Do I really need an Internet connected WSUS server? Cliff Hobbs 10/24/2008 11:50:00 AM Hi all, apologies if this has been asked before. We have a customer who has a completely disconnected site of about 30 machines who need to manage their security updates. One suggestion is to install a local WSUS server on this site. The problem is how do we get the updates onto this server in order to deploy them? It seems we'd either need to give this server Internet connectivity in order to download the updates from MS (which isn't an option) OR install another WSUS server somewhere that does have Internet access, download the updates on here and then copy them across to the isolated WSUS server. Do we REALLY need to install two WSUS servers to get this to work? Does MS not have a WSUS server somewhere from where you can download the updates direct (I'm guessing fears of content tampering wouldn't be an issue as the content is digitally signed so if someone tries to change an update WSUS will whinge or am I misinformed)? Any thoughts or comments much appreciated. Kind regards, Cliff

Re: Do I really need an Internet connected WSUS server? Cliff Hobbs 10/24/2008 6:57:04 PM Many thanks David but the issue is this: "In this example, you create a WSUS server that is connected to the Internet but isolated from the intranet" The site where my Clients is doesn't have Internet connectivity which suggests to me I need TWO WSUS servers - one connected to the Internet, and the other not connected I use to manage my Clients which isn't what I want to do and of course involves buying two servers. Hoping I missing the obvious here. -- Many thanks and kind regards, Cliff Hobbs Microsoft MVP - ConfigMgr/ SMS (2004 - Present) Owner FAQShop.com - Giving You the FAQs | http://www.faqshop.com WMUG Cofounder | http://wmug.co.uk/ "David" wrote: [Quoted Text] > Hi Cliff, > > Yes you can, apparently. > > I found the following info on page 14 of the attached document. Page 75 > tells you how. Good luck! > > Networks Disconnected from the Internet > It is unnecessary for your entire network to be connected to the Internet in > order for you to deploy WSUS. If you have a network segment that is not > connected to the Internet, consider deploying WSUS as shown in the > "Distributing Updates on an Isolated Segment" illustration below. In this > example, you create a WSUS server that is connected to the Internet but > isolated from the intranet. After you download updates to this server, you > can hand-carry media to disconnected servers running WSUS, by exporting and > importing updates. > Distributing Updates on an Isolated Segment > > > Exporting and importing is also appropriate for organizations that have > high-cost or low-bandwidth links to the Internet. Even with all the > bandwidth-saving options described later in this guide downloading enough > updates for all Microsoft products throughout an organization can be > bandwidth-intensive. Importing and exporting updates enables organizations > to download updates once and distribute by using inexpensive media. See Set > Up a Disconnected Network (Import and Export Updates) for more information > about how to export and import updates. > > > -- > Take care, > > David > http://dcraige27.blogspot.com > > "Cliff Hobbs" <Cliff Hobbs[ at ]discussions.microsoft.com> wrote in message > news:7EDF39A6-3177-40AC-ADBA-F2198B1C6FAF[ at ]microsoft.com... > > Hi all, > > > > apologies if this has been asked before. We have a customer who has a > > completely disconnected site of about 30 machines who need to manage their > > security updates. > > > > One suggestion is to install a local WSUS server on this site. The problem > > is how do we get the updates onto this server in order to deploy them? It > > seems we'd either need to give this server Internet connectivity in order > > to > > download the updates from MS (which isn't an option) OR install another > > WSUS > > server somewhere that does have Internet access, download the updates on > > here > > and then copy them across to the isolated WSUS server. > > > > Do we REALLY need to install two WSUS servers to get this to work? Does MS > > not have a WSUS server somewhere from where you can download the updates > > direct (I'm guessing fears of content tampering wouldn't be an issue as > > the > > content is digitally signed so if someone tries to change an update WSUS > > will > > whinge or am I misinformed)? > > > > Any thoughts or comments much appreciated. > > > > Kind regards, > > Cliff >

Re: Do I really need an Internet connected WSUS server? DaveMills <DaveMills[ at ]newsgroup.nospam> 10/24/2008 7:09:18 PM On Fri, 24 Oct 2008 04:50:00 -0700, Cliff Hobbs <Cliff Hobbs[ at ]discussions.microsoft.com> wrote: [Quoted Text] >Hi all, > >apologies if this has been asked before. We have a customer who has a >completely disconnected site of about 30 machines who need to manage their >security updates. > >One suggestion is to install a local WSUS server on this site. The problem >is how do we get the updates onto this server in order to deploy them? It >seems we'd either need to give this server Internet connectivity in order to >download the updates from MS (which isn't an option) OR install another WSUS >server somewhere that does have Internet access, download the updates on here >and then copy them across to the isolated WSUS server. The latter, it in the operations and/or deployment guides > >Do we REALLY need to install two WSUS servers to get this to work? Does MS >not have a WSUS server somewhere from where you can download the updates >direct (I'm guessing fears of content tampering wouldn't be an issue as the >content is digitally signed so if someone tries to change an update WSUS will >whinge or am I misinformed)? So you want to download the updates from an MS server but you don't want to connect to it over the internet. How do you want to connect to it 54K dial up for 2GB a month? Or will you be able to pay for a dedicated connection to MS (not that they offer one). > >Any thoughts or comments much appreciated. > >Kind regards, >Cliff -- Dave Mills There are 10 types of people, those that understand binary and those that don't.

Re: Do I really need an Internet connected WSUS server? "Lawrence Garvin \(MVP\)" <lawrence[ at ]nospam> 10/24/2008 7:10:18 PM "Cliff Hobbs" <Cliff Hobbs[ at ]discussions.microsoft.com> wrote in message news:7EDF39A6-3177-40AC-ADBA-F2198B1C6FAF[ at ]microsoft.com... [Quoted Text] > Hi all, > > apologies if this has been asked before. Hi Cliff! (Even if it has... we're used to "things that have been asked before") :))) > We have a customer who has a > completely disconnected site of about 30 machines who need to manage their > security updates. > > One suggestion is to install a local WSUS server on this site. The problem > is how do we get the updates onto this server in order to deploy them? > OR install another WSUS > server somewhere that does have Internet access, download the updates on > here > and then copy them across to the isolated WSUS server. This is the methodlogy required, and it's documented in the WSUS Deployment Guide. > Do we REALLY need to install two WSUS servers to get this to work? If one is disconnected... yes. However, since the 'connected' server is only going to be used for the express purpose of downloading content, and not for actually servicing clients, it can easily be run on a part-time virtual machine from a connected desktop machine. Fire up a copy of WinServer2003WebEdition in a VM on a connected XP desktop, and once a week or so synchronize the server and downloaded the needed update files. > Does MS > not have a WSUS server somewhere from where you can download the updates > direct (I'm guessing fears of content tampering wouldn't be an issue as > the > content is digitally signed so if someone tries to change an update WSUS > will > whinge or am I misinformed)? Well yeah.... but it's called "Microsoft Update". :-) Also, there's the "Microsoft Update Catalog", that the WSUS Server can import from, but it still requires a direct server-to-server connection (i.e. via the Internet). -- Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP Principal/CTO, Onsite Technology Solutions, Houston, Texas Microsoft MVP - Software Distribution (2005-2009) MS WSUS Website: http://www.microsoft.com/wsus My Websites: http://www.onsitechsolutions.com; http://wsusinfo.onsitechsolutions.com My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin