You can configure vSphere Lifecycle Manager to download software updates for ESXi hosts either from the Internet or from a shared repository of UMDS data.
vSphere Lifecycle Manager downloads only the metadata and not the actual binary payload of the updates. Downloading the metadata saves disk space and network bandwidth. The availability of regularly updated metadata in the vSphere Lifecycle Manager depot lets you perform compliance checks on hosts at any time.
Whatever the download source, vSphere Lifecycle Manager downloads the following types of information:
- Metadata about all ESXi 6.x updates regardless of whether you have hosts of such versions in your environment.
- Metadata about all ESXi 7.x updates regardless of whether you have hosts of such versions in your environment.
- Patch recalls for ESXi 6.x hosts.
vSphere Lifecycle Manager supports the recall of patches for hosts that are running ESXi 6.5 or later. A patch is recalled when it has problems or potential issues. After you scan the hosts in your environment, vSphere Lifecycle Manager alerts you if the recalled patch has been installed on any host. Recalled patches cannot be installed on hosts with vSphere Lifecycle Manager. vSphere Lifecycle Manager deletes all the recalled patches from the vSphere Lifecycle Manager depot. After a patch that fixes the problem is released, vSphere Lifecycle Manager downloads the new patch to its depot. If you have already installed the problematic patch, vSphere Lifecycle Manager notifies you that a fix is available and prompts you to apply the new patch.
Downloading host patches from the VMware website is a secure process.
- Patches are cryptographically signed with the VMware private keys. Before you try to install a patch on a host, the host verifies the signature. This signature enforces the end-to-end protection of the patch itself and can also address any concerns about downloading the patch.
- vSphere Lifecycle Manager downloads the patch metadata and patch binaries over SSL connections. vSphere Lifecycle Manager verifies both the validity of the SSL certificates and the common name in the certificates. The common name in the certificates must match the names of the servers from which vSphere Lifecycle Manager downloads the patches. vSphere Lifecycle Manager downloads the patch metadata and binaries only after successful verification of the SSL certificates.
If your deployment system is connected to the Internet, you can use the default settings and links for downloading updates to the vSphere Lifecycle Manager depot. You can also add URL addresses to download third-party software, for example drivers.
If your deployment system is not connected to the Internet, you can use a shared repository after downloading the upgrades, patches, and extensions by using Update Manager Download Service (UMDS).
For more information about UMDS, see Installing, Setting Up, and Using Update Manager Download Service.
The default configuration is for the vSphere Lifecycle Manager to download information directly from the Internet. However, you can change the download source at any time. Changing the download source from a shared repository to the Internet and the reverse is a change in the vSphere Lifecycle Manager configuration. The two options are mutually exclusive. You cannot download updates from the Internet and a shared repository at the same time.
By default, vSphere Lifecycle Manager is configured to use the official VMware online depot as a download source. When you deploy vCenter Server, synchronization to the official VMware depot is triggered automatically. When you change the default download source, synchronization to the new download source is not triggered automatically. The synchronization task runs as per its schedule. To download new data, you must run the VMware vSphere Update Manager Download task or trigger synchronization manually.
The VMware vSphere Update Manager Download task is a scheduled task that runs at regular intervals. You can change the schedule, and you can also trigger the VMware vSphere Update Manager Download task independently of its schedule.
If the VMware vSphere Update Manager Download task is running when you apply the new configuration settings, the task continues to use the old settings until it finishes. The next time the download task starts, vSphere Lifecycle Manager uses the new settings.
Using a Proxy Server
Starting with vSphere 7.0, you cannot configure vSphere Lifecycle Manager to use a proxy server on its own. vSphere Lifecycle Manager uses the proxy settings of thevCenter Server instance where it runs.
In vSphere 6.7 and earlier, you can configure the proxy settings for Update Manager and use a proxy server to download updates metadata from the Internet.