Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Create a transparent local software update server OS X Server
This is a way to transparently set up a server to cache software updates on your local network. This doesn't require any modifications (defaults write...) on clients -- it just works. And I didn't find any other similar solution on the internet; not even here! It does require Mac OS X Server, however. Here's how we did it:
  1. Build a Mac OS X Server and call it yoursus. We used a headless Mac mini to do the job.
  2. You must use external DNS servers on this server (so it won't check itself for updates).
  3. Add a record for your server on your internal DNS, so yoursus.yourdomain.com resolves to your SUS's IP.
  4. Start Software Update Server (SUS). It may take some time to cache all updates -- our /usr/share/swupd/html/ folder now has almost 9GB of files in it!
  5. Start Web Service, and add following redirect (Server Admin » Web » Sites » default » Edit » Aliases » URL Aliases and Redirects » Add » Redirect):
    • Pattern: /content/catalogs/index-1.sucatalog
    • Path: http://yoursus.yourdomain.com:8088/index.sucatalog
  6. Add a zone in your internal DNS, called swscan.apple.com, and point the whole subdomain to the IP of your SUS.
  7. Flush your DNS cache on the clients: lookupd -flushcache
Now test your setup. Using Safari, following this link to Apple's catalog on your SUS should show Apple's real catalog (ApplePostURL should start with swquery.apple.com), while the same on other computers in your network should resolve and be forwarded to your SUS, http://yoursus.yourdomain.com:8088/index.sucatalog (ApplePostURL will start with yoursus.yourdomain.com:8088 this time).

Now just run Software Update on the clients, and enjoy the speed of downloads!

The only downside of this setup is the mini complaining in system.log that it has no reverse DNS entry for itself. To be honest, I didn't have much time to think how to set it up without extra hardware; I just happened to have a spare mini for this purpose. Maybe there's a way to have the DNS and SUS running on one server, perhaps via two IP addresses and tweaking of config files. I also didn't test it much with Panther clients; it possibly needs different redirects for that. Comments welcomed. Happy updating!

Warning: I emphasized using internal DNS so you won't propagate Apple's own zone to the outside world. I warned you and don't bear any responsibility for your bringing Apple's update servers down! I can't provide you with more details, as our DNS runs on Windows.

[robg adds: I haven't tested this one...]
    •    
  • Currently 3.28 / 5
  You rated: 4 / 5 (18 votes cast)
 
[111,649 views]  

Create a transparent local software update server | 45 comments | Create New Account
Click here to return to the 'Create a transparent local software update server' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Create a transparent local software update server
Authored by: mojosan on Oct 10, '07 08:51:32AM

Setting up a local software update server for Macs is a great idea and well worth it. I have a slightly different (and I think simpler) method, though YMMV.

You still need a machine with Mac OS X Server (sorry) setup on a static ip address with the Software Update Server turned on (part of Mac OS X Server). Ideally you have your own DNS server so that you can map a DNS name to the IP address of this machine (for convenience).

The next step is to download "Software Update Client Configuration" from versiontracker.com or macupdate.com. This is a little program you run on each client machine which allows you to either temporarily (which is what we use) or permanently change the address of the software update server that the client gets its updates from (note... you have to press the "Save" button once you've entered in your temporary server address or this doesn't work) and then click the "Open Software Update" button. We use "temporarily" so that when our users our at home they can run software updates directly with Apple's servers (which is fine with us). You may choose to manage this differently.

Software update then runs normally but downloads updates available on the local server instead of Apple's server.

The advantages of this are 1) speed (it's a beautiful thing watching these updates download over 100Mb or Gigabit ethernet) 2) saves bandwidth on your WAN as you only have to download the updates once from Apple to your SU Server and 3) it only installs the updates that you have made available on your updates server.

We've been using this for about a year and it works beautifully, fabulously, flawlessly. Great solution.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: TvE on Oct 10, '07 10:46:21AM

I like the original idea a lot better - try your model in an organization with thousand of clients…



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Oct 12, '07 02:06:13AM

I appreciate all your comments, although I must say only few people understand my solution so I will emphasise what matters this time again:

This doesn't require any modifications on clients.

