best practice for roaming clients

-
This pertains to a WORKGROUP setup - NOT ACTIVE DIRECTORY
We are a small business with 40-50 users and a WSUS installation on Windows Server 2008 R2 (64 bit). Most of the clients are locally connected to the network, but there are a few that use laptops and are seldom connected to the network.
Is there a way that we could open a port through the firewall to allow users access to the WSUS server - so that they could connect, update and disconnect 'relatively' quickly? If so, can anyone offer a suggestion on the best & safest way to accomplish this?
Thanks much
Answers
-
Ideally, yes, it would be much simpler for laptops &c. to update themselves but, for security reasons, we need to be able to assure that systems connecting to our network are compliant for both Windows updates and for Anti-Virus.
Thanks for the response.
Personally I think you have the cart before the horse. You have a 50-user network without Active Directory and you're so worried about AV/Patch compliance that you're trying to publish a WSUS server to the Internet. Without centralized management of network access, patch compliance is almost a waste of time.
Yes, you can publish the WSUS server to Internet-based clients, but there are a myriad of reasons you don't want to do that, and most of them are spelled S-E-C-U-R-I-T-Y.
To Don's point, your best option for those offsite clients is to enable Automatic Updates and let them be patched with Security Updates automatically and immediately.
Back on the compliance issue -- if you need to implement compliance to the point of ensuring that mobile systems are patched and have up-to-date AV/AM software, then you need to implement Network Access Policies, which requires Windows Server 2008 R2 (at least) and Active Directory.
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
Marked as answer by Daniel JiSun (Moderator), Sunday, February 09, 2014 9:00 AM
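The answer above recommends letting offsite laptops patch themselves through Automatic Updates. The script below is an added example, not code from any poster in this thread: it applies that setting on a workgroup laptop through the Windows Update Agent policy registry values, assuming the laptop was previously pointed at WSUS by local registry policy. The function names and the daily 03:00 schedule are illustrative choices.

```powershell
# Added example: run from an elevated PowerShell prompt on the roaming laptop.
# The value names are the Windows Update Agent policy settings; the schedule is an assumption.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-UpdateSource {
    # Report where this machine is currently told to get updates from.
    $p = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer     = $p.WUServer       # intranet server URL, if one was set
        UseWUServer  = $a.UseWUServer    # 1 = use WUServer, 0 = use Microsoft
        NoAutoUpdate = $a.NoAutoUpdate   # 1 = Automatic Updates disabled
        AUOptions    = $a.AUOptions      # 4 = download and install on schedule
    }
}

function Set-RoamingUpdatePolicy {
    # Point the agent at Microsoft's update service and install automatically.
    if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
    $values = @{
        UseWUServer          = 0   # WUServer is ignored while this is 0
        NoAutoUpdate         = 0
        AUOptions            = 4
        ScheduledInstallDay  = 0   # 0 = every day
        ScheduledInstallTime = 3   # 03:00 local time
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $au -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    Restart-Service -Name wuauserv   # make the agent re-read its policy
}

function Get-LastUpdateInstall {
    # Last successful installation time (UTC) as recorded by the update agent.
    $results = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results
    $results.LastInstallationSuccessDate
}

'Before:'; Get-UpdateSource | Format-List
Set-RoamingUpdatePolicy
'After:';  Get-UpdateSource | Format-List
'Last successful install (UTC): {0}' -f (Get-LastUpdateInstall)
```

Running `Get-LastUpdateInstall` again when the laptop is next on site gives a quick local check of how recently it installed updates.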
All replies
-
For those laptops, is there any reason why they need to be configured/managed by your WSUS at all?
Maybe they can just be configured for automatic updating directly from MS?
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
-
Ideally, yes, it would be much simpler for laptops &c. to update themselves but, for security reasons, we need to be able to assure that systems connecting to our network are compliant for both Windows updates and for Anti-Virus.
Thanks for the response.