Solved

WSUS for remote clients

Posted on 2010-09-07
7
2,037 Views
Last Modified: 2012-05-10
We have WSUS 3.0 and all of our clients are on the domain, including our remote clients. None of our clients have local admin privledges. our AU policy is GPO based and updates need to be approved on the WSUS before installationon the clients. I want to know how our remote employees receive their updates from the WSUS or from the internet.

1.How do the remote clients communicate with the WSUS for downloads, through the VPN? How does that work, once the update is approved, the client logs onto the VPN and they are told by he WSUS what updates are aproved and then they download/install those updates from the internet or the WSUS?

2. How can I configure the remote clients to communicate with the WSUS while they are not on the VPN? At leasst to communicate what they are approved to download then download it from the internet directly?

Thanks!
0
Comment
Question by:tolinrome
  • 2
  • 2
7 Comments
 
LVL 5

Expert Comment

by:FunkyBrown
ID: 33619562
You have to look at it this way. Think of your PC as actually being in your network when it is connected to the VPN. That is the best way to look at it. So when your laptop is connected via the VPN, it will download the updates from the WSUS server, depending on how your settings are. As far as your clients communicating via the WSUS server when not connected to the VPN, I don't think this is realistic as far as security is concerned. Do you have a firewall set up protecting your network?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33619927
I understand that while on the vpn the clients  are on the network, but since a client may only be on for a few minutes and not long enough to download/install updates and to save bandwith I would like them to update via the internet if possible.

Do you know for sure if while on the vpn the clients are actually downloading the updates from the WSUS or are only notified of the approvals and then downloading from the internet?

Also, I think it should be possible to update via the WSUS through the internet. Of course we have a firewall.

Thanks!
0
 
LVL 5

Expert Comment

by:FunkyBrown
ID: 33620013
Definitely the computers will download the updates via the WSUS server when connected through the VPN. How often do you push out updates via WSUS? There should be a setting in which you can set PC's to download the updates directly from the internet. I will have a look on my WSUS server. We are currently running our updates through our SCCM server though so I need to familiarize myself with the WSUS console.
0
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 33739776
WSUS defaults to download updates and then the update client pulls the updates from the WSUS server. VPN or not, the client will do whatever the group policy says for it to do. Windows doesn't have any logic built in to say "hey, I'm on a VPN so I should go straight to the internet."
What you can do is create a separate WSUS group policy to have updates downloaded directly from the internet and then apply that policy to a security group with the remote machines. That policy will *always* be in effect though, so even when laptops are on the internal network, they will download updates from the internet and thus you will want to be aware of the impact on your bandwidth with such a solution in place.
For the second part, since WSUS is reliant on group policy, while it is technically possible to publish a WSUS server and have machines download it, they would not get any updated group policy settings and thus would be very limited. Having them connect via VPN solves other problems besides just updates. My current recommendation for such setups is to look at deploying DirectAccess. This allows a VPN to be setup *before* logon, so group policies work, WSUS works, and DA is very firewall friendly. This would be better than publishing a WSUS server.
-Cliff
 
0
 
LVL 7

Author Closing Comment

by:tolinrome
ID: 33740737
Excellent, thanks.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a fairly complicated script that will install the required prerequisites to install SCCM 2012 R2 on a server.  It was designed under the functional model in order to compartmentalize each step required, reducing the overall complexity.  The …
Experts-Exchange users below are the steps you can follow to upgrade your Lync server to latest CU's or cumulative updates. Note: Perform it during non-production hours.   Step 1: Backup your lync and SQL server database. Follow below article: h…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question