Solved

Internal WSUS in DMZ?

Posted on 2011-03-24
11
2,087 Views
Last Modified: 2012-05-11
My company has requested that I setup Sharepoint services but they do not want to purchase a dedicated server.  The only machine I have available to run Sharepoint is the same machine running my internal WSUS server (Wnidows Server 2003).  They want Sharepoint to be made public so users can access the site externally and I do not feel comfortable doing this without connecting the machine to my DMZ first.  My question is, if I connect the machine to my DMZ what can I do to make sure WSUS continues to work internally?  I also have a replica server located in another facility that is an internal WSUS server for that facility.  It replicates from the server I want to add to my DMZ.
0
Comment
Question by:DarrinZuroff
  • 6
  • 4
11 Comments
 
LVL 3

Accepted Solution

by:
FWeston earned 167 total points
ID: 35206671
The placement of WSUS in your network isn't really critical, since it doesn't need to talk to clients.  Clients talk to it, and I assume that you're permitting traffic from your inside network to your DMZ, so that shouldn't create a problem.  Typically, I don't like machines in a DMZ to have outbound Internet access (which WSUS would need), but it's not always a perfect world.

Another solution would be to use something like VMware ESXi, which is a free hypervisor.  You could load that on the machine you have available (assuming it meets the hardware requirements), then you could create multiple virtual machines and place them on different network segments as needed.
0
 
LVL 5

Assisted Solution

by:zazagor
zazagor earned 167 total points
ID: 35206679
Hi,

WSUS uses HPPT/HTTPS 80/443 or  8530/8531.
Make sure these ports are open LAN-->DMZ.

//zaZagor
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 166 total points
ID: 35212584
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 3

Expert Comment

by:FWeston
ID: 35215650
I would say SSL is not really necessary in this case.  Since the traffic from LAN -> DMZ never leaves the local network, it is not susceptible to eavesdropping (other than perhaps on the local LAN by a rogue employee, which is unlikely).  On top of that, the traffic isn't really sensitive, computer names and windows updates.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35215724
@FWeston

"They want Sharepoint to be made public so users can access the site externally "

Explain how no traffic would be leaving the network


Also why would you not secure your WSUS environment in the first place ?
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216477
Simple - WSUS content is not going to be accessed by the public Internet, only internal clients, therefore no WSUS traffic will be leaving the network.

It'd probably be a good idea to secure the public Sharepoint site with SSL, since that traffic will be traversing a public network, but you suggested SSLfor WSUS...

If they're both using the same virtual server in IIS, then you could share a certificate for both, but Sharepoint sets up another server by default and WSUS uses the "Default Web Site' in IIS, so using default settings, they would be separate virtual servers.
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216511
I realized I forgot to answer your second question.  My reasons for not using SSL for WSUS are in my previous answer...not really anything sensitive there that's worthy of securing.  It's just windows update traffic, which has already been transmitted in the clear across the Internet before it reached the server, so I don't see any sense in paying for a certificate to secure it once it's inside your network, where nobody can really see it anyway.  There's no reason NOT to do it, and if you have certificate services setup, then I guess it would be a good idea since it wouldn't cost you anything, but if you don't have CS and you had to pay for a cert, then I don't see any value added there.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35216635
"but Sharepoint sets up another server by default and WSUS uses the "Default Web Site' in IIS"


This is wrong! Sharepoint uses port 80 and then WSUS gets setup on the custom website of port 8530, However WSUS *must* also always have a selfupdate virtual directory under port 80.
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35216919
That must be a newer version that you're referring to.  My WSUS install put everything under the default website, running on port 80.
wsus.png
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35217045
Nope---same version.....Only if you install WSUS prior to installing Sharepoint(Or any other software that uses port 80) do you even get the option to install on port 80. If port 80 is already in use during the installation of WSUS, Wsus then defaults to using the custom port(8530)
0
 
LVL 3

Expert Comment

by:FWeston
ID: 35217266
Ah, I guess that explains it.  WSUS is the only thing running on our WSUS server so there was nothing to conflict.  At any rate, I guess it boils down to if WSUS and Sharepoint share a virtual server, then there should definitely be an SSL cert that WSUS can share with Sharepoint, but if they're separate virtual servers, then assuming a cert will cost the OP money, I'd leave it up to them as far as whether they want to spend that money to secure windows update traffic.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question