Wednesday, March 17, 2010

Multiple WSUS servers and one in the DMZ

I worked in an environment where there were traveling laptops, site-to-site VPNs, and large offices. We wanted all machines to download and install patches from the fastest source without impacting the site-to-site VPN tunnels. The site-to-site VPN offices had split tunneling enabled and could download directly from the Internet, so here is the configuration that was used:

Wsus1 - stores patches locally
Wsus2 - redirects clients to download from the MS download site (in the DMZ)
Wsus3 - at a large office, > 50 machines - pulls its list of patches and updates from Wsus1
Wsus4 - at a large office, > 50 machines - pulls its list of patches and updates from Wsus1
Wsus5 - at a large office, > 50 machines - pulls its list of patches and updates from Wsus1


On my external DNS I set up:
A record - wsusserver.wsus.domain.com - IP x.x.x.x

On my internal DNS I set up a delegation for the subdomain wsus.domain.com using BIND on Windows.
BIND lets you define client views, which allow you to give different answers depending on the requesting IP address/subnet.
For each client subnet:
172.16.1.x - A record - wsusserver.wsus.domain.com - IP y.y.y.y - points users to Wsus1
172.16.21.x - A record - wsusserver.wsus.domain.com - IP x.x.x.x - points users to Wsus2 - this was so that our small site-to-site VPN offices would be directed to the WSUS server in the DMZ and pull the updates from MS without impacting VPN traffic.
172.16.3.x - A record - wsusserver.wsus.domain.com - IP 172.16.3.y - points users to Wsus3, that subnet's local WSUS with local patches
172.16.4.x - A record - wsusserver.wsus.domain.com - IP 172.16.4.y - points users to Wsus4, that subnet's local WSUS with local patches
172.16.5.x - A record - wsusserver.wsus.domain.com - IP 172.16.5.y - points users to Wsus5, that subnet's local WSUS with local patches
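Here is what the split-horizon setup above looks like in BIND configuration terms. This is an added example, not the original post's configuration: the ACL names, zone file names, TTL, SOA/NS values and the catch-all "default" view are my assumptions; the subnets and the x.x.x.x / y.y.y.y / 172.16.N.y addresses are the placeholders from the post. BIND evaluates views in the order they are written and the first matching view answers, so the specific subnets come first and the catch-all last.

```conf
// named.conf fragment (added example, not from the original post).
// One view per client subnet; each view serves its own copy of the
// wsus.domain.com zone, so the same name resolves to a different WSUS server
// depending on where the client sits.

acl hq       { 172.16.1.0/24;  };   // head office, Wsus1 stores patches locally
acl smallvpn { 172.16.21.0/24; };   // small site-to-site VPN offices -> Wsus2 in the DMZ
acl office3  { 172.16.3.0/24;  };   // large office, Wsus3 (downstream of Wsus1)
acl office4  { 172.16.4.0/24;  };   // large office, Wsus4 (downstream of Wsus1)
acl office5  { 172.16.5.0/24;  };   // large office, Wsus5 (downstream of Wsus1)

view "hq" {
    match-clients { hq; };
    zone "wsus.domain.com" { type master; file "wsus-hq.zone"; };      // wsusserver A y.y.y.y
};

view "smallvpn" {
    match-clients { smallvpn; };
    zone "wsus.domain.com" { type master; file "wsus-dmz.zone"; };     // wsusserver A x.x.x.x
};

view "office3" {
    match-clients { office3; };
    zone "wsus.domain.com" { type master; file "wsus-office3.zone"; }; // wsusserver A 172.16.3.y
};

view "office4" {
    match-clients { office4; };
    zone "wsus.domain.com" { type master; file "wsus-office4.zone"; }; // wsusserver A 172.16.4.y
};

view "office5" {
    match-clients { office5; };
    zone "wsus.domain.com" { type master; file "wsus-office5.zone"; }; // wsusserver A 172.16.5.y
};

// Assumption: a catch-all so a client from an unlisted subnet still gets an
// answer. Here it gets the DMZ server, the same answer the external DNS gives.
view "default" {
    match-clients { any; };
    zone "wsus.domain.com" { type master; file "wsus-dmz.zone"; };
};

// ---- wsus-office3.zone (one of the per-view zone files; values assumed) ----
// $TTL 300
// @          IN SOA ns1.wsus.domain.com. hostmaster.domain.com. (
//                   2010031701 3600 900 604800 300 )
//            IN NS  ns1.wsus.domain.com.
// ns1        IN A   172.16.1.10        ; placeholder address for the BIND host
// wsusserver IN A   172.16.3.y         ; Wsus3, this office's local server
```

The WSUS client policy points every machine at the single name wsusserver.wsus.domain.com; the view, not the client, decides which server answers. A quick check after a change is to run `nslookup wsusserver.wsus.domain.com` from a host in each subnet and confirm the address matches the table above; a wrong answer usually means a subnet landed in the wrong ACL or the views are in the wrong order.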

For WSUS1 and WSUS2, I had to approve patches separately. I tried working with some WSUS scripts to export and then import the approved patch list, but I didn't spend too much time trying to get that working and started approving the patches manually.
