Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Updating Antivirus and Windows on DMZ Servers

Posted on 2008-06-17
Medium Priority
Last Modified: 2013-11-22
I curently have 3 servers that reside in the DMZ, an app. server, mail server, and web server. I use WSUS and CA Antivirus Console to manage updates to everything inside our secure network. I am looking for the best way to keep these servers up-to-date with antivirus and windows updates. I cannot use the same method used with the devices on the internal network because the DMZ servers are in a workgroup in Active Directory. Currently, the firewall is configured to block port 80 for added security, so these machines cannot get their own updates. I felt it was more secure to keep these machines from initiating any connections through port 80.
Is there any other way I can push updates to these servers from inside the secure network allowing them to be managed the same way the rest of our intranet is managed? I am of the opinion that opening port 80 is a last resort and there must be another means by which I can keep these servers up-to-date internally.
Question by:cford1973
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 51

Accepted Solution

Netman66 earned 2000 total points
ID: 21818559
At some point, you are going to need port 80 open to get the updates from the Internet.  Unless you want to manually download them from the internal network then copy them to the DMZ.

You could setup WSUS in the DMZ and manually sync it on a fixed schedule.  During that time, you could open port 80 then close it again.  Honestly, creating an access rule for port 80 and 443 from the WSUS server to the 3 Microsoft sites should be fairly simple.  This would only let that one machine out and only to those sites.

Once this is configured you could let it manage itself.  You would need a registry mod to point all the DMZ equipment to the WSUS server, but that's simple enough.


Author Comment

ID: 21821728

Other than setting the WSUS server up in the DMZ, is there a way to point those DMZ servers back to our secure network to get antivirus and windows updates? However, at this point, I am unsure of what ports would be used and subsequently, what firewall rules would need to be changed to make that work.

I can re-open port 80 on the firewall, and allow it to obtain Windows updates from the Internet; however, I was hoping to use WSUS to maintain consistency and a standardized audit trail in my network. I recently found out that CA Antiviurs does not use Port 80 to retrieve updates from the Internet, so I am not as concerned about those updates.
LVL 51

Expert Comment

ID: 21822840
Not really, unless they are domain members.  Downlevel WSUS servers need to be part of the domain also - and that's not a good thing in the DMZ.

Creating rules from the WSUS server to Microsoft wouldn't be difficult.

I understand the need to stay consistent with the internal LAN - a HIPPA thing (my guess), but if you document the internal update approvals then following that script for the DMZ server shouldn't be difficult.  It's just another process.

I'm finding out for sure whether it's possible to chain a non-domain WSUS server to a domain WSUS server.  I need to know absolutely.

Author Closing Comment

ID: 31468032
Thanks for your response. I appreciate it. I have since opened Port 80; however, it is only to initiate an outbound connection, not to accept. Other than the options you mentioned, the only other solution I could come up with was a redistribution sever, and that was not a viable alternative for me.
Thanks again.

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question