This is what I would do:
I manage a WAN that is servicing K-12 school districts here in Colorado and have been noticing that first thing in the morning, when the districts start their computers, we are seeing a large influx of BITS (Windows Update) traffic. The result is that from around 8:00 am - 9:00 am we are using nearly all of our 50 Mbps, but after 9 we drop down to our more normal 25 Mbps. What I am looking for is a solution to cache the BITS updates so that we are only downloading them once each day. I have looked into WSUS but I don't want to have to coordinate (or try to force) all of my independent districts to configure their machines to look at my WSUS server. I have seen that there is a BITS caching service related to ISA but it appears that the server must be in the same subnet as the clients, which isn't an option since I want to deploy this near our gateway.
This question has been solved and asker verified.
I do know that WSUS will allow the usage of upstream servers but I am hoping for a solution that does not require individual district & host configuration as WSUS does. A WSUS solution could catch a large portion of traffic but there are always some computers that aren't configured the way that I would like, especially when I don't have direct control over them.
While I do have the capability to throttle the bandwidth on our packetshaper, I was seeking a more elegant solution that would improve the client's perceived download performance without requiring a massive coordination effort among the various technology departments.
You can do pretty much the entire setup of WSUS through group policy and push those to the clients fairly easily. I just recently set up a new WSUS server and got all of our users onto it. Basically it is about 4-6 group policy entries to direct the clients to the server and set the update frequency.
Then if you have downstream servers it is just a matter of pointing them to the main server to get their updates.
Ok so I don't think that I have explained myself clearly enough.
1. Throttling. I can throttle down BITS traffic with a single step on my packetshaper. This device sits just inside my firewall and distinctly identifies all types of traffic including BITS. I do not want to do this.
2. WSUS. Of the 18 school districts that are attached to my WAN, I have direct control over none of them. This means I cannot make group policy changes to the clients at these sites. If I deploy my own WSUS server and ask each of my districts to do the same and use mine as an upstream server, I will not get all of them to do it, leaving some unknown percentage still consuming bandwidth unnecessarily.
What I am seeking (which I know may not exist) is a transparent solution that could intercept Windows Update BITS requests and serve them on its own.
One thought that I have had is to deploy WSUS and then block regular Windows Update. This doesn't work because I place school district property at risk.
So any thoughts?
You spoke clearly, you're just refusing to listen. There is no other way. You can either schedule the updates to install at specific times with GPO or throttle BITS (with GPO, not packetshaper). Or deploy downstream WSUS servers.
http://technet.microsoft.c
Background Intelligent Transfer Service Bandwidth Management
Background Intelligent Transfer Service (BITS) is a file transfer service that transfers files in the foreground or background (default) between a client and a server. Background transfers use only idle network bandwidth in order to preserve the user's interactive experience with other network applications, such as Internet Explorer. BITS examines the network traffic, and uses only the idle portion of the network bandwidth. BITS regulates its use of bandwidth as users increase or decrease their use of the bandwidth.
Server 2008 may have what you are looking for
http://technet.microsoft.c
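The WSUS client settings and the BITS throttle suggested in the replies above are both delivered by Group Policy as registry values under `HKLM\SOFTWARE\Policies`. The following read-only audit is an added example, not part of the original thread: it reports whether a given client actually received those policies. The server URL `http://wsus.example.internal:8530` and the function names are assumptions for illustration.

```powershell
# Added example: read-only audit of the policy values a WSUS/BITS GPO writes.
$wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au   = "$wu\AU"
$bits = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy never applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-UpdatePolicyAudit {
    param([string]$ExpectedServer)   # hypothetical WSUS URL supplied by the auditor
    $server  = Get-PolicyValue $wu 'WUServer'
    $useWsus = Get-PolicyValue $au 'UseWUServer'
    $detect  = Get-PolicyValue $au 'DetectionFrequencyEnabled'
    $capOn   = Get-PolicyValue $bits 'EnableBITSMaxBandwidth'

    # Compare URLs without a trailing slash; "$server" is '' when the value is unset.
    $match = ($useWsus -eq 1) -and
             ("$server".TrimEnd('/') -eq $ExpectedServer.TrimEnd('/'))

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        WUServer             = $server
        WUStatusServer       = Get-PolicyValue $wu 'WUStatusServer'
        UseWUServer          = $useWsus
        AUOptions            = Get-PolicyValue $au 'AUOptions'
        ScheduledInstallHour = Get-PolicyValue $au 'ScheduledInstallTime'
        # DetectionFrequency only applies when DetectionFrequencyEnabled is 1.
        DetectionHours       = if ($detect -eq 1) { Get-PolicyValue $au 'DetectionFrequency' }
        BitsThrottleEnabled  = ($capOn -eq 1)
        BitsMaxKbps          = Get-PolicyValue $bits 'MaxTransferRateOnSchedule'
        BitsThrottleFromHour = Get-PolicyValue $bits 'MaxBandwidthValidFrom'
        BitsThrottleToHour   = Get-PolicyValue $bits 'MaxBandwidthValidTo'
        PointsAtExpectedWsus = $match
    }
}

Get-UpdatePolicyAudit -ExpectedServer 'http://wsus.example.internal:8530' | Format-List
```

Clients where `PointsAtExpectedWsus` is false are the ones still pulling updates directly across the WAN link.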
There is one other way but if you don't have the ability/authority to deploy GPOs and WSUS I would think this would be even harder. We used to run a caching appliance at several of our remote sites. Theoretically if you were to have a caching appliance on each endpoint of your WAN connection/school district then the Windows updates could be downloaded once and then kept locally in the appliance's cache without the need for any BITS, WSUS, etc.
We ran Blue Coat ProxySG appliances, but you can get them from many other companies: Riverbed, Cisco, etc.
I guess that there isn't a way to actually do what I am looking for. I will probably set up a WSUS server and ask the districts to point to it but I won't catch everything that way... Anyway, thanks for the help!
dstewartjr: maybe you can explain why you think that the packeteer won't throttle BITS, because it will. Any traffic that it can positively identify can be limited or blocked altogether. I know that it accurately identifies BITS because that is how I know this issue exists.
by: xxdcmast Posted on 2009-10-14 at 12:12:47 ID: 25573991
Question for you: do each of your districts have their own WSUS servers?
One way that I could suggest doing this would be to add a main WSUS server and then have each of your remote sites with a downstream WSUS server. This way each site's WSUS server will only download the updates one time and then get them from their server rather than each individual machine trying to get their own updates.
I don't know if you have looked into this extensively but it is pretty easy to set up upstream and downstream WSUS servers in WSUS 3.0. Once the initial synchronization between the two is complete it works very well.