
I am trying to find out if this scenario is possible. Here is the situation:

We have several remote sites that can have their own WSUS server and force the clients to connect via the subnet they are on. We also have lots of remote or field users that often never come into the office but do VPN in.

I want my in-office people to get their updates from WSUS, and my field/remote users to get updates from WU. If for some reason my field/remote users are in the office, I'd like them to hit the WSUS server. Can someone point me in the right direction?

We're running Server 2008 R2 and would like to achieve this via Group Policy if possible.

HopelessN00b
Kyle G
  • Why not use a central WSUS server to simply control the updates but have the users download them from the Microsoft servers? – TheCleaner Mar 23 '15 at 13:54
  • We are trying to stop all our internal users from killing the bandwidth of our inner office by downloading from WU. That is the issue we are trying to fix. We have very limited bandwidth =/ – Kyle G Mar 23 '15 at 13:57
  • Gotcha. See here: http://serverfault.com/questions/331712/use-wsus-when-local-mu-when-remote-but-still-report-to-wsus?rq=1 – TheCleaner Mar 23 '15 at 14:01
  • Super awesome!! I have searched and searched for this as it was my original idea but couldn't find anyone confirming it would work. Thanks a bunch! – Kyle G Mar 23 '15 at 14:03
  • The suggested link could be made to work with n+1 WSUS where n is the number of sites. All but one are set to cache the files, the other set so the clients will download from WU. Once you have this, you follow the Appendix D link and set the last WSUS in a specific site for the VPN users. This should give you the desired state. – Stoinov Mar 24 '15 at 19:44
  • Ya, I think we are going to go this route and see how it works. Thanks for the replies everyone! – Kyle G Mar 25 '15 at 12:08

1 Answer


The bit about having remote users contact Windows Update might require a bit of effort, depending on how your VPN is set up, but the rest is very possible. It's pretty easy to use GPOs to assign different WSUS servers to clients at different AD sites, and AD sites are defined by subnet. So assuming that's all configured properly, this is a fairly simple task. Basically, you just create a GPO for each site to define the appropriate WSUS server, and link it to the appropriate OU.

As to your VPN users, that depends on how the VPN is configured, and if VPN users have their own site or OU in Active Directory. If not, it may be worth considering setting one up for your VPN users to make this easier to accomplish.

HopelessN00b
  • Ya, that's the issue, our OUs aren't configured to filter out field users as they often change. The internal users are easy, it's when people go in and out of the office that I'm having a problem with. I think TheCleaner answered my question, I am going to explore that route – Kyle G Mar 23 '15 at 14:06
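
One way to script the per-site GPOs described in the answer above, as an added example that is not part of the original thread. It uses the GroupPolicy PowerShell module and links each GPO to the AD site object rather than an OU, so the policy follows the subnet a machine is currently on; the site names, domain and WSUS URLs are constructed placeholders.

```powershell
# Added example, not from the thread. Site names, the example.com domain
# and the WSUS URLs below are constructed placeholders.
Import-Module GroupPolicy

# AD site name -> WSUS server that clients on that site's subnets should use.
$siteWsus = @{
    'HQ'      = 'http://wsus-hq.example.com:8530'
    'Branch1' = 'http://wsus-br1.example.com:8530'
}

# Registry-based policy locations read by the Windows Update client.
$wuKey   = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = "$wuKey\AU"
$sitesDn = 'CN=Sites,CN=Configuration,DC=example,DC=com'

foreach ($site in $siteWsus.Keys) {
    $gpoName = "WSUS - $site"
    $url     = $siteWsus[$site]

    # Create the GPO only if it does not already exist, so the script can be re-run.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment "Points clients in site $site at $url"
    }

    # Update source and reporting server, then switch the client to use them.
    Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUServer' `
        -Type String -Value $url | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUStatusServer' `
        -Type String -Value $url | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'UseWUServer' `
        -Type DWord -Value 1 | Out-Null

    # Link to the site object. New-GPLink errors if the link already exists,
    # so failures here are reported as warnings instead of stopping the loop.
    try {
        New-GPLink -Name $gpoName -Target "CN=$site,$sitesDn" `
            -LinkEnabled Yes -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Link for '$gpoName' not created: $($_.Exception.Message)"
    }
}

# A site with no such GPO linked (for example a dedicated VPN site) leaves
# these policy values unset, so clients there use Windows Update directly.
```

On a client, `gpresult /r` shows which of these GPOs applied, and the `WUServer` value under the policy key shows the update source currently in effect.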