Take the following questions into consideration:
- How can we solve the problem with controlling updates and reporting both internally and externally using WSUS?
- How do we make sure that all of our client systems receive updates whether they are inside or outside the office using only WSUS and not SCCM or other agent-based system?
There are a few ways that this can be done. They can be solved by using an always-on VPN, an auto-triggered VPN, a manual VPN connection, or a downstream replica WSUS Server that is externally facing. The one that is right for your business depends on what environment, software, policies, and needs your business has a that point in time.
The Externally Facing WSUS Server
If you have the need for an externally facing WSUS server, you’re going to want to have a few things in place in the planning stages.
This assumes you are using 1 WSUS Server currently in your network and have the need to expand it to the outside network. Depending on how your network setup is, this can expand into a multi-connected network setup by thinking a bit differently and using GPO Inheritance.
You will want to decide on a common hostname that will be used for both the internal and external WSUS systems. “WSUS.domain.com” is a good example. It must be an Internet routable name because you’re going to want to get an SSL Certificate for this hostname or add it to an existing SAN Certificate.
Always Start With DNS!
We’re going to setup a Split-DNS zone for wsus.domain.com so that when a system is inside the network, the hostname resolves to the internal IP of the WSUS server (eg. 192.168.1.56) but when you are external to the network it resolves to the external IP address (eg. 184.108.40.206).
The easiest way to do this internally is to create a DNS Zone (Active Directory – Integrated) for wsus.domain.com and then create a blank A Record and point it to your internal IP Address for your WSUS server (eg. 192.168.1.56). For your external resolution, you’ll have to go to your DNS Hosting provider (usually your website’s hosting provider) to use their interface to add a new A record for wsus.domain.com pointing to the external IP (eg. 220.127.116.11).
Downstream Replica – The Easy Way
You will want to create a downstream replica server in your DMZ. If you don’t have a DMZ, you can create a downstream replica server in your network and just expose ports 8530/8531 to the internet. This method is less secure than a DMZ, but still secure enough. This WSUS server will receive an exact copy of all of your groups, your updates, your approvals and will function in a slave mode – the easy way (just make sure to confirm that reporting rollup is enabled). You now have two setup choices:
Approvals & Content From Your Upstream
Under the Update Files and Languages section of the WSUS Options, put a dot in “Store update files locally on this server” and make sure “Download update files to this server only when updates are approved” is checked. Make sure you match your upstream server settings for “Download express installation files”. If your upstream server has this option checked, ensure you check this option here. If it is not checked on the upstream, ensure this option is not checked here.
Approvals From Your Upstream & Content From Microsoft.
Under the Update Files and Languages section of the WSUS Options, put a dot in “Do not store update files locally; computers install from Microsoft Update”
Because you have WSUS on the Internet, you’re going to want to install that SSL Certificate on the server and configure WSUS to use it. Because you have WSUS on your internal network, you’re going to want to install that SSL Certificate on the server and configure WSUS to use it. See Part 7 of my blog series on SSL Setup for WSUS and Why You Should Care!
When configuring your firewall for both internal and external servers, make sure you allow BOTH TCP ports 8530 and 8531 through to the servers as WSUS utilizes both HTTP and HTTPS when the server is configured for HTTPS. It’s like FTP in the relationship of a command channel (8531) and a data channel (8530).
Group Policy – A Friend That Makes Your Life Easy
Now that we have the upstream and downstream systems ready, we have Split-DNS setup let’s tend to group policy.
Approvals & Content From Your Upstream
If you’ve been following my inheritance setup, change the “WSUS – Location” GPO to reflect the new URL (https://wsus.domain.com:8531) for all 3 locations.
Approvals From Your Upstream & Content From Microsoft
If you’ve been following my inheritance setup, change the “WSUS – Location” GPO to reflect the new URL (https://wsus.domain.com:8531) for ONLY 2 locations: “Set the intranet update service for detecting updates” and “Set the intranet statistics server”. Clear anything located in the “Set the alternate download server” location as this will then allow the systems to reach out to Microsoft for the content.
That’s it! You’re done. KISS Method. It’s that simple!
Now that you added a downstream server, don’t forget to WAM your server ™
But Wait! I Have Multiple WSUS Servers In My Network!
Have 10 sites with different WSUS replica servers at each site? Create 10 “WSUS – Location (Site)” GPOs and apply them at the Site level in GPMC. For each of the 10 site location GPOs, use the first 2 WSUS locations to use the local WSUS Server (https://site1.internaldomain.local:8531) and specify the alternate download server as our new externally facing server (https://wsus.domain.com:8531).
That’s it! You’re done. KISS Method. It’s that simple! If a system cannot connect to the local server (meaning they’ve left the site and are now on external connections), then the alternative server kicks in which is the external downstream replica server in your DMZ.