Private P2P Software Distribution Technology

Overview

To optimize bandwidth efficiency during third-party software patching and deployment, Action1 leverages an advanced peer-to-peer (P2P) file-sharing technology, which seamlessly distributes updates across endpoints within the same network. This proprietary P2P approach allows Action1 agents to download software setup files in segments, distributing them among local endpoints until each receives the full update. For instance, when two endpoints require an update for 7-Zip, the second endpoint retrieves the update directly from the first endpoint’s cache through P2P sharing, reducing external bandwidth utilization.

Unlike other solutions, Action1 eliminates the need for dedicated on-premises file distribution servers or appliances. Every Action1 agent acts as a fully autonomous distribution node, ensuring a robust software deployment or patching process without a single point of failure.

This technology makes Action1 a bandwidth-efficient, cloud-native solution for streamlined software deployment and patching.

Required configuration settings

Private P2P file sharing is enabled by default for built-in software packages, so you do not need to take any additional steps to activate it when configuring the automated software deployment:

[Screenshot: selecting the target architecture and Office 365 edition]

However, to ensure proper P2P functioning, a specific firewall configuration is required: ports 22551 (TCP) and 6771 (TCP and UDP) should be open for local-only inbound and outbound connections on the endpoints. The Action1 agent creates local firewall rules automatically.

NOTE: Make sure that the firewall rules are created, as your network infrastructure settings might override this configuration.
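
One way to carry out this check on a Windows endpoint, as an added PowerShell example that is not part of Action1's documentation or tooling: it lists the enabled inbound rules in the effective firewall policy that name ports 22551/TCP and 6771/TCP+UDP, then warns about missing, blocking, or non-local allow rules. It assumes the built-in NetSecurity cmdlets and matches on ports rather than rule names, because the page does not give the names of the rules the agent creates.

```powershell
# Added example (not Action1 code): audit the effective Windows Firewall policy
# for the P2P ports named on this page. Run elevated on a managed endpoint.
$required = @(
    @{ Protocol = 'TCP'; Port = 22551 }
    @{ Protocol = 'TCP'; Port = 6771 }
    @{ Protocol = 'UDP'; Port = 6771 }
)

# True when a LocalPort value ('6771', '6000-7000', or a list of these) names $Port.
# Catch-all 'Any' entries are deliberately not counted as a match.
function Test-PortListed([object]$LocalPort, [int]$Port) {
    foreach ($entry in @($LocalPort)) {
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

# ActiveStore is the merged policy actually in force, so rules pushed by Group
# Policy that override the agent's local rules show up here as well.
$inbound = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound

$findings = foreach ($rule in $inbound) {
    $pf = $rule | Get-NetFirewallPortFilter
    foreach ($req in $required) {
        if ("$($pf.Protocol)" -ne $req.Protocol) { continue }
        if (-not (Test-PortListed $pf.LocalPort $req.Port)) { continue }
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Port   = '{0}/{1}' -f $req.Port, $req.Protocol
            Rule   = $rule.DisplayName
            Action = "$($rule.Action)"
            Remote = @($af.RemoteAddress) -join ','
        }
    }
}
$findings | Sort-Object Port, Action | Format-Table -AutoSize

foreach ($req in $required) {
    $key   = '{0}/{1}' -f $req.Port, $req.Protocol
    $hits  = @($findings | Where-Object { $_.Port -eq $key })
    $allow = @($hits | Where-Object { $_.Action -eq 'Allow' })
    if (-not $allow) { Write-Warning "${key}: no enabled inbound allow rule names this port" }
    if ($hits | Where-Object { $_.Action -eq 'Block' }) { Write-Warning "${key}: an inbound block rule names this port" }
    if ($allow | Where-Object { $_.Remote -eq 'Any' }) { Write-Warning "${key}: allow rule is not limited to local addresses" }
}
```

The script covers only the host firewall; network ACLs or switch-level client isolation between endpoints on the same subnet have to be checked separately.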

The figure below illustrates the network connections and data flow across Action1 infrastructure:

[Figure: network connections and data flow across the Action1 infrastructure]

Action1’s cloud infrastructure is hosted by Amazon Web Services (AWS), with data centers located in the USA, Germany, and Australia.

NOTE: If your organization must comply with specific data privacy regulations that limit data storage to other regions, contact technical support to discuss your requirements.

If inbound communication between agents on the local network is restricted, these agents will not be able to exchange downloaded file segments locally.

NOTE: If you want to disable local P2P sharing, you can block the relevant ports on the managed endpoints. However, be aware that in this scenario, agents will need to download the entire file from the cloud each time, which may impact bandwidth efficiency.

How it works

When the Action1 agent needs to download an application for installation or update, it first searches for other Action1 agents (“peers”) on the local network that have already downloaded parts of the application setup package. To identify these peers, the agent uses Local Peer Discovery technology.

If no other peers on the same LAN have downloaded the package, the agent will retrieve it from the Action1 cloud servers, making it available to other peers.

This works as follows:

  1. The software setup file is divided into smaller chunks to facilitate a dependable incremental exchange between peer agents.
  2. The Action1 agent starts downloading the file chunks, using the most reliable source for each download. For third-party software update setups, the downloads occur from the content delivery network (CDN), which consists of a geographically distributed network of servers. This network caches content close to end users, enabling rapid transfer of the assets necessary for loading the content.

NOTE: Windows updates are downloaded from Microsoft servers. For distributing these updates, Action1 relies on Microsoft’s Windows Update Delivery Optimization technology. We recommend reviewing your current Update Delivery Optimization configuration and making adjustments as necessary. For more information on setting up delivery optimization for Windows, refer to Microsoft’s documentation.

  3. Multiple agents download the file chunks simultaneously.
  4. Each agent maintains a temporary local cache of all downloaded files.
  5. The agent shares information about the downloaded chunks across the local network. Other agents in the local subnet can connect to it for downloading. The agents start downloading package chunks from their peers as the chunks become available.

    To optimize network bandwidth, Action1 manages the number of agents that can concurrently download the same package from the CDN. The Action1 server determines which agents will download from the CDN and which will remain on standby to download from their peers within the local subnet. For instance, if a subnet contains 200 Action1 agents, only the designated ones will initiate the download from the cloud, while the remaining agents will retrieve the file from their peers.

  6. Each peer then reconstructs the original file by assembling the downloaded chunks like a puzzle and verifies the file’s integrity to ensure consistency.

Is there a way to designate specific endpoints to download from peers or the cloud, without sharing with others?

Currently, this process is fully automated. To prevent an endpoint from P2P sharing, you can block the necessary ports. However, the agent on that endpoint will then download entire files from the cloud, which increases the load on the internet connection.

Configuring P2P sharing for custom software packages

As noted above, P2P sharing is enabled by default for the built-in packages stored in the Action1 Software Repository. To enable this functionality for custom packages, you need to select the corresponding option when configuring the package.
In the version properties of the package you are setting up, you will be prompted to configure the binary settings and specify the location to point to the Windows installer.
Select Private P2P distribution via Action1 Cloud and specify the package file:

[Screenshot: specifying the general properties of the package version]

With this option selected, you will benefit from the Action1 technologies without requiring additional effort:

  • Uploading to Action1 Cloud allows for the installation to remote endpoints that are not connected to a corporate LAN.
  • The P2P functionality helps you to reduce external bandwidth usage.