Solved

Internal WSUS in DMZ?

Posted on 2011-03-24
11
2,055 Views
Last Modified: 2012-05-11
My company has requested that I set up SharePoint services but they do not want to purchase a dedicated server.  The only machine I have available to run SharePoint is the same machine running my internal WSUS server (Windows Server 2003).  They want SharePoint to be made public so users can access the site externally and I do not feel comfortable doing this without connecting the machine to my DMZ first.  My question is, if I connect the machine to my DMZ what can I do to make sure WSUS continues to work internally?  I also have a replica server located in another facility that is an internal WSUS server for that facility.  It replicates from the server I want to add to my DMZ.
Question by:DarrinZuroff
11 Comments
 
LVL 3

Accepted Solution

by:
FWeston earned 167 total points
ID: 35206671
The placement of WSUS in your network isn't really critical, since it doesn't need to talk to clients.  Clients talk to it, and I assume that you're permitting traffic from your inside network to your DMZ, so that shouldn't create a problem.  Typically, I don't like machines in a DMZ to have outbound Internet access (which WSUS would need), but it's not always a perfect world.

Another solution would be to use something like VMware ESXi, which is a free hypervisor.  You could load that on the machine you have available (assuming it meets the hardware requirements), then you could create multiple virtual machines and place them on different network segments as needed.
0
 
LVL 5

Assisted Solution

by:zazagor
zazagor earned 167 total points
ID: 35206679
Hi,

WSUS uses HTTP/HTTPS on 80/443 or 8530/8531.
Make sure these ports are open LAN-->DMZ.

//zaZagor
0
 
LVL 47

Assisted Solution

by:dstewartjr
dstewartjr earned 166 total points
ID: 35212584
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35215650
I would say SSL is not really necessary in this case.  Since the traffic from LAN -> DMZ never leaves the local network, it is not susceptible to eavesdropping (other than perhaps on the local LAN by a rogue employee, which is unlikely).  On top of that, the traffic isn't really sensitive: computer names and Windows updates.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 35215724
@FWeston

"They want SharePoint to be made public so users can access the site externally"

Explain how no traffic would be leaving the network.

Also, why would you not secure your WSUS environment in the first place?
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216477
Simple - WSUS content is not going to be accessed by the public Internet, only internal clients, therefore no WSUS traffic will be leaving the network.

It'd probably be a good idea to secure the public SharePoint site with SSL, since that traffic will be traversing a public network, but you suggested SSL for WSUS...

If they're both using the same virtual server in IIS, then you could share a certificate for both, but SharePoint sets up another server by default and WSUS uses the "Default Web Site" in IIS, so using default settings, they would be separate virtual servers.
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216511
I realized I forgot to answer your second question.  My reasons for not using SSL for WSUS are in my previous answer...not really anything sensitive there that's worthy of securing.  It's just Windows Update traffic, which has already been transmitted in the clear across the Internet before it reached the server, so I don't see any sense in paying for a certificate to secure it once it's inside your network, where nobody can really see it anyway.  There's no reason NOT to do it, and if you have Certificate Services set up, then I guess it would be a good idea since it wouldn't cost you anything, but if you don't have CS and you had to pay for a cert, then I don't see any value added there.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 35216635
"but SharePoint sets up another server by default and WSUS uses the "Default Web Site" in IIS"

This is wrong! SharePoint uses port 80 and then WSUS gets set up on the custom website on port 8530; however, WSUS *must* also always have a selfupdate virtual directory under port 80.
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216919
That must be a newer version that you're referring to.  My WSUS install put everything under the default website, running on port 80.
wsus.png
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 35217045
Nope, same version. Only if you install WSUS prior to installing SharePoint (or any other software that uses port 80) do you even get the option to install on port 80. If port 80 is already in use during the installation of WSUS, WSUS then defaults to using the custom port (8530).
0
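The two facts a defender needs to verify after moving the server into the DMZ are spread across the thread: zazagor's point that the WSUS ports (80/443 or 8530/8531) must be open LAN-->DMZ, and dstewartjr's point that a WSUS install on the custom port 8530 still serves its selfupdate virtual directory on port 80. The script below is an added example, not code from the thread or from Microsoft: run from a LAN client, it takes the same URL a client would carry in its WUServer policy value, derives the port set that must be reachable (content port from the URL, port 80 for selfupdate), and probes each with a plain TCP connect so a firewall rule gap shows up before clients silently stop reporting. The hostname `wsus.corp.example` is a constructed sample; the `/selfupdate/wuident.cab` path is the standard client self-update check.

```python
import socket
from urllib.parse import urlparse

# Constructed sample: the value a client gets from the WUServer policy setting
# (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer). Hostname is hypothetical.
SAMPLE_WUSERVER = "http://wsus.corp.example:8530"

# Scheme defaults when the URL carries no explicit port (WSUS on the Default Web Site).
DEFAULT_PORTS = {"http": 80, "https": 443}


def wsus_endpoints(wuserver: str) -> dict:
    """Derive what a LAN client needs reachable on a DMZ-hosted WSUS server.

    - 'content': the port the WSUS site itself listens on (80/443 or 8530/8531).
    - 'selfupdate': always 80, because the selfupdate virtual directory lives
      under the port-80 site even when WSUS runs on the custom port.
    """
    parsed = urlparse(wuserver)
    if parsed.scheme not in DEFAULT_PORTS or not parsed.hostname:
        raise ValueError(f"unsupported WUServer value: {wuserver!r}")
    content_port = parsed.port or DEFAULT_PORTS[parsed.scheme]
    return {
        "host": parsed.hostname,
        "content": content_port,
        "selfupdate": 80,
        "selfupdate_url": f"http://{parsed.hostname}/selfupdate/wuident.cab",
    }


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect; a refused or timed-out connect means the LAN->DMZ rule is missing."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_firewall_path(wuserver: str, probe=tcp_reachable) -> dict:
    """Return {port: reachable} for every port WSUS clients need; 'probe' is swappable for testing."""
    ep = wsus_endpoints(wuserver)
    ports = sorted({ep["content"], ep["selfupdate"]})
    return {port: probe(ep["host"], port) for port in ports}


if __name__ == "__main__":
    ep = wsus_endpoints(SAMPLE_WUSERVER)
    print(f"WSUS host {ep['host']}: content port {ep['content']}, selfupdate via {ep['selfupdate_url']}")
    for port, ok in check_firewall_path(SAMPLE_WUSERVER).items():
        print(f"  tcp/{port}: {'open' if ok else 'BLOCKED (check LAN->DMZ rule)'}")
```

A TCP connect only proves the firewall path; if port 80 on the DMZ host is actually SharePoint's site, the selfupdate directory must still be present under it, so follow up by fetching the `selfupdate_url` from a client and confirming it returns the cab rather than a SharePoint page. The replica server in the other facility needs the same content port open in its direction as well, since it synchronizes from this upstream server.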
 
LVL 3

Expert Comment

by:FWeston
ID: 35217266
Ah, I guess that explains it.  WSUS is the only thing running on our WSUS server so there was nothing to conflict.  At any rate, I guess it boils down to this: if WSUS and SharePoint share a virtual server, then there should definitely be an SSL cert that WSUS can share with SharePoint, but if they're separate virtual servers, then assuming a cert will cost the OP money, I'd leave it up to them as far as whether they want to spend that money to secure Windows Update traffic.
0