This article explains how to configure WSUS 3.0 SP2 located in a DMZ to deploy updates to clients that are behind Forefront TMG 2010 SP2. The topology for this scenario is shown in the figure below:
In this scenario, internal client workstations receive updates from the WSUS server, which is located in the DMZ. This WSUS server is not joined to the internal domain. In order to configure the rules on Forefront TMG 2010 you need to understand the traffic profile for this deployment, which is described below:
4. On the Protocols page, click Add and select the protocols HTTP, HTTPS and DNS. Click Close on the Add Protocols window. The Protocols page should look like the figure below. Once you confirm that, click Next to continue.
5. On the Malware Inspection page, click Do not enable malware inspection for this rule, as shown in the figure below, and click Next to continue.
6. On the Access Rule Sources page, click Add, click New and choose Computer. Type the WSUS computer name and, right below it, its IP address, then click OK. Select the WSUS Server computer that you just created and click Add; then select the Internal network, click Add and click Close. Once you finish these steps the Access Rule Sources page should look like figure 8. Click Next to continue.
7. Repeat the procedure from step 6 on the Access Rule Destinations page.
8. On the User Sets page, leave the default selection (All Users), click Next and click Finish.
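The rule built in steps 4 to 8 can also be created from a script, which is useful when the same TMG array has to be configured more than once. The script below is an added example, not code from the original article: it uses the Forefront TMG administration COM object model (the FPC.Root object) from PowerShell on the TMG server. The WSUS computer name, its IP address and the rule name are assumptions and must be replaced with your own; the enumeration values are the FPCLib constants (fpcInclude = 0, fpcPolicyRuleActionAllow = 0, fpcSpecifiedProtocols = 1) and should be checked against the TMG SDK for your build. The malware inspection setting from step 5 is not touched by the script, so confirm it in the console after the rule is created.

```powershell
# Added example (not from the original article): create the Internal <-> WSUS
# access rule from steps 4-8 with the Forefront TMG administration COM model.
# Run in an elevated PowerShell session on the TMG server.

# FPCLib enumeration values; verify against the TMG SDK for your build.
$fpcInclude               = 0
$fpcPolicyRuleActionAllow = 0
$fpcSpecifiedProtocols    = 1

$wsusName = 'WSUS'              # assumption: name of the Computer rule element
$wsusIp   = '192.168.100.10'    # assumption: DMZ address of the WSUS server
$ruleName = 'Internal to WSUS'  # assumption: display name of the rule

$root  = New-Object -ComObject 'FPC.Root'
$array = $root.GetContainingArray()

# Step 6: the Computer rule element (name + IP address), created only if it
# does not exist yet so the script can be re-run safely.
$computers = $array.RuleElements.Computers
$wsus = $null
foreach ($c in $computers) {
    if ($c.Name -eq $wsusName) { $wsus = $c }
}
if ($wsus -eq $null) {
    $wsus = $computers.Add($wsusName, $wsusIp)
}

# Steps 4-8: the access rule itself.
$rule = $array.ArrayPolicy.PolicyRules.AddAccessRule($ruleName)
$rule.Action = $fpcPolicyRuleActionAllow

# Step 4: only the listed protocols, not "all outbound traffic".
$rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
foreach ($proto in 'HTTP', 'HTTPS', 'DNS') {
    $rule.AccessProperties.SpecifiedProtocols.Add($proto, $fpcInclude)
}

# Steps 6 and 7: the WSUS computer and the Internal network appear in both
# the sources and the destinations, exactly as the wizard steps describe.
$rule.SourceSelectionIPs.Computers.Add($wsusName, $fpcInclude)
$rule.SourceSelectionIPs.Networks.Add('Internal', $fpcInclude)
$rule.DestinationSelectionIPs.Computers.Add($wsusName, $fpcInclude)
$rule.DestinationSelectionIPs.Networks.Add('Internal', $fpcInclude)

# Step 8: the user set is left at its default (All Users).

# Persist the change; it still has to be applied in the console (Apply).
$array.Save()
Write-Host "Created access rule '$ruleName' for computer '$wsusName' ($wsusIp)."
```

One caveat worth keeping in mind when you apply this rule: because the WSUS computer and the Internal network are listed on both sides, it permits HTTP, HTTPS and DNS in both directions between the DMZ host and every internal client. Clients only need to reach the WSUS listener (HTTP/HTTPS), so if your deployment allows it, tightening the rule to client-to-WSUS for HTTP/HTTPS and a separate rule for the few connections WSUS itself needs into the internal network keeps the DMZ host from acting as a pivot toward the inside.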
Now you need to create the access rule from WSUS to the Internet. The procedure is much the same, but you need to make the following changes:
Once you finish creating these two rules click Apply, type a description for this change and click
The WSUS configuration is similar to any other default configuration; for that reason, the recommendation is to follow the Windows Server Update Services 3.0 SP2 Step by Step Guide to configure WSUS.
The following tasks should be done on the Domain Controller:
After finishing the configuration on all the other servers, you can start validating the configuration on the client computer by following the steps below:
1. Open a command prompt and run the command gpupdate /force.
2. Run the command rsop.msc and verify that the WSUS server name shows up in the Windows Update policy, as shown below:
3. Click Start, All Programs and click
4. Click Check for Updates.
Note: if you have live logging enabled on Forefront TMG, you should see a traffic pattern similar to the one below:
5. Open the file %windir%\windowsupdate.log and check that the client is trying to get updates from the WSUS server, as shown below:
6. Switch to the WSUS server and make sure that the computer is already reporting to WSUS.
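The client-side checks in steps 1 to 5 can be collected in one script, which makes it easier to repeat them on several workstations. The following PowerShell script is an added example, not part of the original article: it reads the WSUS settings the policy has written to the registry (the same values rsop.msc shows), tests that the client can open a TCP connection to the WSUS URL through TMG, triggers a detection cycle with wuauclt, and then pulls the "WSUS server:" line out of %windir%\WindowsUpdate.log. The paths and the log-line pattern are those of the Windows Update agent that ships with WSUS 3.0 SP2 clients; the sample expected URL is an assumption and must be replaced with your own server name.

```powershell
# Added example (not from the original article): validate a client's WSUS
# configuration after gpupdate /force. Written for PowerShell 2.0 so it runs
# on the Windows 7 / Windows Server 2008 R2 clients of a WSUS 3.0 SP2 deployment.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'
$wuLog    = Join-Path $env:windir 'WindowsUpdate.log'

# Step 2 equivalent: the values the Windows Update policy writes to the registry.
function Get-WsusPolicy {
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction Stop
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction Stop
    New-Object PSObject -Property @{
        WUServer       = $wu.WUServer        # update server URL
        WUStatusServer = $wu.WUStatusServer  # reporting server URL
        UseWUServer    = $au.UseWUServer     # 1 = use the intranet server
    }
}

# Can this client reach the WSUS listener through TMG at all?
function Test-WsusEndpoint([string]$Url) {
    $uri    = [Uri]$Url
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($uri.Host, $uri.Port)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Step 5 equivalent: the agent logs the server it is talking to as
# "WSUS server: http://..."; return the most recent value it logged.
function Get-LoggedWsusServer {
    if (-not (Test-Path $wuLog)) { return $null }
    $matches = Select-String -Path $wuLog -Pattern 'WSUS server:\s*(\S+)'
    if ($matches) {
        return $matches[-1].Matches[0].Groups[1].Value
    }
    return $null
}

$policy = Get-WsusPolicy
"Policy WUServer       : $($policy.WUServer)"
"Policy WUStatusServer : $($policy.WUStatusServer)"
"Policy UseWUServer    : $($policy.UseWUServer)"

if ($policy.UseWUServer -ne 1) {
    Write-Warning 'UseWUServer is not 1; the client will use Microsoft Update, not WSUS.'
}

if (Test-WsusEndpoint $policy.WUServer) {
    "TCP connection to $($policy.WUServer) succeeded (TMG rule allows it)."
} else {
    Write-Warning "Cannot open a TCP connection to $($policy.WUServer); check the TMG access rule."
}

# Steps 3-4 equivalent: ask the agent to detect and report now, then give it
# a moment to write to the log before reading it.
& wuauclt.exe /detectnow /reportnow
Start-Sleep -Seconds 30

$logged = Get-LoggedWsusServer
if ($logged -eq $null) {
    Write-Warning 'No "WSUS server:" line found in WindowsUpdate.log yet; re-check after the next detection cycle.'
} elseif ($logged.TrimEnd('/') -ieq $policy.WUServer.TrimEnd('/')) {
    "Agent is using the WSUS server from policy: $logged"
} else {
    Write-Warning "Agent logged $logged but policy says $($policy.WUServer)."
}
```

Compare the three results: the registry values prove the GPO arrived, the TCP test proves the TMG rule permits the connection, and the log line proves the agent actually used the intranet server. If the first two pass but the log still shows a different server, the client usually has not completed a detection cycle yet, or a local policy is overriding the domain setting.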
Great use of images!
Thanks for your comment, Ed. I truly appreciate it!
Nice and good work. :)
Hi Ahmet, thanks for your comments. I'm glad you liked it :)
Another idea is to put the WSUS Server in a secure zone. Thanks for sharing.
Greetings Marc Grote
Sure, Marc, thanks for your comment!
Thank you Abdelhamid !
Yes, indeed. Great work on the images. It makes it easier. Thanks for this.
Very helpful screenshots. :) thanks!