SkipB-0659 asked Jason-MSFT commented

Best practice for multiple WSUS servers?

What is the WSUS best practice when you are going to service internet-connected clients?

Is it to have separate WSUS servers for internet and intranet clients?

Or to use 1 server that services internet and intranet clients?

Skip


Jason-MSFT answered Jason-MSFT commented

As noted, you need more than just a SUP. Clients must also be able to communicate with an MP and a DP. Ultimately, this is all just web traffic, so you can present these roles to the clients on the Internet in multiple ways. The two most common (and recommended) ways are using an existing site system (or systems) in a DMZ to host these roles, or using a reverse proxy to enable client communication to reach the roles on an existing site server or site system. I would strongly recommend, for security reasons, not reverse proxying to the roles hosted on the site server, though, if that's the path you choose. We don't have explicit documentation covering these scenarios anymore, although the ConfigMgr 2007 documentation did cover it. Also, keep in mind that device authentication for Internet clients requires PKI-issued client authentication certificates.

Using a CMG makes all of the above moot though and is quite easy to deploy with no infrastructure cost or additional security burden.


At this point I've got an IBCM server as MP and DP. Devices are checking in and receiving application deployments. So they've got the cert.

So is it basically a matter of adding the SUP role at this point?

Skip


Yes, that is correct. Internet clients will then automatically download update content directly from Microsoft.


Swell. Things are making more sense now.

Do I need the SUP role on the IBCM server to use SSL to communicate with WSUS? If so, do I just need a cert for server authentication with the FQDN of the WSUS server?

Thanks for your patience.

Skip

AJTek-Adam-J-Marshall answered SkipB-0659 commented

It's all dependent on your setup. If you have a VPN and so forth, one WSUS server can handle thousands of clients. You can also add multiple WSUS servers in either autonomous or replica mode (replica is easy and gives centralized administration).
You can see some options here:
https://www.ajtek.ca/wsus/externally-facing-wsus-servers/


I guess I am more worried about security because I don't think capacity is an issue. We have VPN but we still need to update clients that connect to VPN either very infrequently or for only brief periods of time.

I shall check out the link.

Thanks,
Skip

Jason-MSFT answered SkipB-0659 edited

Is this question specific to ConfigMgr? If so, are you planning on using a CMG? If not, why not?


We do use ConfigMgr, yes.

There is no CMG in the plan. I am not management and do not make decisions such as migration to CMG.

Skip


You don't migrate to a CMG; it's an additional role that you add to ConfigMgr to enable management of clients on the Internet, which sounds like your goal and is the easy-button path to getting there. Simply adding an additional WSUS instance isn't sufficient for deploying updates to Internet-based clients managed by ConfigMgr.

There are a few paths in ConfigMgr for this:

  1. Implement a CMG

  2. Implement Internet Based Client Management (IBCM).

  3. Enable co-management, a CMG, and WUfB (technically you could do this without a CMG, but I would strongly recommend against this as it was not designed to work this way specifically).

  4. Enable WUfB (this would only enable updates and not management of systems on the Internet).


I agree, CMG sounds optimal. I will definitely look into this. I am not sure if we have our own Azure space or not.

With IBCM, can I just add the SUP role to the IBCM server? If so, would I then add the server certificate to the IBCM server with both internet and intranet FQDNs in it? And WSUS would need its own cert as well, it appears.

Thanks,
Skip

SkipB-0659 answered Jason-MSFT commented

Right. By IBCM I mean the internet-facing server that has the MP and DP roles. I am going to add the SUP role to it. But does the SUP role on this server need to communicate with WSUS via SSL ("Require SSL communication to the WSUS server")? If so, wouldn't I need a certificate for the WSUS server to bind to the site in IIS? Our WSUS is not currently using SSL.

Skip


WSUS uses IIS for communication similar to the MP and DP so your cert is already installed there. The SUP role communicates with WSUS via the WSUS API and not using IIS and thus HTTPS and certs are irrelevant for this specific communication. You must configure your WSUS instance for SSL though.

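The last reply says the WSUS instance itself must be configured for SSL before the SUP can require it. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes the default WSUS site name "WSUS Administration", HTTPS port 8531, a placeholder FQDN, and a server-authentication certificate already present in the machine store, and it verifies the result after applying it.

```powershell
# Added example: enable and verify SSL on a WSUS instance (run elevated on the WSUS server).
# Assumptions: default site name "WSUS Administration", HTTPS port 8531, placeholder FQDN,
# and a server-auth certificate with a private key already in Cert:\LocalMachine\My.
Import-Module WebAdministration

$WsusFqdn  = 'wsus.corp.example.com'   # placeholder; use the WSUS server's real FQDN
$SiteName  = 'WSUS Administration'
$HttpsPort = 8531

# Pick the newest server certificate whose subject matches the WSUS FQDN.
$Thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$WsusFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $Thumbprint) { throw "No server certificate for $WsusFqdn in LocalMachine\My" }

# 1. HTTPS binding on the WSUS site, bound to that certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
$binding.AddSslCertificate($Thumbprint, 'My')

# 2. Require SSL only on the virtual directories WSUS uses for API, client and
#    server-sync traffic; the Content directory stays on HTTP for update downloads.
$SslVdirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($vdir in $SslVdirs) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$vdir" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# 3. Tell WSUS itself that its URLs are now HTTPS (wsusutil ships with WSUS).
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl $WsusFqdn

# 4. Verify: every protected vdir must report sslFlags=Ssl and the 8531 binding
#    must carry the certificate hash; anything else means clients will fail over HTTPS.
foreach ($vdir in $SslVdirs) {
    $flags = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$vdir" `
        -Filter 'system.webServer/security/access' -Name sslFlags).Value
    '{0,-22} sslFlags={1}' -f $vdir, $flags
}
Get-WebBinding -Name $SiteName -Protocol https |
    Select-Object bindingInformation, certificateHash
```

After this, the SUP's "Require SSL communication to the WSUS server" option and the clients' WSUS URL should both point at port 8531 on the same FQDN the certificate was issued for.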