Solved

wsus upstream server & downstream server

Posted on 2013-06-25
2,521 Views
Last Modified: 2013-06-28
Hello Experts,
I googled to find what I need but I couldn't find the exact article that I am looking for.

This is my scenario.

I already have a WSUS 3.0 SP2 server running on port 80 on Windows 2008 R2 in the network.
The thing is that I have many remote users who need to update MS updates no matter where they are.

So I decided to set up the downstream server in the DMZ using DNS, so if they are inside, they connect to the WSUS server inside and if not, they connect to the WSUS server in the DMZ.

My question is: can I use the default port 80 for the downstream server? Any security issues? What if I want to change port 80 on the upstream server to 8530?
Can I still do that? Does it affect the current clients? If so, how?

Once I change it, will the remote users be OK? How can I configure the remote users to download updates from MS even though the updates are approved on a downstream server?

All I want is to have all computers update from either wsus once I approve.

Thanks in advance.
0
Question by:Ksean
5 Comments
 
LVL 14

Assisted Solution

by:luconsta
luconsta earned 500 total points
You said that the reason for this DMZ server is for your remote users,
so if they are inside, they connect to the WSUS server inside and if not, they connect to the WSUS server in the DMZ.
But if they are "outside" they cannot connect to any company resource that needs some "authentication" procedure - it would be somehow possible to create such a system, but I think it would complicate your infrastructure too much.

So, I think a better approach is using Network Access Protection, which will still let the users connect to your company resources, but you could enforce some policies which check your client computers' "health status" and quarantine them into a "restricted network" (called a remediation network) where you could have another WSUS server that provides them the necessary updates.

When the "outside users" do not log on to your domain, they will have access directly to Microsoft Update (but this could be disabled).

If neither of the above comments suits your needs, please tell me what operating system your clients use and how they connect to the company resources.
0
 

Author Comment

by:Ksean
The WSUS in the DMZ is a domain member already and I use wsus.xxxxx.com for the WSUS name, so if they are inside, the computers resolve the name to the internal IP address to connect to the inside WSUS. If they are remote, the computers resolve it to the public IP address to access the WSUS in the DMZ.

I am also going to open the port between the upstream and downstream servers, but I don't like to use port 80. That's why I am asking how to change the port so that it will not affect the current WSUS clients.

You said it's not going to work? What if I move the upstream server to the DMZ and open the proper ports?
0
 
LVL 14

Accepted Solution

by:luconsta
luconsta earned 500 total points
Hi,

To change the ports WSUS operates on, see the ashx response in how to change Port settings in WSUS.

Another way of deployment - without storing updates on your server - you can find in the article Step 1: Prepare for Your WSUS Deployment, in the section named Remote storage on Microsoft Update servers.

For more info about securing the WSUS server you could get some ideas from Secure Your WSUS Deployment.
0
 

Author Comment

by:Ksean
Luconsta,
thanks for your reply.

I am thinking of moving WSUS to the DMZ rather than having a replica server.
But I would like to change the port from 80 to 8530 so that I don't use port 80.

I was able to change the port in IIS and on the WSUS clients using GPO, but not in the WSUS console.
I followed the URL you posted above, but that is for going from 8530 to 80.

Do you have any idea how to? I googled and am still looking for it.
0
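After the client-side GPO change described above, a practitioner will want to confirm that each client actually points at the new port and can reach the server through the split-DNS name. The following PowerShell script is an added example, not part of the thread; it assumes the WSUS name wsus.xxxxx.com and port 8530 from the discussion, and reads the standard Windows Update policy registry values that the GPO writes.

```powershell
# Added example (not from the thread): verify a Windows Update client's WSUS
# policy after the server was moved from port 80 to 8530, then check that the
# WSUS name resolves and the TCP port answers. Run on a client as admin.
# Assumption: the WSUS URL below matches the GPO setting; adjust to your own.
$ExpectedServer = 'http://wsus.xxxxx.com:8530'

# These keys are where the "Specify intranet Microsoft update service location"
# GPO setting is stored on the client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

$wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue

$findings = @()
if (-not $au -or $au.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: the client will use Microsoft Update, not WSUS.'
}
foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = $wu.$name
    if (-not $value) { $findings += "$name is not set."; continue }
    if ($value.TrimEnd('/') -ne $ExpectedServer) {
        $findings += "$name is '$value', expected '$ExpectedServer' (still on port 80?)."
    }
}

# With split DNS the same name should resolve to the internal server inside
# the network and to the DMZ server from outside; report what this client sees.
$uri = [Uri]$ExpectedServer
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($uri.Host) |
        ForEach-Object { $_.IPAddressToString }
    Write-Output ("{0} resolves to: {1}" -f $uri.Host, ($addresses -join ', '))

    # TcpClient is used instead of Test-NetConnection so this also works on
    # the Windows 7 / 2008 R2 era clients the thread is about.
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($uri.Host, $uri.Port)
    $client.Close()
    Write-Output ("TCP {0}:{1} reachable" -f $uri.Host, $uri.Port)
} catch {
    $findings += "Cannot reach $($uri.Host):$($uri.Port) - $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output 'Client WSUS policy points at port 8530 and the server answers.'
} else {
    $findings | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

A mismatch between WUServer and WUStatusServer, or a value still ending in port 80, is the usual reason clients stop reporting after a port change; once both match, `wuauclt /detectnow` forces the client to check in against the new URL.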
 

Author Comment

by:Ksean
I got it. Thanks.
0