Most of the solutions suggested were already described in many places, for example here at macosxhints: 10.4: Manually add a Tiger Software Update Server

I agree that using e.g. defaults write com.apple.SoftwareUpdate CatalogURL "http://yoursus.yourdomain.com:8088/" is more simple. But let me think about some case studies:

  1. If i had the server at home and a few macs, I would use defaults (or a freeware) - even on laptops, because the client seems to fall back to Apple's servers when it can't find local SUS.
  2. Without a server, the suggested Squid proxy solution seems to be fine, although I would save hassle if I had just three home macs.
  3. In a company with twenty macs, I would also use defaults, perhaps wrapped into an AppleScript and sent around in a mail, or using Remote Admin and its feature Send UNIX command as current user.
  4. Yes, the right way to do it is with Open Directory. And yes, if you have 3000 clients, you gotta have it.
  5. But we're a service centre where most of the client computers belong to customers, so we don't want to modify their and want to save our traffic. That's why we invested into the server software and one mini to do the job. If you are an internet cafe or have a lot of guests in general, you might profit, too. I can see in the log it does about ten updates a day, most of them worth ~300MB - the updates are downloaded from local SUS in cca one minute.

Yes, this is actually a DNS hack, but what I like is that the setup is very simple. Just the server, one Redirect and one zone on internal DNS. When I'm not that busy, I will try to find a solution without spare server, as DNS can listen on more IP addresses.



[ Reply to This | # ]
Brilliant!... 10.6 Server update:
Authored by: paullyjay on Oct 29, '09 10:59:23AM

OK, I have this up and running on 10.6.1 server now...

Follow all the steps from the top post... (Great post BTW)
then also add 2 more redirects:

pattern: /content/catalogs/others/index-leopard.merged-1.sucatalog
path: http://yourserver.yourdomain.com:8088/index-leopard.merged-1.sucatalog

pattern: /content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
path: http://yourserver.yourdomain.com:8088/index-leopard-snowleopard.merged-1.sucatalog

Then instead of using: lookupd -flushcache

use: dscacheutil -flushcache on the client

Now try running software update on the client computer...



[ Reply to This | # ]
Brilliant!... 10.6 Server update:
Authored by: _Tom on Sep 20, '10 03:21:26PM

Truly a great hack, thanks for that. Thought I would add that I have it up and running on Server 10.5.8, and it's happily serving updates to clients using 10.4, 10.5 and 10.6 (haven't tested older ones).

I wanted to share some troubleshooting I did regarding the message:

<Error>: Unable to download upstream catalog index (was looking for http://swscan.apple.com/content/meta/mirror-config-1.plist

I was getting this after I had the SUS up and running. I'm not entirely sure what causes it but it's not related to the DNS hack (I was careful to configure my services stepwise). There are several posts at discussions.apple.com relating to it with no real solution.

As it happens, in order to get Leopard server to serve Snow Leopard clients, I had to modify mirror-config-1.plist and put it on my local drive anyway. Although I reflected this change in swupd.plist, I couldn't get SUS to load the file from the local path (same error as above -- not sure if it was a permissions problem). Obviously the URL http://mySUS.mydomain.com:8088/content/meta/mirror-config-1.plist doesn't resolve from the server since it's using my ISP's DNS, so my solution was to just chuck mirror-config-1.plist on an external website and update swupd.plist so it looks there. Since doing that I haven't had a problem.

Thought I'd share in case anyone else ran into this.

Once again many thanks for the brilliant tip. I love it. We have many computers, most of which aren't administrated by me, and limited bandwidth, so doing this transparently was exactly what I needed.

Cheers,

Tom



[ Reply to This | # ]
Brilliant!... 10.6 Server update:
Authored by: _Tom on Sep 23, '11 09:26:04PM
Alright, I now also have 10.5.8 Server sending out updates to Lion clients!

