Patch/hotfix updates
Answers
-
We are in control of both our Citrix servers for Empower/LIMS and the network we have. So any servers/client PCs that are installed with qualified software have the Windows auto-update option turned off. If there is a major service pack for Windows (such as XP Service Pack 3), we will install it only when we need to install other Empower-related patches/fixes. Our Citrix servers are behind a firewall and used for the intranet only, so security is not a big concern. If your company is publishing a Citrix server for Internet access, then you may want to install the Citrix server in a VMware server and isolate the Citrix/VMware server from the other parts of the corporate network for security.
0 -
...or do as we do: perform a yearly update of the servers. Both Windows and Empower patches, IQ, OQ and back to live business. For us, this creates about 4 hours of downtime, including a full backup before the patching.
We are taking the risk of not patching all the time, but have not had any problems with this in the last 15 years.
Usually not a problem if your corporate network is behind a firewall and the servers are not "surfing the web".
- kjbu
0 -
Our IS department pushes out Windows patches monthly to our servers (Empower 2 DB and Citrix servers with Empower 2 client) and LAC/E's. Our SOP is to run the Empower AQT on one Citrix server and one LAC/E. Our Citrix servers were built and configured the same, and all of our LAC/E's were built and configured the same. The LAC/E's are all the same make and model PC (we built our own). Therefore we felt it was necessary to only run the AQT on each "type" of system. Yes, there is some risk in this, but it is one we are willing to take.
0 -
So here is how we handle this. In general, all machines are patched with security-relevant and hardware-dependent patches every 3 months. We're using NetChk Protect from Shavlik Technologies, which enables us to keep track of the actual daily, risk-rated patches, and it can report which ones are missing per machine. Furthermore, the deployment can be scheduled for the systems' off times. Each machine type, i.e. database, raw data and terminal servers as well as the LAC/E's, has been installed by cloning the definite, well-documented installation for each type with the Altiris Rapid Deployment solution. Before the rollout, the change is verified for each machine type on a special Q-system, which is not productive, with an AQT and a small usability test, which is part of the change approval. After approval for the identical machines of the Q-system, the rollout for the productive systems is scheduled for the next early Monday morning.
0