Can I deploy a WSUS server in a DMZ to force our internet clients to update from this server instead of updating from the Microsoft site?

  • Question

  • Hi experts:

            We have a WSUS infrastructure in our domain. This goes fine. The problem comes when some workers and their laptops move to the internet or just have to work at external clients. In this case, we don't want them to update from the Microsoft site, because this way we can't choose what kind of updates to install. It would be nice for them to install only the updates we are allowing through our WSUS, as happens in our domain network.

           So, I want to know if this is possible, because I know Microsoft doesn't allow people to publish their software updates over the internet.

           Is it possible? Is it worth it? (risk >>> profits) Should I manage it through certificates to only allow our clients to update from our DMZ WSUS server? Have you ever heard about doing that?

           If it's impossible, then I've got another question. Is there a specific template to set a customized local update policy to, for instance, allow only security updates to be applied? Can it be done through some registry tweaks?
    Thanks in advance.

    Ravi Ch

    Sunday, May 20, 2018 3:49 PM

All replies

  • Yes, not only is it possible, many do it.

    Put the WSUS server in the DMZ and set it up as a Downstream Replica of your upstream server internally. Make sure to set up SSL on both systems (to mitigate man-in-the-middle attacks), and then set up your always-external clients for the proper WSUS server via registry edits or local group policies.

    If the clients are both internal and external, perhaps set up split DNS so that internally they go to the internal server, and externally the same URL resolves to the external IP.

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    Sunday, May 20, 2018 10:52 PM
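The registry side of the answer above, as an added example that is not part of the original thread: a PowerShell script that points an always-external client at the DMZ WSUS server over HTTPS using the same policy keys the "Specify intranet Microsoft update service location" GPO writes, checks that the client actually trusts the server's certificate first, and then triggers a detection cycle. The server name `wsus-dmz.example.com`, the target group `External-Laptops` and the AUOptions/detection values are assumptions; 8531 is the default WSUS TLS port.

```powershell
# Added example (not from the original thread). Configure a Windows client to
# use a DMZ WSUS server over HTTPS via the local policy registry keys.
# Assumed values: server name, target group, install/detection settings.
#Requires -RunAsAdministrator

$WsusUrl     = 'https://wsus-dmz.example.com:8531'   # assumed DMZ server; 8531 = WSUS default TLS port
$TargetGroup = 'External-Laptops'                    # assumed client-side targeting group

$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU     = "$Policy\AU"

# Refuse a plain-http URL: without TLS an on-path attacker on a hotel or
# customer network could redirect the client or tamper with update metadata.
if ($WsusUrl -notmatch '^https://') { throw "WSUS URL must use https: $WsusUrl" }

# Reachability and certificate-chain check before touching policy. The client
# must trust the CA that issued the WSUS certificate (for an internal CA, import
# its root into the machine store first); a failure here means scans fail too.
$uri = [Uri]$WsusUrl
$tcp = New-Object Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($uri.Host)   # throws on an untrusted or mismatched certificate
"TLS {0} to {1}, certificate issuer: {2}" -f $ssl.SslProtocol, $uri.Host, $ssl.RemoteCertificate.Issuer
$ssl.Dispose(); $tcp.Dispose()

New-Item -Path $AU -Force | Out-Null

# Update source and status (reporting) server both point at WSUS.
Set-ItemProperty -Path $Policy -Name WUServer           -Value $WsusUrl    -Type String
Set-ItemProperty -Path $Policy -Name WUStatusServer     -Value $WsusUrl    -Type String
Set-ItemProperty -Path $Policy -Name TargetGroupEnabled -Value 1           -Type DWord
Set-ItemProperty -Path $Policy -Name TargetGroup        -Value $TargetGroup -Type String
# No fallback to Microsoft's public update servers (Windows 8.1 / Server 2012 R2 and later).
Set-ItemProperty -Path $Policy -Name DoNotConnectToWindowsUpdateInternetLocations -Value 1 -Type DWord

# Automatic Updates agent: use the intranet server; AUOptions 3 = auto download
# and notify for install; detect every 4 hours (both values are assumptions).
Set-ItemProperty -Path $AU -Name UseWUServer               -Value 1 -Type DWord
Set-ItemProperty -Path $AU -Name NoAutoUpdate              -Value 0 -Type DWord
Set-ItemProperty -Path $AU -Name AUOptions                 -Value 3 -Type DWord
Set-ItemProperty -Path $AU -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $AU -Name DetectionFrequency        -Value 4 -Type DWord

# Restart the agent so it re-reads policy, then start a detection cycle.
Restart-Service wuauserv
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

# Read back what the agent will use.
Get-ItemProperty -Path $Policy | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty -Path $AU     | Select-Object UseWUServer, AUOptions, DetectionFrequency
```

Two caveats when using this. On a domain-joined laptop these HKLM policy keys are overwritten at the next Group Policy refresh, so for the split-DNS approach in the answer the values should come from the domain GPO (with the URL resolving differently inside and outside), and the script is only appropriate for machines that are never on the domain network. `DoNotConnectToWindowsUpdateInternetLocations` also blocks other Microsoft update-related endpoints (for example Microsoft Store and driver downloads), so test it against what those laptops need before rolling it out; on Windows 10 and later, `UsoClient.exe StartScan` is an alternative way to trigger the scan.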