We have WSUS 3.0 and all of our clients are on the domain, including our remote clients. None of our clients have local admin privileges. Our AU policy is GPO based and updates need to be approved on the WSUS before installation on the clients. I want to know how our remote employees receive their updates from the WSUS or from the internet.
1. How do the remote clients communicate with the WSUS for downloads, through the VPN? How does that work, once the update is approved, the client logs onto the VPN and they are told by the WSUS what updates are approved and then they download/install those updates from the internet or the WSUS?
2. How can I configure the remote clients to communicate with the WSUS while they are not on the VPN? At least to communicate what they are approved to download then download it from the internet directly?
Thanks!
What you can do is create a separate WSUS group policy to have updates downloaded directly from the internet and then apply that policy to a security group with the remote machines. That policy will *always* be in effect though, so even when laptops are on the internal network, they will download updates from the internet and thus you will want to be aware of the impact on your bandwidth with such a solution in place.
For the second part, since WSUS is reliant on group policy, while it is technically possible to publish a WSUS server and have machines download it, they would not get any updated group policy settings and thus would be very limited. Having them connect via VPN solves other problems besides just updates. My current recommendation for such setups is to look at deploying DirectAccess. This allows a VPN to be set up *before* logon, so group policies work, WSUS works, and DA is very firewall friendly. This would be better than publishing a WSUS server.
-Cliff
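
Added example (not part of the original thread or of Cliff's answer): a PowerShell check to run on a remote laptop that reads the Windows Update policy values written by the GPO and reports whether the client scans against WSUS or Microsoft Update, and whether the WSUS server is reachable from the current network. The function names and the sample server URL `http://wsus.example.internal:8530` are constructed for illustration.

```powershell
# Added example, not from the thread. Registry location of the Windows Update
# policy values that a GPO-based AU policy writes on the client.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuPolicy {
    # Collect the relevant policy values; anything not configured stays $null.
    $p  = @{ WUServer = $null; WUStatusServer = $null; UseWUServer = $null }
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    if ($wu) { $p.WUServer = $wu.WUServer; $p.WUStatusServer = $wu.WUStatusServer }
    if ($au) { $p.UseWUServer = $au.UseWUServer }
    return $p
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout, so it also works on older PowerShell.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on DNS or connection failure
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-WuUpdateSource($Policy) {
    # UseWUServer = 1 together with a WUServer URL points the client at WSUS;
    # otherwise the Automatic Updates client scans against Microsoft Update.
    if ($Policy.UseWUServer -ne 1 -or -not $Policy.WUServer) {
        return New-Object PSObject -Property @{
            Source = 'Microsoft Update'; Server = $null; Reachable = $null }
    }
    $uri = [Uri]$Policy.WUServer
    New-Object PSObject -Property @{
        Source = 'WSUS'; Server = $uri.AbsoluteUri
        Reachable = Test-TcpPort $uri.Host $uri.Port }
}

# What this machine is actually configured to do right now:
Get-WuUpdateSource (Get-WuPolicy) | Format-List Source, Server, Reachable

# Constructed policy values (hypothetical server) to show the WSUS branch:
$sample = @{ UseWUServer = 1; WUServer = 'http://wsus.example.internal:8530' }
Get-WuUpdateSource $sample | Format-List Source, Server, Reachable
```

Running it once off the VPN and once on it shows the difference the thread is about: `Source = WSUS` with `Reachable = False` means the laptop is pointed at a server it cannot currently contact.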