WSUS server behind external ISA, clients use direct server URL to download updates

  • Question

  • This is hard to describe, so if something isn't clear, let me know.

    We've got a WSUS server set up behind an external ISA server to provide external WSUS access to remote clients.

    The internal server name is pfgdsmindwsus12.

    The external access to it, and how we configure the clients to contact it, is through secure07.companyname.com.

    This works all well and good, as long as we configure WSUS to have the clients download the updates directly from Microsoft.  But if we configure WSUS to have clients download the updates directly from the WSUS server, they try to download through the internal pfgdsmindwsus12/content path instead of the external secure07.companyname.com/content path.

    Client communications for status checking and reporting still work fine, it's just that they use the wrong path to try to download the updates.

    How do we get the clients to use the external server name URL to download updates from to be able to have clients download updates from the WSUS server instead of from Microsoft?

    Thank you.

    P.S., this is the document we used to set up WSUS behind the ISA server.  It's an old document, but it still works:

    http://blogs.technet.com/b/wsus/archive/2005/10/21/412901.aspx


    • Edited by clh42 Friday, February 27, 2015 7:46 PM
    Friday, February 27, 2015 7:38 PM

All replies

  • Hi,

    I went through the document which you mentioned above. The ISA server is used as a web proxy to publish the internal WSUS server.

    I can't find the official document about how exactly the WSUS client gets the download URL of the update. From my point of view, when the client requests the download URL, the internal WSUS server returns the internal download URL. For some reason, the ISA server doesn't inspect and replace the download URL in the message. Then the client gets the internal URL.

    Could you tell me why you want to force the client to download updates from the WSUS server? The update file is transferred via HTTP. It's not encrypted. It will save your internet bandwidth if we let the client just download the update from Microsoft Update.

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Saturday, February 28, 2015 8:10 AM
  • The real purpose of this is that we need to do a locally published update.  All the pieces are working, except this.  It works fine if we put a PC on the internal network pointing directly to the internal WSUS server, but we have this issue with external PCs coming in through the reverse proxy.

    For regular MS updates, yes, we do just let it pull the install files from Microsoft.

    Thanks again!

    Monday, March 2, 2015 2:54 PM
  • Any other ideas?

    An additional piece of information...

    As a test, I was able to put an entry in the HOSTS file of a test PC of the internal server name pointing to the external IP address of the external facing web URL.  Everything worked fine doing this, so overall the whole thing works fine.

    But we have no feasible way to touch every existing external PC to make this HOSTS file entry.

    So if we can figure out why the "download" URL is reported as the internal server name instead of the external URL used for client communications, I expect everything else would work fine.

    • Edited by clh42 Thursday, March 5, 2015 9:39 PM
    Thursday, March 5, 2015 9:32 PM
  • Hi,

    >>But we have no feasible way to touch every existing external PC to make this HOSTS file entry.

    Can we create a DNS record for the WSUS server? Then we can point it to the external IP address.

    Besides, if the client can be configured by Group Policy, we can also change the HOSTS file by GP.

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by Steven_Lee0510 Tuesday, March 10, 2015 6:40 AM
    • Unproposed as answer by clh42 Tuesday, March 10, 2015 1:30 PM
    Tuesday, March 10, 2015 6:40 AM
  • These PCs don't connect to our internal network very often, if ever, so using GP won't touch them.

    Regarding DNS, the problem is, the internal server name that it's trying to hit for the download URL is just purely pfgdsmindwsus12, not pfgdsmindwsus12.companyname.com.  I.e., the domain part is missing.  Now, I'm certainly no expert on DNS, but I think that without the companyname.com domain part on it, it'll never be able to resolve just the plain server name through public DNS.

    Tuesday, March 10, 2015 1:36 PM