Redirecting Windows Update

    Question

  • Is it possible to transparently redirect standalone Windows Update clients to a WSUS server at the router level?

    To give some background: We're an IT recycling/refurb company, registered under the "MARS" program. We have a server set up to download Windows updates for the AD-bound workstations (as dictated by group policy at the domain level), but we also install Windows on end-user machines that are being refurbished for sale. In the network topology is a CentOS-based server running Squid, which handles HTTP caching (it is configured as a transparent router, with iptables rules redirecting port 80 requests to the Squid software); all internet-bound traffic passes through this server before going out on the uplink.

    Ideally, I want to configure that caching server to recognise Windows Update requests that are headed for the Microsoft public update servers and instead redirect that traffic to the WSUS server used by AD clients, without modifying the standalone machines themselves.

    Tuesday, September 03, 2013 10:27 PM

Answers

  • This is a really interesting use case and we'll consider it for the future, but it's not something that is likely to work given how things work today. There is logic in the Windows Update Agent that behaves slightly differently depending on whether a PC is configured to sync against WSUS or MU. In particular, there are SSL signature checks that ensure that a PC is talking to MU if it thinks it's talking to MU. Reporting also won't work, since MU doesn't collect reporting data on all PCs syncing against Windows Update in the same way that WSUS does.
    Wednesday, September 04, 2013 4:26 PM
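    Since the answer above rules out a transparent redirect at the router (the agent's certificate checks will notice it is no longer talking to Microsoft Update), the supported way to get a non-domain machine onto the WSUS server is to set the same policy registry values that the domain Group Policy sets for the AD-bound workstations. The following script is an added example, not code from the thread or from Microsoft; it does touch the standalone machine, which the question wanted to avoid, so it is a trade-off rather than the requested solution. The WSUS address is a placeholder (8530 is WSUS's default HTTP port); the function names are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): point a standalone, non-domain Windows
# machine at the same WSUS server the AD-joined clients use, by setting the
# policy registry values that domain Group Policy would otherwise set.
# ASSUMPTION: the WSUS URL below is a placeholder; replace it with your own.
$WsusUrl = 'http://wsus.example.internal:8530'   # placeholder WSUS address

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Set-WsusClientPolicy {
    param([Parameter(Mandatory)][string]$ServerUrl)

    # Create the policy keys if this machine has never had WU policy applied.
    foreach ($key in @($PolicyKey, $AuKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # WUServer / WUStatusServer: where the agent fetches update metadata and
    # where it reports status (this is what gives WSUS its reporting data).
    Set-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $ServerUrl -Type String

    # UseWUServer = 1 tells the Windows Update Agent to use the intranet server
    # above instead of Microsoft Update, so no redirect is needed in the network.
    Set-ItemProperty -Path $AuKey -Name 'UseWUServer' -Value 1 -Type DWord

    # Restart the agent service and trigger a detection cycle against the new
    # server (wuauclt is the client tool for Windows of this era).
    Restart-Service -Name wuauserv -Force
    & wuauclt.exe /resetauthorization /detectnow
}

function Test-WsusClientPolicy {
    # Returns $true when the machine is configured to sync against a WSUS server.
    $p  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.WUServer -like 'http*') -and ($au.UseWUServer -eq 1)
}

Set-WsusClientPolicy -ServerUrl $WsusUrl
if (Test-WsusClientPolicy) { "Windows Update Agent now targets $WsusUrl" }
```

    Because the client is told outright to use WSUS, the agent runs its WSUS code path and the SSL checks described above are not an issue; the machine also shows up in the WSUS console like the AD-bound workstations do. Removing the two keys (or setting UseWUServer back to 0) returns the machine to Microsoft Update before it is sold.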

All replies

  • So, for the time being, it's not possible?
    Wednesday, September 04, 2013 8:54 PM