WSUS

1. What is WSUS?
2. The Architecture Server and Client
3. History
4. The Scale
5. How to use the GPs
6. Requirements
7. Planning
8. Auditing and Security
9. Installation And Configuration

Background

This is the private version of the Microsoft Update service, as they call it. As the name implies, it is used to automatically download updates to Windows systems. The most important task of the service is to distribute updates with efficient use of bandwidth while offering total control to the admins and easing their task. When the service is up, it connects to the Microsoft Update site and, with the approval and the administratively configured priority, does the rest. The best thing is that "this is fully automatic". After the downloading process, the updates are available to Windows systems. The preconfigured Windows Update client then downloads the necessary updates and, if configured properly, installs them. This service can be distributed as required to scale to fit the business level.

The latest WSUS available is WSUS 3.0 with SP1. This is included with Windows Server 2008. It has a variety of services. The most significant improvement is that there is no need to manage it using the web browser. Instead, we can configure it to control and automate which computers receive which updates.

The client component communicates with the server, verifying the digital signature (DS) using the SHA1 hash algorithm, and notifies and installs if configured. It can also restart the PC and install the updates automatically on a schedule, and it can wake a PC from sleep mode if the hardware supports it. (In the earlier operating systems, Windows XP and Windows 2000, this client is known as the Automatic Update Client.)

Designing the Architecture.
When designing, you have to consider the scale of the company.

Organizations with a Single Office
As we discussed earlier, we can use a single WSUS server regardless of the number of client PCs. The design of WSUS is smart because it waits until the network is not busy and it intelligently shares the bandwidth with other systems. AMAZING! So the impact on the network is minimized.

Organizations with Multiple Offices
What happens with a company that has multiple offices? If we use a single server, the updates are distributed over WAN links, and with huge packets flowing through, the overall performance of the link is degraded. To avoid this, we have to configure a WSUS server at each regional office to distribute updates for busy clients. The best practice is to mirror the hierarchy of the WAN.

Scale and Architecture
WSUS can scale to fit and serve anything from small businesses to huge multinational enterprises.

Scalability
Scalability is a vital factor for any organization, so Microsoft considered it when designing WSUS. Say that you have regional offices with more than 10 computers, each with its own IT department. Then you will need a single WSUS server at each regional office and separate servers for IT departments that require control over how updates are approved. The best practice is to back up the server to avoid a failure situation. If a failure occurs, you have to replace the server within a week. Though a failure doesn't affect the users, the server may not be able to deal with the time-critical updates that the systems require.

[Figure: WSUS server hierarchy across the US, UK, Russia, South Africa, India and Sri Lanka offices]

This illustrates the hierarchy, the efficient way to handle updates (without autonomy). In this hierarchy, the one that gets the updates directly from Microsoft is the US server. The others would be configured as replicas. The downstream servers pull the updates from the upstream servers. If an office is located far away, connect it to the nearest WSUS server, or, if it has a fast internet connection, download updates directly from the Microsoft servers.

Organizations with Multiple IT Departments
It is obvious to have the autonomy. You only have to do a simple thing: do not configure servers as replicas. Instead, configure each server as an autonomous system to allow approval and management at each specific server.

Practical And Practice

HOW THE GROUP POLICY ENFORCES WSUS
Group Policy is the best way to distribute the settings. To find these settings:

• Press the Start key, then press R. In the box, type Gpedit.msc.
• Expand Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.

There you can see some properties:

• Specify Intranet Windows Update Location: Specifies a WSUS server to host updates from the Microsoft Update Web sites.
• Configure Automatic Updates: Specifies whether this computer will receive security updates and other important downloads through Windows automatic updating. It can also be configured to prompt users to download or to automate the download task.
• Automatic Update Detection Frequency: Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. By default it is a random time between 17 hours and 22 hours.
• Allow Non-Administrators To Receive Update Notifications: Specifies whether, when logged on, non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. Non-administrators can use the WU client.
• Allow Automatic Updates Immediate Installation: Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.
• Turn On Recommended Updates Via Automatic Updates: Determines whether the client PCs install both recommended and critical updates. This includes driver updates.
• No Auto-Restart For Scheduled Automatic Updates: Specifies that, to complete the installation, the restart should be done by a logged-on user.
• Re-Prompt For Restart With Scheduled Installations: Specifies how often the prompting occurs. Other configurations might delay this, but WUC will prompt the user at the configured frequency.
• Delay Restart For Scheduled Installations: The WUC wait time before restarting.
• Reschedule Automatic Updates Scheduled Installations: The wait time after the system has started before beginning a missed installation. If not specified, it begins a minute after boot.
• Enable Client-Side Targeting: Specifies which group the computer belongs to. This cannot be used with SUS.
• Enable Windows Power Management To Automatically Wake Up The System To Install Scheduled Updates: If the hardware supports it, configuring this option makes the computers start up automatically and install the updates if and only if there is an update available.
• Allow Signed Updates From An Intranet Microsoft Update Service Location: Windows XP SP1 or another OS verifies that the certificate is a signed one, Microsoft or non-Microsoft.

Additionally, there are some more options available in User Configuration. An important one is Remove Access To All Windows Update Features.

Planning The Installation

UPDATE SOURCE
As we discussed earlier, we have to consider the bandwidth issues. If we are about to use a high-speed LAN, it is good to configure one WSUS server to download updates from one of Microsoft's servers and the others to retrieve updates from that server. Or you can configure each server to use the internet to update itself.

APPROVAL AND CONFIGURATION REPLICA
If you are planning to use a hierarchy, you can choose to synchronize approvals, settings, computers and groups from a parent server; this is called a replica. Or you can configure the servers for complete autonomy (if you have more than one IT department).

Update Storage
If you choose to store updates locally, the WSUS server will require at least 6 GB; this will vary depending on the languages. Clients will also reduce bandwidth use by downloading updates across the LAN.

Database
Installations require at least 3 GB for the Windows Internal Database. Typically it is 1 GB.

Website Selection
WSUS requires IIS, because it uses HTTP, or HTTPS if you configured certificates. You can use the default site or you can create one.

Languages and Products Selection
You have to decide on the languages and products that you currently have installed, such as ISA.

Deploying Updates With WSUS
Exercise 1: Install WSUS
1. Download and install WSUS on Dcsrv1 following the instructions at http://www.microsoft.com/WSUS.

To install IIS 7.0 on Windows Server 2008
1. Start the Server Manager (click Start, click Run, and then type CompMgmtLauncher).
2. In the tree view, select Roles, then in the Roles pane click Add Roles.
3. In the Add Roles Wizard, click Select Server Roles, select the Web Service (IIS) check box, click Next, and then click Next again. At this time you may see a message box: Add features required for Web Server (IIS)? Click Add Required Features.
4. In the Select Role Services window, make sure that the following services are selected:
• Common HTTP Features (including Static Content)
• ASP.NET, ISAPI Extensions, and ISAPI Features (under Application Development)
• Windows Authentication (under Security)
• IIS Metabase Compatibility (under Management Tools, expand IIS 6 Management Compatibility)
5. Click Next, and then review your selections.
6. Click Install.

Configuring IIS 7.0
After installing IIS 7.0 on Windows Server 2008, you will need to update the IIS configuration file.
1. Open the IIS configuration file: %WINDIR%\system32\inetsrv\applicationhost.config
2. In the <system.webServer><modules> tag, remove <add name="CustomErrorModule">, if it is present.
3. In the <system.webServer><modules> tag, add <remove name="CustomErrorModule" />.
The resulting tag should look like this:

<system.webServer>
  <modules>
    <remove name="CustomErrorModule" />
  </modules>
</system.webServer>

2. Click Start -> Administrative Tools -> Microsoft Windows Update Service.
3. The Update Console appears.
4. Select the computer Dcsrv1. In the details panel, click Synchronize Now.

2. Configuring Client Computers To Retrieve Updates
• Open the GPO.
• Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
• In the details panel, double-click Specify Intranet Windows Update Location.
• Select Enabled. In both the Set The Intranet Update Service For Detecting Updates box and the Set The Intranet Statistics Server box, type http://Dcsrv1. Click OK.
• Double-click Configure Automatic Updates. The Configure Automatic Updates dialog box appears.
• Select Enabled.

Note: Accessing WSUS on a custom port
If WSUS is using a custom port to communicate with clients, you must use a custom URL to access the WSUS Web service. Use the following instructions to configure WSUS when it is running on port 8530.
• Include a custom port number in the URL directing the client computer to the WSUS server (for example, http://WSUSServerName:portnumber).

Client self-update
WSUS uses IIS to update most client computers automatically to WSUS-compatible Automatic Updates software. To accomplish this, WSUS Setup creates a virtual directory named Selfupdate under the Web site running on port 80 of the WSUS server. This virtual directory, called the self-update tree, contains the WSUS-compatible Automatic Updates software.

Using the WSUS custom Web site
If you configure WSUS on a custom port, you must have a Web site running on port 80. The Web site on port 80 does not have to be dedicated to WSUS. In fact, WSUS uses the site on port 80 only to host the self-update tree. Malicious programs can target port 80 for HTTP traffic. If WSUS is using a custom port, you can temporarily shut down port 80 throughout your network, but still be able to distribute updates to combat malicious programs. If you already have a Web site on the computer where you intend to install WSUS, you should use the setup option for creating a custom Web site. This option puts the WSUS Web site on port 8530. This port is not configurable.

If you change the WSUS port number after WSUS installation, you must manually restart the IIS service.
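
One way to check on a client that the Specify Intranet Windows Update Location policy took effect, and whether the URL uses HTTP or HTTPS and which port it names (an added example, not part of the original document). The registry value names are the standard ones behind these policies and do not appear on the page; the function names and the sample policy are constructed for illustration.

```powershell
# Added example. Reads the registry values that back the WSUS client policies.
function Read-WsusClientPolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    @{
        WUServer                    = $p.WUServer
        WUStatusServer              = $p.WUStatusServer
        AcceptTrustedPublisherCerts = $p.AcceptTrustedPublisherCerts
        UseWUServer                 = $au.UseWUServer
    }
}

# Emits one finding string per issue; the last line names the host and port.
function Test-WsusClientPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    if ($Policy.UseWUServer -ne 1) {
        'UseWUServer is not 1: the intranet update location is not in effect'
    }
    if ([string]::IsNullOrEmpty($Policy.WUServer)) {
        'WUServer is empty: no intranet update service is configured'
        return
    }
    $uri = $null
    if (-not [System.Uri]::TryCreate($Policy.WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
        "WUServer '$($Policy.WUServer)' is not an absolute URL"
        return
    }
    if ($uri.Scheme -ne 'https') {
        "WUServer uses '$($uri.Scheme)': traffic to the WSUS server is not protected by TLS"
    }
    if ($Policy.WUStatusServer -ne $Policy.WUServer) {
        'WUStatusServer differs from WUServer (the exercise sets both to the same URL)'
    }
    if ($Policy.AcceptTrustedPublisherCerts -eq 1) {
        'AcceptTrustedPublisherCerts is 1: updates signed by non-Microsoft trusted publishers are accepted'
    }
    "Client contacts $($uri.Host) on port $($uri.Port)"
}

# Constructed sample mirroring the exercise: http://Dcsrv1 typed into both boxes.
$SamplePolicy = @{
    WUServer = 'http://Dcsrv1'; WUStatusServer = 'http://Dcsrv1'
    UseWUServer = 1; AcceptTrustedPublisherCerts = 0
}
Test-WsusClientPolicy -Policy $SamplePolicy
# On a live client: Test-WsusClientPolicy -Policy (Read-WsusClientPolicy)
```

A URL without an explicit port reports the scheme default (80 for HTTP), so a client pointed at a WSUS site on port 8530 without the port in the URL shows up here as contacting port 80.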
