You can configure the Update Manager server to download patches and extensions for ESXi hosts or upgrades for virtual appliances either from the Internet or from a shared repository of UMDS data. You can also import patches and extensions for ESXi hosts manually from a ZIP file.
If your deployment system is connected to the Internet, you can use the default settings and links for downloading upgrades, patches, and extensions to the Update Manager repository. You can also add URL addresses to download virtual appliance upgrades or third-party patches and extensions. Third-party patches and extensions are applicable only to hosts that are running ESXi 5.0 and later.
Downloading host patches from the VMware Web site is a secure process.
Patches are cryptographically signed with the VMware private keys. Before you try to install a patch on a host, the host verifies the signature. This signature enforces the end-to-end protection of the patch itself, and can also address any concerns about patch download.
Update Manager downloads patch metadata and patch binaries over SSL connections. Update Manager downloads patch metadata and patch binaries only after verification of both the validity of the SSL certificates and the common name in the certificates. The common name in the certificates must match the names of the servers from which Update Manager downloads patches.
If your deployment system is not connected to the Internet, you can use a shared repository after downloading the upgrades, patches, and extensions by using Update Manager Download Service (UMDS).
For more information about UMDS, see Installing, Setting Up, and Using Update Manager Download Service.
Changing the download source from a shared repository to Internet, and the reverse, is a change in the Update Manager configuration. Both options are mutually exclusive. You cannot download updates from the Internet and a shared repository at the same time. To download new data, you must run the VMware vSphere Update Manager Download task. You can start the task by clicking the Download Now button at the bottom of the Download Sources pane.
If the VMware vSphere Update Manager Update Download task is running when you apply the new configuration settings, the task continues to use the old settings until it completes. The next time the task to download updates starts, it uses the new settings.
With Update Manager, you can import both VMware and third-party patches or extensions manually from a ZIP file, also called an offline bundle. Import of offline bundles is supported only for hosts that are running ESXi 5.0 and later. You download the offline bundle ZIP files from the Internet or copy them from a media drive, and save them on a local or a shared network drive. You can import the patches or extensions to the Update Manager patch repository later. You can download offline bundles from the VMware Web site or from the Web sites of third-party vendors.
You can use offline bundles for host patching operations only. You cannot use third-party offline bundles or offline bundles that you generated from custom VIB sets for host upgrade from ESXi 5.5.x and ESXi 6.0.x to ESXi 6.5.
Offline bundles contain one metadata.zip file, one or more VIB files, and optionally two .xml files, index.xml and vendor-index.xml. When you import an offline bundle to the Update Manager patch repository, Update Manager extracts it and checks whether the metadata.zip file has already been imported. If the metadata.zip file has never been imported, Update Manager performs sanity testing, and imports the files successfully. After you confirm the import, Update Manager saves the files into the Update Manager database and copies the metadata.zip file, the VIBs, and the .xml files, if available, into the Update Manager patch repository.