Externally Facing WSUS Servers

by | Last updated 2022.10.29 | Published on 2018.10.22 | Guides, WSUS

Take the following questions into consideration:

  1. How can we solve the problem with controlling updates and reporting both internally and externally using WSUS?
  2. How do we make sure that all of our client systems receive updates whether they are inside or outside the office using only WSUS and not SCCM or other agent-based system?

There are a few ways that this can be done. They can be solved by using an always-on VPN, an auto-triggered VPN, a manual VPN connection, or a downstream replica WSUS Server that is externally facing. The one that is right for your business depends on what environment, software, policies, and needs your business has a that point in time.

The Externally Facing WSUS Server

If you have the need for an externally facing WSUS server, you’re going to want to have a few things in place in the planning stages.

This assumes you are using 1 WSUS Server currently in your network and have the need to expand it to the outside network. Depending on how your network setup is, this can expand into a multi-connected network setup by thinking a bit differently and using GPO Inheritance.

You will want to decide on a common hostname that will be used for both the internal and external WSUS systems. “WSUS.domain.com” is a good example. It must be an Internet routable name because you’re going to want to get an SSL Certificate for this hostname or add it to an existing SAN Certificate.

Always Start With DNS!

We’re going to setup a Split-DNS zone for wsus.domain.com so that when a system is inside the network, the hostname resolves to the internal IP of the WSUS server (eg. 192.168.1.56) but when you are external to the network it resolves to the external IP address (eg. 38.55.11.55).

The easiest way to do this internally is to create a DNS Zone (Active Directory – Integrated) for wsus.domain.com and then create a blank A Record and point it to your internal IP Address for your WSUS server (eg. 192.168.1.56). For your external resolution, you’ll have to go to your DNS Hosting provider (usually your website’s hosting provider) to use their interface to add a new A record for wsus.domain.com pointing to the external IP (eg. 38.55.11.55).

Downstream Replica – The Easy Way

You will want to create a downstream replica server in your DMZ. If you don’t have a DMZ, you can create a downstream replica server in your network and just expose ports 8530/8531 to the internet. This method is less secure than a DMZ, but still secure enough. This WSUS server will receive an exact copy of all of your groups, your updates, your approvals and will function in a slave mode – the easy way (just make sure to confirm that reporting rollup is enabled). You now have two setup choices:

  1. Approvals & Content From Your Upstream

    Under the Update Files and Languages section of the WSUS Options, put a dot in “Store update files locally on this server” and make sure “Download update files to this server only when updates are approved” is checked. Make sure you match your upstream server settings for “Download express installation files”. If your upstream server has this option checked, ensure you check this option here. If it is not checked on the upstream, ensure this option is not checked here.

  2. Approvals From Your Upstream & Content From Microsoft.

    Under the Update Files and Languages section of the WSUS Options, put a dot in “Do not store update files locally; computers install from Microsoft Update”

Because you have WSUS on the Internet, you’re going to want to install that SSL Certificate on the server and configure WSUS to use it. Because you have WSUS on your internal network, you’re going to want to install that SSL Certificate on the server and configure WSUS to use it. See Part 7 of my blog series on SSL Setup for WSUS and Why You Should Care!

When configuring your firewall for both internal and external servers, make sure you allow BOTH TCP ports 8530 and 8531 through to the servers as WSUS utilizes both HTTP and HTTPS when the server is configured for HTTPS. It’s like FTP in the relationship of a command channel (8531) and a data channel (8530).

Group Policy – A Friend That Makes Your Life Easy

Now that we have the upstream and downstream systems ready, we have Split-DNS setup let’s tend to group policy.

  1. Approvals & Content From Your Upstream

    If you’ve been following my inheritance setup, change the “WSUS – Location” GPO to reflect the new URL (https://wsus.domain.com:8531) for all 3 locations.

  2. Approvals From Your Upstream & Content From Microsoft

    If you’ve been following my inheritance setup, change the “WSUS – Location” GPO to reflect the new URL (https://wsus.domain.com:8531) for ONLY 2 locations: “Set the intranet update service for detecting updates” and “Set the intranet statistics server”. Clear anything located in the “Set the alternate download server” location as this will then allow the systems to reach out to Microsoft for the content.

That’s it! You’re done. KISS Method. It’s that simple!

Now that you added a downstream server, don’t forget to WAM your server

How to Prepare for On-Prem WSUS UUP Updates

How to Prepare for On-Prem WSUS UUP Updates

Quality updates are coming on March 28 for on-premises Windows 11, version 22H2 devices. The updates are coming via the Unified Update Platform (UUP) which interoperates with WSUS and Microsoft Configuration Manager. UUP quality updates are cumulative, including all...

Backing Up Windows Server Update Services

Backing Up Windows Server Update Services

You probably already know that backing up your Windows Server Update Services is crucial. You want to back up because restores are faster than rebuilding WSUS. Although it’s not difficult to rebuild, it takes valuable time we know you don’t have. Your WSUS...