The goal of this article is to bring an updated version of the white paper
Implementing WSUS with ISA Server 2004 to Manage Remote Clients.
This article explains how to publish WSUS 3 SP2 located in a DMZ to deploy updates to clients located in the external network. In this scenario WSUS will be behind Forefront TMG 2010 SP2. We will use the same topology presented in the article
Deploy Windows Server Updates Services (WSUS) 3 SP2 on a DMZ Protected by Forefront TMG 2010 SP2. On this scenario remote clients will be receiving updates from an Internal WSUS
that is already in use in the internal network.
In order to configure Forefront TMG 2010 for this scenario you will need the following:
Note: if the certificate was issued by an internal CA (behind Forefront TMG) you will need to also publish the CRL so that external clients can retrieve this list. If you are using a public CA you will not need to perform this step.
Once you have that configured you can configure the Forefront TMG publishing rule for WSUS. Follow the steps below to configure this rule:
1. Open Forefront TMG Management Console. Right click Firewall Policy, point to
New and click Web Site Publishing Rule.
2. On the Welcome to the New Web Publishing Wizard page type the rule name as shown below and click
3. On the Select Rule Action page choose Allow
as shown below and click Next.
4. On the Publishing Type page keep the default selection (Publish a single Web site or load balancer) as shown below and click
Next to continue.
5. On the Server Connection Security page click Use non-secured connections to connect the published Web server or farm as shown in figure below and click
Next to continue.
6. In the Internal Publishing Details page type the internal WSUS Server name as shown below and click
Next to continue.
7. In the Internal Publishing Details page type /* as shown below and click
Note: It is important to mention that once we finish these steps we will remove this path and add the correct list of paths.
8. In the Public Name Details page, type the public name that will be used by the remote clients to access WSUS Server (this name must match the subject name for the certificate installed on TMG) in the
Public Name field as shown below and click Next.
9. In the Select Web Listener page, click New, type a name for the web listener in the
Welcome to the New Web Listener Wizard page and click Next.
10. In the Client Connection Security page leave the default selection as shown below and click
11. In the Web Listener IP Address page click External
and use the following decision matrix to choose the option that best fits with your scenario:
13. In the Authentication Settings page click the drop down list, select
No Authentication and click Next.
14. In the Single Sign On Settings page click Next
and then click Finish.
15. Back to the Select Web Listener page, make sure that the new listener is selected and click
16. In the Authentication Delegation page click the drop down list and select
No delegation, but client may authenticate directly, click
Next twice and click Finish.
Now that the rule is created there are some extra steps to make sure that the rule is correctly configured. Follow the steps below to customize this rule:
1. Right click on WSUS Publishing rule and click Properties.
2. Click Paths tab, remove the existing path by selecting it and click
3. Click Add button and one by one, add the paths below:
5. Once you finish adding all those paths click Apply and click
Test Rule. The result should be similar to the one below:
6. Notice that all tests passed, once you confirm that click Close.
7. Click OK, click Apply, type a description and click
There is no additional change for the WSUS configuration if it is already configured using the guidelines from the article
Deploy Windows Server Updates Services (WSUS) 3 SP2 on a DMZ Protected by Forefront TMG 2010 SP2.
There are a set of pre-requisites to make sure that the remote clients are able to obtain updates from this published WSUS Server. The options are:
- They must be pointing to https://wsus.contoso.com/ update services as shown in the figure below:
- Client must trust the CA that issued the certificate to wsus.contoso.com and it should be installed in the correct container as shown below:
- External clients must be able to resolve this name (wsus.contoso.com)
After finishing the configuration you can start validating the configuration on the client computer by following the steps below:
1. Open command prompt and run the command gpupdate /force
2. Run the command rsop.msc and verify if the WSUS Server name is showing up in the Windows Update.
3. Click Start, All Programs and click
4. Click Check for Updates.
Note: if you have live logging enabled on Forefront TMG you should see the traffic pattern similar to the one below:
5. On the client, open the file %windir%\windowsupdate.log and check if the client is trying to
get update from the WSUS Server as shown below:
6. Switch to WSUS Server and make sure that the computer is already reporting itself to WSUS.