
Windows Updates & WSUS Remote Laptops

I'm trying to come up with the best design to keep computers updated on a WAN. I am looking for suggestions on how to handle this in the best way using GPOs, WSUS, and Windows Update. Here is what I'm working with:

Office1 - 30 users normally, T1
Office2 - 50 users normally, T1
Office3 - 20 users normally, T1
Office4 - 15 users normally, T1
Collocation - Houses most servers including AD, 5MB
All locations are connected through a VPN on the Firewalls.
300 employees across the US and when not in the office they use a VPN software client to connect their laptop to the VPN core at the collocation.

Office 2 has a server that has an extra 40GB of space I could use, and the Collocation has a server with 300GB free space. Those are my only 2 options for installing WSUS. My main concern is with the laptops because they are mostly remote from an office. My other concern is bandwidth. For instance, let's say 50 users come into an office and they all try to update at the same time; this would completely fill the internet connection.

My initial thoughts are to install WSUS at the collocation and in Office2. I would use a GPO to have the collocation update the collocation, office1, office3, then use a GPO to have Office2 update office2 and office4. I was thinking about putting all laptops in their own OU and having a GPO to have them use Microsoft as their update server (since they can be remote or in the office).

Has anyone ever dealt with a similar situation or have suggestions?

Thanks!


Asked by: deadite
 
blahphish Commented:
Hey deadite, your plan sounds very reasonable to me. If you don't have the luxury of putting servers in each site that you can have a downstream WSUS server on, then the next best thing is to put in as many WSUS servers as you can and split up the load like you have suggested.
 
sublifer Commented:
You've got more options... I would put the WSUS at your collocation site as it is your central hub and has the most bandwidth available. If you don't already have it, install BITS (Background Intelligent Transfer Service). Then in your domain Group Policy go to Computer Configuration > Administrative Templates > Network > Background Intelligent Transfer Service and set it to something reasonable; I think it defaulted to something ridiculously low and I was seeing updates fail on my domain computers because the files weren't downloaded yet. You might have to play with it a little but the settings make sense once you see them. BITS manages background transfers, like it sounds, which includes Windows updates.

You can find BITS in Add/remove programs, Windows Components, Applications servers, and under IIS.
 
blahphish Commented:
sublifer, your suggestion of putting the WSUS server at the collocation site is already what he has himself suggested, in addition to putting a downstream server at office2, which would help so that all office2 clients and office4 could pull from office2 and the rest from collocation. It's not very clear if you are suggesting your other options differ from this.
 
sublifer Commented:
blahphish, why don't you read the rest of my post before you start criticizing in a bad attempt to scrounge points... you shouldn't even be posting anything if it's not relevant to the question. He asked for opinions on those with experience in this matter. I have 6 locations myself, two connected at 10mb and 4 by T-1's and a few roaming laptops that connect by VPN. I keep my WSUS server at my main site and let BITS manage the bandwidth of the transfers. His two main concerns are his laptop users and traffic congestion. The laptop users are connecting to the collocation anyway so WSUS there only makes sense. The use of BITS will help keep congestion down and with some fine tuning it may never be an issue.

To add to what I've already said, I wouldn't bother placing a 2nd one at office two; it will complicate your setup and they wouldn't see any great benefit if you have BITS configured. It's just not worth it for only 50 users.
 
blahphish Commented:
I wasn't attacking, simply asking for clarification, which you provided.
 
deadite (Author) Commented:
Thanks for the comments. I'm doing some testing now and it looks like I can get away with the downstream server. Won't be complicated to control and can offload traffic and get them patched quicker. BTW, I am using the default BITS config in my GPO for 8-5 (10mbps) then as much as they can grab after hours.
Question has a verified solution.
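
For checking that the WSUS and BITS policies discussed in this thread actually reached a client, the following read-only audit is an added example, not code from any poster. The registry values are the ones written by the Windows Update and BITS administrative templates; the 50 clients at 100 Kbps each are constructed sample figures, and the BITS limit applies per computer, so the link check multiplies it by the client count.

```powershell
# Added example: report which update source and BITS throttle a client received via GPO.
# Read-only; run locally on a domain-joined client.
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$bitsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-UpdatePolicyReport {
    $useWsus = Get-PolicyValue "$wuKey\AU" 'UseWUServer'
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        # Laptops left on Microsoft Update should show no WSUS policy here.
        UpdateSource    = if ($useWsus -eq 1) { Get-PolicyValue $wuKey 'WUServer' } else { 'Microsoft Update (no WSUS policy)' }
        StatusServer    = if ($useWsus -eq 1) { Get-PolicyValue $wuKey 'WUStatusServer' } else { $null }
        BitsThrottled   = ((Get-PolicyValue $bitsKey 'EnableBITSMaxBandwidth') -eq 1)
        OnScheduleKbps  = Get-PolicyValue $bitsKey 'MaxTransferRateOnSchedule'
        WindowFromHour  = Get-PolicyValue $bitsKey 'MaxBandwidthValidFrom'
        WindowToHour    = Get-PolicyValue $bitsKey 'MaxBandwidthValidTo'
        OffScheduleFull = ((Get-PolicyValue $bitsKey 'UseSystemMaximum') -eq 1)
        OffScheduleKbps = Get-PolicyValue $bitsKey 'MaxTransferRateOffSchedule'
    }
}

function Test-SiteLinkLoad {
    # Worst case: every client at the site downloads at its per-computer BITS cap at once.
    param([int]$Clients, [int]$PerClientKbps, [int]$LinkKbps = 1544)  # 1544 Kbps = one T1
    $demand = $Clients * $PerClientKbps
    [pscustomobject]@{
        WorstCaseKbps    = $demand
        LinkKbps         = $LinkKbps
        Saturates        = ($demand -gt $LinkKbps)
        MaxPerClientKbps = [math]::Floor($LinkKbps / $Clients)
    }
}

Get-UpdatePolicyReport | Format-List
# Constructed sample: 50 clients behind one T1, each capped at 100 Kbps.
Test-SiteLinkLoad -Clients 50 -PerClientKbps 100 | Format-List
```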