I curently have 3 servers that reside in the DMZ, an app. server, mail server, and web server. I use WSUS and CA Antivirus Console to manage updates to everything inside our secure network. I am looking for the best way to keep these servers up-to-date with antivirus and windows updates. I cannot use the same method used with the devices on the internal network because the DMZ servers are in a workgroup in Active Directory. Currently, the firewall is configured to block port 80 for added security, so these machines cannot get their own updates. I felt it was more secure to keep these machines from initiating any connections through port 80.
Is there any other way I can push updates to these servers from inside the secure network allowing them to be managed the same way the rest of our intranet is managed? I am of the opinion that opening port 80 is a last resort and there must be another means by which I can keep these servers up-to-date internally.