WSUS: Upstream (DMZ) / Downstream (Internal) Installation - Best Practice

Question

Hello all

I am looking for an understandable enterprise best practice guide for the installation of the scenario described in the title.

I would like to install a WSUS server in the DMZ, which collects the patches from the Internet (Microsoft), but also supplies the servers in the DMZ with updates (own domain) and a WSUS server in an isolated internal network (own domain, no Internet access) which collects the updates from the DMZ server and internally serves two networks with updates (server and client).

How do I set something like this up securely?

Is there a comprehensible best practice guide that illustrates such a scenario and describes how the servers must be configured?

DMZ and internal network must be able to be configured differently in terms of update distribution.

I have attached a graphic for better understanding.

Many thanks for your support

Answer 1

The best practise is to have one WSUS ( upstream ) connect to the internet to download updates as per your options choice.

At the downstram , you will configuire the WSUS to download the update from the WSUS upstream one. this can be done from the option setup.

Be sure to open the required port from the firewall.

You will need to have an OU for servers , workstations that will be getting the update from the WSUS downstream.

Once you identified the OU, Link it in GPO to the WSUS computer group.

You will find these computer groups will apear at the Upstream WSUS server

Now , to approve , decline the update. this will be done from the upstream level.

Hope this will help.