Best practice for multiple WSUS servers?

Skip B 91

What is the WSUS best practice when you are going to service internet-connected clients?

Is it to have separate WSUS servers for internet and intranet clients?

Or to use 1 server that services internet and intranet clients?

Skip

Accepted answer

Jason Sandys 31,171 Reputation points Microsoft Employee

2021-04-02T18:14:10.537+00:00

As noted, you need more than just a SUP. Clients must also be able to communicate with an MP and a DP. Ultimately, this is all just web traffic so you can present these roles to the clients on the Internet in multiple ways. The two most common (and recommended ways) are using an existing site system (or systems) in a DMZ to host these roles or to use a reverse proxy to enable client communication to reach the roles on an existing site server or site system. I would strongly recommend, for security reasons, not to reverse proxy to the roles hosted on the site server though if that's the path you choose. We don't have an explicit documentation covering these scenarios anymore although the ConfigMgr 2007 documentation to cover it. Also, keep in mind that device authentication for Internet clients requires PKI-issued client authentication certificates.

Using a CMG makes all of the above moot though and is quite easy to deploy with no infrastructure cost or additional security burden.
Please sign in to rate this answer.
Skip B 91 Reputation points

2021-04-07T19:30:07.29+00:00

At this point I've got an IBCM server as MP and DP. Devices are checking in and receiving application deployments. So they've got the cert.

So is it basically a matter of adding the SUP role at this point?

Skip

Jason Sandys 31,171 Reputation points Microsoft Employee

2021-04-07T20:09:19+00:00

Yes, that is correct. Internet clients will then automatically download update content directly from Microsoft.

Skip B 91 Reputation points

2021-04-09T16:12:56.777+00:00

Swell. Things are making more sense now.

Do I need the SUP role on the IBCM server to use SSL to communicate with WSUS? If so, do I just need a cert for server authentication with the FQDN of the WSUS server?

Thanks for your patience.

Skip

Jason Sandys 31,171 Reputation points Microsoft Employee

2021-04-09T16:16:14.48+00:00

It doesn't have to be the same site system as the other Internet-enabled client facing roles (the MP and DP) -- which I'm presuming you are referring to as the "IBCM server" -- but it can be if you wish. If you are using that same site system for Internet clients, it will already have the necessary server auth cert assigned to it (otherwise Internet clients wouldn't be able to connect at all). If you use an additional site system, then yes, it will need its own server auth cert.
Sign in to comment

3 additional answers

Adam J. Marshall 8,801 Reputation points MVP

2021-03-30T20:20:54.007+00:00

It's all dependant on your setup. If you have a VPN and so forth, 1 WSUS can handle thousands of clients. You can also add multiple WSUS servers in either autonomous or replica mode (replica is easy and centralized administration).
You can see some options here:
https://www.ajtek.ca/wsus/externally-facing-wsus-servers/
Please sign in to rate this answer.
Skip B 91 Reputation points

2021-03-30T20:40:37.647+00:00

I guess I am more worried about security because I don't think capacity is an issue. We have VPN but we still need to update clients that connect to VPN either very infrequently or for only brief periods of time.

I shall check out the link.

Thanks,
Skip
Sign in to comment
Jason Sandys 31,171 Reputation points Microsoft Employee

2021-03-31T04:53:34.193+00:00

Is this question specific to ConfigMgr? If so, are you planning on using a CMG? If not, why not?
Please sign in to rate this answer.
Skip B 91 Reputation points

2021-04-02T13:39:03.147+00:00

We do use ConfigMgr, yes.

There is no CMG in the plan. I am not management and do not make decisions such as migration to CMG.

Skip

Jason Sandys 31,171 Reputation points Microsoft Employee

2021-04-02T14:55:11.167+00:00

You don't migrate to a CMG, it's an additional role that you add to ConfigMgr to enable management of clients the Internet which sounds like your goal and is the easy -button path to getting there. Simply adding an additional WSUS instance isn't sufficient for deploying updates to Internet-based clients managed by ConfigMgr.

There are a few paths in ConfigMgr for this:

Implement a CMG

Implement Internet Based Client Management (IBCM).

Enable co-management, a CMG, and WUfB (technically you could do this without a CMG, but I would strongly recommend against this as it was not designed to work this way specifically).

Enable WUfB (this would only enable updates and not management of systems on the Internet).

Skip B 91 Reputation points

2021-04-02T17:09:44.537+00:00

I agree, CMG sounds optimal. I will definitely look into this. I am not sure if we have our own Azure space or not.

With IBCM, can I just add the SUP role to the IBCM server? If so, would I then add the server certificate to the IBCM server with both internet and intranet FQDNs in it? And WSUS would need its own cert as well, it appears.

Thanks,
Skip
Sign in to comment
Skip B 91 Reputation points

2021-04-09T17:37:43.043+00:00

Right. By IBCM I mean the internet-facing server that has the MP and DP roles. I am going to add the SUP role to it. But does the SUP role on this server need to communicate with WSUS via SSL ("Require SSL communication to the WSUS server")? If so, wouldn't I need a certificate for the WSUS server to bind to the site in IIS? Our WSUS is not currently using SSL.

Skip
Please sign in to rate this answer.
Jason Sandys 31,171 Reputation points Microsoft Employee

2021-04-09T18:48:51.213+00:00

WSUS uses IIS for communication similar to the MP and DP so your cert is already installed there. The SUP role communicates with WSUS via the WSUS API and not using IIS and thus HTTPS and certs are irrelevant for this specific communication. You must configure your WSUS instance for SSL though.
Sign in to comment