Can I deploy a WSUS server in a DMZ to force our internet clients to update from this server instead of update from microsft site?
Hi experts:
We have a WSUS infraestructure in our domain. This goes fine. The problem comes when some workers and their laptops move to the internet or just have to work in external clients. In this case, we dont want them to update from microsoft site, becouse this way we cant choose what kind of updates install. It would be nice for them to install only the updates we are allowing trought our WSUS, as happens in our domain network.
So, I want to know if this is possible, becouse I know microsoft doesn´t allow people to publish their software updates over the internet.
Is it possible? Is it worth? (risk >>> profits) Should I manage it trought certificates to only allow our clients to update from our DMZ WSUS server? Have you ever heard about doing that?
If it´s impossible, then I´ve got another question. Is there a specific template to set a customiced local update policy for, for instance, allow only to apply security updates? Can it be done trought some regisitry tweaks?
Thanks in advance.
We have a WSUS infraestructure in our domain. This goes fine. The problem comes when some workers and their laptops move to the internet or just have to work in external clients. In this case, we dont want them to update from microsoft site, becouse this way we cant choose what kind of updates install. It would be nice for them to install only the updates we are allowing trought our WSUS, as happens in our domain network.
So, I want to know if this is possible, becouse I know microsoft doesn´t allow people to publish their software updates over the internet.
Is it possible? Is it worth? (risk >>> profits) Should I manage it trought certificates to only allow our clients to update from our DMZ WSUS server? Have you ever heard about doing that?
If it´s impossible, then I´ve got another question. Is there a specific template to set a customiced local update policy for, for instance, allow only to apply security updates? Can it be done trought some regisitry tweaks?
Thanks in advance.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
First Publish your WSUS on the internet (don't use 80 Port, I think that default Port is 8530), and then add this reg defs on the workstations
[HKEY_LOCAL_MACHINE\SOFTWA
"ElevateNonAdmins"=dword:0
"WUServer"="http://URLOFTHESERVER:PORT"
"WUStatusServer"="http://URLOFTHESERVER:PORT"
I think that's what you need.
Cheers
[HKEY_LOCAL_MACHINE\SOFTWA
"ElevateNonAdmins"=dword:0
"WUServer"="http://URLOFTHESERVER:PORT"
"WUStatusServer"="http://URLOFTHESERVER:PORT"
I think that's what you need.
Cheers
ASKER
Hi toxicrain:
This way, I can make sure that no one else can update from my WSUS server? I mean, I can be protected against a microsoft complaint for publishing their updates over the internet? I dont want anyone except our clients to update from there.
This way, I can make sure that no one else can update from my WSUS server? I mean, I can be protected against a microsoft complaint for publishing their updates over the internet? I dont want anyone except our clients to update from there.
ASKER
Thanks for your advices.
ASKER
@barrykfl:
thanks for the post.
@janpakula::
Thanks for the post. I agree, I would rather prefer to eat microsoft bandwith better than our bandwith, the point is that if our clients update from microsoft, they are unable to, for instance, apply only english security updates. They can´t choose what updates to apply. This is just what I want to avoid,in order to keep an homogeneous platform, even for the laptops that don´t have access to our domain network. I don´t want them to get updates that are not approved for install in our domain.
When you say "You second question you can do it in wsus (computer on domain - intranet)", what question are you speaking about?
Finally, what I understand is:
The only way to do what I want is having our clients connected to our domain trought a SSL/VPN connection, and configure them as barrykfl told. This way I can achieve my objective, but will loose bandwith when they update.
what I cant understand is:
Why there is not a way to get updates form microsoft but apply only the ones I want as I can do in our intranet? Don´t you ever think on it? I can´t believe microsoft doesn´t provide an easy way to do that. (for instance,administrative templates )
PD: i´m waiting for someone else posting ideas, but if no one posts in a couple of hours, i will close the question splitting points for both of you.