MadCow
Honorable But Hopeless Addict
    
Canada
1484 Posts
Status: offline |
Posted - 07/22/2008 : 09:04:36 AM
|
We have quite a few PC users at home and they VPN into the office.
Is it possible that when they VPN in, their Windows Update clients pull the Windows updates from the WSUS server parked in the office? How can we do that?
They don't have local admin rights so they cannot download directly from the MS site? What's the best way to do this?
Advise Please.
Thank you
|
Sunny __________________________________________________________________________
"Everyone is susceptible to the notion that when you begin to do well, you begin to see no boundary lines and forget the rules apply" - Eliot Spitzer
|
|
|
mitachu
Honorable But Hopeless Addict
    
United Kingdom
1768 Posts
Status: offline |
Posted - 07/22/2008 : 10:20:39 AM
|
In theory this should work "out of the box" should it not?
Assuming the WSUS server is resolvable or you're specifying the server in IP format, and the VPN is up... the updates should get pulled down. As automatic updates uses BITS then in theory the VPN connection wouldn't be flooded with update traffic.
That said, I can't say that I've tried it.
If you don't want them to use the WSUS server then I believe you can configure their machines to download updates from the MS site. The process runs as the Automatic Updates service rather than the user so permissions don't matter.
|
Tim |
 |
|
|
MadCow
Honorable But Hopeless Addict
    
Canada
1484 Posts
Status: offline |
Posted - 07/22/2008 : 11:40:32 AM
|
Thank you for your response mitachu ..
I know there is a way to configure updates for these home vpn users ...... via WSUS.
Once they connect to office via VPN they will download the approved updates by WSUS .....but they will download those from the internet directly not from the WSUS.
I hope I am making sense here ...
I have to find out how it's done ... because we want them to have the same updates as we have on our office PCs.
Advise Please.
Thank you. |
|
 |
|
|
mitachu
Honorable But Hopeless Addict
    
United Kingdom
1768 Posts
Status: offline |
Posted - 07/22/2008 : 12:38:38 PM
|
I think I follow.
You want the machines to always update themselves from the WSUS server whether they are in the office or offsite. Correct?
|
Tim |
 |
|
|
MadCow
Honorable But Hopeless Addict
    
Canada
1484 Posts
Status: offline |
Posted - 07/22/2008 : 1:17:01 PM
|
Thank you for your response.
Yes you got it.
Any ideas?
|
|
 |
|
|
mitachu
Honorable But Hopeless Addict
    
United Kingdom
1768 Posts
Status: offline |
Posted - 07/22/2008 : 3:40:34 PM
|
Are you saying that you have this in place already and it's not working, or are you just looking at if it's possible? I would hazard a guess and say that what you want to do IS possible and will work straight away assuming the configuration is correct (i.e. ensure that the remote client can communicate with the WSUS server when it's working offsite). I would personally be wary of letting users drag updates down over their VPN connection but like I say, the BITS mechanism should take care of that worry. Hope that helps.
|
Tim |
 |
|
|
MadCow
Honorable But Hopeless Addict
    
Canada
1484 Posts
Status: offline |
Posted - 07/22/2008 : 3:49:53 PM
|
Thank you for your response.
Yes, all is in place already and not working for the home/remote users.
I will pick one home user and see if the PC is registered with WSUS and then take it from there. I can also trigger some scripts when the VPN connection is made ... like gpupdate /force.
I am thinking that once the PC is registered properly with WSUS, and if the VPN connection is not made and only an internet connection is made, the client will only download approved updates. I hope I am right!
|
 |
|
|
mitachu
Honorable But Hopeless Addict
    
United Kingdom
1768 Posts
Status: offline |
Posted - 07/22/2008 : 3:56:05 PM
|
See if clientdiag.exe gives you some helpful information on connectivity to the wsus server as well.
From what you've said in your previous post, it sounds to me like you are expecting the clients to update from the Microsoft site if the VPN connection is not there. I'm a touch confused now...! |
Tim |
 |
|
|
arek73
Moderator
    
Poland
4592 Posts
Status: offline |
Posted - 07/22/2008 : 7:19:46 PM
|
There is no mechanism in WSUS to allow for these 2 scenarios to work. If you connect via VPN and are able to resolve your WSUS server then you should be able to pull the updates (provided you don't block BITS or HTTP).
There is no automated way for the WU/MU client to know if it is on VPN or just Internet and do any kind of switch from downloading from internal WSUS to Microsoft Update (other than a manual update from the MU website initiated by the user).
The other alternative might be to put WSUS in DMZ, exposed to Internet if you want to have control over which patches are approved and applied. I never tried this scenario though. |
---- Arek |
 |
|
|
mitachu
Honorable But Hopeless Addict
    
United Kingdom
1768 Posts
Status: offline |
Posted - 07/23/2008 : 04:15:53 AM
|
That's exactly what I thought.
Tim |
 |
|
|
joe_elway
Honorable But Hopeless Addict
    
Ireland
6673 Posts
Status: offline |
Posted - 07/23/2008 : 05:33:39 AM
|
Yeap. The AU client should download from the WSUS server via the VPN as long as the client has the ability to communicate with the WSUS server via VPN.
What port is your WSUS server listening on? Can you telnet from a typical failing client to the WSUS server on that port via the VPN?
Aidan Finn MCSE, MVP (Virtual Machine: Systems Administration)
IT Blog: http://www.aidanfinn.com My Photography: http://www.aidanfinnphoto.com/ My Hyper-V Book: Mastering Hyper-V Deployment Twitter: http://twitter.com/joe_elway |
Edited by - joe_elway on 07/23/2008 05:34:24 AM |
 |
|
|
MadCow
Honorable But Hopeless Addict
    
Canada
1484 Posts
Status: offline |
Posted - 07/23/2008 : 08:23:41 AM
|
Thank you all for your response.
I will check out the telnet and troubleshooting tips dropped here.
I have set up https:// for my WSUS and it works fine from the internal network. I also like the idea of parking WSUS in the DMZ.
Question is, how long do the home/remote users stay connected to the WSUS to download all the updates? Will this not clog the connection ... everybody these days has high speed?
How do I check if BITS is not blocked?
Advise Please.
Thank you |
|
 |
|
|
arek73
Moderator
    
Poland
4592 Posts
Status: offline |
Posted - 07/23/2008 : 09:41:32 AM
|
I haven't touched ISA for years now, but I believe there is a rule for BITS traffic there.
Client will stay connected as long as it takes to pull all the updates. Good thing about BITS though is that if connection drops, client will resume where it left off. |
---- Arek |
 |
|
|
joe_elway
Honorable But Hopeless Addict
    
Ireland
6673 Posts
Status: offline |
Posted - 07/23/2008 : 10:00:30 AM
|
Checking on BITS being blocked will depend probably on application filters in the firewall.
We do a lot of through-firewall networking and most of my AU clients are in untrusted networks. We just need to open up the TCP port for the WSUS server inbound to the WSUS server from the AU clients. The firewall knows it's http traffic so the filtering is appropriate.
How long downloads take - how long is a piece of string? On the client side, BITS only downloads when the PC's network connection is not used by something else. This is efficient for a single user on a single DSL line. BITS does not coordinate multiple users on a single WAN connection. If you have lots of people in a site then you might want to look at local WSUS.
As for clogging your central site's link over VPN. Yeap. That's always a possibility. You'll need to monitor your traffic to see how much WSUS is consuming and scale your pipe as required. |
 |
|
|
MadCow
Honorable But Hopeless Addict
    
Canada
1484 Posts
Status: offline |
Posted - 09/16/2008 : 06:54:52 AM
|
How often does the Windows Update Client check for updates from WSUS?
We use Juniper; I have to check with my firewall guys. Is there a specific port number for BITS?
Should I be opening ports 80 and 443 going to my WSUS or just 443? I have my WSUS admin console running on https.
I also read that setting the server name to its IP address in the Set Server Options page can also help the clients to update from WSUS, but I cannot seem to find this option in my WSUS admin console.
Advise Please.
Thank you
|
|
Edited by - MadCow on 09/16/2008 08:37:36 AM |
 |
|
|
MadCow
Honorable But Hopeless Addict
    
Canada
1484 Posts
Status: offline |
Posted - 10/22/2008 : 11:11:36 AM
|
OK guys ... I was successful in performing Windows updates from my WSUS server in the office via a VPN user.
Thanks to all for your support like always. |
|
 |
|
|
arek73
Moderator
    
Poland
4592 Posts
Status: offline |
Posted - 10/22/2008 : 2:18:24 PM
|
Glad it works. So what kind of magic was involved?
---- Arek |
 |
|
|
MadCow
Honorable But Hopeless Addict
    
Canada
1484 Posts
Status: offline |
Posted - 10/23/2008 : 07:05:03 AM
|
Actually not really magic ... just opened ports 443 and 80 inbound pointing to our WSUS.
|
 |
|
|
MadCow
Honorable But Hopeless Addict
    
Canada
1484 Posts
Status: offline |
Posted - 10/24/2008 : 10:20:03 AM
|
Was working fine ... re-imaged the same test notebook and now I VPN into the network ... I can telnet to our WSUS server and WSUS Client Diag also passes ...
but updates are not being pushed and I see this notorious error in the WindowsUpdate.log file:
SelfUpdate Failure Software Synchronization Windows Update Client failed to detect with error 0x80072efd.
From the client I am able to access https://wsuserver/selfupdate/wuident.cab
Advise Please.
Thank you |
|
Edited by - MadCow on 10/24/2008 11:20:24 AM |
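The checks suggested across the thread (is the client pointed at WSUS, is the port reachable over the VPN, does the selfupdate file answer, what does the logged error code mean), gathered into one script as an added example that is not part of any post. It assumes the WSUS URL is delivered by Group Policy into the standard policy registry values and that PowerShell 3.0 or later is available on the client; the function names are made up for this example.

```powershell
# Added example: run on the VPN-connected client. The server comes from policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicy {
    # WUServer/WUStatusServer and AU\UseWUServer are the values Group Policy writes.
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue
    New-Object psobject -Property @{
        WUServer = $wu.WUServer; WUStatusServer = $wu.WUStatusServer
        UseWUServer = $au.UseWUServer
    }
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000) {
    # Same check as "telnet host port", with a timeout instead of a hang.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Convert-WuError([string]$Hex) {
    # Split an HRESULT from WindowsUpdate.log into facility and Win32/WinINet code.
    $value = [Convert]::ToInt64($Hex, 16)
    $facility = ($value -shr 16) -band 0x1FFF
    $code = [int]($value -band 0xFFFF)
    $names = @{ 12002 = 'ERROR_INTERNET_TIMEOUT'
                12007 = 'ERROR_INTERNET_NAME_NOT_RESOLVED'
                12029 = 'ERROR_INTERNET_CANNOT_CONNECT' }
    "{0}: facility {1}, code {2} {3}" -f $Hex, $facility, $code, $names[$code]
}

$policy = Get-WsusPolicy
if (-not $policy.WUServer) { Write-Warning 'No WUServer policy value found.'; return }
$uri = [Uri]$policy.WUServer
"WUServer=$($policy.WUServer) WUStatusServer=$($policy.WUStatusServer) UseWUServer=$($policy.UseWUServer)"
"TCP $($uri.Host):$($uri.Port) reachable: $(Test-TcpPort $uri.Host $uri.Port)"

$probe = $policy.WUServer.TrimEnd('/') + '/selfupdate/wuident.cab'
try {
    $request = [System.Net.WebRequest]::Create($probe)
    $request.Method = 'HEAD'; $request.Timeout = 10000
    $response = $request.GetResponse()
    "HEAD $probe -> $([int]$response.StatusCode)"; $response.Close()
} catch { "HEAD $probe failed: $($_.Exception.Message)" }

Convert-WuError '0x80072efd'   # the code quoted in the last post
```

The script runs as the logged-on user, while the download itself runs as the Automatic Updates service (as noted earlier in the thread), so a pass here narrows the problem rather than proving the service's own path to the server works.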