Need to setup WSUS in a secure, non connected environment

  • Question

  • Hi All,
    I need to set up WSUS to patch servers in a secure test environment. The network has no access to the internet.
    Has anyone done something similar they can advise on? Even the initial configuration of WSUS requires internet and won't go by it.
    Appreciate any help/feedback.
    Thanks

    Joe.

    Tuesday, November 27, 2018 3:20 PM

Answers

  • Hello,
      
    There is no problem setting up a disconnected WSUS environment. All we need to do is set up another WSUS server that can sync with MU as an export WSUS server. Then we can refer to the following steps to import the update metadata and binary files to the disconnected WSUS server.
     
    1> On the export WSUS server, sync with MU to get the update metadata and download the binary files.
    2> On the export WSUS server, export the metadata and then import it to your disconnected WSUS server via the "wsusutil export/import" command.
    3> On the export WSUS server, copy the WSUS content and transfer it to the import WSUS server.
     
    Here are some articles which have detailed information and steps about the whole process.
     
    How to install patches in an isolated environment
    https://blogs.msdn.microsoft.com/george_bethanis/2014/09/19/how-to-install-patches-in-an-isolated-environment/
     
    Configure a Disconnected Network to Receive Updates
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939873(v%3dws.10)
     
    Set Up a Disconnected Network (Import and Export Updates)
    https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127442
     
    Before you start the export and import, do not forget to match the advanced options between the export and import WSUS servers, which is also mentioned in the above articles. It is not required, but it is recommended to use the same OS version on the export and import WSUS servers.
     
    Hope my answer could help you and look forward to your feedback.
     
    Best Regards,
    Ray

    • Marked as answer by Joe The Tim Wednesday, November 28, 2018 8:55 AM
    Wednesday, November 28, 2018 1:46 AM
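
The three steps from the answer above as PowerShell for both servers. This is an added example, not part of the original post or of Microsoft's documentation. The content directory, media path, file names and function names are assumptions, and the SHA-256 manifest check is an addition that the thread does not mention.

```powershell
# Added example. Assumed paths: adjust to your servers and transfer media.
$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
$Content  = 'D:\WSUS\WsusContent'   # assumed WSUS content directory
$Media    = 'E:\wsus-transfer'      # assumed removable media path

function Export-WsusForTransfer {
    # Run on the export (internet-connected) WSUS server after sync and download finish.
    New-Item -ItemType Directory -Path $Media -Force | Out-Null
    & $WsusUtil export "$Media\export.xml.gz" "$Media\export.log"
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed ($LASTEXITCODE)" }
    robocopy $Content "$Media\WsusContent" /E /R:2 /W:5 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE)" }
    # Record a SHA-256 for every staged file, with paths relative to the media root.
    Get-ChildItem $Media -Recurse -File |
        Where-Object Name -ne 'manifest.csv' |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName.Substring($Media.Length + 1)
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv "$Media\manifest.csv" -NoTypeInformation
}

function Import-WsusFromTransfer {
    # Run on the disconnected WSUS server. Nothing is imported if any file is missing or altered.
    $bad = Import-Csv "$Media\manifest.csv" | Where-Object {
        $file = Join-Path $Media $_.Path
        -not (Test-Path -LiteralPath $file) -or
            (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $_.SHA256
    }
    if ($bad) { throw "Integrity check failed for: $($bad.Path -join ', ')" }
    # Copy the binaries into the content directory, then import the metadata.
    robocopy "$Media\WsusContent" $Content /E /R:2 /W:5 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE)" }
    # The import log goes to a local path because the media may be read-only.
    & $WsusUtil import "$Media\export.xml.gz" "$env:TEMP\wsus-import.log"
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed ($LASTEXITCODE)" }
}
```

A manifest that travels on the same media detects corruption in transit; to detect tampering as well, carry the manifest (or its hash) into the secure environment by a separate path and compare before running the import.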

All replies

  • Great - thanks Ray. Do you know if it is possible to also download the updates from the Microsoft Catalog and then import them into the WSUS server (if we didn't want to set up an export/import system)?

    Thanks

    Joe.


    Wednesday, November 28, 2018 8:56 AM
  • Hello Joe,

    It is not supported.

    We can only import updates to WSUS by clicking "Import Updates..." in the WSUS console. That means the WSUS server must be connected to the Internet.

    WSUS saves not only the update files, but also the update metadata and the connection between them. And you cannot get the latter two parts from an isolated update binary file. That's why we need to get them from an export WSUS server.

    Hope my answer could help you.

    Best Regards,

    Ray



    Wednesday, November 28, 2018 2:27 PM