Solved

Internal WSUS in DMZ?

Posted on 2011-03-24
2,213 Views
Last Modified: 2012-05-11
My company has requested that I set up Sharepoint services but they do not want to purchase a dedicated server. The only machine I have available to run Sharepoint is the same machine running my internal WSUS server (Windows Server 2003). They want Sharepoint to be made public so users can access the site externally and I do not feel comfortable doing this without connecting the machine to my DMZ first. My question is, if I connect the machine to my DMZ what can I do to make sure WSUS continues to work internally? I also have a replica server located in another facility that is an internal WSUS server for that facility. It replicates from the server I want to add to my DMZ.
Question by: DarrinZuroff
11 Comments
 
LVL 3
Accepted Solution
by: FWeston (earned 167 total points)
ID: 35206671
The placement of WSUS in your network isn't really critical, since it doesn't need to talk to clients.  Clients talk to it, and I assume that you're permitting traffic from your inside network to your DMZ, so that shouldn't create a problem.  Typically, I don't like machines in a DMZ to have outbound Internet access (which WSUS would need), but it's not always a perfect world.

Another solution would be to use something like VMware ESXi, which is a free hypervisor.  You could load that on the machine you have available (assuming it meets the hardware requirements), then you could create multiple virtual machines and place them on different network segments as needed.
LVL 5
Assisted Solution
by: zazagor (earned 167 total points)
ID: 35206679
Hi,

WSUS uses HTTP/HTTPS on 80/443 or 8530/8531.
Make sure these ports are open LAN-->DMZ.

//zaZagor
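As an added example (not part of zazagor's post or anything else in this thread), here is a small Python 3 probe you can run from a LAN client once the box has moved, to confirm the LAN-->DMZ rules actually let clients through on those ports rather than just trusting the firewall change. It tries both plain/TLS port pairs WSUS can use, requests the /selfupdate/wuident.cab path that WSUS serves from whichever IIS site holds port 80 and the /ClientWebService/client.asmx path served by the WSUS site itself, and for the TLS ports reports whether the certificate the DMZ host presents validates against the client's own trust store. The hostname in the usage line, the timeouts and the port pairs are assumptions; the two URL paths are the standard WSUS 3.x ones.

```python
"""Reachability probe for a WSUS server that has moved into a DMZ.

Run from a LAN client to confirm the LAN -> DMZ firewall rules let the
clients reach WSUS, and that the TLS ports present a certificate the
client trusts.  Hostname in the usage below is an assumed example; the
URL paths are the standard WSUS 3.x ones.
"""
import http.client
import socket
import ssl
import sys

# Port pairs WSUS can listen on: (plain HTTP, HTTPS).  80/443 when WSUS
# shares the Default Web Site, 8530/8531 when it installed its own site.
WSUS_PORT_PAIRS = [(80, 443), (8530, 8531)]

# Served from whichever site holds port 80: the agent self-update tree.
SELFUPDATE_PATH = "/selfupdate/wuident.cab"
# Served from the WSUS site itself: the client sync web service.
CLIENT_WEBSERVICE_PATH = "/ClientWebService/client.asmx"


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_status(host, port, path, use_tls=False, timeout=5.0):
    """HTTP status code of a GET for path, or None if nothing usable answers.
    With use_tls the default context is used, so an untrusted certificate
    also yields None."""
    try:
        if use_tls:
            conn = http.client.HTTPSConnection(
                host, port, timeout=timeout, context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None


def tls_trust(host, port, timeout=5.0):
    """'ok' if host:port completes a TLS handshake with a certificate the
    local trust store accepts for host, 'untrusted' if the handshake fails
    only on certificate validation, None if nothing speaks TLS there."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "ok"
            except ssl.SSLCertVerificationError:
                return "untrusted"
    except OSError:
        return None


def probe_wsus(host, port_pairs=WSUS_PORT_PAIRS, timeout=3.0):
    """Probe each candidate port pair; return {port: findings}."""
    report = {}
    for plain, tls in port_pairs:
        report[plain] = {
            "tcp": tcp_open(host, plain, timeout),
            "selfupdate": http_status(host, plain, SELFUPDATE_PATH, timeout=timeout),
            "client_ws": http_status(host, plain, CLIENT_WEBSERVICE_PATH, timeout=timeout),
        }
        report[tls] = {
            "tcp": tcp_open(host, tls, timeout),
            "trust": tls_trust(host, tls, timeout),
            "client_ws": http_status(host, tls, CLIENT_WEBSERVICE_PATH,
                                     use_tls=True, timeout=timeout),
        }
    return report


def wsus_url(report, host, port_pairs=WSUS_PORT_PAIRS):
    """WUServer value clients should get: the HTTPS port if its certificate
    validates and the web service answers there, else the plain port whose
    ClientWebService answers, else None (nothing usable reachable)."""
    for plain, tls in port_pairs:
        entry = report.get(tls, {})
        if entry.get("trust") == "ok" and entry.get("client_ws") == 200:
            return "https://%s:%d" % (host, tls)
    for plain, tls in port_pairs:
        if report.get(plain, {}).get("client_ws") == 200:
            return "http://%s:%d" % (host, plain)
    return None


if __name__ == "__main__":
    # Assumed example hostname; pass the real DMZ host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "wsus-dmz.example.local"
    findings = probe_wsus(target)
    for port in sorted(findings):
        print(port, findings[port])
    print("WUServer:", wsus_url(findings, target))
```

Run it as `python wsus_probe.py <dmz-host>` from a workstation on the LAN side. A plain port that answers 200 on /selfupdate but 404 on /ClientWebService is the port-80 site that only carries the self-update tree; the site that answers 200 on /ClientWebService is the one the WUServer policy must point at. A TLS port reporting 'untrusted' means the listener is up but clients would refuse an HTTPS WUServer URL until the certificate chain is trusted on the LAN.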
LVL 47
Assisted Solution
by: Donald Stewart (earned 166 total points)
ID: 35212584
LVL 3
Expert Comment
by: FWeston
ID: 35215650
I would say SSL is not really necessary in this case.  Since the traffic from LAN -> DMZ never leaves the local network, it is not susceptible to eavesdropping (other than perhaps on the local LAN by a rogue employee, which is unlikely).  On top of that, the traffic isn't really sensitive, computer names and windows updates.
LVL 47
Expert Comment
by: Donald Stewart
ID: 35215724
@FWeston

"They want Sharepoint to be made public so users can access the site externally "

Explain how no traffic would be leaving the network


Also why would you not secure your WSUS environment in the first place ?
LVL 3
Expert Comment
by: FWeston
ID: 35216477
Simple - WSUS content is not going to be accessed by the public Internet, only internal clients, therefore no WSUS traffic will be leaving the network.

It'd probably be a good idea to secure the public Sharepoint site with SSL, since that traffic will be traversing a public network, but you suggested SSL for WSUS...

If they're both using the same virtual server in IIS, then you could share a certificate for both, but Sharepoint sets up another server by default and WSUS uses the "Default Web Site" in IIS, so using default settings, they would be separate virtual servers.
LVL 3
Expert Comment
by: FWeston
ID: 35216511
I realized I forgot to answer your second question.  My reasons for not using SSL for WSUS are in my previous answer...not really anything sensitive there that's worthy of securing.  It's just windows update traffic, which has already been transmitted in the clear across the Internet before it reached the server, so I don't see any sense in paying for a certificate to secure it once it's inside your network, where nobody can really see it anyway.  There's no reason NOT to do it, and if you have certificate services setup, then I guess it would be a good idea since it wouldn't cost you anything, but if you don't have CS and you had to pay for a cert, then I don't see any value added there.
LVL 47
Expert Comment
by: Donald Stewart
ID: 35216635
"but Sharepoint sets up another server by default and WSUS uses the "Default Web Site" in IIS"


This is wrong! Sharepoint uses port 80 and then WSUS gets setup on the custom website of port 8530, However WSUS *must* also always have a selfupdate virtual directory under port 80.
LVL 3
Expert Comment
by: FWeston
ID: 35216919
That must be a newer version that you're referring to.  My WSUS install put everything under the default website, running on port 80.
(attached screenshot: wsus.png)
LVL 47
Expert Comment
by: Donald Stewart
ID: 35217045
Nope, same version. Only if you install WSUS prior to installing Sharepoint (or any other software that uses port 80) do you even get the option to install on port 80. If port 80 is already in use during the installation of WSUS, WSUS then defaults to using the custom port (8530).
LVL 3
Expert Comment
by: FWeston
ID: 35217266
Ah, I guess that explains it.  WSUS is the only thing running on our WSUS server so there was nothing to conflict.  At any rate, I guess it boils down to if WSUS and Sharepoint share a virtual server, then there should definitely be an SSL cert that WSUS can share with Sharepoint, but if they're separate virtual servers, then assuming a cert will cost the OP money, I'd leave it up to them as far as whether they want to spend that money to secure windows update traffic.