Externally Facing WSUS Servers

Take the following questions into consideration:

  1. How can we solve the problem with controlling updates and reporting both internally and externally using WSUS?
  2. How do we make sure that all of our client systems receive updates whether they are inside or outside the office using only WSUS and not SCCM or other agent-based system?

There are a few ways that this can be done. They can be solved by using an always-on VPN, an auto-triggered VPN, a manual VPN connection, or a downstream replica WSUS Server that is externally facing. The one that is right for your business depends on what environment, software, policies, and needs your business has a that point in time.

The Externally Facing WSUS Server

If you have the need for an externally facing WSUS server, you’re going to want to have a few things in place in the planning stages.

This assumes you are using 1 WSUS Server currently in your network and have the need to expand it to the outside network. Depending on how your network setup is, this can expand into a multi-connected network setup by thinking a bit differently and using GPO Inheritance.

You will want to decide on a common hostname that will be used for both the internal and external WSUS systems. “WSUS.domain.com” is a good example. It must be an Internet routable name because you’re going to want to get an SSL Certificate for this hostname or add it to an existing SAN Certificate.

Always Start With DNS!

We’re going to setup a Split-DNS zone for wsus.domain.com so that when a system is inside the network, the hostname resolves to the internal IP of the WSUS server (eg. but when you are external to the network it resolves to the external IP address (eg.

The easiest way to do this internally is to create a DNS Zone (Active Directory – Integrated) for wsus.domain.com and then create a blank A Record and point it to your internal IP Address for your WSUS server (eg. For your external resolution, you’ll have to go to your DNS Hosting provider (usually your website’s hosting provider) to use their interface to add a new A record for wsus.domain.com pointing to the external IP (eg.

Downstream Replica – The Easy Way

You will want to create a downstream replica server in your DMZ. This WSUS server will receive an exact copy of all of your groups, your updates, your approvals and will function in a slave mode – the easy way (just make sure to confirm that reporting rollup is enabled).

Because you have WSUS on the Internet, you’re going to want to install that SSL Certificate on the server and configure WSUS to use it. Because you have WSUS on your internal network, you’re going to want to install that SSL Certificate on the server and configure WSUS to use it. See Part 7 of my blog series on SSL Setup for WSUS and Why You Should Care!

When configuring your firewall for both internal and external servers, make sure you allow BOTH TCP ports 8530 and 8531 through to the servers as WSUS utilizes both HTTP and HTTPS when the server is configured for HTTPS. It’s like FTP in the relationship of a command channel (8531) and a data channel (8530).

Group Policy – A Friend That Makes Your Life Easy

Now that we have the upstream and downstream systems ready, we have Split-DNS setup let’s tend to group policy. If you’ve been following my inheritance setup, change the “WSUS – Location” GPO to reflect the new URL (https://wsus.domain.com:8531) for all 3 locations.

That’s it! You’re done. KISS Method. It’s that simple!

Now that you added a downstream server, don’t forget to WAM your server

But Wait! I Have Multiple WSUS Servers In My Network!

No problem!

Have 10 sites with different WSUS replica servers at each site? Create 10 “WSUS – Location (Site)” GPOs and apply them at the Site level in GPMC. For each of the 10 site location GPOs, use the first 2 WSUS locations to use the local WSUS Server (https://site1.internaldomain.local:8531) and specify the alternate download server as our new externally facing server (https://wsus.domain.com:8531).

That’s it! You’re done. KISS Method. It’s that simple! If a system cannot connect to the local server (meaning they’ve left the site and are now on external connections), then the alternative server kicks in which is the external downstream replica server in your DMZ.