Added:

http://swscan.apple.com/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog

to mirror-config-1.plist

Left it for 24 hours to download updates and propagate the catalogs, then redirected

index-lion-snowleopard-leopard.merged-1.sucatalog

to

/usr/share/swupd/html/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog.apple

Thanks again to the original poster for the great tip!

[ Reply to This | # ]
Create a transparent local software update server
Authored by: pauldy on Oct 10, '07 11:26:01AM

Might try a simple entry in /etc/hosts to fix the issue with reverse dns. Of course this may have the side effect of pointing the server to itself for updates.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Oct 12, '07 02:09:24AM

Cheers, yes it helpded. And no it doesn't check on itself, because it has external DNS so it bypasses the hacked DNS.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Oct 12, '07 05:20:13AM

Actually, it didn't because it checks for DNS reverse record, not in FF (flat files). I might just run a DNS service there as I don't like cluttered logs (needles to say, this log helped us once to determine when the server crashed as the DNS error appears every 30 minutes).



[ Reply to This | # ]
Create a transparent local software update server
Authored by: allanmarcus on Oct 10, '07 11:48:42AM
I'm the primary Mac admin at the Los Alamos National Lab. We have over 3000 Macs and we run our own update server. Actually, we test on a Mac OS X Server, then we have a number of XServes with round robin DNS running Mac OS X client and personal web sharing to serve up the actual updates.

To have the clients connect to our server and not Apples, we execute the following:

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://ourserver.lanl.gov/

The documentroot of the apache servers point to the dir with all the updates. Works great.

If you image machines, you just make the change in the image. If you manually build machines, you just all the defaults write command to your check list. In our cast, we have a hardening tool that secures the Macs, and defaults command is in there.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: marook on Oct 10, '07 11:56:55AM

3000 Mac's and you don't use OD??? WOW!
See my post below.. ;-)

---
/Marook



[ Reply to This | # ]
Create a transparent local software update server
Authored by: marook on Oct 10, '07 11:52:50AM

Hi All,

Ok, the right way to do this, is via the Open Directory on your server.
Here is what to do:

1: Setup a Mac OS X Server, and make sure it resolves to correctly back and forth.
That means: name.domain.tld should resolve to the static IP you have given it, and the IP should resolve to the hostname. You can use the internal DNS server to do this.

2: Make the server an Open Directory Master.
(Without this, you can't puch preferences to the clients)

3: Start the SUS.

4: In Workgroup Manager, make a Computer List, and add the Mac's you want this to happen to, to the list. Set the SUS preference for this list, to you own server.
A shame it's not possible to set this kind of thing in the Guest Computers list.

Ofcource, the DNS 'hack' above would mean every computer on the network will use your SUS, as long as you make sure to puch them the right DNS server via DHCP - but this method is the 'correct' way to do it.

Hope it helps,

---
/Marook



[ Reply to This | # ]
Create a transparent local software update server
Authored by: pexner on Oct 10, '07 12:19:35PM

I'm using "a poor man's SUS" almost every day. Here's how:

I'm doing consulting and service at clients sites. And when I have to update the client's machines, I just plug my PowerBook into their network and start my customised Squid (proxy).
I am using Squidman (Mac OS X GUI for squid), made some changes to the default cachesize, increased the maximum file size to 300MB and the cachedir to 3GB. That's all.

On the client machines I just change the ProxySettings to MyPowerBook.local:8080 and off we go!

On a fast LAN it's a pleasure to see how fast it goes.

And I can even profit from my own Squid if I have to update my own PowerBook. I just change my own Proxy Setting to localhost:8080 and whoooosh! :)

OK - it needs a manual change in every client machine, but it's still faster than updating without a SUS.

By the way: No problem to fast-update Windows machines the same way... It just works! :)



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Oct 12, '07 05:57:33AM

this is smart - i've been thinking about the same, having all updates with me when going onsite! although i was planning to setup my apache to do it - swupd is just another apache server.



[ Reply to This | # ]
Sofware update enabler
Authored by: kholburn on Oct 10, '07 02:50:41PM
We used this application http://www.wiretapped.net/~proton/suenabler/index.html to point Software update on a mac to a different server.

This is much more flexible.

