Monday, December 01, 2008 11:57 AMI have WSUS 3.0 installed on a single Forefront client security server.
Everything is ok, but clients are going to update.microsoft.com and to download.windowsupdate.com either independently from policy settings (i can see them aiming directly at those sites from our ISA server).
Clients connects correctly to our WSUS either and i can see them in the console correctly updated (100% OK).
Every client has ForeFront Client installed that either updates itself from WSUS, WITHOUT the fallback options for updates when WSUS is unavailable.
I don't Know wich software component is aiming directly external, but i need to minimize that connections because my boss is strongly worried about security and we have a very high secure environment (at firewall and proxy level).
So the question is: how can i identify wich components are aiming directly external (absolutely WITHOUT sniffers)?
how can i set those to aim at our WSUS, minimizing external connections for updates?
I know that without sniffers is very hard to find a resolution, but my boss complains a lot.
Tuesday, December 02, 2008 3:29 PMModerator
No need for sniffers at all...!
Here are the possibilities:
1. You installed the WSUS Server and opted to *not* maintain a local content store. This would cause *every* PC to go offsite (to download.microsoft.com) to get the content to download.
2. You've not properly configured/applied policies, and your clients aren't actually using WSUS, but still using Automatic Updates (via update.microsoft.com), and thus downloading from download.microsoft.com.
3. You've not disabled access to Windows Update or Microsoft Update, and *users* are browing to those resources via Internet Explorer.
4. And, since Forefront is part of the equation - you also have the question of Forefront configurations included in that.
Now, as to the basic question of "How can I identify which components are connecting externally?". You already have the answer to that question -- it's in the ISA Server logs. You don't need to know which *components*, you only need to know which *machines*. Once you know which machines, the simple answer is: They're not configured correctly; repair the configurations.
To figure out which "configurations" need to be repaired, start by reviewing the WindowsUpdate.log on the machines that are connecting to the external addresses.
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
- Marked As Answer by Eric Zhang CHNModerator Wednesday, December 10, 2008 3:19 AM