WSUS - one or multiple servers

  • Question

  • Hi, just a query as I can't find what I am looking for online.

    I want to set up an internal and an external WSUS server as we have a large percentage of laptops that leave the domain for 4 weeks plus. I want them to receive updates out in the field but only the updates we approve, hence the external WSUS server.

    What do people recommend as a setup? 1 internal server and a downstream external server? If this is the case, how do I set this up in Group Policy as I can only set one WSUS server? Is this even possible?

    Or do I keep 1 WSUS server, put a certificate on the site, make this externally facing and use just the https://myserver.com:8531 address in the Group Policy? Would this cause any issues apart from needing a DNS entry for when the users are on site?

    Any thoughts are most welcome.

    Thursday, October 4, 2018 2:22 PM

All replies

  • We have an internal WSUS and an external downstream WSUS in a DMZ

    In the internal DNS we have an A record resolving myserver.com to the internal IP address

    In our external DNS we have an A record resolving myserver.com to the DMZ IP address

    This allows internet users to use the DMZ WSUS and internal users to use the internal WSUS

    Not saying this is the best way but it works for us


    Regards

    Rob

    Thursday, October 4, 2018 2:30 PM
  • Hi,
    Thanks for your information.

    In my opinion, one WSUS server is enough if there are not too many client computers. If you only want to approve the updates to the specific laptops, we can add the laptops into one domain, and divide them into several groups by the "Enable client-side targeting" GPO. We can set different approval rules for different groups of laptops.


    Hope my idea helps and I look forward to your feedback.

    Best regards,
    Johnson
    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Friday, October 5, 2018 2:42 AM
  • Hi Johnson


    One WSUS will work but from a security standpoint it is a better job to have two, one on the internal network and a second in the DMZ

    You should never expose a system with access to the internal network to the internet

    You can apply the above policy on the internal server and this will sync downstream to the DMZ system


    Regards

    Rob

    Friday, October 5, 2018 9:15 AM
  • Thanks for the input guys. That gives me some thought.

    Have you set it up so that both servers have SSL enabled? Currently I have an internal WSUS working on http 8530. I have just built an external WSUSDMZ server, bought a certificate and it is configured to 8531, which is pingable and contactable by my laptop on the internet. Do I need to make the internal WSUS server SSL as well? I'm thinking in terms of my group policy, as I will publish https://myserver.com:8531 as my WSUS server, so when clients look to update the A record will point them to the internal WSUS server, but will they use the 8530 port or try to use the SSL port?

    Also, with the above setup does each server need its own database or can they share a repository? What I mean is, does the downstream server pull the downloads from the internal WSUS server database or does it keep its own copy locally? This is all rather new to me and I'm not really finding the answer online.

    Thanks everyone

    Friday, October 5, 2018 11:17 AM
  • It makes life a bit easier if both servers are the same so I would use SSL on both

    You can use the same cert on both servers

    For your database, it depends on your setup but I would go with a database on each

    The less ports opened back to your internal network the better


    Regards

    Rob

    Friday, October 5, 2018 3:53 PM
  • Part 7 of my guide will show you why you SHOULD use SSL on ALL WSUS Servers.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-7-ssl-setup-for-wsus-and-why-you-should-care/

    You also have the "Set the alternate download server" option available in GPOs, for this reason (IMO).

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-4-creating-your-gpos-for-an-inheritance-setup/

    I would use the same hostname on both systems utilizing Split-DNS and have internally the DNS hostname point to the internal, and externally to the external. Then you only need 1 SSL Cert (or 1 SAN on an existing cert)


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Friday, October 5, 2018 7:53 PM
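An added check (not from any poster in this thread) for the point raised above: the client uses exactly the scheme and port in the GPO URL on whichever server the current network's DNS returns, so with split-DNS the internal server must answer TLS on 8531 too. The script reads the local WindowsUpdate policy registry values (WUServer, WUStatusServer and UpdateServiceUrlAlternate, the "Set the alternate download server" key), resolves the configured hostname, and performs a TLS handshake to show which certificate the resolved server presents. It assumes the policy has been applied to the machine it runs on.

```powershell
# Added example: verify the WSUS client policy is HTTPS, see which address this network's
# DNS hands out for the WSUS name, and confirm that server completes a TLS handshake
# on the configured port. Assumes the WSUS GPO is applied to this machine.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $policy -ErrorAction Stop

foreach ($name in 'WUServer', 'WUStatusServer', 'UpdateServiceUrlAlternate') {
    $value = $wu.$name
    if (-not $value) { continue }      # the alternate download server is optional
    $uri = [Uri]$value
    Write-Host "$name = $value"
    if ($uri.Scheme -ne 'https') {
        Write-Warning "$name is not HTTPS; clients will talk to this WSUS in clear text"
    }
}

$uri = [Uri]$wu.WUServer
# Split-DNS: inside the network this should be the internal server, outside the DMZ one.
Resolve-DnsName -Name $uri.Host -Type A -ErrorAction Stop |
    Where-Object { $_.IPAddress } |
    ForEach-Object { Write-Host ("{0} resolves to {1}" -f $uri.Host, $_.IPAddress) }

# The client will connect with this scheme and port regardless of which server DNS
# returned, so an internal server listening only on 8530/HTTP fails right here.
$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($uri.Host, $uri.Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($uri.Host)   # throws if chain or hostname does not validate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host ("TLS OK: subject={0} issuer={1} expires={2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning 'WSUS certificate expires within 30 days'
    }
} catch {
    Write-Warning ("TLS handshake to {0}:{1} failed: {2}" -f $uri.Host, $uri.Port, $_.Exception.Message)
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Run it once on the LAN and once from outside: the resolved address should change while the certificate subject stays the same, which is what sharing one cert (or one SAN) across both servers buys you.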