[ Reply to This | # ]
Create a transparent local software update server
Authored by: foilpan on Oct 10, '07 04:17:35PM
this is a great tip, but i'm left wondering why administrators allow their desktops to download updates in the first place. wouldn't it be easier to push out the package files on a schedule?

better yet, what about using radmind?

[ Reply to This | # ]

Create a transparent local software update server
Authored by: hellermd98 on Oct 11, '07 03:06:09AM

Most of our users have standard privileges, not administrative privileges.

Is there a way to allow a standard privilege user to run the "Software Update …" without knowing an administrative user's credentials? That is, how can a standard user perform a software update while keeping an administrative account's secret? If the standard user had the user name and password combination for an administrative account to run software update, then s/he could install anything on her/his software.

Thanks in advance for any suggestions!



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Oct 12, '07 02:15:42AM

changing suid of the app should help. i haven't tested it tho:

sudo chmod -R u+s /System/Library/CoreServices/Software Update.app

[ Reply to This | # ]
Another advantage of this method
Authored by: amontgomerie on Oct 13, '07 12:28:46AM

Thanks for sharing that trick. I have 70 users with laptops that are set to update from our local SUS. They all complain that they can't update when they take their computers home. This method will fix that.



[ Reply to This | # ]
Make it work for 10.3 & 10.2 also
Authored by: aaronfreimark on Oct 24, '07 01:56:24PM

The hint above is fantastic. Unfortunately, it breaks Software Update for 10.2 and 10.3. This is because the Software Update Server 10.4 only caches local copies of 10.4 software updates.

To keep the above functionality, but to pass 10.2 and 10.3 requests to Apple, add the following lines to your httpd config file, which probably lives at /etc/httpd/sites/0000_any_80_.conf.


        <IfModule mod_proxy.c>
                ProxyRequests Off
                ProxyPass /scanningpoints/scanningpointX.xml http://swscan.apple.com/scanningpoints/scanningpointX.xml
        </IfModule>


[ Reply to This | # ]
...and something for 10.5
Authored by: chrisfriend on Oct 27, '07 09:15:01PM
Since there are no software updates (yet) for 10.5, and it's possible to serve updates to clients on other OSes, here's a tip for those on an older server with users running Leopard. (I used the below hint to serve application updates to a Leopard client from a Tiger Server.)

Similar to the original hint from zpjet, adding an additional Redirect entry will cover the new URL for Leopard updates:

Pattern: /catalogs/others/index-leopard.merged-1.sucatalog
Path: http://yoursus.yourdomain.com:8088/index.sucatalog

Please note that this simply points Leopard to the same catalog as everyone else. I'm sure there are likely to be implications beyond missing OS updates that I can't forsee, but it's working great for the time being, where no such updates are around to be missed.

I'd like to thank everyone else who provided the hints and tweaks above -- you've allowed the transition of my home LAN to Leopard to go much, much, much faster and more simply than I would have imagined.

[ Reply to This | # ]
Create a transparent local software update server
Authored by: brycec on Dec 12, '07 10:24:13AM
Small update to this... I was having issues with my Leopard giving me the File Not Found error when trying to pull this. Turns out, at least according to the Apache error logs that Software Update is looking for
/content/catalogs/others/index-leopard.merged-1.sucatalog
(note the /content). Thanks for the handy tip!

[ Reply to This | # ]
Create a transparent local software update server
Authored by: el doctor on Mar 25, '08 09:44:03AM
Very usefull hint for our repair center, but I'm using Mac OS 10.5 Server and with this hint, the Software Update Service won't work anymore because it asks to the same server as clients and the DNS redirect the requests to the server himself. The workaround is again a Web redirection for the server requests. The idea is to redirect the server request to the official Apple Software Server with its IP adress. So, you just have to add those RedirectMatch to your default Web site as you did in the first post :

/content/meta/mirror-config-1.plist
to
http://17.250.248.95/content/meta/mirror-config-1.plist

/content/catalogs/index.sucatalog
to
http://17.250.248.95/content/catalogs/index.sucatalog

/content/catalogs/others/index-windows-1.sucatalog
to http://17.250.248.95/content/catalogs/others/index-windows-1.sucatalog

Now, your server is downloading the updates from Apple and the clients are updating them transparently with the joy of speed!

