WSUS Firewall Ports

    Question

  • We have an internal WSUS server for internal clients and we are going to set up a replica WSUS server in the DMZ for laptop users that do not connect back to our network. Does anyone know which ports I need to open to get back to the internal server and which ports I'll need to open for external clients?

    Thanks,
    Scott

    Thursday, May 06, 2010 12:49 PM

Answers

  • We have an internal WSUS server for internal clients and we are going to set up a replica WSUS server in the DMZ for laptop users that do not connect back to our network. Does anyone know which ports I need to open to get back to the internal server and which ports I'll need to open for external clients?

    Thanks,
    Scott


    For all communication to WSUS servers you need only the base port that the WSUS server is configured to listen on -- port 80, by default; port 8530 if the server is on an alternate virtual root.

    I would recommend installing the replica server to port 8530, intentionally, so as to keep that traffic (and the visibility of that server) off of port 80.

    In addition, strictly speaking, publishing an anonymous WSUS server to the Internet is a violation of the EULA. Strictly speaking you need some methodology to ensure that only clients licensed to your organization are able to get updates from that WSUS Server. In addition, for security reasons, you want to make sure that unauthorized systems cannot access that WSUS Server.

    Normally the security mechanism used to implement this is VPN. If your client systems are connecting via a VPN, then you don't need to open any ports at all to the DMZ, because the VPN connection will get the client systems onto the local LAN connection.

    Lacking a VPN solution, other alternatives are client-side SSL certificates (which I've not actually seen successfully implemented anywhere for WSUS), or a reverse-proxy server with required authentication (which is a core supported functionality of the WUAgent and WinHTTP).


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    • Marked as answer by scottyp55 Monday, May 10, 2010 6:52 PM
    Thursday, May 06, 2010 4:52 PM
    Moderator
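    As an added example (not part of Lawrence's reply or of any Microsoft documentation), the firewall rules and client policy that follow from the answer, written as PowerShell: the DMZ replica accepts clients only on 8530, is kept off port 80, and initiates its synchronisation to the internal upstream on the upstream's single WSUS port, so the DMZ-to-LAN firewall needs nothing inbound from the LAN. Host names, the internal address range and the upstream port are assumptions.

```powershell
# Added example, not from the original thread. Assumed values:
$UpstreamServer = 'wsus-internal.corp.example'   # internal WSUS server (assumed name)
$UpstreamPort   = 8530                           # use 80 if the upstream runs on the default web site
$InternalSubnet = '10.0.0.0/8'                   # assumed internal address range
$ReplicaPort    = 8530                           # replica deliberately kept off port 80

# --- On the DMZ replica: Windows Firewall rules (run elevated) ---
# Inbound: laptops reach the replica on its WSUS port only.
New-NetFirewallRule -DisplayName 'WSUS replica - client HTTP' `
    -Direction Inbound -Protocol TCP -LocalPort $ReplicaPort `
    -Action Allow -Profile Any

# Keep the server invisible on port 80 even if another site is added later.
New-NetFirewallRule -DisplayName 'WSUS replica - block port 80 inbound' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block

# Outbound: the replica initiates synchronisation to the upstream, so the only
# path needed into the LAN is TCP to the upstream on its WSUS port.
New-NetFirewallRule -DisplayName 'WSUS replica - sync to upstream' `
    -Direction Outbound -Protocol TCP -RemoteAddress $InternalSubnet `
    -RemotePort $UpstreamPort -Action Allow

# Check that the single required path to the upstream is actually open.
$sync = Test-NetConnection -ComputerName $UpstreamServer -Port $UpstreamPort
if (-not $sync.TcpTestSucceeded) {
    Write-Warning "Replica cannot reach $UpstreamServer on TCP $UpstreamPort; synchronisation will fail."
}

# --- On the laptops: point the Windows Update agent at the replica (local policy keys) ---
$replicaUrl = "http://wsus-dmz.example:$ReplicaPort"   # assumed DMZ host name
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item -Path "$wu\AU" -Force | Out-Null
Set-ItemProperty -Path $wu -Name WUServer       -Value $replicaUrl
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $replicaUrl
Set-ItemProperty -Path "$wu\AU" -Name UseWUServer -Value 1 -Type DWord
```

    The inbound rule on the replica is the only port exposed toward the laptops; whether that exposure is acceptable at all is the VPN or authenticated reverse-proxy question the answer raises, which these rules do not replace.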

All replies

  • Thanks.
    Monday, May 10, 2010 6:51 PM