WSUS: best practices to manage roaming clients

  • Question

  • Dear all,
    I need your help to correctly manage roaming clients and OS updates.

    Scenario
    The WSUS server is located in our local domain and manages clients registered via GPO in their own PC groups.
    The WSUS server is configured with a public SSL certificate (not self-signed) and has automatic approval policies based on specific criteria (update type/PC group).
    Moreover, a third-party software (SolarWinds Patch Manager) pushes third-party security updates into WSUS.

    All works fine when the laptops work connected to corporate networks, but when they are out of the office, the only way to get updates from our WSUS is via VPN.

    To avoid this, I was thinking of exposing my WSUS over the Internet.

    It's clear that this could expose the server to some security risks (like every other web server), but do you think that this is a correct way to manage this scenario?

    Thanks for your support.
    Wednesday, September 27, 2017 10:18 AM

All replies

  • Hey

    I would suggest creating an additional WSUS server in the DMZ which would not be joined to the domain and setting it up as a downstream server as stated in the article below. That server should be published to the Internet.

    https://technet.microsoft.com/en-us/library/cc708495(v=ws.10).aspx

    If you have a split-DNS scenario, you could set up your GPO with the WSUS server's public domain name and override it in your local DNS to point to the LAN address instead of the Internet address.

    That would be the safest way to work on your problem in my opinion.

    Cheers


    Wednesday, September 27, 2017 10:32 AM
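    The split-DNS arrangement above only works if every roaming client really carries the public WSUS name in its policy and resolves it to the LAN address while inside and to the published DMZ address while outside. The following PowerShell check, added here as an example and not taken from the thread or from any Microsoft documentation, reads the WSUS client policy from the registry, resolves the configured host, and reports which side of the split the client is on. The policy name `wsus.example.com`, the LAN address `10.0.0.25` and the public address `203.0.113.10` are constructed placeholders; the registry values `WUServer`, `WUStatusServer` and `AU\UseWUServer` are the standard Windows Update policy keys that the GPO writes.

```powershell
# Added example (not from the thread): verify which WSUS endpoint a roaming
# client is using and whether the split-DNS setup is in effect on this machine.
# Assumptions (constructed for illustration):
#   GPO sets WUServer to https://wsus.example.com:8531
#   LAN address of the internal WSUS:  10.0.0.25
#   Public address of the DMZ replica: 203.0.113.10 (TEST-NET-3)
$lanAddress    = '10.0.0.25'
$publicAddress = '203.0.113.10'

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $policyPath -ErrorAction Stop
$au     = Get-ItemProperty -Path "$policyPath\AU" -ErrorAction SilentlyContinue

# UseWUServer = 1 is what makes the client talk to WSUS instead of Microsoft Update
if ($au.UseWUServer -ne 1) {
    Write-Warning 'UseWUServer is not 1: this client is not using the intranet WSUS server at all.'
}

# Both URLs should be the same host; a mismatch usually means a stale GPO
if ($policy.WUServer -ne $policy.WUStatusServer) {
    Write-Warning "WUServer ($($policy.WUServer)) and WUStatusServer ($($policy.WUStatusServer)) differ."
}

$uri = [uri]$policy.WUServer
# A server reachable from the Internet should only be contacted over HTTPS
if ($uri.Scheme -ne 'https') {
    Write-Warning "WUServer uses $($uri.Scheme); an Internet-published WSUS should be HTTPS only."
}

# Resolve the GPO host name from this client's current network position
$resolved = Resolve-DnsName -Name $uri.Host -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object -First 1 -ExpandProperty IPAddress

switch ($resolved) {
    { $_ -eq $lanAddress }    { "On the corporate network: $($uri.Host) -> $resolved (LAN WSUS)" }
    { $_ -eq $publicAddress } { "Off-site: $($uri.Host) -> $resolved (published DMZ server)" }
    default                   { Write-Warning "Unexpected answer $resolved for $($uri.Host); check split-DNS zones." }
}

# Finally confirm that the configured port is actually reachable from here
Test-NetConnection -ComputerName $uri.Host -Port $uri.Port |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

    Run it once on the LAN and once from outside (without the VPN); the resolved address should flip between the two constructed values while the `TcpTestSucceeded` result stays `True` in both places. If the external run resolves the LAN address, the public DNS zone is missing the record; if it resolves the public address but the TCP test fails, the DMZ publication is not complete.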
  • Nice suggestion
    The only problem would be third party updates; they are only managed on the current WSUS and the downstream server could not sync these updates.
    Wednesday, September 27, 2017 10:44 AM
  • Then maybe putting the original server in the DMZ and allowing the traffic from WSUS clients to this server through the LAN, but this would be less secure.

    The other way would be to configure a reverse proxy in the DMZ and point it back to the original server in the LAN; that can be done with IIS and it's not so complicated. There are articles on how to do it for Exchange or Skype for Business; you could follow these or any other, for example the one below could be OK for you: https://blogs.msdn.microsoft.com/carlosag/2010/04/01/setting-up-a-reverse-proxy-using-iis-url-rewrite-and-arr/

    Another idea to work this out would be to configure SolarWinds Patch Manager to push updates to both of these servers.

    Wednesday, September 27, 2017 11:02 AM
  • Hi,

    Agree with Martin.

    In addition, if there are not too many updates, you may consider exporting and importing updates into a separate WSUS server which will be "published on the internet":

    https://technet.microsoft.com/en-us/library/cc720512(v=ws.10).aspx


    Best Regards,

    Elton




    Friday, September 29, 2017 6:52 AM