This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 12%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Hello,
I have a question regarding a WSUS setup.
Is it possible for a WSUS server to have two upstream servers for two different purposes?
The idea is to have a WSUS (branch) instance which fetches the approval for updates from one source (internal),
but the actual content/updates from another one that is external (even the Internet).
Something like this.
WSUS (approvals) WSUS (content)
Internal External/Public
| |
| |
| |
>--------------------<
|
WSUS
branch
|
|
Targets
My humble research resulted in having the option "Do not update files locally; computers install from Microsoft Update" activated on the approval WSUS server.
And then have a GPO for the branch WSUS which points to the exact location. However, my concern is that this setting is for the actual targets but not for the downstream WSUS instance.
I would highly appreciate any help or possible solution on this topic!
I would venture to re-organize the flow. Single Upstream with full content, downstream replica in the DMZ, branch office either replica with storing updates or without storing updates and an alternative download server of the DMZ or not.
Why are you looking for this flow?
Thanks for the answer!
The problem is that the flow is "fixed" and cannot be re-organized.
The reason is a complex mixture of mainly contracts constraints and technical limitations.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 24%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERH%3C/text%3E%3C/svg%3E)
Hi SvetlomirPetrov-9368,
Thanks for your posting on Q&A.
What is the purpose of the above? In my opinion, a WSUS server could not have two upstream servers. But an upstream can have multiple downstream WSUS servers.
And the option "Do not update files locally; computers install from Microsoft Update" are used for computers which means that the WSUS Server approves updates for the clients and the clients get updates from the Internet. The WSUS doesn't store updates locally.
Reference picture:
Regards,
Rita
If the response is helpful, please click "Accept Answer" and upvote it.
This was my guess too.
Just to confirm this setting must be set on the "approval/Internal" WSUS server.
Then the branch WSUS will see only the approved updates and download them from Microsoft.
Correct?
Hi SvetlomirPetrov-9368,
Thanks for your response.
Please allow me to explain here the relevant files about WSUS approving updates to clients.
1. Metadata
2. Binary update file
The updates shown in the WSUS console are metadata. Here is a related picture about metadata for your reference:
The Binary update file will be download after approving and it will store in the wsuscontent folder.
In my opinion, if we check the option- Do not store update files locally; computer install from Microsoft Update, the downstream WSUS server will sync metadata and get the Binary update file from Microsoft Update in Autonomous mode.
Regards,
Rita
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.