Setting up WSUS to deploy patches on computers and servers

  • Question

  • My current setup only deploys patches for computers and I would also like to add the servers. I have one server in the central location that is being used as an upstreamer and I have one server per other location that will connect to the upstreamer server and download the patches from this server.

    I would like some suggestions on the new setup. I have two solutions:

    a) Set up the current downstreamer WSUS servers to also deploy patches for the servers located in the same location.

    b) Set up a new server that will be dedicated to updates related to servers.

    The only thing I am worrying about is, if I choose option a, is there any way that can cause some security issues? And if I select b, as the locations are spread all around the world, I think it will consume too much bandwidth to send all the patches from the central location to the servers directly.

    Any suggestions will be appreciated. Thanks in advance.

    Monday, March 14, 2016 10:30 AM

Answers

  • Hi Ryan Theuma,

    Maybe I'd prefer option a.

    Based on my knowledge, I couldn't think of specific security issues.

    And if you use a dedicated WSUS for servers, suppose that the WSUS server is attacked by a virus, then all servers that use the dedicated WSUS server may be at risk.

    If we separate WSUS servers on different sites, then suppose WSUS1 in site1 is attacked by a virus, servers that use WSUS2 in site2 may not be affected.

    In my lab, I also use one WSUS server for both client computers and server computers.

    That's my opinion, maybe I got something ill conceived somewhere.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, March 15, 2016 2:55 AM

All replies

  • I suggest you go for the second option.

    Set up a new WSUS server for servers and deploy the patches from there, so that it will be isolated from desktops and easy to manage. Let me know if you need further assistance.


    Regards,
    Manjunath Sullad

    Monday, March 14, 2016 11:28 AM
  • Hi Anne,

    Thanks for your opinion, I would prefer this suggestion also because of the bandwidth usage. As the servers are connected through WAN it will consume too much bandwidth to send all the patches from my location to servers in different locations. By using the current downstreamer servers, a single copy will be deployed and every server will be using these updates. So far I could not find any security issues as well, I just wanted a second opinion. Also I am going to deploy patches using SSL to keep the network safer.

    Thanks,

    Ryan

    Tuesday, March 15, 2016 12:07 PM
  • Hi Manjunath,

    Thank you for your opinion.

    The only problem I have with this option is that it will use too much bandwidth to deploy all the patches from a single server. I was thinking of using the same server as the main WSUS and deploying them on the downstreamers, and each server will take the patches needed from the downstreamer according to the location. To make the WSUS easier to manage I was going to use GPOs and divide computers from servers by setting up target groups.

    Thanks,

    Ryan

    Tuesday, March 15, 2016 12:12 PM
  • Hi Ryan Theuma,

    Also keep your WSUS server itself patched and up to date. It may help keep your WSUS server secure. And SSL is also a good way to secure a WSUS deployment.

    If you run into issues when configuring the SSL connection, you may refer to this post:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/feb83dc7-bdf5-4878-9112-ebdade971f7f/wsus-event-ids-7032-7053-13042-13051-12002-12012-12032-12022-12042-and-12052?forum=winserverwsus

    Best Regards,

    Anne



    Wednesday, March 16, 2016 2:36 AM
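
Added example, not part of the thread: a PowerShell check that can be run on a patched computer or server to confirm the two settings discussed above, that the WSUS URLs pushed by GPO use SSL and that client-side targeting puts the machine in a target group. The registry values are the ones the Windows Update policy writes; the function names `Get-PolicyValue` and `Test-WsusClientPolicy` are hypothetical.

```powershell
# Added example: audit the WSUS client policy that Group Policy writes to the registry.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-WsusClientPolicy {
    $findings = @()
    $wuServer      = Get-PolicyValue $wuKey 'WUServer'
    $statusServer  = Get-PolicyValue $wuKey 'WUStatusServer'
    $useWuServer   = Get-PolicyValue $auKey 'UseWUServer'
    $targetEnabled = Get-PolicyValue $wuKey 'TargetGroupEnabled'
    $targetGroup   = Get-PolicyValue $wuKey 'TargetGroup'

    if ($useWuServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client is not directed to WSUS by policy.'
    }
    foreach ($pair in @(@('WUServer', $wuServer), @('WUStatusServer', $statusServer))) {
        if ([string]::IsNullOrEmpty($pair[1])) {
            $findings += "$($pair[0]) is not set."
        } elseif ($pair[1] -notmatch '^https://') {
            $findings += "$($pair[0]) does not use SSL: $($pair[1])"
        }
    }
    if ($targetEnabled -ne 1 -or [string]::IsNullOrEmpty($targetGroup)) {
        $findings += 'Client-side targeting is off or no target group is assigned.'
    }

    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        IsServer    = ($productType -ne 1)
        WUServer    = $wuServer
        TargetGroup = $targetGroup
        Findings    = $findings
    }
}

Test-WsusClientPolicy | Format-List
```

Comparing `IsServer` with `TargetGroup` across machines shows whether the GPOs actually separate servers from computers on the shared downstream WSUS.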
  • Hi Anne,

    Thanks for the link, I will make sure to keep the WSUS server included in the target machines. Thanks a lot for the information provided. I think I will go with option a then, it will consume a lot less bandwidth.

    Regards,

    Ryan

    Wednesday, March 16, 2016 9:33 AM
  • Hi Ryan,

    You are welcome, if you have other questions about WSUS later, feel free to ask. And you may also mark the useful replies above as answers, so that others who meet a similar issue can clearly find the useful information.

    Best Regards,

    Anne




    Thursday, March 17, 2016 1:45 AM