[ Reply to This | # ]
Create a transparent local software update server
Authored by: jasonthat on Jul 12, '09 12:27:19PM

Hi el doctor

Do you know if these "RedirectMatch" entries (for having the the server not point to itself) which has to be added on the "Default Web site" - do they still apply to Leopard 10.5.7 (both my server and clients are on Leopard 10.5.7) or has it changed?

The 3rd step mentioned in the instructions about creating a new record for this server - Does SUS really have to be on a separate/standalone server doing only Software update. I am right now testing it on our existing OD Master but it is not our DNS server. Any issues with this?

Anyone else reading this thread, please do feel free to comment on this.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: zpjet on Sep 15, '09 04:09:22AM

i've just run DNS on the same server. or you could put external DNS in your TCP/IP config



[ Reply to This | # ]
Create a transparent local software update server
Authored by: uruguayuploder on Oct 21, '09 05:18:16AM

This is a great post!!!.
I have like 30 macs in my environment and 60 windows pcs.
Im running WindowsSUS successfuly for about a year and i tought "this can be done to mac too".
So i installed like 3 month ago an OS X Server 10.4 in an old emac. Redirecting all the machines to the sus server manually was not the best option for me so when this post appeared on google saying that this could be done transparently i feel that this was going to be the right solution.
Well, i couldnt get this to work and i beg you for help.
First i started the Update Service and mirrored all the updates.
2. I started the Web service, enable the default site and added to the redirect:

Pattern: /content/catalogs/index-1.sucatalog
Path: http://yoursus.yourdomain.com:8088/index.sucatalog

Pattern: /content/catalogs/others/index-leopard.merged-1.sucatalog
Path: http://yoursus.yourdomain.com:8088/index.sucatalog
I added this line to serve the leopard updates.

3. Added a zone in myinternal DNS wich swscan.apple.com,swquery.apple.com, swcdn.apple.com, are pointing to 152.146.224.249 (my sus).

Thats all the settings i made.
When the mac clients now go to update, the progress bar is stopped almost inmediatley and after a few minutes it says it cant found something. So I think the redirect is working.

Something that i noticed is that in the updates service in the server has 0 updates and 0 mirrored now, and cant connect to apple. I think its looking the updates to himself.

Can you help me?
i hope this post isnt dead



[ Reply to This | # ]
Create a transparent local software update server
Authored by: paullyjay on Oct 29, '09 10:55:15AM

OK, I have this up and running on 10.6.1 server now...

Follow all the steps from the top post... (Great post BTW)
then also add 2 more redirects:

pattern: /content/catalogs/others/index-leopard.merged-1.sucatalog
path: http://yourserver.yourdomain.com:8088/index-leopard.merged-1.sucatalog

pattern: /content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
path: http://yourserver.yourdomain.com:8088/index-leopard-snowleopard.merged-1.sucatalog

Then instead of using: lookupd -flushcache

use: dscacheutil -flushcache on the client

Now try running software update on the client computer...



[ Reply to This | # ]
Create a transparent local software update server
Authored by: gajones on Dec 09, '09 08:27:16AM

I am also using Snow Leopard Server (10.6.2)

Could you share with us exactly how you entered your DNS and redirect settings?

As far as I can see I have everything set up correctly. All 3 catalog files resolve to the local server when entered in a client browser, yet the client machines do not find any updates (and yes the software update service is started, updates downloaded and enabled).



[ Reply to This | # ]
Create a transparent local software update server
Authored by: gajones on Dec 10, '09 05:07:32AM

I tested on several other machines today, and suddenly it works fine. Go figure....



[ Reply to This | # ]
Create a transparent local software update server
Authored by: Vince02 on Jan 19, '10 02:29:55AM

Hello ,
I follow all instructions and i can't update my client . When i start sus from my client i get the message , Your software is up to date' . But when i go to system message on console i have several errors :
- Msg Id Software Update (1124) : " Can't instantiate distribution from http://MySus.local:8088/content/downloads/.."
If you can help me .....

