WSUS design

  • Question

  • Hi all,

    I have an old 2003 WSUS server in the internal LAN. Mobile users are able to connect with VPN to the company DMZ. I need to make a new WSUS design which allows remote users to update their laptops from outside of the company LAN.

    I thought to place an upstream WSUS server in the DMZ and a downstream/replica in the LAN. Is there a way to target user laptops to the DMZ WSUS when they connect remotely (VPN) and to the LAN WSUS when they are at the office? As far as I know I can specify only 1 WSUS server in GPO.

    What is the best way to update laptops from the LAN or DMZ WSUS based on their location (remotely connected with VPN or connected to the LAN)?

    I also thought of having only one WSUS in the DMZ and allowing LAN users to update from this WSUS server.

    Thanks

    Tuesday, February 24, 2015 3:00 PM

Answers

  • DirectAccess might not be possible here (it might be, but Windows 2003 is a bit of a red flag on this one).

    Configuring DNS round-robin might be a good workaround, allowing different servers to be targeted depending on which DNS server it hits.

    • Marked as answer by tomas.kukan Friday, February 27, 2015 2:54 PM
    Wednesday, February 25, 2015 7:44 AM

All replies

  • I think you can install an upstream server on the LAN and a downstream in the DMZ.

    You can also install an autonomous WSUS server and configure it separately.

    But it is less convenient.

    Tuesday, February 24, 2015 10:15 PM
  • Hi tomas,

    I think that DirectAccess is suitable for your situation. If we deploy the DirectAccess, we only need one WSUS server in LAN.

    DirectAccess allows remote users to securely access internal network file shares, Web sites, and applications without connecting to a virtual private network (VPN). An internal network is also known as a private network or intranet.

    DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on.

    Users never have to think about connecting to the internal network and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.

    Best Regards.


    Steven Lee

    Wednesday, February 25, 2015 7:32 AM
  • I don't want to use DirectAccess. The point is to only allow WSUS updates for remote clients. Netmask ordering looks good.

    Am I right with this example scenario?

    - Let's say I have a WSUS server in the LAN - hostname WSUS with IP address 192.168.1.1/24

    - I will create a new replica/downstream WSUS in the DMZ - hostname WSUS-DMZ with IP address 172.16.1.1/24

    - When remote clients connect to the DMZ with VPN they get an IP address within the range 172.16.1.0/24

    - I will create a DNS A record for WSUS with IP address 172.16.1.1

    - Enable netmask ordering on DNS with the default 24-bit mask

    Should this work? Or am I missing something?

    Thanks

    Wednesday, February 25, 2015 8:20 AM
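As an added illustration (not code from the thread), here is a small Python model of the netmask-ordering behaviour the scenario above relies on: the DNS server moves A records that share the client's /24 to the front of the answer, so an office client resolves WSUS to 192.168.1.1 and a VPN client in the 172.16.1.0/24 pool resolves it to 172.16.1.1. The 24-bit mask is the Windows DNS default mentioned in the post; the ordering function is a model of that behaviour rather than the server's real code, and the client addresses are constructed.

```python
import ipaddress

# Constructed from the thread's scenario: one hostname "WSUS" with two A
# records, one per network (both addresses are taken from the post).
WSUS_A_RECORDS = ["192.168.1.1", "172.16.1.1"]

# Windows DNS netmask ordering compares client and record on the first
# 24 bits by default (a /24); this constant models that default.
DEFAULT_PREFIX_LEN = 24


def netmask_ordering(client_ip, records, prefix_len=DEFAULT_PREFIX_LEN, rotation=0):
    """Model of the DNS server's answer ordering (not the real implementation).

    Records inside the client's /prefix_len network are moved to the front;
    the rest keep round-robin order. `rotation` stands for how many times the
    server has already rotated the record set for this name.
    """
    client = ipaddress.ip_address(client_ip)
    client_net = ipaddress.ip_network(f"{client}/{prefix_len}", strict=False)
    # Apply round-robin first, then local-network priority on top of it.
    shift = rotation % len(records)
    rotated = records[shift:] + records[:shift]
    local = [r for r in rotated if ipaddress.ip_address(r) in client_net]
    remote = [r for r in rotated if ipaddress.ip_address(r) not in client_net]
    return local + remote


def wsus_target(client_ip, rotation=0):
    """Address the client actually uses: the first A record in the answer."""
    return netmask_ordering(client_ip, WSUS_A_RECORDS, rotation=rotation)[0]


if __name__ == "__main__":
    # Constructed clients: an office laptop on the LAN /24 and a VPN laptop
    # in the 172.16.1.0/24 pool. Both get a stable answer regardless of
    # round-robin rotation.
    for label, ip in [("office", "192.168.1.50"), ("vpn", "172.16.1.77")]:
        for rot in range(2):
            print(f"{label:6} {ip:14} rotation={rot} -> {wsus_target(ip, rot)}")
    # Caveat: a client in a third subnet (for example a second LAN /24)
    # matches neither record, so it falls back to plain round-robin and may
    # alternate between the two servers.
    for rot in range(2):
        print(f"other  192.168.2.10   rotation={rot} -> {wsus_target('192.168.2.10', rot)}")
```

The last loop shows the practical limit of the 24-bit default: any client subnet that does not contain one of the WSUS addresses is not steered, so the VPN pool must share its /24 with WSUS-DMZ (as it does in the scenario) or the mask must be widened.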
  • Hi Tomas,

    I think that approach should work alright. 

    Friday, February 27, 2015 11:20 AM