
New to GPOs and have a multi-subnet domain that has site servers with WSUS on them for each subnet. I also have VPN users that go to a different WSUS server. The catch is I need the VPN users to access the site WSUS servers when the users are on-site instead of remote.

I have all the GPOs filtered by subnet using WMI Filtering and that seems to work in my testing. The question is, when applying the GPOs, should I apply all the WSUS GPOs with filtering at the domain level, so that wherever the user is logged in they get the local WSUS, or should I just apply them to the individual OUs, with VPN being the only one at the domain level, or do I add it to each individual OU as well?

Also would I need to use Enforced on either of them?

EDIT: Also, if the user is tied to Site A and then relocates to Site B for a period of time, they want the user to be accessing Site B's WSUS server to minimize WAN traffic.

  • Yes. That's what I'm saying about user A at site B. User A will get an ip address from site B and will "home" to the WSUS server at site B. – joeqwerty Apr 11 '17 at 16:19

1 Answer


Here's what I did for a multinational client:

  1. Make sure that Active Directory Sites and Services is configured for all of your sites.

  2. Make sure you have the appropriate subnets created and associated with the appropriate sites.

  3. Create a WSUS GPO for each site that targets clients in those sites to the local WSUS server.

  4. Link each GPO to the appropriate site.

WSUS clients will then "home" themselves to the local WSUS site based on the subnet to site association.

For your VPN clients, assuming that they'll VPN into each location when needed, they'll also home themselves to the local WSUS server for whatever location they're VPN'ed into.

No need for Security Filtering in the GPOs and no need to link them to anything other than each site. You don't need to Enforce the GPO.

joeqwerty
  • Thanks, but they do not want to have the VPN users accessing the local WSUS as it kills the network bandwidth. Also, if a user from Site A is at Site B, they want them to use Site B's WSUS server while at that location to minimize traffic over the WAN. – user2368621 Apr 11 '17 at 16:13
  • Yes. That's what I'm saying about user A at site B. User A will get an ip address from site B and will "home" to the WSUS server at site B. – joeqwerty Apr 11 '17 at 16:17
  • Also, I don't understand what you're saying about the VPN users. Where does the VPN terminate? Is there a VPN server at each site? Do they want the VPN users to get updates from WSUS at a central site? If a user connects to a VPN at site A where do they want that user to get updates from? Which WSUS server? – joeqwerty Apr 11 '17 at 16:18
  • VPN is its own subnet but the users/computers are tied to different sites. I just checked and that subnet is set up in Sites and Services as well. So I am guessing just treat it like the other sites and create a GPO specific to it and link it there. – user2368621 Apr 11 '17 at 16:26
  • What site is the VPN subnet associated with? That's the site they'll get WSUS updates from. – joeqwerty Apr 11 '17 at 16:28
  • Thanks again for the proper direction on this. Just found this link that explained more to me since I am new to AD as well. VPN is its own site. https://4sysops.com/archives/use-active-directory-sites-to-automatically-assign-the-closest-wsus-server/ – user2368621 Apr 11 '17 at 16:39
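The four steps in the answer (sites, subnet-to-site associations, one WSUS GPO per site, GPO linked at the site), with the VPN address pool treated as its own site as the comments conclude, written out as a PowerShell script. This is an added example, not code from the question, the answer, or the linked article. It uses the RSAT ActiveDirectory and GroupPolicy modules; the site names, CIDR ranges, WSUS hostnames and the HTTPS port 8531 are all assumed placeholders.

```powershell
# Added example (not from the question or answer): per-site WSUS targeting
# via AD Sites and Services plus site-linked GPOs. Run as a domain admin on a
# machine with RSAT. Site names, subnets and WSUS URLs below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Sites live in the forest configuration partition, not under the domain DN.
$configNc = (Get-ADRootDSE).configurationNamingContext

# One entry per physical site; the VPN pool is its own site so VPN clients
# home to the VPN WSUS server rather than to a site's server over the WAN.
$sites = @(
    @{ Name = 'SiteA'; Subnets = @('10.1.0.0/16');   Wsus = 'https://wsus-a.corp.example:8531' },
    @{ Name = 'SiteB'; Subnets = @('10.2.0.0/16');   Wsus = 'https://wsus-b.corp.example:8531' },
    @{ Name = 'VPN';   Subnets = @('10.200.0.0/16'); Wsus = 'https://wsus-vpn.corp.example:8531' }
)

$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

foreach ($s in $sites) {
    # Step 1: the site object (skip if it already exists).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
        New-ADReplicationSite -Name $s.Name
    }

    # Step 2: subnet -> site association. This is what decides which site a
    # roaming machine (user A plugged in at site B) is considered part of.
    foreach ($cidr in $s.Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $s.Name
        }
    }

    # Step 3: a computer-side GPO carrying the WSUS policy registry values.
    $gpoName = "WSUS-$($s.Name)"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName -Comment "Points $($s.Name) clients at the local WSUS server" | Out-Null
    }
    Set-GPRegistryValue -Name $gpoName -Key $wuKey      -ValueName 'WUServer'       -Type String -Value $s.Wsus | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $wuKey      -ValueName 'WUStatusServer' -Type String -Value $s.Wsus | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key "$wuKey\AU" -ValueName 'UseWUServer'    -Type DWord  -Value 1      | Out-Null

    # Step 4: link the GPO to the site only. No domain/OU link, no security
    # filtering, no WMI filter and no Enforced flag are needed.
    $siteDn = "CN=$($s.Name),CN=Sites,$configNc"
    $alreadyLinked = (Get-GPInheritance -Target $siteDn).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $alreadyLinked) {
        New-GPLink -Name $gpoName -Target $siteDn -LinkEnabled Yes | Out-Null
    }
}

# Check from a client after 'gpupdate /force': which site did the machine land
# in (derived from its current IP), and which WSUS URL did policy apply?
$clientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$applied = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue
"Site: {0}  WUServer: {1}" -f $clientSite, $applied.WUServer
```

Because site membership is computed per machine from its current IP address, a laptop moved from Site A to Site B picks up the Site B link at the next policy refresh with no per-user or per-OU logic, and a VPN client gets the VPN site's GPO because its tunnel address falls in the VPN subnet. The example uses HTTPS URLs for the WSUS servers; clients fetching policy-driven update locations over plain HTTP is widely discouraged, so keep the WUServer values on an HTTPS endpoint if your WSUS servers are configured for it.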