caloric asked:

WSUS 3.0 SP1 Is there a Public Update Server for Branch Offices?

I have branch offices connected to the main office with VPN tunnels. Instead of the branch office PCs downloading updates over the VPN, is there a way for them to download the updates from a public server but still report the statistics to WSUS at the main office? I can't install a replica at the branch offices and don't want the update traffic going over the VPN tunnel, just the statistics.
Don

caloric

ASKER

This is for using a replica server at the branch office and configuring it to get updates from Microsoft instead of from the main office server. What I need is a URL to point branch office PCs to, to download the updates.

In Group Policy I have branch office PCs in a group and they have their own GPO. Currently they are set to upload statistics and download updates from the WSUS server. There are 2 settings in there:

Set the intranet update service for detecting updates: http://wsus-server:8530
Set the intranet statistics server: http://wsus-server:8530

I know it says intranet update service implying it has to be local, but I'm hoping there's a public server I can put in that policy.
Computer Configuration (Enabled)
Administrative Templates
Windows Components/Windows Update

Policy: Specify intranet Microsoft update service location
Setting: Enabled
Set the intranet update service for detecting updates: http://wsus-server:8530
Set the intranet statistics server: http://wsus-server:8530
(example: http://IntranetUpd01)

ASKER CERTIFIED SOLUTION
Don

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you like, there is a way to install WSUS on an XP machine (for your downstream server):

http://www.neowin.net/forum/index.php?showtopic=231689
caloric

ASKER

But I want updates at the main office stored locally, but not at the branch office. I don't have any machines at the branch offices that are on long enough to be used as a downstream server. I just want the branch PCs to report statistics to the main office server but download updates from Microsoft, and the main office PCs to get updates from and upload statistics to the server.

What happens if for the branch office GPO I don't specify the "intranet update service"? Would they default to download from Microsoft or would it just not work?
This is from the "explain" tab

Specifies an intranet server to host updates from the Microsoft Update Web sites. You can then use this update service to automatically update computers on your network.

This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.

To use this setting, you must set two servername values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server.

If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them.

If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.

Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.

So yes, I would then do it this way.
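
To check on a branch PC which of the behaviours in the Explain text is actually in effect, here is an added example that is not part of the original thread. It assumes PowerShell 3.0 or later and reads the registry values that the Windows Update policies write (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate); the function name Get-UpdateSourcePolicy is made up for this example.

```powershell
# Added example: show where this PC's Automatic Updates client is told to
# detect/download updates and where it uploads statistics.
function Get-UpdateSourcePolicy {
    param(
        # Key the Windows Update group policy settings are written to.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    # Missing keys mean "Not Configured"; treat them as empty rather than failing.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $PolicyKey 'AU') -ErrorAction SilentlyContinue

    # Default: no intranet service in effect, client goes to Windows Update.
    $result = [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        DetectAndDownload = 'Windows Update (Internet)'
        Statistics        = $null
        Note              = 'Intranet update service policy is Disabled or Not Configured.'
    }

    if ($au.NoAutoUpdate -eq 1) {
        # "Configure Automatic Updates" is disabled, so the intranet policy has no effect.
        $result.DetectAndDownload = $null
        $result.Note = 'Automatic Updates is disabled by policy.'
    }
    elseif ($au.UseWUServer -eq 1 -and $wu.WUServer) {
        # Policy Enabled: the client uses the intranet service instead of Windows Update.
        $result.DetectAndDownload = $wu.WUServer
        $result.Statistics        = $wu.WUStatusServer
        $result.Note = if ($wu.WUServer -eq $wu.WUStatusServer) {
            'Both values point at the same server.'
        } else {
            'Update and statistics servers differ.'
        }
    }
    $result
}

Get-UpdateSourcePolicy | Format-List
```
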
caloric

ASKER

But I still want statistics on their updates. I would like them to download the updates from Microsoft but still report statistics to my server over the VPN. Does anyone know if this is possible?

This way I can approve whatever updates I want, know who is and isn't updated, yet save VPN bandwidth between the branch office and our main office.
SOLUTION
caloric

ASKER

That looks like what I'm looking for, except when looking at the "Configure Advanced Synchronization Options" it says to set this setting in the WSUS console. So it seems to me like it can't be done through a GPO for a specific group of clients and that setting it in WSUS would affect all clients. I would still like to have all PCs at the main office download the updates from the local server, but all branch locations download from Microsoft.

I also wonder if approving the updates encompasses the ability to view update statistics on those PCs also.
SOLUTION
caloric

ASKER

I already have client-side targeting through GPOs for main office PCs and branch offices. But the problem is that it looks like to set the clients to download the updates from Microsoft, it's done through the WSUS console, not through the GPO, which would affect all PCs, not just the branch PCs. I haven't found a specific setting in the GPO to download from Microsoft. How can I set the GPO to download the updates from Microsoft but get approvals and report statistics from/to WSUS?
SOLUTION
SOLUTION