Software Update server

Question

Level 2

165 points

Software Update server

Hi,
Should I change any settings on my Macbooks in order for the Software Update to work? All settings seem fine in Server admin, and I log in ok from my Macbook, but when I run SU it gives me a network error and offers to have me check Network Diagnostics. I have a working internet connection, and am talking to my server! Any advice? Thank you.

2Ghz MacBook Pro, Dual Core PowerMac, Mac OS X (10.4.5)

Posted on Sep 22, 2007 8:55 AM

Reply

Answer 1

MrHoffman

Level 10

145,789 points

Sep 22, 2007 12:01 PM in response to Gwyn Plem

I'd guess that the clients either don't have the update server name set correctly, or there's a firewall or such blocking the traffic, or there's an issue somewhere in the IP path between Software Update on the client and on the server.

Check the client update log and see if there's anything useful listed; on the client access System Preferences, Software Update, Installed Updates, Open as Log File and have a look.

Though you've certainly seen this, here are the details on setting up and managing Software Update Service on the server:

http://manuals.info.apple.com/en/SystemImage_and_SW_Updatev10.4.pdf

And here's what is needed on the client:

http://docs.info.apple.com/article.html?artnum=305584

And some random related reading:

http://www.macosxhints.com/article.php?story=20060516093639166
http://www.afp548.com/forum/viewtopic.php?showtopic=11795

Reply

Answer 2

MrHoffman

Level 10

145,789 points

Sep 23, 2007 9:10 AM in response to Gwyn Plem

Mac OS X Server provides a local cache of updates. It's the client that reaches out to Apple or to the server to fetch its updates.

If the sequences shown in the articles I linked didn't work (eg: clearing the setting and reverting back to Apple software update with "defaults delete com.apple.SoftwareUpdate CatalogURL" and/or "sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL" in http://docs.info.apple.com/article.html?artnum=305584), there's something (else) (fundamentally) wrong within the client or server, or within the local network context betwixt client and server.

Within the context of the network, this could easily be a firewall or a router somewhere; either an explicit IP block, or an issue with subnet routing (eg: trying to access a .local address past a router, or another disconnection), or otherwise.

Tools such as ping are your friend here. I might well try that, as well as using the network utility tool, and probing the server ports and the network from the client. And tests, and a look at the logs on both ends. And if you get a chance, take another look at the setup and troubleshooting links that were posted earlier, as there might be something flagged there -- you're closer to the network and the server and the clients than I or others might be.

Reply

Answer 3

Gwyn Plem Author

Level 2

165 points

Sep 22, 2007 4:04 PM in response to Community User

thank you both for your replies. I have not started the firewall service - as I am running behind a router. Does a router firewall internal connections? Never thought of that! I will try asap - and report back. Once again - thank you very much.

Reply

Answer 4

Sep 22, 2007 7:27 PM in response to Gwyn Plem

Gwyn,

I've been a couple of times in a similar situation as you and the only solution i found was to stop SU and start it again, in some cases i had to do it 2 or 3 times.... go figure:)

sudo swupdctl start
sudo swupdctl stop
this will start/stop from command line

Reply

Answer 5

MrHoffman

Level 10

145,789 points

Sep 22, 2007 8:10 PM in response to Gwyn Plem

I do not know if Mac OS X Server starts up the firewall by default, but it would not surprise me. It would be appropriate to do so. Within the local networks I manage -- regardless of the intended level of security or the presence of a network firewall -- the Mac firewalls stay raised. Yes, even inside the local network. The requisite ports are opened as needed.

Routers may or may not be firewalls. If you have an external (dedicated) firewall, it is probably configured to allow traffic on the LAN side, and to filter traffic traversing between WAN (Internet) and LAN.

Reply

Answer 6

Gwyn Plem Author

Level 2

165 points

Sep 23, 2007 3:51 AM in response to Community User

Roger Smith7 wrote:

defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CatalogURL http://<yourserver>:8088/

Thanks, but this did not work. My error message reads "A networking error has occured: timed out (-1001). Make sure you can connect to the internet, then try again."

I am unsure if the error lies on the Server or Client side.

One thing - how do I get SU to look on Apple's server once again. I can't now update when logged in to the mac itself, rather than the server!!!

Thanks again!

Reply

Answer 7

MrHoffman

Level 10

145,789 points

Sep 23, 2007 9:39 AM in response to Gwyn Plem

Direct ping to the standard ICMP port; use the default port. It's here used as an IP connectivity tool within this network. (I'd not expect ping to work directly against the SU port; the SU port is unlikely to understand an incoming ICMP request, nor to respond appropriately.)

Network Utility can look for open ports; you can port-scan a whole range to see what's open. The SU host should be reachable from the client, and the SU port should be open.

Reply

Answer 8

Gwyn Plem Author

Level 2

165 points

Sep 26, 2007 12:39 AM in response to MrHoffman

Hi, I have over the last few days struggled to get this working - but to no avail. I just get the network error described earlier. Also when I try to reset default - that doesn't work - instead I get this message -
macmini5:~ gwynp$ sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL
2007-09-26 08:30:12.491 defaults[223]
There is no (CatalogURL) default for the (com.apple.SoftwareUpdate) domain.
Defaults have not been changed.
macmini5:~ gwynp$

If you have any ideas please - I would appreciate them!

