  1. #1

    aerospacemango

    WSUS and VPN

    Afternoon all,

    Is there an easy way to prevent updates being pushed through a VPN tunnel?

    I have a few people who VPN in, and I've finally managed to get WSUS up and running, after it was 6 months out of action (previous techies had not managed to get it running).

    However, with so many updates being approved, I don't want those who VPN in to get flooded. I know that it'll use BITS but it still could be a couple of hundred meg being pushed out.

    Thanks in advance!

  2. #2

    Michael
    As far as I'm aware, no, you can't, other than moving those computer accounts (in WSUS) to a group which doesn't have any updates approved.

    The whole purpose of VPN is to fool the device into thinking you're on site connected to the domain.

  3. Thanks to Michael from:

    aerospacemango (3rd July 2013)

  4. #3
    MattRVBC
    The only thing you can really do here is either move the hosts that are using the VPN to connect into a different group and not approve any patches etc. (as above), or move the hosts that VPN in into a different OU and not apply the WSUS server policies to the GPO\OU.

    The idea behind the VPN is that the host has a presence on the LAN, this means that domain policies will be applied if the host is connected to the domain.

  5. Thanks to MattRVBC from:

    aerospacemango (3rd July 2013)

  6. #4

    aerospacemango
    I figured that was the case.

    Thanks fellas

  7. #5
    chazzy2501
    You can set the WSUS server to not offer the downloading of the updates (just manage their approval) so the client would download the updates directly from M$. If your VPN doesn't redirect the web traffic this should unbung the tunnel.

  8. Thanks to chazzy2501 from:

    aerospacemango (3rd July 2013)

  9. #6
    jamesfed
    Depending on the VPN tech you are using it might be possible to put in place a block rule to prevent the clients from talking to your WSUS server.

    Microsoft Direct Access could do something similar as well by telling the clients to look at the wrong DNS server.

  10. Thanks to jamesfed from:

    aerospacemango (3rd July 2013)

  11. #7
    chazzy2501
    You could create a firewall rule on the WSUS server to deny traffic from a given IP range. (if your VPN clients are given a specific range that is

  12. #8

    Originally posted by aerospacemango:
        "However, with so many updates being approved, I don't want those who VPN in to get flooded. I know that it'll use BITS but it still could be a couple of hundred meg being pushed out."

    The typical way in which WSUS is implemented for supporting VPN clients is to deploy an additional replica server WITHOUT a local content store. (i.e. Updates, Groups, and Update Approvals only). Because there are no files on the replica WSUS server, the VPN clients will download those files direct from Microsoft (but still get approvals from the central management server). More notably, the clients will continue to get those updates, and install them, even if they do not remain connected to the VPN -- the files will be downloaded over the regular Internet connection.

    In addition to this implementation, using a separate target group for those VPN clients, as Michael has suggested, is also a good idea. In this way you can also control the when regarding the deployment of those updates. (e.g. Maybe you want to focus only on High-Priority Security Updates during the week after Patch Tuesday, then do Critical Updates in the 2nd week after Patch Tuesday, and defer all non-critical/non-security updates to the 3rd week after Patch Tuesday -- which is also when Microsoft typically releases those non-critical/non-security updates.)

  13. Thanks to LawrenceGarvin from:

    aerospacemango (16th July 2013)
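
Added example, not part of the original thread or any poster's own script: one way to set up the replica without a local content store described in post #8, using the UpdateServices PowerShell module on Windows Server 2012 or later. The upstream server name and port are placeholders, and the VPN clients are assumed to be pointed at this replica by their Windows Update policy.

```powershell
# Run in an elevated session on the replica WSUS server.
# Placeholder values: replace with your own central (upstream) WSUS server.
$upstreamName = 'wsus-central.example.internal'   # assumed name, not from the thread
$upstreamPort = 8530                               # default WSUS HTTP port on Server 2012+

$wsus = Get-WsusServer

# Make this server a replica of the central server, so updates, computer
# groups and approvals are inherited from upstream and not managed here.
Set-WsusServerSynchronization -UpdateServer $wsus `
    -UssServerName $upstreamName `
    -PortNumber $upstreamPort `
    -Replica

# Do not store update files on this server. Clients still receive their
# approvals from WSUS, but fetch the files from Microsoft Update, so the
# download does not cross the VPN tunnel when web traffic is not routed
# through it.
$config = $wsus.GetConfiguration()
$config.HostBinariesOnMicrosoftUpdate = $true
$config.Save()

# Read the settings back from the server to confirm they were applied.
$check = (Get-WsusServer).GetConfiguration()
[pscustomobject]@{
    IsReplicaServer               = $check.IsReplicaServer
    UpstreamWsusServerName        = $check.UpstreamWsusServerName
    UpstreamWsusServerPortNumber  = $check.UpstreamWsusServerPortNumber
    SyncFromMicrosoftUpdate       = $check.SyncFromMicrosoftUpdate
    HostBinariesOnMicrosoftUpdate = $check.HostBinariesOnMicrosoftUpdate
}
```

Expected read-back: `IsReplicaServer` and `HostBinariesOnMicrosoftUpdate` are `True`, and `SyncFromMicrosoftUpdate` is `False`.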
