Public facing WSUS – best practices

windows-server-2019, wsus

At the moment people from the company, who use company laptops at home, need to be connected via VPN to have Windows Update not throw errors, since the WSUS server is only for internal use.

I know it's possible to make WSUS public-facing; given it's, essentially, an IIS website, this is relatively simple (and should, hopefully, work with our firewall which offers a reverse-proxy).

However, there are some things I'm not sure of, and I was hoping someone could clarify them:

  • I've read that it's recommended to create a replica downstream server, and make THAT public-facing. Why?
  • Are replica servers still recommended if I have a firewall capable of creating a secure reverse-proxy for local websites?
  • Our main WSUS uses a regular SQL database (WSUS databases are notoriously annoying to manage and I can't imagine doing maintenance on them using only the "Windows Internal Database"). Is the same true for replica WSUS servers?
  • From what I can tell WSUS doesn't have any sort of "security", i.e. any computer which can access the DNS / IP and port of the WSUS server can use the service. How does this relate to, for example, setting up computers and computer groups in WSUS? I see nothing preventing someone from spamming a public-facing WSUS server with bogus computer information.
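As an added example (not part of the question, and not the asker's configuration), this is how a company laptop would be pointed at a public-facing WSUS endpoint over HTTPS, with client-side targeting disabled so that the laptop cannot pick its own computer group. The host name `wsus.example.com` and the port 8531 are assumptions; the registry values are the ones the Windows Update Group Policy settings write, so the same values can be delivered by GPO instead of a script.

```powershell
# Added example, not from the original post. Points the Windows Update agent at a
# public-facing WSUS URL over HTTPS and removes any client-side TargetGroup so the
# client cannot choose its own WSUS computer group. Host name and port are assumptions.
# Run elevated on the client.

$WsusUrl = 'https://wsus.example.com:8531'   # assumed public FQDN and WSUS SSL port

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
New-Item -Path $wuKey -Force | Out-Null
New-Item -Path $auKey -Force | Out-Null

# Both the update endpoint and the status (reporting) endpoint use the same URL.
Set-ItemProperty -Path $wuKey -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wuKey -Name 'WUStatusServer' -Value $WsusUrl -Type String
Set-ItemProperty -Path $auKey -Name 'UseWUServer'    -Value 1        -Type DWord

# Server-side targeting: with no TargetGroup on the client, group membership is
# assigned in the WSUS console. With client-side targeting enabled, any machine
# that can reach the server could register itself into whatever group it names.
Remove-ItemProperty -Path $wuKey -Name 'TargetGroupEnabled' -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $wuKey -Name 'TargetGroup'        -ErrorAction SilentlyContinue

# An HTTPS URL only helps if the client trusts the server certificate chain.
# Validate it from the client before forcing a detection cycle.
$uri = [Uri]$WsusUrl
$tcp = New-Object Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($uri.Host)   # throws if the chain or the name does not validate
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Server certificate: $($cert.Subject), expires $($cert.NotAfter)"
$ssl.Dispose(); $tcp.Dispose()

# Kick off detection so the client registers and reports, then read back the policy.
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer
```

Note that none of this authenticates the client to WSUS: any machine that can reach the URL and trusts the certificate can register and report. Disabling client-side targeting only stops a client from choosing its group; it does not stop it from showing up in "Unassigned Computers".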

Best Answer

My answers in order:

1) I would say that you create a replica downstream because it's easier to rebuild.

2) I would still use a replica if you are relying on a firewall to allow access to anyone from the internet to your WSUS server.

3) In my experience, the replicas are easier to manage, I can't remember if I used to do maintenance on them or only on the primary, sorry. I think it may have just been the wsus cleanup wizard.

4) Not sure about your question about spamming your server with bogus information, again, I would not expose this server to the internet.

I would consider staying with your VPN server to allow your remote computers to access your WSUS server. If you are trying to limit VPN access, especially to your internal network, perhaps use a separate, firewalled network, and allow access through that firewall to a replica server.

Some VPN solutions also offer ways to allow access to certain websites, so you're still limiting access to your server to authenticated users. I would probably prefer, though, to only allow access to a replica server in a DMZ.
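As an added example (not part of the answer above, and not the answerer's setup), this is the DMZ replica the answer recommends, configured from PowerShell on a freshly installed WSUS server: it syncs as a replica from the internal upstream, serves clients only over HTTPS, opens only that port on the host, and verifies the result before the perimeter firewall is opened. The host names `wsus-internal.corp.example` and `wsus.example.com` and the port 8531 are assumptions; the cmdlets are from the UpdateServices module that ships with the WSUS role.

```powershell
# Added example, not from the original answer. Turns a DMZ WSUS server into a
# replica of the internal upstream, requires SSL for clients and opens only the
# HTTPS port. Host names and the port are assumptions. Run elevated on the DMZ
# server after the WSUS role and its post-installation task have completed.

$Upstream   = 'wsus-internal.corp.example'   # assumed internal upstream WSUS
$PublicFqdn = 'wsus.example.com'             # assumed public name on the replica's certificate
$SslPort    = 8531                           # WSUS default HTTPS port

# 1) Replica mode: approvals, computer groups and update metadata are inherited
#    from the upstream, so nothing is administered on the exposed server itself.
Set-WsusServerSynchronization -UssServerName $Upstream -PortNumber $SslPort -UseSsl -Replica

# 2) Require SSL on the WSUS web services. A certificate for $PublicFqdn must
#    already be bound to the "WSUS Administration" site in IIS on port $SslPort.
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $PublicFqdn

# 3) Host firewall: allow inbound only on the HTTPS port; 8530 stays closed.
New-NetFirewallRule -DisplayName 'WSUS HTTPS' -Direction Inbound -Protocol TCP `
    -LocalPort $SslPort -Action Allow | Out-Null

# 4) Verify what was actually configured before exposing the server.
$cfg = (Get-WsusServer).GetConfiguration()
[pscustomobject]@{
    IsReplica    = $cfg.IsReplicaServer
    Upstream     = $cfg.UpstreamWsusServerName
    UpstreamPort = $cfg.UpstreamWsusServerPortNumber
    UpstreamSsl  = $cfg.UpstreamWsusServerUseSsl
}

# 5) Pull the first copy of the upstream's metadata and approvals, and wait for it.
$sub = (Get-WsusServer).GetSubscription()
$sub.StartSynchronization()
do { Start-Sleep -Seconds 30 } while ($sub.GetSynchronizationStatus() -ne 'NotProcessing')
$sub.GetLastSynchronizationInfo() | Select-Object StartTime, EndTime, Result
```

The perimeter rules then only need to permit the internet to reach the replica on TCP 8531, and the replica to reach the upstream on TCP 8531; the internal WSUS server is never reachable from outside. Because the replica carries no approvals of its own, it can be rebuilt from scratch and re-pointed at the upstream with the same commands, which is the "easier to rebuild" property the answer refers to.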