You can configure the Update Manager server to download patches and extensions for ESXi hosts either from the Internet or from a shared repository of UMDS data. You can also import patches and extensions for ESXi hosts manually from a ZIP file.
If your deployment system is connected to the Internet, you can use the default settings and links for downloading upgrades, patches, and extensions to the Update Manager repository. You can also add URL addresses to download third-party patches and extensions. Third-party patches and extensions are applicable only to hosts that are running ESXi 6.0 and later.
Downloading host patches from the VMware website is a secure process.
Patches are cryptographically signed with the VMware private keys. Before you try to install a patch on a host, the host verifies the signature. This signature enforces the end-to-end protection of the patch itself, and can also address any concerns about patch download.
Update Manager downloads patch metadata and patch binaries over SSL connections. Update Manager downloads the patch metadata and patch binaries only after verifying both the validity of the SSL certificates and the common name in the certificates. The common name in the certificates must match the names of the servers from which Update Manager downloads the patches.
If your deployment system is not connected to the Internet, you can use a shared repository after downloading the upgrades, patches, and extensions by using Update Manager Download Service (UMDS).
For more information about UMDS, see Installing, Setting Up, and Using Update Manager Download Service.
Changing the download source from a shared repository to the Internet, and the reverse, is a change in the Update Manager configuration. The two options are mutually exclusive. You cannot download updates from the Internet and a shared repository at the same time. To download new data, you must run the VMware vSphere Update Manager Download task.
If the VMware vSphere Update Manager Update Download task runs when you apply the new configuration settings, the task continues to use the old settings until it finishes. The next time the task to download updates starts, it uses the new settings.
With Update Manager, you can import both VMware and third-party patches or extensions manually from a ZIP file, also called an offline bundle. Import of offline bundles is supported only for hosts that are running ESXi 6.0 and later. You download the offline bundle ZIP files from the Internet or copy them from a media drive, and save them on a local or a shared network drive. You can import the patches or extensions to the Update Manager patch repository later. You can download offline bundles from the VMware Web site or from the Web sites of third-party vendors.
You can use offline bundles for host patching operations only. You cannot use third-party offline bundles or offline bundles that you generated from custom VIB sets for host upgrade from ESXi 6.0 and ESXi 6.5 to ESXi 6.7.
Offline bundles contain one metadata.zip file, one or more VIB files, and, optionally, two .xml files: index.xml and vendor-index.xml.
When you import an offline bundle to the Update Manager patch repository, Update Manager extracts the bundle and checks whether the metadata.zip file has already been imported. If the metadata.zip file has never been imported, Update Manager performs sanity testing and imports the files successfully. After you confirm the import, Update Manager saves the files to the Update Manager database and copies the metadata.zip file, the VIBs, and the .xml files, if available, to the Update Manager patch repository.