Delivery Optimization on Isolated Networks with remote sites

Jared Little 1 Reputation point
2020-07-27T16:36:13.377+00:00

Scenario: I have remote sites spread across the US; each connects back to Main Site via secure VPN connections. Main Site hosts all servers and services (including WSUS). I have one WSUS server connected to the internet in order to download updates from Microsoft. Updates are then exported and imported to a second WSUS on the isolated network for deployment. I have a few sites that are still using T1 circuits to connect back to Main Site.

Goal: I would like to minimize the number of connections to WSUS from remote sites in order to request and download updates/patches. I am looking to leverage peer sharing of WSUS files and save bandwidth.

Q1: What download modes will work on isolated networks with NO internet connection?

Q2: What Delivery Optimization GPO settings will allow workstations to share update/patch files on isolated networks?

Q3: For my scenario, would another setting for Download Mode be a better fit? I would like to use Group (2), but the document states that these modes require internet access.

Q4: What other settings should be disabled on an isolated network? I have read that all settings that require internet access should be disabled/turned off. I am not sure which settings require internet access or will attempt to make calls to the internet.

Isolated Network & Sites with "NO" access to internet or DO Cloud Services:

  1. How do workstations/clients on isolated networks share updates/patches retrieved from the remote WSUS located at Main Site?
  2. Do workstations/clients use broadcast to query peers, or directly query peers, to look for and request needed files from peers that have already downloaded the same updates?
  3. Are the connections secure? How are the packages for download verified before being shared between clients? What ports and protocols are used?

2 answers

  1. Andrei Stoica 11 Reputation points Microsoft Employee
    2020-07-27T18:02:05.42+00:00

    Hi Jared,

    DO does not work for isolated networks; this is the only applicable DownloadMode for such environments:
    Simple (99) Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching.
    https://learn.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization-reference#download-mode

    Does Delivery Optimization work with WSUS?: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
    https://learn.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization#frequently-asked-questions

    For point 1:
    Instead of DO, we can use BITS+BranchCache:
    https://learn.microsoft.com/en-us/windows/deployment/update/waas-branchcache

    For point 2:
    Which ports does Delivery Optimization use?: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).

    The DO clients contact the cloud service from which they obtain a list of peers, then try to contact those peers on port 7680.

    For point 3:
    Besides the inherent security of DO, WU also implements this mechanism to ensure the update files are not compromised:

    WSUS uses SSL for metadata only, not for update files. This is the same way that Microsoft Update distributes updates. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. In addition, a hash is computed and sent together with the metadata for each update. When an update is downloaded, WSUS checks the digital signature and hash. If the update has been changed, it is not installed.
    https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#25-secure-wsus-with-the-secure-sockets-layer-protocol

    HTH,
    Andrei

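The following PowerShell is an added example, not part of the thread or of Microsoft's documentation. It puts the three points of the answer above into a form an administrator of the isolated network could run on a client: pin the Delivery Optimization download mode to Simple (99) through the same registry value the "Download Mode" Group Policy writes, confirm nothing is listening on TCP 7680 and that downloads came over HTTP from WSUS rather than from peers, and verify an update file's Authenticode signature and hash the way the answer says WSUS does. It assumes an elevated session on Windows 10 1709 or later (for the DeliveryOptimization module), and `$UpdateFile` and `$ExpectedSha256` are placeholders you replace with a real downloaded update and the hash from its WSUS metadata.

```powershell
# Added example; not from the original thread. Assumes an elevated PowerShell
# session on Windows 10 1709+ with the DeliveryOptimization module available.

# Registry location written by the "Download Mode" policy under
# Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Set-DoSimpleMode {
    # 99 = Simple: no DO cloud service calls and no peer-to-peer caching.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'DODownloadMode' -PropertyType DWord `
        -Value 99 -Force | Out-Null
}

function Get-DoPolicyMode {
    # Returns the policy-enforced mode, or $null if no policy is set.
    (Get-ItemProperty -Path $PolicyKey -Name 'DODownloadMode' -ErrorAction SilentlyContinue).DODownloadMode
}

function Test-DoPeeringDisabled {
    # In Simple mode no peer listener is expected on TCP 7680, and every
    # completed DO job should report zero bytes from peers.
    $listener = Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue
    $jobs = Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue
    $peerBytes = ($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
    $httpBytes = ($jobs | Measure-Object -Property BytesFromHttp -Sum).Sum
    [pscustomobject]@{
        PolicyDownloadMode = Get-DoPolicyMode
        ListeningOn7680    = [bool]$listener
        BytesFromPeers     = [int64]($peerBytes  -as [int64])
        BytesFromHttp      = [int64]($httpBytes  -as [int64])
        PeeringDisabled    = (-not $listener) -and (-not $peerBytes)
    }
}

function Test-UpdateFileIntegrity {
    # Mirrors the two checks the answer describes: the digital signature on
    # the update file and its hash against the value carried in the metadata.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # hex, from WSUS metadata
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # uppercase hex
    $signerOk = $sig.Status -eq 'Valid' -and
                $sig.SignerCertificate.Subject -like '*Microsoft*'
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        SignatureOk     = $signerOk
        HashMatches     = ($hash -eq $ExpectedSha256.ToUpperInvariant())
        Trusted         = $signerOk -and ($hash -eq $ExpectedSha256.ToUpperInvariant())
    }
}

# --- usage (placeholders; replace with a real file and the hash from WSUS metadata) ---
Set-DoSimpleMode
Test-DoPeeringDisabled | Format-List

$UpdateFile     = 'C:\Windows\SoftwareDistribution\Download\<placeholder-update>.cab'
$ExpectedSha256 = '<sha256-hex-from-wsus-metadata>'
if (Test-Path $UpdateFile) {
    Test-UpdateFileIntegrity -Path $UpdateFile -ExpectedSha256 $ExpectedSha256 | Format-List
}
```

`Test-DoPeeringDisabled` is the check to run after a WSUS sync on a client at one of the T1 sites: if `PeeringDisabled` is true and `BytesFromHttp` accounts for the download, the client is pulling from WSUS alone and is not attempting peer coordination, which on the isolated network could only fail. The per-job `BytesFromPeers` and `BytesFromHttp` counters come from `Get-DeliveryOptimizationStatus`; if that module is absent (older builds) the function still reports the policy value and the 7680 listener state.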

  2. Rajiv Baxi 21 Reputation points
    2020-12-12T03:40:13.343+00:00

    Could you give access for the WSUS server on the isolated network to the WSUS server which can access the Internet? This way you could make the WSUS server on the isolated network a replica server and you wouldn't have to export and import updates.
