?
Solved

Internal WSUS in DMZ?

Posted on 2011-03-24
11
Medium Priority
?
2,252 Views
Last Modified: 2012-05-11
My company has requested that I setup Sharepoint services but they do not want to purchase a dedicated server.  The only machine I have available to run Sharepoint is the same machine running my internal WSUS server (Wnidows Server 2003).  They want Sharepoint to be made public so users can access the site externally and I do not feel comfortable doing this without connecting the machine to my DMZ first.  My question is, if I connect the machine to my DMZ what can I do to make sure WSUS continues to work internally?  I also have a replica server located in another facility that is an internal WSUS server for that facility.  It replicates from the server I want to add to my DMZ.
0
Comment
Question by:DarrinZuroff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
11 Comments
 
LVL 3

Accepted Solution

by:
FWeston earned 668 total points
ID: 35206671
The placement of WSUS in your network isn't really critical, since it doesn't need to talk to clients.  Clients talk to it, and I assume that you're permitting traffic from your inside network to your DMZ, so that shouldn't create a problem.  Typically, I don't like machines in a DMZ to have outbound Internet access (which WSUS would need), but it's not always a perfect world.

Another solution would be to use something like VMware ESXi, which is a free hypervisor.  You could load that on the machine you have available (assuming it meets the hardware requirements), then you could create multiple virtual machines and place them on different network segments as needed.
0
 
LVL 5

Assisted Solution

by:zazagor
zazagor earned 668 total points
ID: 35206679
Hi,

WSUS uses HPPT/HTTPS 80/443 or  8530/8531.
Make sure these ports are open LAN-->DMZ.

//zaZagor
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 664 total points
ID: 35212584
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 3

Expert Comment

by:FWeston
ID: 35215650
I would say SSL is not really necessary in this case.  Since the traffic from LAN -> DMZ never leaves the local network, it is not susceptible to eavesdropping (other than perhaps on the local LAN by a rogue employee, which is unlikely).  On top of that, the traffic isn't really sensitive, computer names and windows updates.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35215724
@FWeston

"They want Sharepoint to be made public so users can access the site externally "

Explain how no traffic would be leaving the network


Also why would you not secure your WSUS environment in the first place ?
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216477
Simple - WSUS content is not going to be accessed by the public Internet, only internal clients, therefore no WSUS traffic will be leaving the network.

It'd probably be a good idea to secure the public Sharepoint site with SSL, since that traffic will be traversing a public network, but you suggested SSLfor WSUS...

If they're both using the same virtual server in IIS, then you could share a certificate for both, but Sharepoint sets up another server by default and WSUS uses the "Default Web Site' in IIS, so using default settings, they would be separate virtual servers.
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216511
I realized I forgot to answer your second question.  My reasons for not using SSL for WSUS are in my previous answer...not really anything sensitive there that's worthy of securing.  It's just windows update traffic, which has already been transmitted in the clear across the Internet before it reached the server, so I don't see any sense in paying for a certificate to secure it once it's inside your network, where nobody can really see it anyway.  There's no reason NOT to do it, and if you have certificate services setup, then I guess it would be a good idea since it wouldn't cost you anything, but if you don't have CS and you had to pay for a cert, then I don't see any value added there.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35216635
"but Sharepoint sets up another server by default and WSUS uses the "Default Web Site' in IIS"


This is wrong! Sharepoint uses port 80 and then WSUS gets setup on the custom website of port 8530, However WSUS *must* also always have a selfupdate virtual directory under port 80.
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216919
That must be a newer version that you're referring to.  My WSUS install put everything under the default website, running on port 80.
wsus.png
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35217045
Nope---same version.....Only if you install WSUS prior to installing Sharepoint(Or any other software that uses port 80) do you even get the option to install on port 80. If port 80 is already in use during the installation of WSUS, Wsus then defaults to using the custom port(8530)
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35217266
Ah, I guess that explains it.  WSUS is the only thing running on our WSUS server so there was nothing to conflict.  At any rate, I guess it boils down to if WSUS and Sharepoint share a virtual server, then there should definitely be an SSL cert that WSUS can share with Sharepoint, but if they're separate virtual servers, then assuming a cert will cost the OP money, I'd leave it up to them as far as whether they want to spend that money to secure windows update traffic.
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses
Course of the Month10 days, 16 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question