Possible to download updates from Microsoft but receive approval list from parent server?

    Question

  • Hello,

    Basically I want to save duplication and set a customer's WSUS server (SITE A) to look at our WSUS server (SITE B) for the approval list updates but although I want it to store the file locally, I don't want SITE B to download those updates from SITE A. Instead I want the SITE B's WSUS server to download the updates directly from Microsoft.

    Is that possible?

    Thursday, January 17, 2013 10:43

Answers

  • Hi, Benjamin Owens

    I don't quite understand what you want!

    As I understand it, you have a WSUS hierarchy with 2 servers; call them WSUS-A (SITE A) and WSUS-B (SITE B).

    But I don't understand which server is on the top level of your hierarchy.

    >>WSUS server (SITE A) to look at our WSUS server (SITE B) for the approval list updates<<

    In this case:

    WSUS B - Master WSUS on the top level

    WSUS A - MUST BE running in *REPLICA MODE* (in order to inherit update approvals)

    >>I don't want SITE B download those updates from SITE A<<

    In this case WSUS B will never download updates from WSUS A, because WSUS B is on the top level (by default WSUS A in Replica Mode will download update files from master WSUS B).

    >>Instead I want the SITE B's WSUS server to download the updates directly from Microsoft.<<

    Your WSUS B is on the top level and BY DESIGN it will synchronize updates and download update files from Microsoft.

    _____________________

    Maybe you are wrong with the letters (A and B) and want:

    >>WSUS server (SITE B) to look at our WSUS server (SITE A) for the approval list updates<<

    In this case WSUS-B must be a replica of WSUS-A.

    >>I don't want SITE B download those updates from SITE A. Instead I want the SITE B's WSUS server to download the updates directly from Microsoft.<<

    If you want your *WSUS B* (*NOT the clients of your WSUS B*) to download update files from MS, not from WSUS A:

    On your WSUS B:

    Options -> Update Files and Languages

    Check

    "Download files from Microsoft Updates; Don't download from upstream server"



    Maxim Sinel'nikov

    Thursday, January 17, 2013 11:25

All Replies

  • I think my initial post was confusing on which server is downstream, but from looking at your email I can make sense of what you're saying.

    Thanks for the input!

    One last question: how well does this work between different domains? For example, if the WSUS servers in question are in different domains, can I still get them to work together for the approval list?

    Regards,

    Ben

    Tuesday, January 22, 2013 14:42
  • Hello,

    Basically I want to save duplication and set a customer's WSUS server (SITE A) to look at our WSUS server (SITE B) for the approval list updates but although I want it to store the file locally, I don't want SITE B to download those updates from SITE A. Instead I want the SITE B's WSUS server to download the updates directly from Microsoft.

    Is that possible?

    I thought I had written a reply to this....

    What you describe is technically possible... however it is not legally possible.

    The WSUS EULA prohibits a WSUS server from synchronizing to any other WSUS server not licensed to that customer. It also prohibits a WSUS server from providing update content to any downstream WSUS Server or client that is not licensed to that customer.

    To make what you describe legally possible, requires a Microsoft Service Provider Licensing Agreement (SPLA).

    To technically implement the scenario described, you check the option that Siniy identified in his last sentence:

    "Download files from Microsoft Updates; Don't download from upstream server"

    Also, managing a WSUS server across the Internet and into another customer's domain is problematic for additional reasons. First, you'll need to publish the customer's WSUS server through their firewall as a web server. (I suggest, at a minimum, the WSUS server should be installed on port 8530/8530 and SSL enabled for this endeavor). Second, a remote console requires a "domain trust" between the console system and the WSUS server, and this is the most common roadblock for most arrangements of this type. The best solution for managing a customer's WSUS server is a VPN connection to the customer's site, and Remote Desktop to a console machine in the customer's network -- where a "domain trust" can be established between the console and WSUS server.

    Given these complications, and the necessary solutions, there is no real value in making the customer's WSUS server a replica of yours. The customer's server can be an upstream server, synchronizing direct from Microsoft, and you avoid the requirement of the SPLA.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Tuesday, January 22, 2013 22:42
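
The downstream setup both answers describe (replica mode for approvals, update files fetched from Microsoft instead of the upstream server), scripted through the WSUS administration API. This is an added example, not code from any poster in the thread; the upstream host name and SSL port 8531 are assumptions, and it must run elevated on the downstream WSUS server with the UpdateServices module available.

```powershell
# Added example: configure the local (downstream) WSUS server as a replica that
# inherits approvals from an upstream WSUS but downloads content from Microsoft.
Import-Module UpdateServices

function Set-WsusReplicaDirectContent {
    param(
        [Parameter(Mandatory)] [string] $UpstreamName,  # supplied by the caller
        [int]  $UpstreamPort = 8531,                    # assumption: WSUS default SSL port
        [bool] $UseSsl       = $true                    # assumption: SSL is enabled upstream
    )

    $wsus   = Get-WsusServer            # connects to the local WSUS server
    $config = $wsus.GetConfiguration()

    # Synchronize metadata and approvals from the upstream WSUS server,
    # not from Microsoft Update.
    $config.SyncFromMicrosoftUpdate      = $false
    $config.UpstreamWsusServerName       = $UpstreamName
    $config.UpstreamWsusServerPortNumber = $UpstreamPort
    $config.UpstreamWsusServerUseSsl     = $UseSsl
    $config.IsReplicaServer              = $true   # replica mode: approvals are inherited

    # Store update files on this server ...
    $config.HostBinariesOnMicrosoftUpdate = $false
    # ... but download them from Microsoft Update, not from the upstream server
    # (the "Update Files and Languages" option named in the thread).
    $config.GetContentFromMU              = $true

    $config.Save()

    # Read the saved settings back so the result can be reviewed or logged.
    $saved = $wsus.GetConfiguration()
    [pscustomobject]@{
        Upstream           = '{0}:{1}' -f $saved.UpstreamWsusServerName, $saved.UpstreamWsusServerPortNumber
        UpstreamUsesSsl    = $saved.UpstreamWsusServerUseSsl
        IsReplica          = $saved.IsReplicaServer
        ContentFromMU      = $saved.GetContentFromMU
        FilesStoredLocally = -not $saved.HostBinariesOnMicrosoftUpdate
    }
}

# Hypothetical upstream name; replace with the real upstream WSUS server.
Set-WsusReplicaDirectContent -UpstreamName 'wsus-upstream.example.internal'
```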