WSUS Question

I work with a company that has basically told me to research setting up a WSUS server at our office and having all our clients connect to this server to get their updates. From what I have read you can have one WSUS server on site and have the second WSUS server offsite connected by VPN. Is it possible to just set up one server off site and have the clients connect to it without using a VPN? I am using WSUS 2.0. They also want to have office updates located on the server for our clients to update from.

Any suggestions would be appreciated.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

helms20

According to the deployment guide under the disconnected networks section it says you have to have one on the network to export from.

royal

What I would do is have 2 WSUS servers, one at each location. Wherever the WSUS administrator would be, I would configure that WSUS server to download updates from the Windows Updates Server and have that administrator approve updates on that server. I would then configure your 2nd WSUS server to pull the accepted updates from the other WSUS server so you only have to approve updates from one server. Have that 2nd WSUS server also download WSUS updates from the Windows Updates. Configure Group Policy to configure all your clients to download updates from the local WSUS server in their location. Hopefully this helps. There's some really good information at www.wsuswiki.com

This also of course depends on your infrastructure and security policies. For example, if you are using a DMZ and are required to have all publicly accessible systems in the DMZ, then I would have a dedicated WSUS DMZ server and have an internal WSUS server pulling updates from the DMZ server. There are many things you can do, and that wsuswiki site is an excellent resource for WSUS related stuff.

DDread

Thanks for the replies. I was actually thinking about going with the two server idea but our clients are at different locations so I wasn't sure if it would work. I guess we could have a server at each location and that server would connect to the server at our office. I will do some research on the site you gave me. They told me about researching this one Thursday and said they would like to have the information by next Friday. Looks like there will be lots of late nights.

Thanks again for you help.

royal

Let me explain it in a better manner:

Lets say you have 2 locations: Chicago and New York. The WSUS Administrator is located in Chicago.

Chicago Site:
Server CHIWSUS
Administrator approves updates on CHIWSUS
CHIWSUS downloads updates from Windows Update Servers
Group Policy is configured so clients in Chicago connect to CHIWSUS to download updates. These clients will only download approved updates.

New York Site:
Server NYCWSUS
NYCWSUS automatically finds out what updates are approved for installation by talking to the CHIWSUS server
NYCWSUS downloads updates from Windows Update Servers
Group Policy is configured so clients in New York connect to NYCWSUS to download updates. These clients will only download approved updates.

So in essence, you have the 2 WSUS servers. Both servers will synchronized based on the time schedule you provide. When Chicago synchronizes, it will download updates based on what you settings you specify (locale, Operating System, etc.). The administrator will then choose which updates will actually be marked as approved updates which means they will be rolled out to clients/workstations (whichever systems are configured to use your WSUS server to download updates).

You would configure your WSUS server in New York so when it synchronizes, it will contact the Chicago server automatically and check Chicago's approved update list. This means that you will ONLY have to approve updates on the Chicago server and the New York server will automatically use the same approved list.

Hope this helps.

sprkymrk

Correct me if I am wrong icroyal, but I believe that if you specify an upstream server (as you would in the case of New York in your example) it will download the updates from the upstream server. I don't think you can specify to synchronize with an upstream server and then download those updates from MS. The upstream server is considered "directly connected to MS" while the downstream server is not. This would be important to consider in a remote office with a VPN back to the main office with possibly limited bandwidth. Now I have been wrong before, and a quick search didn't turn up anything specific, but I'll be heading into work this afternoon and I'll double check my WSUS servers when I do. I found this link which seems to verify what I say:

http://www.microsoft.com/technet/updatemanagement/plan/wsus-step5.mspx

If you have a chain of WSUS servers, it is recommended that you do not chain them too deeply, for the following reasons:

• In a chain of WSUS servers, WSUS automatically sets all downstream servers to use the deferred download option that is selected on the server directly connected to Microsoft Update. You cannot change this configuration. The entire chain of WSUS servers must either defer the download of updates or download both metadata and updates during synchronizations.

• If you have deferred downloads enabled and a downstream server requests an update that has not been approved on the upstream server, the downstream server’s request triggers a download on the upstream server. The downstream server then downloads the content on a subsequent synchronization, as shown in the "Deferred Downloads Using Multiple WSUS Servers" illustration. If you have a deep hierarchy of WSUS servers using deferred downloads, there is greater potential for delay as content is requested, downloaded, and then passed down the chain.

Like I said though, I'll double check this afternoon unless you find something definite. I'll post back either way. Thanks.

royal

Thanks for pointing this out Mark. You are correct in your statements. This is what I have found.

It appears that if you have the default option, which is store updates locally on this server, then it would synchronize both the approved updates list as well as the actual files from that server. I made the mistake thinking you can separate the approved list from downloading files from the Windows Update Server.

Also, there is a method similar to what I was speaking of, it is a very big waste of bandwidth, and I would not recommend it. You can get around the bandwidth issue using ISA which I explain later. In the picture, you could choose the last option to not store updates locally on server. Your clients will still point to the local WSUS server for the list of approved updates they are to download and install, but they will still connect to Windows Update Servers to actually download the update. This will waste a lot of WAN bandwidth. You could install a caching server, however. This will allow for 1 client to download updates, and those updates will then be cached on the server. Next time a user tries to go out to the Windows Update Servers to download these updates, they'll actually be copying/downloading these files from that internal caching server which will help reduce the amount of traffic going over your WAN link. This type of caching is BITS caching which ISA server can take care of. You can read more about BITS caching here

sprkymrk

Thanks icroyal. I wasn't sure if maybe there was a difference between different versions of WSUS. Also, I ended up not having to go into work this afternoon after all, so I'm glad you posted back.

DDread

Thanks for all the great information. With everything that you guys have given me I am sure that I have a building block to start with. When I spoke to the owner of the company she said that the way she was thinking of setting it up is by using the two servers like you mentioned and using a VPN connection back to the office for the on-site servers to sync with. I know this will probably be a huge bandwidth hog but if this is done during the night while there is no one there it shouldn't be an issue.