Solved

Internal WSUS in DMZ?

Posted on 2011-03-24
Last Modified: 2012-05-11
My company has requested that I set up Sharepoint services but they do not want to purchase a dedicated server.  The only machine I have available to run Sharepoint is the same machine running my internal WSUS server (Windows Server 2003).  They want Sharepoint to be made public so users can access the site externally and I do not feel comfortable doing this without connecting the machine to my DMZ first.  My question is, if I connect the machine to my DMZ what can I do to make sure WSUS continues to work internally?  I also have a replica server located in another facility that is an internal WSUS server for that facility.  It replicates from the server I want to add to my DMZ.
Question by:DarrinZuroff
11 Comments
 
LVL 3

Accepted Solution

by:
FWeston earned 668 total points
ID: 35206671
The placement of WSUS in your network isn't really critical, since it doesn't need to talk to clients.  Clients talk to it, and I assume that you're permitting traffic from your inside network to your DMZ, so that shouldn't create a problem.  Typically, I don't like machines in a DMZ to have outbound Internet access (which WSUS would need), but it's not always a perfect world.

Another solution would be to use something like VMware ESXi, which is a free hypervisor.  You could load that on the machine you have available (assuming it meets the hardware requirements), then you could create multiple virtual machines and place them on different network segments as needed.
0
 
LVL 5

Assisted Solution

by:zazagor
zazagor earned 668 total points
ID: 35206679
Hi,

WSUS uses HTTP/HTTPS on ports 80/443 or 8530/8531.
Make sure these ports are open LAN-->DMZ.

//zaZagor
0
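A practical way to confirm the port advice above once the server has been moved: the following PowerShell script is an added example, not code from this thread or from any of the posters. Run from a LAN client, it reads the WSUS URL the client has been given through the standard Windows Update policy key (`HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, value `WUServer`), tests a plain TCP connection LAN-->DMZ to the configured port, and also tests port 80, which later posts in the thread note is always needed for the SelfUpdate virtual directory. The function names, the 3-second timeout and the list of "known" WSUS ports (80/443/8530/8531, taken from this thread) are the example's own assumptions.

```powershell
# Added example (not from the thread): verify LAN -> DMZ reachability of the
# WSUS server a client is pointed at, using only calls available on old
# PowerShell versions (no Test-NetConnection, which Server 2003-era hosts lack).

function Get-WsusClientTarget {
    # WUServer is the standard Windows Update policy value set by GPO or by hand.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -eq $null -or [string]::IsNullOrEmpty($props.WUServer)) { return $null }
    return [System.Uri]$props.WUServer
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout so a firewall that silently drops
    # LAN -> DMZ traffic reports as "closed" instead of hanging the script.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-WsusReachability {
    param([Parameter(Mandatory=$true)][System.Uri]$Target)
    # Ports named in the thread: 80/443 when WSUS sits on the Default Web Site,
    # 8530/8531 when it was installed on its own site because port 80 was taken.
    $knownPorts = @(80, 443, 8530, 8531)
    $portOpen = Test-TcpPort -HostName $Target.Host -Port $Target.Port
    # The SelfUpdate virtual directory lives under port 80 regardless of which
    # port clients are pointed at, so port 80 must be reachable as well.
    $selfUpdateOpen = if ($Target.Port -eq 80) { $portOpen } else { Test-TcpPort -HostName $Target.Host -Port 80 }
    New-Object PSObject -Property @{
        ConfiguredUrl        = $Target.AbsoluteUri
        UsesHttps            = ($Target.Scheme -eq 'https')
        PortIsKnownWsusPort  = ($knownPorts -contains $Target.Port)
        WsusPortOpen         = $portOpen
        SelfUpdatePort80Open = $selfUpdateOpen
    }
}

# Usage: run on a domain-joined LAN client after the WSUS server is in the DMZ.
$target = Get-WsusClientTarget
if ($target -eq $null) {
    Write-Warning 'No WUServer policy value found; this client is not pointed at a WSUS server.'
} else {
    Test-WsusReachability -Target $target | Format-List
}
```

If `WsusPortOpen` is true but `SelfUpdatePort80Open` is false, clients can download approved updates but the Windows Update agent cannot self-update from the server, which is the failure mode the port-8530 discussion further down describes; `UsesHttps` shows at a glance whether the LAN-->DMZ leg is currently encrypted, which is the subject of the SSL debate in this thread.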
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 664 total points
ID: 35212584
0

 
LVL 3

Expert Comment

by:FWeston
ID: 35215650
I would say SSL is not really necessary in this case.  Since the traffic from LAN -> DMZ never leaves the local network, it is not susceptible to eavesdropping (other than perhaps on the local LAN by a rogue employee, which is unlikely).  On top of that, the traffic isn't really sensitive, computer names and windows updates.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35215724
@FWeston

"They want Sharepoint to be made public so users can access the site externally "

Explain how no traffic would be leaving the network


Also why would you not secure your WSUS environment in the first place ?
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216477
Simple - WSUS content is not going to be accessed by the public Internet, only internal clients, therefore no WSUS traffic will be leaving the network.

It'd probably be a good idea to secure the public Sharepoint site with SSL, since that traffic will be traversing a public network, but you suggested SSL for WSUS...

If they're both using the same virtual server in IIS, then you could share a certificate for both, but Sharepoint sets up another server by default and WSUS uses the "Default Web Site" in IIS, so using default settings, they would be separate virtual servers.
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216511
I realized I forgot to answer your second question.  My reasons for not using SSL for WSUS are in my previous answer...not really anything sensitive there that's worthy of securing.  It's just Windows Update traffic, which has already been transmitted in the clear across the Internet before it reached the server, so I don't see any sense in paying for a certificate to secure it once it's inside your network, where nobody can really see it anyway.  There's no reason NOT to do it, and if you have certificate services set up, then I guess it would be a good idea since it wouldn't cost you anything, but if you don't have CS and you had to pay for a cert, then I don't see any value added there.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35216635
"but Sharepoint sets up another server by default and WSUS uses the "Default Web Site" in IIS"

This is wrong! Sharepoint uses port 80 and then WSUS gets set up on the custom website on port 8530. However, WSUS *must* also always have a selfupdate virtual directory under port 80.
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216919
That must be a newer version that you're referring to.  My WSUS install put everything under the default website, running on port 80.
wsus.png
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35217045
Nope, same version. Only if you install WSUS prior to installing Sharepoint (or any other software that uses port 80) do you even get the option to install on port 80. If port 80 is already in use during the installation of WSUS, WSUS then defaults to using the custom port (8530).
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35217266
Ah, I guess that explains it.  WSUS is the only thing running on our WSUS server so there was nothing to conflict.  At any rate, I guess it boils down to this: if WSUS and Sharepoint share a virtual server, then there should definitely be an SSL cert that WSUS can share with Sharepoint, but if they're separate virtual servers, then assuming a cert will cost the OP money, I'd leave it up to them as far as whether they want to spend that money to secure Windows Update traffic.
0
