Group:  English: Windows Server » microsoft.public.windows.server.update_services
Thread: Admin Console and Internet Security

Admin Console and Internet Security
RWBitters 7/9/2007 3:02:00 PM
Let me start by saying that I've been using WSUS2 and I'm now testing and
evaluating how to best implement and upgrade to WSUS3.

I manage three separate and unique remote domains. Currently I have a WSUS2
server in each domain that is used to approve the updates for the
workstations and servers in the domain. To manage these three unique WSUS
instances, I connect remotely through a web browser to the WSUSAdmin urls.
This works very nicely for me.

As for migrating to WSUS3... I've reviewed much of the online documentation
for the install and usage of WSUS3, but still have a few questions I'm hoping
someone can answer:

1 - It appears that the WSUS3 Administration console communicates to the
WSUS server via IIS Web Services. Assuming that this is true... Can I
install the Console only and use it to connect to the WSUS3 server over the
internet if my WSUS server's IIS is internet facing?

2 - Assuming that I can do what I am proposing in my question above... What
WebServices must be exposed to the internet and what are my options/best
practices for securing them?

Geo

Re: Admin Console and Internet Security
"Lawrence Garvin (MVP)" <onsitech[ at ]community.nospam> 7/10/2007 3:34:51 AM
"RWBitters" <RWBitters[ at ]discussions.microsoft.com> wrote in message
news:01311689-5E7A-4D3F-9106-9774E8AAAB50[ at ]microsoft.com...

> 1 - It appears that the WSUS3 Administration console communicates to the
> WSUS server via IIS Web Services. Assuming that this is true... Can I
> install the Console only and use it to connect to the WSUS3 server over
> the internet if my WSUS server's IIS is internet facing?

Yes, with one absolute requirement. The client running the MMC admin console
must have a domain trust with the server running WSUS.

One other caveat -- unless you have appropriate security restrictions in
place, an "Internet facing" WSUS server is a violation of the licensing
terms for WSUS.

> 2 - Assuming that I can do what I am proposing in my question above...
> What WebServices must be exposed to the internet and what are my
> options/best practices for securing them?

It's not a selective process. You simply publish the web server (port 80 or
port 8530) to the Internet. I'd also strongly suggest enabling SSL between
the client admin node and the WSUS Server, and, you've still got the issue
of domain trust to address.


--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
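
Added example, not part of the reply above and not Microsoft's own code: a PowerShell sketch that opens the administration connection to several WSUS 3.0 servers over SSL through the WSUS administration API and reports whether the plain-HTTP port is also reachable from the admin node. The host names are constructed, port 8531 is an assumed SSL binding, and the script assumes the workstation has the console installed and meets the domain trust requirement described in the reply.

```powershell
# Constructed host names: replace with your own WSUS servers.
$servers   = 'wsus.site-a.example', 'wsus.site-b.example', 'wsus.site-c.example'
$sslPort   = 8531   # assumption: SSL binding of a WSUS custom site (443 on the default site)
$plainPort = 8530   # plain-HTTP port named in the reply (80 on the default site)

# The administration assembly is installed together with the WSUS 3.0 console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$report = foreach ($name in $servers) {
    $row = [pscustomobject]@{
        Server             = $name
        Secure             = $false
        Version            = $null
        Computers          = $null
        PlainHttpReachable = $null
        Error              = $null
    }
    try {
        # Second argument $true asks for an SSL connection; the call fails
        # if the server has no usable certificate or the logon is rejected.
        $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer(
                    $name, $true, $sslPort)
        $row.Secure    = $wsus.UseSecureConnection
        $row.Version   = $wsus.Version
        $row.Computers = $wsus.GetStatus().ComputerTargetCount
    } catch {
        $row.Error = $_.Exception.Message
    }
    # If the plain-HTTP port answers from the admin node's side of the firewall,
    # the server is published more widely than the SSL-only admin path needs.
    # Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later.
    $row.PlainHttpReachable = Test-NetConnection -ComputerName $name -Port $plainPort `
                                  -InformationLevel Quiet -WarningAction SilentlyContinue
    $row
}

$report | Format-Table -AutoSize
```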


Re: Admin Console and Internet Security
RWBitters 7/10/2007 1:00:00 PM
Thanks for the answer. Bummer -- looks like I'll just have to remotely
connect to each server to get around that domain trust limitation.

Any chance that running the console without domain trust (ie - supplying an
alternate logon and password to use to connect to the WSUS webservices over
SSL) would be added in the future?

It would be convenient for me to run the MMC console and be able to see all
three of my uniquely remote WSUS servers in the tree.

Re: Admin Console and Internet Security
"Lawrence Garvin (MVP)" <onsitech[ at ]community.nospam> 7/11/2007 2:00:56 AM

"RWBitters" <RWBitters[ at ]discussions.microsoft.com> wrote in message
news:ED96FF62-3B1B-4FD4-933D-8C6EB6DEE3F5[ at ]microsoft.com...
> Thanks for the answer. Bummer -- looks like I'll just have to remotely
> connect to each server to get around that domain trust limitation.
>
> Any chance that running the console without domain trust (ie - supplying
> an alternate logon and password to use to connect to the WSUS webservices
> over SSL) would be added in the future?

Honestly, I don't know. I don't yet understand why the model went from a
simple "Integrated Windows Authentication" website, to an MMC that
*requires* a domain trust. Under the old model I could log onto the website
from a non-domain-member workstation, enter a domain account/password, and
be connected and administering the server.

The question may revolve around *why* the domain trust needs to exist in the
first place.


> It would be convenient for me to run the MMC console and be able to see all
> three of my uniquely remote WSUS servers in the tree.

Wouldn't it though! The very improvement brought about by switching from the
web-based to the MMC-based interface is shot in the foot by mandating the
domain trust requirement.


--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://www.microsoft.com/wsus

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....

