SUS and off-network notebook users: repoint WUpdate somehow?

  • Thread starter Thread starter Scott Marquardt
  • Start date Start date
S

Scott Marquardt

We have a group policy that points users to our SUS source. However, when
notebook users leave the network and go home, they're not able to connect
to Microsoft's WUpdate source, because of the persistence of the policy.

What's the best practice for resolving this, so that off-network machines
covered by such policies will repoint to Microsoft for updates? The RPC
vulnerability is an obvious reminder that it's not sane to just rely on
"whenever they happen to get back on the network" for updates to be
available.

- Scott
 
That's a great question, unfortunately I have just set up our SUS Server and
don't know the solution to your problem. I do however have a question, when
you configure your GPO to point at the internal server, is the URL just
http://servername or do you use the path to the virtual directory ?
 
If your laptop are going to be offline more often than connected to the
office I would recommend configuring a separate GPO that specifies for them
to download and either prompt for or schedule the install but don't point
them to your internal SUS, just leave that second part of the policy
unchanged.
 
Daniel said:
If your laptop are going to be offline more often than connected to the
office I would recommend configuring a separate GPO that specifies for them
to download and either prompt for or schedule the install but don't point
them to your internal SUS, just leave that second part of the policy
unchanged.

Not a bad idea. Not the happiest, but not bad at all.

I wish there was a policy for "hey, when this machine is not getting the
policy fresh from the server, do this" -- where "do this" could be, wonder
to relate, another GP object. Something like that. Oh well.

Thanks for the reply.
 
I also wish SUS had more flexibility, BUT...

I think you'll have to train your users to go to the windowsupdate website
and download/install patches on their own volition when not attached to the
corporate network. The GPO persistence will disable the automatic updates,
but they should still be able to update manually (if they have local admin
access).

\\ MadDHatteR
 
MadDHatteR said:
I also wish SUS had more flexibility, BUT...

I think you'll have to train your users to go to the windowsupdate website
and download/install patches on their own volition when not attached to the
corporate network. The GPO persistence will disable the automatic updates,
but they should still be able to update manually (if they have local admin
access).

\\ MadDHatteR

Interestingly, no. The WUpdate site breaks on machines that inherit a
policy that points to a local SUS service.

Seems dumb, but there you have it. The only way to ensure that such
machines are protected (read: receive Wupdates immediately when they're
issued), then, is to be sure that they don't inherit a policy that repoints
Wupdate. Which is unfortunate, since it means we can't use SUS uniformly
across the enterprise (the way we have it set up, we're happy with it for
all our servers, too).

Notebooks sure can be a pain.

- Scott
 
Have you tried an IPSEC firewall policy that restricts file and printer
sharing ports to the corporate network? That would help a lot, by
clamping a lot of ports when the users take the notebooks home.
 
Interestingly, no. The WUpdate site breaks on machines that inherit a
policy that points to a local SUS service.

Scott --

I verified this today on our computers (XP, by the way) -- we have all of
them pointed to an internal SUS server, and I (as a domain admin) can still
use the Windows Update website to manually update them any time I need. One
of our junior admins (a local, not domain, admin) said he could also
manually update the computers as needed. I can only imagine that you are
unecessarily disabling something in your GP.

Here's how we're configured:
Configure Automatic Updates: Enabled
Auto-download and schedule install for Every Mon @ 2am
Specify Intranet Microsoft Update Service Location: Enabled
HTTP://ILGDOR
Reschedule Automatic Updates scheduled installations: Not Configured
No auto-restart for scheduled Auto-update installations: Not Configured

Make sure you haven't disabled access to Windows Update in the user
configuration part of your GPOs.

\\ MadDHatteR
 
That's actually a very good idea. Having a fallback setting that
makes the SUS client connect directly to MS if the internal
SUS server isn't available would be very useful.

Perhaps MS should consider adding something like this to the
next version of SUS? Of course there are some problems,
such as the client downloading updates from MS that aren't
approved on the internal server. Still, I think having the option
would help more than it would hurt.

Regards,
Mattias
 
Back
Top