Also - If you could tolerate me trying to do a step-by-step of my procedure - could you scan that and just make sure nothing obvious has been left out -
1) In Server Admin - Turn on SU - and I choose to mirror.
2) In Workgroup manager - I chose the Groups tab (have since tried individually, and on computers) and applied in the preference section that the SU server is http://testserver.test.com:8088/
3) Logged on as client - initially as a member of the "class" group, and tried SU - no luck!
4) Logged on as someone with admin authority on same computer and tried "sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://testserver.test.com:8088/"
5) tried SU - no luck! I tried starting and stopping SU a few times as suggested but this does not work -
macmini5:~ gwynp$ sudo swupdctl start
Password:
sudo: swupdctl: command not found
macmini5:~ gwynp$

Is there a glaring obvious mistake here? I must point out that everything else seems to work as desired otherwise with the server. Thank you.

Reply

Answer 9

MrHoffman

Level 10

145,789 points

Sep 26, 2007 10:25 AM in response to Gwyn Plem

Do you have connectivity -- does a standard ping work -- between the client and the server?

Is the server firewall set to pass update requests (port 8088)? And (for the purposes of local maintenance and network upkeep) ping requests that arrive from the local network?

If you enter http://testserver.test.com:8088/ into your web browser on the client, do you see anything? And if that fails, does http://testserver.test.com/ work on the client?

Did you try both of the default commands I showed? I see references to one, but not to the other.

Reply

Answer 10

Gwyn Plem Author

Level 2

165 points

Sep 26, 2007 4:00 PM in response to Community User

Roger Smith7 wrote:
When I set up my update server a few weeks ago, I got the latest list from the Server Admin window, selected the updates that I wanted to have and wanted to share, made sure that port 8080 was open on my firewall and started the service. It took a while for the updates to all download from Apple.

Hi, Thanks very much for all you help here. I will try your advice asap tomorrow. One thing I do note - that I did wonder about. When I select SU on the server, it populates a list of 165 (i think at last count) items from apple. I deselected the pro-apps etc that we don't own at school, and started the service. i did tick both mirror options. Should I have seen any download progress bar or anything like that? I did not see the server actually downloading the updates from apple. Should I? I am confident that the server can reach the apple SU server - as it updated itself to Mac OS x Server 10.4.10 (was that the last revision) the other day. But I did expect it to be downloading all those updates to itself....

Reply

Answer 11

MrHoffman

Level 10

145,789 points

Sep 26, 2007 7:04 PM in response to Gwyn Plem

Ok, so you've launched Server Admin, and looked at what's in the Software Update log file, and what Updates are now present under the Settings entry... You've some number of entries there -- locally, I see 169 Updates present under the Settings tab.

Now fire up the web browser on a malcontent client box and enter the same URL the clients use to reach your server, though entered directly into your web browser, and you now should see some number of cryptically-named entries listed there, too. This through the path the clients use to access Software Update on your server.

Reply

Answer 12

Gwyn Plem Author

Level 2

165 points

Sep 27, 2007 1:23 AM in response to MrHoffman

ok - it is a connectivity issue. When I ping testserver.test.com great I get a response (which is what I had previously done - forgetting th 8088) - but http://testserver.test.com:8088/ gives me:

ping: cannot resolve http://testserver.test.com:8088/: Unknown host.

I have set the firewall on the server to allow all traffic for the purpose of this problem, and also I have tried with the firewall not started! The main router should allow port 8088 on internal traffic - correct?

If port 8088 is a problem - could I maybe change ports to a less problematic one? As I can see and ping the server - there are obviously ports open (sorry - might be a stupid sentece - am I showing my ignorance here!!)?

Interestingly - I can ping testserver.test.com, but testserver.test.com/ and http://testserver.test.com does not ping. Is this of concern? Thanks as always for you time.

Reply

Answer 13

MrHoffman

Level 10

145,789 points

Sep 27, 2007 1:24 PM in response to Gwyn Plem

If you can +ping testserver.test.com+ then you have established baseline connectivity. You're now done with ping -- at least for now.

And FWIW, ping is not applicable to testserver.test.com:8088 nor to anything with an http or other URL (URI) prefix.

Next up here: access http://testserver.test.com:8088/ from a web browser on a client that is seeing to perform Software Update from the server's cache of updates.

If this fails, verify your "main router", and verify your firewall settings for this port on the server. And see if the port is actually open using the Network Utility.

Your "main router" is something you'll simply have to investigate locally, as these devices can be set up to do whatever is required. This could involve port or content or other filtering. I know of folks using firewalls as their "main routers", and I know of Cisco and other similar routers that get very involved in reachability, in private networks, and that look at and process protocols and ports.

That ping gets to the host implies that port is open from end to end. Hence the request to investigate the browser-level path mentioned earlier.

I'd approach this empirically. I'd not start moving ports around as a first step. Not until I'd tested for and figured out why the default port was failing, and found no way around using the default port.

Reply

Answer 14

Sep 22, 2007 3:15 PM in response to Gwyn Plem

On the server, you should make sure that port 8088 is open in it's firewall (that's the port SUS runs on). The client machines need to know what server to contact to get the updates:

defaults write /Library/Preferences/com.apple.SoftwareUpdate.plist CatalogURL http://<yourserver>:8088/

where <yourserver> is changed to your server's name or address. This should be run as root, so sudo as needed.

Roger

Reply

Answer 15

Gwyn Plem Author

Level 2

165 points

Sep 23, 2007 9:27 AM in response to MrHoffman

Thanks very much for your advice. I shall try pinging etc - Do I therefore ping http://testserver.test.com:8088? Sorry - and thanks!

Reply