best practice for roaming clients

Question

  • This pertains to a WORKGROUP setup - NOT ACTIVE DIRECTORY

    We are a small business with 40-50 users and a WSUS installation on Windows Server 2008 R2 (64 bit).  Most of the clients are locally connected to the network, but there are a few that use laptops and are seldom connected to the network.

    Is there a way that we could open a port through the firewall to allow users access to the WSUS server - so that they could connect, update and disconnect 'relatively' quickly?  If so, can anyone offer a suggestion on the best & safest way to accomplish this?

    Thanks much

    Thursday, January 30, 2014 7:19 PM

Answers

  • Ideally, yes, it would be much simpler for laptops &c. to update themselves but, for security reasons, we need to be able to assure that systems connecting to our network are compliant for both Windows updates and for Anti-Virus.

    Thanks for the response.

    Personally I think you have the cart before the horse. You have a 50-user network without Active Directory and you're so worried about AV/Patch compliance that you're trying to publish a WSUS server to the Internet. Without centralized management of network access, patch compliance is almost a waste of time.

    Yes, you can publish the WSUS server to Internet-based clients, but there are a myriad of reasons you don't want to do that, and most of them are spelled S-E-C-U-R-I-T-Y.

    To Don's point, your best option for those offsite clients is to enable Automatic Updates and let them be patched with Security Updates automatically and immediately.

    Back on the compliance issue -- if you need to implement compliance to the point of ensuring that mobile systems are patched and have up-to-date AV/AM software, then you need to implement Network Access Policies, which requires Windows Server 2008 R2 (at least) and Active Directory.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, February 07, 2014 12:11 AM
    Moderator

All replies

  • For those laptops, is there any reason why they need to be configured/managed by your WSUS at all?

    Maybe they can just be configured for automatic updating directly from MS?


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Thursday, January 30, 2014 8:30 PM
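    The setup Don suggests here, and which the accepted answer above endorses for the offsite laptops (Automatic Updates straight from Microsoft rather than a WSUS server published to the Internet), as a PowerShell script. This is an added example, not code from the thread, from Microsoft or from SolarWinds. It reads the documented Windows Update policy registry values (WUServer, UseWUServer, NoAutoUpdate, AUOptions) and assumes an elevated prompt on a Windows 7 / Server 2008 R2 era client; the findings text and the choice of AUOptions=4 are the example's own.

```powershell
<#
  Added example (not from the thread): audit a workgroup laptop's Windows Update
  policy and, with -SwitchToMicrosoftUpdate, point it at Microsoft Update with
  fully automatic installs. Assumes an elevated prompt and a Windows 7 era client.
  Value names are the documented Windows Update policy registry values.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$SwitchToMicrosoftUpdate
)

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-WuPolicy {
    # Both keys may be absent on a machine that never had the policy applied.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer     = $wu.WUServer      # intranet WSUS URL, if any
        UseWUServer  = $au.UseWUServer   # 1 = use WUServer, 0/absent = Microsoft Update
        NoAutoUpdate = $au.NoAutoUpdate  # 1 = Automatic Updates disabled
        AUOptions    = $au.AUOptions     # 4 = auto download and schedule install
    }
}

function Test-WuPolicy {
    param([Parameter(Mandatory = $true)] $Policy)
    $findings = @()
    if ($Policy.UseWUServer -eq 1 -and $Policy.WUServer) {
        $findings += "Pinned to WSUS at $($Policy.WUServer); off the LAN this client gets no updates."
        if ($Policy.WUServer -like 'http://*') {
            $findings += 'WSUS URL is plain HTTP; configure WSUS for HTTPS so clients can verify the server.'
        }
    }
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings += 'Automatic Updates is disabled by policy.'
    }
    if ($Policy.AUOptions -and $Policy.AUOptions -ne 4) {
        $findings += "AUOptions=$($Policy.AUOptions): installs are not fully automatic."
    }
    return $findings
}

$policy = Get-WuPolicy
$policy | Format-List
$findings = @(Test-WuPolicy -Policy $policy)
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }

if ($SwitchToMicrosoftUpdate -and
    $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Point Automatic Updates at Microsoft Update')) {
    New-Item -Path $AuKey -Force | Out-Null
    Set-ItemProperty -Path $AuKey -Name UseWUServer  -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions    -Value 4 -Type DWord
    Restart-Service -Name wuauserv
    # Ask the agent to re-register and check in immediately (Windows 7 era agent).
    & wuauclt.exe /resetauthorization /detectnow
}
```

    Run it without the switch to see what a laptop is currently obeying, then with -SwitchToMicrosoftUpdate -WhatIf before committing. In a workgroup nothing pushes these values centrally, so the local policy key is the whole story for each laptop; that is also the practical side of Lawrence's point that, without Active Directory, nobody is told when a machine drifts out of compliance.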
  • Ideally, yes, it would be much simpler for laptops &c. to update themselves but, for security reasons, we need to be able to assure that systems connecting to our network are compliant for both Windows updates and for Anti-Virus.

    Thanks for the response.

    Thursday, January 30, 2014 8:49 PM