Delivery Optimization on disconnected Networks

  • Question

  • I have reviewed several online docs on delivery optimization, but could not find any information for use and configuration on disconnected networks.

    My network has several remote sites, many have slow connections with low bandwidth. I have one WSUS server used to deploy updates/patches. All of the clients on my network do not have any connection to the internet. Each site connects back to Central site via VPN for access to all servers and network resources.

    Question 1: Can I still take advantage of delivery optimization on my disconnected network?

    Question 2: What benefits can I gain from using delivery optimization on my disconnected network?

    Question 3: What are some suggested configurations and/or GPO settings for delivery optimization on disconnected networks?

    Monday, July 20, 2020 10:32 AM

All replies

  • Hi,

    Re 1: Yes, DO works in networks without Internet connectivity

    Re 2: In theory, you could reduce the number of downloads for each update to 1x per remote site. In practice, it will probably be more but still less than the number of clients in that site.

    Re 3: Can't provide any specific guidance here, other than a. use subnets rather than broadcast domains, b. do not use cross-subnet and c. make sure to disable every setting that would require going out to the Internet.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    • Marked as answer by Littlejl01 Monday, July 27, 2020 3:51 PM
    Monday, July 20, 2020 9:55 PM
  • Hi Littlejl01,
     
    Thanks for posting on this forum.
     
    Here are some suggestions of mine for your reference:

    Question 1: Yes

    Question 2: The greatest advantage of Delivery Optimization is that it does not affect our network by consuming the bandwidth of other services.

    Question 3: Here is a link for your reference: https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization-reference
     
    Regards,
    Rita

    "WSUS" forum will be migrating to a new home on Microsoft Q&A!
    We invite you to post new questions in the "WSUS" forum's new home on Microsoft Q&A!
    For more information, please refer to the sticky post.

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 21, 2020 1:06 AM
  • Hi Littlejl01,
     
    It seems there is no update for a couple of days. May we know the current status of the problem? Is there any other assistance we can provide?
     
    If you have any questions, please keep us in touch.
     
    Regards,
    Rita

    Sunday, July 26, 2020 4:20 AM
  • Thank you,

    These responses helped a great deal, but I am still a little confused on how DO will operate in my isolated network.

    I have remote sites spread across the US; each connects back to Main Site via secure VPN connections. All services are hosted from Main Site. I have one WSUS server connected to internet in order to download updates from Microsoft. Updates are then exported and imported to a second WSUS on the isolated network for deployment. I have a few sites that are still using T1 circuits to connect back to Main Site.

    Reading the posted docs that I was able to find, it looks like download mode should be set to Simple (99) for isolated networks. My issue is that it also says setting Download mode to Simple also turns off Peer-To-Peer Caching.

    Q1. Does Download Mode - Simple (99) - actually turn off Peer-To-Peer caching?

    Q2. In Download Mode - Simple (99) - will clients still retrieve updates/files from other clients on the same subnet? Would like to minimize the number of times remote clients have to connect and retrieve updates from the Main Site WSUS.

    Q3. For my scenario, would another setting for Download Mode be a better fit? I would like to use Group (2), but the document states that these modes require internet access.

    Q4. What other settings should be disabled on an isolated network? I have read that all settings that require internet access should be disabled/turned off. Not sure which settings require internet access or will attempt to make calls to the internet.


    JJLSecurity

    Sunday, July 26, 2020 11:15 AM
  • Hi,

    Q1: yes

    Q2: no

    Q3: yes, not only is 2 a better fit, it's the only fit that makes sense in a site without a WSUS server

    Q4: in Group mode (2) you should be good with the defaults but keep an eye on the traffic leaving the site after the next patchday


    Evgenij Smirnov

    http://evgenij.smirnov.de

    • Marked as answer by Littlejl01 Monday, July 27, 2020 3:52 PM
    Sunday, July 26, 2020 11:22 AM
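
Added example (not part of the thread and not Microsoft's code): a PowerShell check for one client that reads the Delivery Optimization download mode set by policy and totals how many bytes came from peers versus the HTTP source, which is one way to "keep an eye on the traffic" after a patch cycle. It assumes Windows 10 with the built-in `Get-DeliveryOptimizationStatus` cmdlet and the standard policy registry key; the function names `Get-DoPolicySummary` and `Get-DoByteSummary` are hypothetical.

```powershell
# Added example: read the DO policy and sum peer vs. HTTP bytes on one client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$modeNames = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass' }

function Get-DoPolicySummary {
    # Hypothetical helper: reports the download mode set by Group Policy, if any.
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($null -eq $policy -or $null -eq $policy.DODownloadMode) {
        return [pscustomobject]@{ Mode = $null; ModeName = 'not set by policy'; GroupId = $null }
    }
    $mode = [int]$policy.DODownloadMode
    $name = if ($modeNames.ContainsKey($mode)) { $modeNames[$mode] } else { 'unknown value' }
    [pscustomobject]@{ Mode = $mode; ModeName = $name; GroupId = $policy.DOGroupId }
}

function Get-DoByteSummary {
    # Hypothetical helper: totals bytes by source across the files DO currently tracks.
    $peers = [long]0
    $http  = [long]0
    $jobs  = @(Get-DeliveryOptimizationStatus)
    foreach ($job in $jobs) {
        $peers += [long]$job.BytesFromPeers
        $http  += [long]$job.BytesFromHttp
    }
    $total = $peers + $http
    # Avoid dividing by zero on a client that has not downloaded anything yet.
    $pct = if ($total -gt 0) { [math]::Round(100 * $peers / $total, 1) } else { 0 }
    [pscustomobject]@{
        Files          = $jobs.Count
        BytesFromPeers = $peers
        BytesFromHttp  = $http
        PeerPercent    = $pct
    }
}

Get-DoPolicySummary | Format-List
Get-DoByteSummary   | Format-List
```

Comparing `PeerPercent` across a few clients at the same remote site after patch day shows whether peers are actually serving content or every client is still pulling from the HTTP source across the VPN.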
  • Great! Thanks for the feedback. Plan to get it configured and tested with the next patch cycle.

    JJLSecurity

    Sunday, July 26, 2020 6:12 PM

  • Hi Littlejl01,
     
    I'm looking for your feedback about this case. Hope you have a nice day.
     
    Regards,
    Rita

    Monday, July 27, 2020 6:34 AM
  • Have a couple more questions initiated by my security manager:

    Same Scenario: Totally Isolated Network: Main Office hosts all servers and services (WSUS included); Remote sites located throughout US connect back to Main Office via secure VPN

    On isolated sites with "NO" access to internet or DO Cloud Services:

    1. How do workstations/clients on isolated networks share updates/patches retrieved from Remote WSUS located at Main Site?

    2. Do workstations/clients use broadcast to query peers or directly query peers to look for and request needed files from peers that have already downloaded the same updates?

    3. Are the connections secure? How are the packages for download verified before being shared between clients? What ports and protocols are used?


    JJLSecurity

    Monday, July 27, 2020 3:50 PM