locked
WSUS - Downloading from WSUS Server over WAN? RRS feed

  • Question

  • Hello,

         I have (I hope) a very basic, beginners question regarding WSUS:

    If I have my WSUS service hosted on a server at site A., it makes sense that all client computers at site A. would download their Windows updates directly from this server via LAN.

    However, if I have clients at an external site B., which has no server, and is located at least one state away, is there any benefit to having them download their updates from the server at site A. over WAN?

    In my mind, this would logically mean that clients in site B. are using the same amount of download bandwidth as if they were to download the updates directly from Microsoft's servers, while putting unnecessary strain on site A.'s upload bandwidth.

    I've tried explaining this to a colleague of mine, however he is insistent that it would be best to have sites in different states download their Windows updates from a central WSUS server.

    Can anyone provide a situation in which this would be true, or should I go with my original assertion that clients at site A. should download from the local WSUS server, and clients at other sites download the updates directly from Microsoft's servers?

    Sorry if any of this is confusing, please forgive me as I am only just beginning to investigate setting up a WSUS service.

    Thank you for your time and help.

    Wednesday, July 24, 2013 9:53 AM

Answers

  • The fact is that if your WAN is really 'slow' you'd better to use replica servers.

    Anyway, clients communicate to server over the BITS so it's up to you to have B site's computers come to your WSUS central server to take their updates.

    All you will have to do is create Computers Groups, GPO, link them correctly with settings designed for sites and you'll be fine.

    This plus the fact that you can schedule WSUS to synchronize at night to not impact your daily production downloading files or installing them, may have you use only the A site WSUS server.

    It's not the most accurate solution, but it's possible to do so.

    TiGrOu.

    • Proposed as answer by Brice Pradel Thursday, July 25, 2013 12:07 PM
    • Marked as answer by Clarence Zhang Wednesday, July 31, 2013 2:13 AM
    Wednesday, July 24, 2013 11:27 AM

All replies

  • Hello Candrin,

    Maybe the best would be to have a replica server in your B site that will take updates from your main site and from your central WSUS server.

    This way, you'd be able to make replica server take updates only at night when the bandwith is less used and make client computers from your B site take their updates from your replica with LAN.

    This will also make your computers have the same state as you'll be able to control installation approval over all sites with Group Policies.

    Hope this will help.

    Thanks.

    TiGrOu.

    Wednesday, July 24, 2013 10:07 AM
  • Thanks for the reply, elTiGrOu!

         I would love to implement this kind of set up and it would make a lot of sense to me, unfortunately the budget I have for this project is virtually zero, so the option of installing even a modest server at any of our external sites outside of A. is currently off the table.

    Does this leave setting clients located at external sites to download updates directly from the MS servers as my best option?

    Thanks again for your help.

    Wednesday, July 24, 2013 10:51 AM
  • The fact is that if your WAN is really 'slow' you'd better to use replica servers.

    Anyway, clients communicate to server over the BITS so it's up to you to have B site's computers come to your WSUS central server to take their updates.

    All you will have to do is create Computers Groups, GPO, link them correctly with settings designed for sites and you'll be fine.

    This plus the fact that you can schedule WSUS to synchronize at night to not impact your daily production downloading files or installing them, may have you use only the A site WSUS server.

    It's not the most accurate solution, but it's possible to do so.

    TiGrOu.

    • Proposed as answer by Brice Pradel Thursday, July 25, 2013 12:07 PM
    • Marked as answer by Clarence Zhang Wednesday, July 31, 2013 2:13 AM
    Wednesday, July 24, 2013 11:27 AM
  • Thanks a lot TiGrOu, I'll use that information for my upcoming WSUS proposal :)

    Cheers,

    -Candrin

    Wednesday, July 24, 2013 12:04 PM