Solved

WSUS 3.0 SP1 Is there a Public Update Server for Branch Offices?

Posted on 2009-03-31
Last Modified: 2012-05-06
I have branch offices connected to the main office with vpn tunnels. Instead of the branch office PC's downloading updates over the VPN, is there a way for them to download the updates from a public server but still report the statistics to WSUS at the main office? I can't install a replica at the branch offices and don't want the update traffic going over the vpn tunnel, just the statistics.
Question by:caloric
LVL 47

Expert Comment

by:dstewartjr
ID: 24031645
0
 

Author Comment

by:caloric
ID: 24031823
This is for using a replica server at the branch office and configuring it to get updates from microsoft instead of from the main office server. What I need is a url to point branch office PC's to, to download the updates.

In group policy I have branch office PC's in a group and they have their own GPO, currently they are set to upload statistics and download updates from the WSUS server. There are 2 settings in there:

Set the intranet update service for detecting updates: http://wsus-server:8530
Set the intranet statistics server: http://wsus-server:8530

I know it says intranet update service implying it has to be local, but I'm hoping there's a public server I can put in that policy.

Computer Configuration (Enabled)
Administrative Templates
Windows Components/Windows Update

Policy: Specify intranet Microsoft update service location
Setting: Enabled
Set the intranet update service for detecting updates: http://wsus-server:8530
Set the intranet statistics server: http://wsus-server:8530
(example: http://IntranetUpd01)

0
 
LVL 47

Accepted Solution

by:
dstewartjr earned 400 total points
ID: 24032331
All you need to do is make the selection to "Do not store updates locally; computers install from microsoft update"


updateslocation.bmp
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24032463
If you like, there is a way to install WSUS on an XP machine (for your downstream server)

http://www.neowin.net/forum/index.php?showtopic=231689
0
 

Author Comment

by:caloric
ID: 24040167
But I want updates at the main office stored locally, but not at the branch office. I don't have any machines at the branch offices that are on long enough to be used as a downstream server. I just want the branch PC's to report statistics to the main office server but download updates from microsoft, and the main office PC's to get updates from and upload statistics to the server.

What happens if for the branch office GPO I don't specify the "intranet update service"? Would they default to download from microsoft or would it just not work?
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24040240
This is from the "explain" tab

Specifies an intranet server to host updates from the Microsoft Update Web sites. You can then use this update service to automatically update computers on your network.

This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.

To use this setting, you must set two servername values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server.

If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them.

If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.

Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.

so yes I would then do it this way
0
 

Author Comment

by:caloric
ID: 24216612
But I still want statistics on their updates. I would like them to download the updates from microsoft but still report statistics to my server over the vpn, does anyone know if this is possible?

This way I can approve whatever updates I want, know who is and isn't updated, yet save vpn bandwidth between the branch office and our main office.
0

 
LVL 47

Assisted Solution

by:dstewartjr
dstewartjr earned 400 total points
ID: 24216808
Read here:
http://technet.microsoft.com/en-us/library/cc720494.aspx
You still approve updates to client computers on your network as usual, but when it comes time for clients to obtain the actual update, each client connects to the Internet to download it from Microsoft servers. These are the same servers Microsoft uses to distribute updates to the public. Although your clients obtain updates from Microsoft over the Internet, you still make the decisions about which updates are approved for distribution. The benefit of this scenario is that the distributed clients do not have to use the slow WAN connection to download updates, because WSUS only distributes approvals over the WAN link.  
0
 

Author Comment

by:caloric
ID: 24239059
That looks like what I'm looking for, except when looking at the "Configure Advanced Synchronization Options" it says to set this setting in the WSUS console. So it seems to me like it can't be done through a GPO for a specific group of clients and that setting it in WSUS would affect all clients. I would still like to have all PCs at the main office to download the updates from the local server, but all branch locations to download from microsoft.

I also wonder if approving the updates encompasses the ability to view update statistics on those PCs also.
0
 
LVL 47

Assisted Solution

by:dstewartjr
dstewartjr earned 400 total points
ID: 24239095
Yes you can do this, it is called client side targeting


http://technet.microsoft.com/en-us/library/cc720433.aspx
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24239113
0
 

Author Comment

by:caloric
ID: 24239228
I already have client side targeting through GPOs for main office PCs and branch offices. But the problem is that it looks like to set the clients to download the updates from microsoft, it's done through the WSUS console not through the GPO; which would affect all PC's not just the branch PC's. I haven't found a specific setting in the GPO to download from microsoft. How can I set the GPO to download the updates from microsoft but get approvals and report statistics from/to WSUS?
0
 
LVL 47

Assisted Solution

by:dstewartjr
dstewartjr earned 400 total points
ID: 24243191
Without using a replica server to handle the branch offices (forcing them to download their updates from microsoft) I would suggest that you configure BITS to throttle your bandwidth
WSUS: How To Throttle BITS
More on throttling WSUS downloads
 
 
Bandwidth considerations
http://www.wsuswiki.com/BandwidthConsiderations
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 100 total points
ID: 24566249
As there seems to be no way to set up what you want with GPO, you can change the related reg key under [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]. You need to remove the WUServer value (only).
0
