections.