Solved

WSUS for remote clients

Posted on 2010-09-07
7
1,998 Views
Last Modified: 2012-05-10
We have WSUS 3.0 and all of our clients are on the domain, including our remote clients. None of our clients have local admin privledges. our AU policy is GPO based and updates need to be approved on the WSUS before installationon the clients. I want to know how our remote employees receive their updates from the WSUS or from the internet.

1.How do the remote clients communicate with the WSUS for downloads, through the VPN? How does that work, once the update is approved, the client logs onto the VPN and they are told by he WSUS what updates are aproved and then they download/install those updates from the internet or the WSUS?

2. How can I configure the remote clients to communicate with the WSUS while they are not on the VPN? At leasst to communicate what they are approved to download then download it from the internet directly?

Thanks!
0
Comment
Question by:tolinrome
  • 2
  • 2
7 Comments
 
LVL 5

Expert Comment

by:FunkyBrown
ID: 33619562
You have to look at it this way. Think of your PC as actually being in your network when it is connected to the VPN. That is the best way to look at it. So when your laptop is connected via the VPN, it will download the updates from the WSUS server, depending on how your settings are. As far as your clients communicating via the WSUS server when not connected to the VPN, I don't think this is realistic as far as security is concerned. Do you have a firewall set up protecting your network?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33619927
I understand that while on the vpn the clients  are on the network, but since a client may only be on for a few minutes and not long enough to download/install updates and to save bandwith I would like them to update via the internet if possible.

Do you know for sure if while on the vpn the clients are actually downloading the updates from the WSUS or are only notified of the approvals and then downloading from the internet?

Also, I think it should be possible to update via the WSUS through the internet. Of course we have a firewall.

Thanks!
0
 
LVL 5

Expert Comment

by:FunkyBrown
ID: 33620013
Definitely the computers will download the updates via the WSUS server when connected through the VPN. How often do you push out updates via WSUS? There should be a setting in which you can set PC's to download the updates directly from the internet. I will have a look on my WSUS server. We are currently running our updates through our SCCM server though so I need to familiarize myself with the WSUS console.
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 33739776
WSUS defaults to download updates and then the update client pulls the updates from the WSUS server. VPN or not, the client will do whatever the group policy says for it to do. Windows doesn't have any logic built in to say "hey, I'm on a VPN so I should go straight to the internet."
What you can do is create a separate WSUS group policy to have updates downloaded directly from the internet and then apply that policy to a security group with the remote machines. That policy will *always* be in effect though, so even when laptops are on the internal network, they will download updates from the internet and thus you will want to be aware of the impact on your bandwidth with such a solution in place.
For the second part, since WSUS is reliant on group policy, while it is technically possible to publish a WSUS server and have machines download it, they would not get any updated group policy settings and thus would be very limited. Having them connect via VPN solves other problems besides just updates. My current recommendation for such setups is to look at deploying DirectAccess. This allows a VPN to be setup *before* logon, so group policies work, WSUS works, and DA is very firewall friendly. This would be better than publishing a WSUS server.
-Cliff
 
0
 
LVL 7

Author Closing Comment

by:tolinrome
ID: 33740737
Excellent, thanks.
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

I have put this article together as i needed to get all the information that might be available already into one general document that could be referenced once without searching the Internet for the different pieces. I have had a few issues where…
This is a fairly complicated script that will install the required prerequisites to install SCCM 2012 R2 on a server.  It was designed under the functional model in order to compartmentalize each step required, reducing the overall complexity.  The …
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now