Solved

Can I deploy a WSUS server in a DMZ to force our internet clients to update from this server instead of updating from the Microsoft site?

Posted on 2011-09-16
Last Modified: 2012-05-12
Hi experts:

We have a WSUS infrastructure in our domain. This goes fine. The problem comes when some workers and their laptops move to the internet or just have to work at external clients. In this case, we don't want them to update from the Microsoft site, because this way we can't choose what kind of updates to install. It would be nice for them to install only the updates we are allowing through our WSUS, as happens in our domain network.

So, I want to know if this is possible, because I know Microsoft doesn't allow people to publish their software updates over the internet.

Is it possible? Is it worth it? (risk >>> profits) Should I manage it through certificates to only allow our clients to update from our DMZ WSUS server? Have you ever heard about doing that?

If it's impossible, then I've got another question. Is there a specific template to set a customized local update policy to, for instance, allow only security updates to be applied? Can it be done through some registry tweaks?

Thanks in advance.
Question by:Guillermin-go
6 Comments
 
LVL 8

Assisted Solution

by:barrykfl
barrykfl earned 1000 total points
ID: 36548051
Yes, if your notebook can log in to your intranet through VPN.

At client side: type cmd > gpedit.msc
local policy > administrative templates > Windows Components > Windows Update

Specify the intranet web site (DM zone internal WSUS IP) in the administrative template.

0
 
LVL 14

Accepted Solution

by:
JAN PAKULA earned 1000 total points
ID: 36548061
Read these articles:

http://social.technet.microsoft.com/Forums/hu/winserverwsus/thread/e7119fa1-b31b-42bd-8f38-d3043a17061a

http://technet.microsoft.com/en-us/windowsserver/bb466196#EKG

I wouldn't risk it.

1st - you would need an SSL/VPN connection between the WSUS server and the PCs on the internet
2nd - it will eat your internet bandwidth, which you pay for - let Microsoft pay for the bandwidth to update computers :)
3rd - if it doesn't update, you would need to RDP or go to the physical site of the PC to investigate

Jan MA CCNA

Your second question:
you can do it in WSUS (computer on domain - intranet)

0
 
LVL 3

Author Comment

by:Guillermin-go
ID: 36548149
Hi again:

@barrykfl:

Thanks for the post.

@janpakula:

Thanks for the post. I agree, I would rather eat Microsoft's bandwidth than our bandwidth. The point is that if our clients update from Microsoft, they are unable to, for instance, apply only English security updates. They can't choose what updates to apply. This is just what I want to avoid, in order to keep a homogeneous platform, even for the laptops that don't have access to our domain network. I don't want them to get updates that are not approved for install in our domain.

When you say "You second question you can do it in wsus (computer on domain - intranet)", what question are you speaking about?

Finally, what I understand is:

The only way to do what I want is having our clients connected to our domain through an SSL/VPN connection, and configuring them as barrykfl told. This way I can achieve my objective, but will lose bandwidth when they update.

What I can't understand is:

Why is there not a way to get updates from Microsoft but apply only the ones I want, as I can do in our intranet? Don't you ever think about it? I can't believe Microsoft doesn't provide an easy way to do that (for instance, administrative templates).

PS: I'm waiting for someone else to post ideas, but if no one posts in a couple of hours, I will close the question, splitting points between both of you.
0

Expert Comment

by:toxicrain
ID: 36548288
First publish your WSUS on the internet (don't use port 80; I think the default port is 8530), and then add these reg defs on the workstations:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ElevateNonAdmins"=dword:00000001
"WUServer"="http://URLOFTHESERVER:PORT"
"WUStatusServer"="http://URLOFTHESERVER:PORT"

I think that's what you need.

Cheers
0
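The client-side settings discussed in this thread can be checked before a laptop leaves the network. The following is an added example, not part of the original thread or any poster's code: it parses a .reg export of the Windows Update policy key and flags an HTTP server URL, a missing UseWUServer value under the AU subkey (without which WUServer is ignored), a mismatched status server, and ElevateNonAdmins. The host name wsus.example.com, the port numbers in the samples and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

WU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate".upper()
AU = WU + r"\AU"
VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

# Constructed sample: the fragment from the comment above with a placeholder host.
AS_POSTED = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ElevateNonAdmins"=dword:00000001
"WUServer"="http://wsus.example.com:8530"
"WUStatusServer"="http://wsus.example.com:8530"
"""
# Constructed sample: same policy over HTTPS, with the AU switch that enables it.
HARDENED = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="https://wsus.example.com:8531"
"WUStatusServer"="https://wsus.example.com:8531"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"""

def parse_reg(text):
    """Parse .reg export text into {KEY_PATH_UPPERCASE: {value_name: str | int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE.match(line)):
            current[m[1]] = int(m[2], 16) if m[2] else m[3]
    return keys

def audit(text):
    """Return findings for the Windows Update policy in a .reg export."""
    keys = parse_reg(text)
    wu, au = keys.get(WU, {}), keys.get(AU, {})
    server, status = wu.get("WUServer"), wu.get("WUStatusServer")
    if not server:
        return ["WUServer not set: client uses Microsoft Update directly"]
    checks = [
        (au.get("UseWUServer") != 1, "AU\\UseWUServer is not 1: WUServer is ignored"),
        (status != server, "WUStatusServer must equal WUServer"),
        (urlsplit(server).scheme.lower() != "https", "WUServer is not HTTPS"),
        (wu.get("ElevateNonAdmins") == 1, "ElevateNonAdmins=1: non-admins can approve updates"),
    ]
    return [msg for failed, msg in checks if failed]
```

HTTPS on the client side only protects the connection; restricting which machines may reach the server is a separate control on the server or network.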
 
LVL 3

Author Comment

by:Guillermin-go
ID: 36548340
Hi toxicrain:

This way, can I make sure that no one else can update from my WSUS server? I mean, can I be protected against a Microsoft complaint for publishing their updates over the internet? I don't want anyone except our clients to update from there.

   
0
 
LVL 3

Author Closing Comment

by:Guillermin-go
ID: 36558605
Thanks for your advice.
0
