Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2409
  • Last Modified:

WSUS server in DMZ?

My firewall is currently configured such that there are no inbound connections from the DMZ to my internal network. I am looking at adding a WSUS server in the DMZ. Is there any way to configure WSUS such that the configuration is pushed from the internal to the DMZ server? Everything I've seen so far requires opening 80 and 443 to my internal network. I'm just looking for the meta data on my server and the updates themselves provided by MS.
0
timbrigham
Asked:
timbrigham
1 Solution
 
NetExpert-WarszawaCommented:
Why do you want to put WSUS into DMZ? DMZ is for services available for outside. Put WSUS into your internal network. It is the place for it. You will not have problems with a firewall either.
0
 
kdearingCommented:
Agreed. WSUS belongs in the internel network, not the DMZ where it's publicly available.
0
 
timbrighamAuthor Commented:
I don't want to place my internal WSUS server into the DMZ, but I would like to control what updates my users receive while in the field. There have been too many cases where an update from MS has broken one of our systems and we're not able to address it when the user is half way around the world. I'm not aware of a way to do this without a WSUS server; if there is a way to do please enlighten me.

I would like to have a secondary WSUS server located in the DMZ strictly for these remote users I want to do so without opening any ports from the DMZ into my internal network.
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
timbrighamAuthor Commented:
More specifically I'm looking for a way to synchronize the approvals from the internal to the external server.  
0
 
NetExpert-WarszawaCommented:
You do not need to use ports 80 or 443. However since you do not want to open any ports, consider http://technet.microsoft.com/en-us/library/cc720486%28WS.10%29.aspx
0
 
Suliman Abu KharroubIT Consultant Commented:
You need to deploy WSUS on Replica mode:

http://technet.microsoft.com/en-us/library/cc720448(WS.10).aspx

downstream and upstream server.
depends on you config; allow https(s) from DMZ to internal..
0
 
timbrighamAuthor Commented:
Many thanks gentlemen. The disconnected network configuration looks appealing. Is there a way to use that configuration with the meta data only?
0
 
NetExpert-WarszawaCommented:
Just skip step 2 :)

Why don't you want to copy updates? Do you want to download them twice from the Internet?
0
 
timbrighamAuthor Commented:
I want my clients to connect to the MS site for retrieving the windows updates, not the local WSUS server in the DMZ. My bandwidth is provided by a co location facility and we pay for overages - I'd rather our users not be retrieving publicly available files on our dime.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now