WSUS and VPN
Is there an easy way to prevent updates being pushed through a VPN tunnel?
I have a few people who VPN in, and I've finally managed to get WSUS up and running after it was 6 months out of action (previous techies had not managed to get it running).
However, with so many updates being approved, I don't want those who VPN in to get flooded. I know that it'll use BITS, but it still could be a couple of hundred meg being pushed out.
Thanks in advance!
As far as I'm aware, no, you can't, other than moving those computer accounts (in WSUS) to a group which doesn't have any updates approved.
The whole purpose of VPN is to fool the device into thinking you're on site connected to the domain.
The only thing you can really do here is either move the hosts that are using the VPN to connect into a different group and not approve any patches etc. (as above), or move the hosts that VPN in into a different OU and not apply the WSUS server policies to that GPO\OU.
The idea behind the VPN is that the host has a presence on the LAN, which means that domain policies will be applied if the host is connected to the domain.
I figured that was the case.
Thanks fellas :)
You can set the WSUS server to not offer the downloading of the updates (just manage their approval), so the client would download the updates directly from M$. If your VPN doesn't redirect the web traffic, this should unbung the tunnel.
Depending on the VPN tech you are using it might be possible to put in place a block rule to prevent the clients from talking to your WSUS server.
Microsoft Direct Access could do something similar as well by telling the clients to look at the wrong DNS server.
You could create a firewall rule on the WSUS server to deny traffic from a given IP range (if your VPN clients are given a specific range, that is).
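The firewall-rule approach above, as an added example that is not from the thread: a PowerShell function run on the WSUS server itself that creates an inbound block rule for the VPN client range on the WSUS client ports and then reads the rule back to confirm it. The subnet 10.200.0.0/24 is a placeholder for your VPN pool, and 8530/8531 are the WSUS defaults (use 80/443 if your server still listens there); the NetSecurity cmdlets need Server 2012 / Windows 8 or later.

```powershell
# Added example (not from the original thread). Run elevated on the WSUS server.
# Creates (idempotently) an inbound block rule so that clients in the VPN address
# range cannot reach the WSUS client ports, then verifies what was written.
# Block rules win over allow rules in Windows Firewall, so existing WSUS allow
# rules do not need to be touched.
function Block-WsusFromVpnRange {
    param(
        [Parameter(Mandatory)] [string]$VpnRange,                 # e.g. "10.200.0.0/24" (placeholder)
        [int[]]$WsusPorts = @(8530, 8531),                         # WSUS HTTP/HTTPS defaults
        [string]$RuleName = "WSUS - Block VPN client range"
    )

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName $RuleName `
            -Description "Stop VPN clients pulling WSUS content through the tunnel" `
            -Direction Inbound -Action Block -Protocol TCP `
            -LocalPort $WsusPorts -RemoteAddress $VpnRange `
            -Profile Any -Enabled True
    }

    # Read the rule back so the caller can see exactly what is enforced.
    $addr = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule
    $port = Get-NetFirewallPortFilter    -AssociatedNetFirewallRule $rule
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Action        = $rule.Action
        RemoteAddress = $addr.RemoteAddress
        LocalPort     = $port.LocalPort
    }
}

# Placeholder VPN pool; substitute the range your VPN concentrator hands out.
Block-WsusFromVpnRange -VpnRange "10.200.0.0/24"
```

Because the block is by source address, it only helps if the VPN pool is a fixed range; clients that also sit on the LAN when in the office are unaffected there and simply get their updates once they are back on site.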
The typical way in which WSUS is implemented for supporting VPN clients is to deploy an additional replica server WITHOUT a local content store. (i.e. Updates, Groups, and Update Approvals only). Because there are no files on the replica WSUS server, the VPN clients will download those files direct from Microsoft (but still get approvals from the central management server). More notably, the clients will continue to get those updates, and install them, even if they do not remain connected to the VPN -- the files will be downloaded over the regular Internet connection.
Originally Posted by aerospacemango
In addition to this implementation, using a separate target group for those VPN clients, as Michael has suggested, is also a good idea. In this way you can also control the timing of the deployment of those updates. (e.g. Maybe you want to focus only on High-Priority Security Updates during the week after Patch Tuesday, then do Critical Updates in the 2nd week after Patch Tuesday, and defer all non-critical/non-security updates to the 3rd week after Patch Tuesday -- which is also when Microsoft typically releases those non-critical/non-security updates.)