WSUS for remote clients
We have WSUS 3.0 and all of our clients are on the domain, including our remote clients. None of our clients have local admin privledges. our AU policy is GPO based and updates need to be approved on the WSUS before installationon the clients. I want to know how our remote employees receive their updates from the WSUS or from the internet.
1.How do the remote clients communicate with the WSUS for downloads, through the VPN? How does that work, once the update is approved, the client logs onto the VPN and they are told by he WSUS what updates are aproved and then they download/install those updates from the internet or the WSUS?
2. How can I configure the remote clients to communicate with the WSUS while they are not on the VPN? At leasst to communicate what they are approved to download then download it from the internet directly?
Thanks!
1.How do the remote clients communicate with the WSUS for downloads, through the VPN? How does that work, once the update is approved, the client logs onto the VPN and they are told by he WSUS what updates are aproved and then they download/install those updates from the internet or the WSUS?
2. How can I configure the remote clients to communicate with the WSUS while they are not on the VPN? At leasst to communicate what they are approved to download then download it from the internet directly?
Thanks!
Asked:
Who is Participating?
You have to look at it this way. Think of your PC as actually being in your network when it is connected to the VPN. That is the best way to look at it. So when your laptop is connected via the VPN, it will download the updates from the WSUS server, depending on how your settings are. As far as your clients communicating via the WSUS server when not connected to the VPN, I don't think this is realistic as far as security is concerned. Do you have a firewall set up protecting your network?
I understand that while on the vpn the clients are on the network, but since a client may only be on for a few minutes and not long enough to download/install updates and to save bandwith I would like them to update via the internet if possible.
Do you know for sure if while on the vpn the clients are actually downloading the updates from the WSUS or are only notified of the approvals and then downloading from the internet?
Also, I think it should be possible to update via the WSUS through the internet. Of course we have a firewall.
Thanks!
Do you know for sure if while on the vpn the clients are actually downloading the updates from the WSUS or are only notified of the approvals and then downloading from the internet?
Also, I think it should be possible to update via the WSUS through the internet. Of course we have a firewall.
Thanks!
Definitely the computers will download the updates via the WSUS server when connected through the VPN. How often do you push out updates via WSUS? There should be a setting in which you can set PC's to download the updates directly from the internet. I will have a look on my WSUS server. We are currently running our updates through our SCCM server though so I need to familiarize myself with the WSUS console.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month10 days, 9 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
What you can do is create a separate WSUS group policy to have updates downloaded directly from the internet and then apply that policy to a security group with the remote machines. That policy will *always* be in effect though, so even when laptops are on the internal network, they will download updates from the internet and thus you will want to be aware of the impact on your bandwidth with such a solution in place.
For the second part, since WSUS is reliant on group policy, while it is technically possible to publish a WSUS server and have machines download it, they would not get any updated group policy settings and thus would be very limited. Having them connect via VPN solves other problems besides just updates. My current recommendation for such setups is to look at deploying DirectAccess. This allows a VPN to be setup *before* logon, so group policies work, WSUS works, and DA is very firewall friendly. This would be better than publishing a WSUS server.
-Cliff