Windows Server 2003
--
Questions
--
Followers
Top Experts
Updating Antivirus and Windows on DMZ Servers
I curently have 3 servers that reside in the DMZ, an app. server, mail server, and web server. I use WSUS and CA Antivirus Console to manage updates to everything inside our secure network. I am looking for the best way to keep these servers up-to-date with antivirus and windows updates. I cannot use the same method used with the devices on the internal network because the DMZ servers are in a workgroup in Active Directory. Currently, the firewall is configured to block port 80 for added security, so these machines cannot get their own updates. I felt it was more secure to keep these machines from initiating any connections through port 80.
Is there any other way I can push updates to these servers from inside the secure network allowing them to be managed the same way the rest of our intranet is managed? I am of the opinion that opening port 80 is a last resort and there must be another means by which I can keep these servers up-to-date internally.
Is there any other way I can push updates to these servers from inside the secure network allowing them to be managed the same way the rest of our intranet is managed? I am of the opinion that opening port 80 is a last resort and there must be another means by which I can keep these servers up-to-date internally.
Zero AI Policy
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
ASKER CERTIFIED SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
Netman66,
Other than setting the WSUS server up in the DMZ, is there a way to point those DMZ servers back to our secure network to get antivirus and windows updates? However, at this point, I am unsure of what ports would be used and subsequently, what firewall rules would need to be changed to make that work.
I can re-open port 80 on the firewall, and allow it to obtain Windows updates from the Internet; however, I was hoping to use WSUS to maintain consistency and a standardized audit trail in my network. I recently found out that CA Antiviurs does not use Port 80 to retrieve updates from the Internet, so I am not as concerned about those updates.
Other than setting the WSUS server up in the DMZ, is there a way to point those DMZ servers back to our secure network to get antivirus and windows updates? However, at this point, I am unsure of what ports would be used and subsequently, what firewall rules would need to be changed to make that work.
I can re-open port 80 on the firewall, and allow it to obtain Windows updates from the Internet; however, I was hoping to use WSUS to maintain consistency and a standardized audit trail in my network. I recently found out that CA Antiviurs does not use Port 80 to retrieve updates from the Internet, so I am not as concerned about those updates.
Not really, unless they are domain members. Â Downlevel WSUS servers need to be part of the domain also - and that's not a good thing in the DMZ.
Creating rules from the WSUS server to Microsoft wouldn't be difficult.
I understand the need to stay consistent with the internal LAN - a HIPPA thing (my guess), but if you document the internal update approvals then following that script for the DMZ server shouldn't be difficult. Â It's just another process.
I'm finding out for sure whether it's possible to chain a non-domain WSUS server to a domain WSUS server. Â I need to know absolutely.
Creating rules from the WSUS server to Microsoft wouldn't be difficult.
I understand the need to stay consistent with the internal LAN - a HIPPA thing (my guess), but if you document the internal update approvals then following that script for the DMZ server shouldn't be difficult. Â It's just another process.
I'm finding out for sure whether it's possible to chain a non-domain WSUS server to a domain WSUS server. Â I need to know absolutely.
Thanks for your response. I appreciate it. I have since opened Port 80; however, it is only to initiate an outbound connection, not to accept. Other than the options you mentioned, the only other solution I could come up with was a redistribution sever, and that was not a viable alternative for me.
Thanks again.
Thanks again.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
Windows Server 2003
--
Questions
--
Followers
Top Experts
Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).