  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 834

Configure WSUS for Internet Connected Computers

I manage several networks with WSUS 3.0 installed for all Domain Computers. Currently all computers point at http://SERVERNAME.InternalDomain:8530 for updates, so that when they are connected to the network they update.

I have been looking for a best practice approach to handle those mobile computers that rarely come into the office and only connect to VPN on rare occasion, so that even if the computer is only connected to the Internet, it still points to the internal WSUS server.

External DNS Name is remote.domain and I have a 3rd party SSL certificate installed and being used for OWA and RWW.

Should I simply enable SSL on WU virtual directory and then change GPO so clients point at another external DNS name which is port forwarded through firewalls?
Asked by: Flipp
1 Solution
 
nsonbaty commented:
WSUS is used to update PCs internally without having to access the internet, but if the PCs are already connected to the internet then there is no need to point them to your internal server; just force them to update using the MS Update site on port 80.
 
Flipp (Author) commented:
I need to have management over all domain computers as far as updates are concerned.

Today I do exactly what you describe as far as using MS Windows Update, but I am rapidly finding out that I lose control of these rogue laptops.
 
nsonbaty commented:
Did you create a local GP to check for updates every time it is connected to the internet, and force install them?

 
Flipp (Author) commented:
I have AD GPOs that apply, and using inheritance and filtering I am able to affect only Remote Computers, forcing them to update from MS Windows Update; others point at http://SERVERNAME:8530.

I would assume I could configure IIS etc., then change the above to something like https://remote.domain:8531 plus open port 8531 to the server?
 
nsonbaty commented:
No, this will require having a real IP for the server and registering the server name in DNS to be able to use the server name, and that will cost you. If the number of rogue laptops is minor I would prefer to use a NAC client on the internal network; that will force the remote laptop to update first and will secure your network resources.
 
Flipp (Author) commented:
I currently use Static IP and External FQDN already, so what additional expense is going to cost me? Sorry for the confusion.

Due to business requirements, I need to update ALL computers so there is no requirement on User side to update or wait while update occurs before VPN can be established etc.
 
nsonbaty commented:
In this case, in your GPO try to use the server IP instead of the server name:

http://10.x.x.x:8531

and open security for the VPN LAN to access the server using port 8530.
 
Flipp (Author) commented:
So, per original post, I am currently only using an internal FQDN to distribute updates to domain computers which would mean that any remote computers need to be connected to VPN to receive updates.

I want to move to a model that allows me to continue to manage updates for all domain computers but not have the requirement of having to connect to VPN to receive updates.

I have only made some suggestions on what I think, but I am hoping to get some guidance on what to do next.
 
Donald Stewart (Network Administrator) commented:
Take a look at the documentation here:

Implementing WSUS with ISA Server 2004 to Manage Remote Clients
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ab72eb03-09cf-4cfb-9af5-1a7dc9c80bc9
 
kevinhsieh commented:
Change the GPO to use the Public FQDN of your WSUS server. Make sure that you have a valid SSL certificate and that the ports are forwarded through your firewall. In my case, I have a dedicated WSUS server at update.company.com using ports 80 and 443. You need to make sure that the FQDN resolves to the correct public and private IP address, depending on whether you are on the internal network or the Internet. It works like a champ for me. The hard part for you will be to get all of the offsite laptops to get the updated GPO.
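The checks this answer describes (GPO applied, public FQDN resolving to the right address for where the laptop is, a certificate the client will trust) as a PowerShell script an admin could run on a laptop. This is an added example, not code from the thread or from any of the posters. It assumes the standard Windows Update policy registry key and uses https://remote.domain.com:8531 as a placeholder for the expected server URL.

```powershell
# Added example (not from the thread). Verifies, on a client, that the WSUS GPO applied
# and that the HTTPS WSUS endpoint is reachable with a certificate the client trusts.
# $ExpectedServer is a placeholder; replace it with your own public WSUS URL.
param(
    [string]$ExpectedServer = 'https://remote.domain.com:8531'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 1. Read the values the GPO should have set: WUServer, WUStatusServer and AU\UseWUServer.
$wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue

if (-not $wu -or -not $wu.WUServer) {
    Write-Warning 'No WUServer policy value: the GPO has not applied on this machine yet.'
    return
}
if ($au.UseWUServer -ne 1) {
    Write-Warning 'AU\UseWUServer is not 1: the client will ignore WUServer and use Microsoft Update.'
}
if ($wu.WUServer -notlike 'https://*') {
    Write-Warning "WUServer is $($wu.WUServer); an Internet-facing WSUS should be reached over HTTPS."
}
if ($wu.WUServer -ne $ExpectedServer) {
    Write-Warning "WUServer is $($wu.WUServer) but $ExpectedServer was expected (stale GPO?)."
}

# 2. Resolve the name from wherever the laptop currently is. With split DNS the answer
#    should be the private address on the LAN/VPN and the public address elsewhere.
$uri       = [Uri]$wu.WUServer
$wsusHost  = $uri.Host
$addresses = [System.Net.Dns]::GetHostAddresses($wsusHost) | ForEach-Object { $_.IPAddressToString }
Write-Host "$wsusHost resolves to: $($addresses -join ', ')"

# 3. Complete a TLS handshake on the policy port and inspect the server certificate.
#    The validation callback records the errors instead of failing so they can be reported;
#    the real Windows Update agent would simply refuse a server that has any of them.
$state  = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($wsusHost, $uri.Port)
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $state.Errors = $errors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($wsusHost)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Expires : $($cert.NotAfter)"
    if ($state.Errors -ne [System.Net.Security.SslPolicyErrors]::None) {
        Write-Warning "Certificate validation failed: $($state.Errors). The Windows Update client will not use this server."
    } else {
        Write-Host "Certificate chain and name check pass for ${wsusHost}:$($uri.Port)."
    }
    $ssl.Dispose()
} catch {
    Write-Warning "TLS handshake to ${wsusHost}:$($uri.Port) failed: $_"
} finally {
    $client.Dispose()
}
```

Run it once on the LAN (or over VPN) and once from an outside connection: the resolved address should differ between the two runs and the certificate checks should pass in both, otherwise the split DNS or the firewall forwarding is the problem rather than the GPO.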
 
Donald Stewart (Network Administrator) commented:
Also read Lawrence Garvin's comments here:

http://forums.techarena.in/server-update-service/1163768.htm
 
kevinhsieh commented:
@dstwewartjr: What part of Lawrence Garvin's comments do you think are applicable? I don't see any reason why it would be necessary to authenticate the clients using WSUS. Yes, there would need to be internal name resolution of servername.domain.com to the private IP address, which has already been mentioned.
 
Donald Stewart (Network Administrator) commented:
"What part of Lawrence Garvin's comments do you think are applicable?"

All of them!

"I don't see any reason why it would be necessary to authenticate the clients using WSUS"

So that the WSUS Server knows that the client system is an authorized user of its services.

For one, so that you don't violate the EULA.

Note:
Do not use WSUS to distribute updates to client computers that are not licensed for your organization. The WSUS license agreement specifically disallows this.

http://technet.microsoft.com/en-us/library/cc720448(WS.10).aspx
 
Donald Stewart (Network Administrator) commented:
Oh, and @kevinhsieh:

Let the OP decide which comments are relevant. I'm not bashing your comments, so don't bash mine.
 
Flipp (Author) commented:
Thank you all for your comments.

I currently have all clients pointing at http://server:8530, so assuming I enable SSL on default port 443 for ALL (except SelfUpdate, Content) virtual directories then update my GPO to point to https://ext-name.domain I should be good?

This is assuming that my external firewall is forwarding traffic from 443 to WSUS Server. Should I change the SSL Port number to 8531 instead?

I currently have a third-party SSL Cert which is used for RWW, so what exactly do I need to do outside of making sure it is being used in IIS?

Lastly, what is the best way to secure who I am distributing updates to (ie. only Domain Computers)?
 
Flipp (Author) commented:
I have been able to work it out by following http://technet.microsoft.com/en-us/library/bb633246.aspx.

1. Added Certificate to WSUS Administration VD
2. Changed Security and SSL per above link from Technet
3. Updated Internal DNS with a new zone = remote.domain.com and added an A record pointing to ServerIP (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_27075522.html)
4. Updated Group Policy to point clients at https://remote.domain.com:8531
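The server-side part of the four steps above (bind the certificate, require SSL on the WSUS virtual directories, tell WSUS its external name) collected into one PowerShell script. This is an added example, not the poster's own procedure and not code from the Technet article. It assumes IIS 7 or later with the WebAdministration module (on WSUS 3.0 running under IIS 6 the same settings would have to be made with the IIS manager or adsutil instead), a WSUS site named "WSUS Administration", the third-party certificate already present in the local machine store, and placeholder values for the thumbprint and external name. The list of virtual directories that must require SSL follows Microsoft's WSUS SSL guidance; SelfUpdate and Content deliberately stay on plain HTTP, as the thread notes.

```powershell
# Added example (not from the thread). Enables SSL on the WSUS virtual directories that
# must be protected, binds the third-party certificate on the SSL port, and runs
# wsusutil configuressl so WSUS hands clients URLs for the external name.
# Placeholders: $externalFqdn and $thumbprint must be replaced with your own values.
Import-Module WebAdministration

$siteName     = 'WSUS Administration'
$sslPort      = 8531
$externalFqdn = 'remote.domain.com'            # placeholder
$thumbprint   = 'REPLACE_WITH_CERT_THUMBPRINT' # placeholder

# Virtual directories that must require SSL (Microsoft WSUS SSL guidance). SelfUpdate and
# Content are left on HTTP: clients fetch the agent update and binaries from them.
$sslVdirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'

# 1. Locate the certificate and fail early if it is missing or about to expire.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in Cert:\LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($cert.NotAfter); remote clients stop updating when it does."
}

# 2. Add an HTTPS binding on the SSL port if it does not exist, then attach the certificate.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $sslPort
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port $sslPort -IPAddress '*'
}
$sslBindingPath = "IIS:\SslBindings\0.0.0.0!$sslPort"
if (-not (Test-Path $sslBindingPath)) {
    New-Item -Path $sslBindingPath -Value $cert | Out-Null
}

# 3. Require SSL on each protected virtual directory (the "Require SSL" checkbox in IIS).
foreach ($vdir in $sslVdirs) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    Write-Host "Require SSL set on $siteName/$vdir"
}

# 4. Tell WSUS the name clients will use, so it generates HTTPS URLs for that name.
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil configuressl $externalFqdn

Write-Host "Point the client GPO (WUServer / WUStatusServer) at https://${externalFqdn}:$sslPort"
```

The certificate's subject (or a SAN entry) must match the external name, and the same name must resolve internally to the private address, which is what step 3 in the post above achieves with the new internal DNS zone.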
 
Flipp (Author) commented:
Researched and found answer.