Thx



[ Reply to This | # ]
Create a transparent local software update server
Authored by: filipp on Nov 11, '09 02:39:28AM

A great tip, thanks for sharing!



[ Reply to This | # ]
Create a transparent local software update server
Authored by: JLG on Jan 07, '10 09:59:01AM

You don't really need all the redirects in the web service. The standard caveat applies to be sure your Mac OS X Server is not using itself for DNS; otherwise, you'll never get any new updates in the Software Update service. All your clients, though, must be using your Mac OS X Server for DNS; otherwise, they'll always hit Apple's update server instead of yours.

1. Set up Mac OS X Server, and enable the Software Update, Web, and DNS services.
2. In the DNS service, add a master zone named "swscan.apple.com." (with the trailing dot!)
3. Create an A (machine) record that maps "swscan.apple.com." (with the trailing dot!) to the IP of your Mac OS X Server.
4. Create two CNAME (alias) records that point "swcdn.apple.com." and "swquery.apple.com." to "swscan.apple.com." (with the trailing dots!)
5. In a terminal window, run the following script to create all the necessary directories and symlinks:

# Create required directory for 10.5.x/10.6.x catalogs
sudo mkdir /usr/share/swupd/html/content/catalogs/others/
# Add symlink for 10.6.x updates
sudo ln -s /usr/share/swupd/html/content/catalogs/index.sucatalog /usr/share/swupd/html/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
# Add symlink for 10.5.x updates
sudo ln -s /usr/share/swupd/html/content/catalogs/index.sucatalog /usr/share/swupd/html/content/catalogs/others/index-leopard.merged-1.sucatalog
# Add symlink for 10.4.x updates
sudo ln -s /usr/share/swupd/html/content/catalogs/index.sucatalog /usr/share/swupd/html/content/catalogs/index-1.sucatalog
# Add swupd symlink to default webserver directory
sudo ln -s /usr/share/swupd/html/content /Library/WebServer/Documents/content
# Add symlink for stats engine
sudo ln -s /usr/share/swupd/cgi-bin/SoftwareUpdateServerStats /Library/WebServer/Documents/WebObjects/SoftwareUpdatesStats
Edited on Jan 07, '10 10:01:26AM by JLG


[ Reply to This | # ]
Create a transparent local software update server
Authored by: JLG on Jan 11, '10 10:46:58AM

Minor correction: The CNAME entries won't work properly, because they're not in the swscan.apple.com zone...so, you should ignore step 4 and, instead, repeat steps 2 and 3 for the other two hostnames (swcdn.apple.com. and swquery.apple.com.).



[ Reply to This | # ]
Create a transparent local software update server
Authored by: Marshmallow on Apr 13, '10 02:58:40PM

I have been following these steps to create a transparent local software update server, but it's not quite working right. Here are the steps I've taken:

1. Downloaded http://swscan.apple.com/content/meta/mirror-config-1.plist and copied it to /usr/share/swupd/html/content/meta/mirror-config-1.plist

2. Changed it to:

<key>PrimaryCatalog</key>
<string>http://swscan.apple.com/content/catalogs/index.sucatalog</string>
<key>CatalogsList</key>
<array>
<string>http://swscan.apple.com/content/catalogs/index.sucatalog</string>
<string>http://swscan.apple.com/content/catalogs/others/index-leopard.merged-1.sucatalog</string>
<string>http://swscan.apple.com/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog</string>
</array>

3. Edited /etc/swupd/swupd.plist and changed the metaIndexURL entry to:

<key>metaIndexURL</key>
<string>http://mysus.mydomain.com:8088/content/meta/mirror-config-1.plist</string>
<key>portToUse</key>

4. Changed my *internal* DNS to point to swscan.apple.com, swcdn.apple.com, and swquery.apple.com to mysus.mydomain.com server at IP address 10.1.0.136.
* Verified connectivity by pinging these URLs from other computers and getting responses back from 10.1.0.136,
* and by surfing to http://swscan.apple.com:8088/index.sucatalog and pulling up my server's index.sucatalog page

