At the moment people from the company, who use company laptops at home, need to be connected via VPN to have Windows Update not throw errors, since the WSUS server is only for internal use.
I know it's possible to make WSUS public-facing; given it's, essentially, an IIS website, this is relatively simple (and should, hopefully, work with our firewall which offers a reverse-proxy).
However, there are some things I'm not sure of, and I was hoping someone could clarify them:
- I've read that it's recommended to create a replica downstream server, and make THAT public-facing. Why?
- Are replica servers still recommended if I have a firewall capable of creating a secure reverse-proxy for local websites?
- Our main WSUS uses a regular SQL database (WSUS databases are notoriously annoying to manage and I can't imagine doing maintenance on them using only the "Windows Internal Database"). Is the same true for replica WSUS servers?
- From what I can tell WSUS doesn't have any sort of "security", i.e. any computer which can access the DNS / IP and port of the WSUS server can use the service. How does this relate to, for example, setting up computers and computer groups in WSUS? I see nothing preventing someone from spamming a public-facing WSUS server with bogus computer information.