We have a second location which is connected via VPN link on a broadband connection. The computers at that location are configured via the same group policy as the computers at HQ where the WSUS is located. However, the computers at the remote location do not show up in the WSUS at HQ.
The ip scheme at HQ is 192.168.1.x and the remote is 192.168.2.x. Could that be a problem?
We have an extra server in storage. Would it be advantageous to set it up as a WSUS and place it at the remote location and configure it as a downstream WSUS?
Thanks in advance,
PJ
-- Message posted via http://www.winserverkb.com
|
|
"pvliii via WinServerKB.com" <u46670[ at ]uwe> wrote in message news:8b9c5d9f9750a[ at ]uwe...
> We have a second location which is connected via VPN link on a broadband connection. The computers at that location are configured via the same group policy as the computers at HQ where the WSUS is located. However, the computers at the remote location do not show up in the WSUS at HQ.
>
> The ip scheme at HQ is 192.168.1.x and the remote is 192.168.2.x. Could that be a problem?
It could. Do those clients know how to get to the 192.168.1.x network?
Is there a firewall on the 192.168.1.x link that's blocking traffic from the remote network on the WSUS port(s)?
What says the Client Diagnostic Tool when run on a remote client?
or what says the WindowsUpdate.log from a client attempting to make a connection?
All of which assumes that your Group Policy has actually been applied to the remote systems.
> We have an extra server in storage. Would it be advantageous to set it up as a WSUS and place it at the remote location and configure it as a downstream WSUS?
Probably not, if that's a full-width broadband VPN link between the sites.
Generally if there's at least 5kb/sec per client of available bandwidth, the remote clients will do just fine working from a central server.
-- Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP Principal/CTO, Onsite Technology Solutions, Houston, Texas Microsoft MVP - Software Distribution (2005-2009)
MS WSUS Website: http://www.microsoft.com/wsus My Websites: http://www.onsitechsolutions.com; http://wsusinfo.onsitechsolutions.com My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
|
|
Lawrence Garvin wrote:
>> We have a second location which is connected via VPN link on a broadband connection. The computers at that location are configured via the same
>[quoted text clipped - 5 lines]
>> that be a problem?
>
>It could. Do those clients know how to get to the 192.168.1.x network?
>
>Is there a firewall on the 192.168.1.x link that's blocking traffic from the remote network on the WSUS port(s)?
>
>What says the Client Diagnostic Tool when run on a remote client?
>
>or what says the WindowsUpdate.log from a client attempting to make a connection?
>
>All of which assumes that your Group Policy has actually been applied to the remote systems.
>
>> We have an extra server in storage. Would it be advantageous to set it up as a WSUS and place it at the remote location and configure it as a downstream WSUS?
>
>Probably not, if that's a full-width broadband VPN link between the sites.
>
>Generally if there's at least 5kb/sec per client of available bandwidth, the remote clients will do just fine working from a central server.
Thank you all for the quick reply.
Here's the output from the Client Diagnostic Tool:
=====
WSUS Client Diagnostics Tool

Checking Machine State
    Checking for admin rights to run tool . . . . . . . . . PASS
    Automatic Updates Service is running. . . . . . . . . . PASS
    Background Intelligent Transfer Service is running. . . PASS
    Wuaueng.dll version 7.2.6001.784. . . . . . . . . . . . PASS
        This version is WSUS 2.0

Checking AU Settings
    AU Option is 4: Scheduled Install . . . . . . . . . . . PASS
        Option is from Control Panel

Checking Proxy Configuration
    Checking for winhttp local machine Proxy settings . . . PASS
        Winhttp local machine access type <Direct Connection>
        Winhttp local machine Proxy. . . . . . . . . . PASS
        Winhttp local machine ProxyBypass. . . . . . . PASS
    Checking User IE Proxy settings . . . . . . . . . . . . PASS
        User IE Proxy. . . . . . . . . . . . . . . . . PASS
        User IE ProxyByPass. . . . . . . . . . . . . . PASS
        User IE AutoConfig URL Proxy . . . . . . . . . PASS
        User IE AutoDetect
        AutoDetect not in use

Checking Connection to WSUS/SUS Server
    AU does not have Policy Set
    AU does not have Policy Set
    UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL
=====
|
|
On Mon, 13 Oct 2008 17:15:56 GMT, "pvliii via WinServerKB.com" <u46670[ at ]uwe> wrote:
Snip....
Well, it looks like your GPO is not being applied or does not have the correct WSUS settings. These clients are not configured to use WSUS. You need to double check the GPO settings and use GPresult to see if they are seeing the policy.
>Checking Connection to WSUS/SUS Server
>AU does not have Policy Set
>AU does not have Policy Set
> UseWuServer is disabled . . . . . . . . . . . . . . . . FAIL
>=====
-- Dave Mills There are 10 types of people, those that understand binary and those that don't.
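The two checks raised in the replies above (did the WSUS policy reach the client, and can the client reach the WSUS port across the VPN), as an added example that is not part of the original thread. It reads the standard Windows Update policy registry values on the client; `Get-PolicyValue` is a hypothetical helper name introduced here.

```powershell
# Added example: read the WSUS values that Group Policy writes on a client,
# then test the TCP path to the server they name.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Hypothetical helper: returns $null when the key or value is absent,
# which is what a client looks like when the GPO never applied.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$wuServer     = Get-PolicyValue $wuKey 'WUServer'
$statusServer = Get-PolicyValue $wuKey 'WUStatusServer'
$useWuServer  = Get-PolicyValue $auKey 'UseWUServer'

"WUServer       : $wuServer"
"WUStatusServer : $statusServer"
"UseWUServer    : $useWuServer"

if ($useWuServer -ne 1 -or -not $wuServer) {
    # Matches the 'UseWuServer is disabled' FAIL in the diagnostic output.
    'No WSUS policy on this client. Check GPO scope and run gpresult.'
}
else {
    # Policy is present, so the remaining question is routing or a firewall.
    $uri    = [Uri]$wuServer
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($uri.Host, $uri.Port)
        "TCP connect to $($uri.Host):$($uri.Port) succeeded."
    }
    catch {
        "TCP connect to $($uri.Host):$($uri.Port) failed: $($_.Exception.Message)"
    }
    finally {
        $client.Close()
    }
}
```

Run it on one HQ client and one remote client and compare: identical policy values with a failed connect on the remote side point at the VPN or firewall, while empty values on the remote side point at Group Policy.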
|
|
pvliii via WinServerKB.com wrote:
> We have a second location which is connected via VPN link on a broadband connection. The computers at that location are configured via the same group policy as the computers at HQ where the WSUS is located. However, the computers at the remote location do not show up in the WSUS at HQ.
>
> The ip scheme at HQ is 192.168.1.x and the remote is 192.168.2.x. Could that be a problem?
>
> We have an extra server in storage. Would it be advantageous to set it up as a WSUS and place it at the remote location and configure it as a downstream WSUS?
>
> Thanks in advance,
>
> PJ
This is similar to the situation I found myself in. We have a main site (192.168.1.x) that had all the servers in the domain, including a WSUS 3 server. We have a remote site (192.168.100.x) that is connected via a T1 (1/2 is used for VOIP and 1/2 for data).
I was concerned about the amount of data being sent over the T1 when the remote clients did their updates.
I took an old server, installed 2003 and WSUS 3, making a "downstream" server to the primary server. The WSUS server on the main site syncs with MS every morning at 10PM. The remote server syncs with the main WSUS server every day at 3AM.
The main server notifies me when updates get loaded. I review them and begin the testing/evaluation. I then approve the ones I want and discard the ones I don't want. The server then begins downloading the updates. The next morning at 3AM, the remote server syncs with the main server.
It's worked exactly as I had hoped. I control when each server gets updates and can manage them all with the single console.
Sounds like it's exactly what you need........ If you need help, contact me at
arnoldh at hospiceinc dot org
--
Regards, Hank Arnold Microsoft MVP Windows Server - Directory Services
|
|
Thanks, Hank. I'm going to try this out once I clear out this list of to do's. I'll post how it works out.
PJ
Hank Arnold (MVP) wrote:
>> We have a second location which is connected via VPN link on a broadband connection. The computers at that location are configured via the same group
>[quoted text clipped - 11 lines]
>>
>> PJ
>
>This is similar to the situation I found myself in. We have a main site (192.168.1.x) that had all the servers in the domain, including a WSUS 3 server. We have a remote site (192.168.100.x) that is connected via a T1 (1/2 is used for VOIP and 1/2 for data).
>
>I was concerned about the amount of data being sent over the T1 when the remote clients did their updates.
>
>I took an old server, installed 2003 and WSUS 3, making a "downstream" server to the primary server. The WSUS server on the main site syncs with MS every morning at 10PM. The remote server syncs with the main WSUS server every day at 3AM.
>
>The main server notifies me when updates get loaded. I review them and begin the testing/evaluation. I then approve the ones I want and discard the ones I don't want. The server then begins downloading the updates. The next morning at 3AM, the remote server syncs with the main server.
>
>It's worked exactly as I had hoped. I control when each server gets updates and can manage them all with the single console.
>
>Sounds like it's exactly what you need........ If you need help, contact me at
>
>arnoldh at hospiceinc dot org
-- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/wsus/200810/1