5. Set mysus.mydomain.com's DNS to an *external* DNS server
* Added my local (internal) servers to the /etc/hosts file so it could communicate with them internally (Active Directory, Exchange, etc.)
* Verified it connects to the correct Apple servers both by pinging and by downloading the latest updates

6. After it generated the local catalog files, I added these symlinks:

cd /usr/share/swupd/html
ln -s /usr/share/swupd/html/content/catalogs/index.sucatalog
ln -s /usr/share/swupd/html/content/catalogs/others/index-leopard.merged-1.sucatalog
ln -s /usr/share/swupd/html/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog

7. Started Web Service, and added the following redirects:

Pattern: /content/catalogs/index-1.sucatalog
Path: http://mysus.mydomain.com:8088/index.sucatalog

pattern: /content/catalogs/others/index-leopard.merged-1.sucatalog
path: http://mysus.mydomain.com:8088/index-leopard.merged-1.sucatalog

pattern: /content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
path: http://mysus.mydomain.com:8088/index-leopard-snowleopard.merged-1.sucatalog

I am still not able to download updates to my workstations. When I try to check for updates, I get the message "Software Update can't check for updates because of a network problem." However, I can ping it, get the correct local IP using nslookup, and I can navigate to http://mysus.mydomain.com:8088/index.sucatalog.

So I've done a bit more poking around, and I found Apple.com's index.sucatalog file lists the URLs as http://swcdn.apple.com/content/downloads/etc… while my server's index.sucatalog file lists the URLs as http://mydomain.com:8088/content/downloads/etc… The URL is for the wrong server. My server should list the URLs as http://MYSUS.mydomain.com:8088/content/downloads/etc… I am clueless as to why my server lists the URLs incorrectly, and I don't know how to fix it. But, since the index.catalog file is pointing to the wrong server, I'm pretty sure this is the issue.

Does anybody have any suggestions? Ideas? Comments? Please help. My company has very limited T1 bandwidth (we are extremely rural), and the Apple updates just overwhelm us. My server is 10.5.8, mixed Windows/Mac network.

Thank you.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: Marshmallow on Apr 14, '10 10:22:11AM

I've done a bit more testing, and the hostname missing from the FQDN is NOT the issue causing the network connection errors. (I corrected the FQDN in the *.sucatalog files, entered CLI command "defaults writes ..." to point my workstation to my server, and it was able to find the updates.

However, I also tested to see if it made any difference on my workstation whether the default writes CatalogURL pointed to http://mysus.mydomain.com:8088/index-leopard-snowleopard.merged-1.sucatalog or http://swscan.apple.com:8088/index-leopard-snowleopard.merged-1.sucatalog, and it does not. My workstation finds *my* server regardless of whichever FQDN I write to CatalogURL.

So, any ideas about why my workstations are unable to connect to my server without the defaults writes command? I don't believe it's a DNS issue because either FQDN works when using the CatalogURL, but I am at a loss as to what else to check.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: Marshmallow on Apr 16, '10 11:57:18AM

After much screaming and cursing at the digital gods, I finally figured this out. Here is my solution:

I checked my web server settings. The default web server IP address was set to "any" and listed * (wildcard) for the IP address. I changed the IP address to my machine's address (10.1.0.136), stopped and restarted web services, stopped and restarted SUS services, and it worked.

I hope this information helps anyone else who may face this problem in the future.



[ Reply to This | # ]
Lion Update
Authored by: zpjet on Jul 21, '11 07:54:27AM

It doesn't look that there will be a SWUS in Lion Server at all, but my colleagues bugged me to enable Lion updates as fresh Lion usually needs at least Java runtime to run older apps, so I added this one more redirect to Web server:

/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog

redirects to

http://17.250.248.95//content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog

That way Lion updates are read from Apple's servers.



