Solved

wsus upstream server & downstream server

Posted on 2013-06-25
Last Modified: 2013-06-28
Hello Experts,
I googled to find what I need but I couldn't find the exact article that I am looking for.

This is my scenario.

I already have a WSUS 3.0 & SP2 running using port 80 on Windows 2008 R2 in the network.
The thing is that I have many remote users who need to update MS updates no matter where they are.

So I decided to set up the downstream server in DMZ using DNS so if they are inside, they connect to the WSUS server inside and if not, they can connect to the WSUS server in DMZ.

My question is: can I use the default port 80 for the downstream server? Any security issues? What if I want to change the port 80 on the upstream server to 8530?
Can I still do that? Does it affect the current clients? If so, how?

Once I change it, the remote users will be OK? How can I configure for the remote users to download updates from MS even though they get approved from a downstream server?

All I want is to have all computers update from either wsus once I approve.

Thanks in advance.
Question by:Ksean
LVL 14

Assisted Solution

by:luconsta
luconsta earned 500 total points
ID: 39277255
You said that the reason for this DMZ server is for your remote users,
"so if they are inside, they connect to the wsus server inside and if not, they can connect to the wsus server in DMZ"
But if they are "outside" they cannot connect to any company resource that needs some "authentication" procedures - it would be somehow possible to create such a system, but I think it would complicate your infrastructure too much.

So, I think a better approach is using Network Access Protection that will still have the users connect to your company resources but you could enforce some policies which can check your client computer "health status" and quarantine them into a "restricted network" (called remediation network) where you could have another WSUS server that will provide them the necessary updates.

When the "outside users" do not log on to your domain, they will have access directly to Microsoft Updates (but this could be disabled).

If neither of the above comments suits your needs, please tell me what operating system your clients use and how they connect to the company resources.

Author Comment

by:Ksean
ID: 39279113
The wsus in DMZ is a domain member already and I use wsus.xxxxx.com for the wsus name so if they are inside, the computers resolve the name using internal IP address to connect to the inside wsus. If they are remote, the computers resolve using public IP address to access the wsus in DMZ.

I am also going to open the port between the upstream and downstream servers but I don't like to use port 80. That's why I am asking how to change the port and it will not affect the current wsus client.

You said it's not going to work? What if I move the upstream server to DMZ with opening the proper ports?
LVL 14

Accepted Solution

by:
luconsta earned 500 total points
ID: 39283605
Hi,

To change the ports WSUS operates on, see ashx's response in "how to change Port settings in WSUS".

And another way of deployment - without storing updates on your server - you could find in the article "Step 1: Prepare for Your WSUS Deployment" in the section named "Remote storage on Microsoft Update servers".

For more info about securing the WSUS server you could get some ideas from "Secure Your WSUS Deployment".

Author Comment

by:Ksean
ID: 39285553
Luconsta,
thanks for your reply.

I am thinking of moving wsus to DMZ not to have a replica server.
But I would like to change port from 80 to 8530 so that I wouldn't use port 80

I was able to change the port on IIS and wsus client using GPO but wsus console.
I followed the URL you posted above but this is for from 8530 to 80.

Do you have any idea how to? I googled and am still looking for it.

Author Comment

by:Ksean
ID: 39285601
I got it Thanks.
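
An added example, not part of the thread: a PowerShell check for the situation described above, where the client port is changed through GPO and one name (wsus.xxxxx.com in the thread) resolves to the internal or the DMZ server. The registry path and value names are the standard Windows Update policy locations; the function name and the 8530 default are assumptions for illustration.

```powershell
# Added example: audit a client's WSUS policy after the server port change.
# Test-WsusClientPolicy is a hypothetical helper; 8530 is the port from the thread.
function Test-WsusClientPolicy {
    param(
        [int]$ExpectedPort = 8530,
        [int]$TimeoutMs = 3000
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $findings = @()

    if (-not $wu -or -not $wu.WUServer) {
        return ,@('No WUServer policy value: client is not pointed at a WSUS server')
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the WUServer value is ignored'
    }
    if ($wu.WUServer -ne $wu.WUStatusServer) {
        $findings += "WUServer '$($wu.WUServer)' and WUStatusServer '$($wu.WUStatusServer)' differ"
    }

    # A URL without an explicit port parses as the scheme default (80 for http).
    $uri = [Uri]$wu.WUServer
    if ($uri.Port -ne $ExpectedPort) {
        $findings += "Policy still uses port $($uri.Port), expected $ExpectedPort"
    }

    # Resolve the name as this client sees it (internal vs. public address).
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($uri.Host) |
            ForEach-Object { $_.IPAddressToString }
        $findings += "INFO: $($uri.Host) resolves to $($ips -join ', ')"
    } catch {
        $findings += "Cannot resolve $($uri.Host)"
        return $findings
    }

    # Plain TCP connect with a timeout; runs on PowerShell 2.0 as well.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs) -or -not $client.Connected) {
            $findings += "TCP connect to $($uri.Host):$($uri.Port) failed"
        }
    } finally { $client.Close() }
    return $findings
}

Test-WsusClientPolicy -ExpectedPort 8530
```

Run it once on a machine inside the network and once on a remote machine: the INFO line shows which address the shared name resolved to, and any other line is a mismatch between the GPO and the new server port.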