Solved

wsus upstream server & downstream server

Posted on 2013-06-25
Last Modified: 2013-06-28
Hello Experts,
I googled to find what I need but I couldn't find the exact article that I am looking for.

This is my scenario.

I already have WSUS 3.0 SP2 running on port 80 on Windows 2008 R2 in the network.
The thing is that I have many remote users who need to update MS updates no matter where they are.

So I decided to set up the downstream server in the DMZ using DNS, so if they are inside, they connect to the wsus server inside and if not, they can connect to the wsus server in the DMZ.

My question is: can I use the default port 80 for the downstream server? Any security issues? What if I want to change port 80 on the upstream server to 8530?
Can I still do that? Does it affect the current clients? If so, how?

Once I change it, will the remote users be OK? How can I configure the remote users to download updates from MS even though the updates get approved on a downstream server?

All I want is to have all computers update from either wsus once I approve.

Thanks in advance.
0
Question by:Ksean
5 Comments
 
LVL 14

Assisted Solution

by:luconsta
luconsta earned 500 total points
ID: 39277255
You said that the reason for this DMZ server is for your remote users:
"so if they are inside, they connect to the wsus server inside and if not, they can connect to the wsus server in DMZ"
But if they are "outside" they cannot connect to any company resource that needs some "authentication" procedures - it would be somehow possible to create such a system, but I think it would complicate your infrastructure too much.

So, I think a better approach is using Network Access Protection, which will still have the users connect to your company resources, but you could enforce some policies which check your client computers' "health status" and quarantine them into a "restricted network" (called a remediation network) where you could have another WSUS server that will provide them the necessary updates.

When the "outside users" do not log on to your domain, they will have access directly to Microsoft Updates (but this could be disabled).

If neither of the above comments suits your needs, please tell me what operating system your clients use and how they connect to the company resources.
0
 

Author Comment

by:Ksean
ID: 39279113
The wsus in the DMZ is a domain member already and I use wsus.xxxxx.com for the wsus name, so if they are inside, the computers resolve the name to the internal IP address to connect to the inside wsus. If they are remote, the computers resolve it to the public IP address to access the wsus in the DMZ.

I am also going to open the port between the upstream and downstream servers but I don't like to use port 80. That's why I am asking how to change the port so that it will not affect the current wsus clients.

You said it's not going to work? What if I move the upstream server to the DMZ and open the proper ports?
0
 
LVL 14

Accepted Solution

by:luconsta
luconsta earned 500 total points
ID: 39283605
Hi,

To change the ports WSUS is operating on, see ashx response in "how to change Port settings in WSUS".

And another way of deployment - without storing updates on your server - you could find in the article "Step 1: Prepare for Your WSUS Deployment" in the section named "Remote storage on Microsoft Update servers".

For more info about securing the WSUS server you could get some ideas from "Secure Your WSUS Deployment".
0
 

Author Comment

by:Ksean
ID: 39285553
Luconsta,
thanks for your reply.

I am thinking of moving wsus to the DMZ, not of having a replica server.
But I would like to change the port from 80 to 8530 so that I wouldn't use port 80.

I was able to change the port on IIS and wsus client using GPO but wsus console.
I followed the URL you posted above but this is for changing from 8530 to 80.

Do you have any idea how to? I googled and am still looking for it.
0
 

Author Comment

by:Ksean
ID: 39285601
I got it. Thanks.
0
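A check that can be run on a client after the port change discussed in this thread, as an added example that is not part of any post above: it audits the WSUS URLs delivered by GPO and reports a wrong port, a mismatch between the two URLs, or plain HTTP. The function name `Test-WsusClientPolicy`, the host `wsus.example.com` and the sample URLs are assumptions made for illustration.

```powershell
# Added example (not from the thread). Audits the WSUS URLs a client got via GPO.
# ExpectedPort defaults to 8530, the port the asker wants to move to.
function Test-WsusClientPolicy {
    param(
        [string]$WUServer,
        [string]$WUStatusServer,
        [int]$ExpectedPort = 8530
    )
    $findings = @()
    $settings = @(
        @{ Name = 'WUServer';       Value = $WUServer },
        @{ Name = 'WUStatusServer'; Value = $WUStatusServer }
    )
    foreach ($s in $settings) {
        $uri = $null
        if (-not [uri]::TryCreate($s.Value, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings += "$($s.Name): missing or not a valid URL"
            continue
        }
        # A URL without an explicit port resolves to the scheme default (80/443).
        if ($uri.Port -ne $ExpectedPort) {
            $findings += "$($s.Name): port $($uri.Port), expected $ExpectedPort"
        }
        # Plain HTTP gives the client no way to authenticate the server it
        # reaches, which matters most for a WSUS exposed in a DMZ.
        if ($uri.Scheme -ne 'https') {
            $findings += "$($s.Name): scheme '$($uri.Scheme)' is not TLS-protected"
        }
    }
    if ($WUServer -ne $WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ'
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: the policy still points at port 80 for one of the URLs.
Test-WsusClientPolicy -WUServer 'http://wsus.example.com' `
                      -WUStatusServer 'http://wsus.example.com:8530'

# On a real client, read the values that Group Policy wrote to the registry.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    Test-WsusClientPolicy -WUServer $p.WUServer -WUStatusServer $p.WUStatusServer
}
```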