[ Reply to This | # ]
Lion Update
Authored by: BiL Castine on May 15, '12 06:35:51AM
Software Update is a part of Lion server, however you need to download the 10.7.x Server Admin Tools to configure it.

[ Reply to This | # ]
Create a transparent local software update server
Authored by: installghost on Dec 08, '11 01:08:52PM
Does anybody know how to perform step 5 on Lion Server? Server Admin no longer has that functionality and it will need to be done via some conf file I assume but I don't know which one.
---
[URL="http://www.backuposx.co"]Backup OS X[/URL] - For the Preservation of Metadata
Edited on Dec 08, '11 01:09:21PM by installghost


[ Reply to This | # ]
Create a transparent local software update server
Authored by: fkick on Jan 13, '12 02:12:06PM

Hi All,

I'm currently running a mini server with 10.6.8 running on it, with a variety of snow leopard and lion clients.

I've followed all the steps (I believe) and software update is pulling the catalog files from my SUS, however I've noticed the clients are still downloading from apple's servers (specifically a184-28-32-224.deploy.akamaitechnologies.com) rather then the mac mini. Do I need to setup a DNS zone for deploy.akamaitechnologies.com as well?

Thanks!



[ Reply to This | # ]
Create a transparent local software update server
Authored by: fkick on Jan 13, '12 02:31:04PM

Hi All,

I figured out my issue. While all the clients were checking my SUS for the catalog files, they were pulling the actual downloads from Apple still. I needed to create a dns zone for swdownload.apple.com and point that to my sus' IP to ensure all the downloads came from the sus. I then edited my host file to point swdownload.apple.com to 17.250.248.91 so my sus could still download the proper updates.

Thanks!



[ Reply to This | # ]
Mountain Lion update
Authored by: zpjet on Aug 30, '12 04:36:36AM

As an original author of this hint, I feel I should add an update for Mountain Lion.

It turns out that ML does updates via the same swscan.apple.com but using HTTPS.

Managing OS X: Mountain Lion and Software Update

So far it looks like it's the end of this hack. You would have to have signed certificate to swscan.apple.com which is impossible. Self-signed one won't work - that's why Apple used HTTPS in the first place to protect user against fake software updates.

I don't see you could also combine to server older updates and sending new to Apple because software updates via IP address won't work either. If only Apple used another server but it looks it's using the same swscan.apple.com - the only way I see using a proxy server inbetween clients and SWUS.

Pity, I had fun setting this up a couple of times but I also appreciate Apple's attempts to protect against malware.



[ Reply to This | # ]
Mountain Lion update
Authored by: _Tom on Sep 24, '12 05:59:58AM

What a shame. This was incredibly useful for me in an environment containing ~10 client computers, most of which were also used on other networks. I wonder if there's another solution.



[ Reply to This | # ]
Mountain Lion update
Authored by: zpjet on Sep 24, '12 06:39:05AM

If the clients have "defaults" modification, they will try to use the local SWUS and if they won't find it, then they will fail-over to Apple's SWUS.

So if the clients are "yours" - eg people working for your company do the BYOD or sometimes take work machines home - it's not that serious issue. Just do defaults.

Or write a little Automator or AppleScript to flip the switch. Or use one of the freebie system preferences.

The original setup was the best solution for something like Apple repair shop (which it actually was, AASP in North London I worked a few years), where you wouldn't like to modify users' machines at all but still loved the convenience of SWUS.



[ Reply to This | # ]
Create a transparent local software update server
Authored by: fkick on Dec 07, '12 06:36:04PM

Thanks to a software update today, Server X 2.2 (mountain lion) can now act as a transparent update server for snow leopard, lion, and mountain lion clients. To get it up and working for 10.6 and 10.7 clients, simply configure the dns and hosts files as you would have on a server running those OS files. The new "Caching" feature of Server 2.2 takes care of the rest for the mountain lion clients, as it caches all Software Updates (and APP STORE Downloads) for computers on the same network (as long as they share an external IP under NAT). While you lose the ability to enable/disable updates directly for 10.8.2 clients unless you set them up as managed users, this does work as a sort of transparent update server for them.



[ Reply to This | # ]