WSUS server deployment scenarios

Source: Internet
Author: User

WSUS servers can be deployed in the following three scenarios:

1. Single WSUS server environment

This is the most common WSUS deployment scenario, as shown in the figure.

A single WSUS server is deployed in the enterprise network. The WSUS server connects to Microsoft Update to obtain updates; this process is called synchronization. During synchronization, WSUS checks whether Microsoft Update has new updates and downloads them. On the first synchronization, WSUS downloads all updates that the local settings require.

WSUS servers use HTTP (TCP 80) and HTTPS (TCP 443) to obtain updates from Microsoft Update. If the enterprise has a firewall between its internal and external networks, the firewall must allow access from the WSUS server to the Microsoft Update sites. The required access rules are as follows:

Allow HTTP/HTTPS access from the WSUS server to the following Web sites:

• http://windowsupdate.microsoft.com
• http://*.windowsupdate.microsoft.com
• https://*.windowsupdate.microsoft.com
• http://*.update.microsoft.com
• https://*.update.microsoft.com
• http://*.windowsupdate.com
• http://download.windowsupdate.com
• http://download.microsoft.com
• http://*.download.windowsupdate.com
• http://wustat.windows.com
• http://ntservicepack.microsoft.com

WSUS works together with IIS to host a Web site that distributes updates. You can configure the WSUS Web site to share the default Web site (TCP port 80) or to use another port to serve client computers. If you do not select the default Web site when installing WSUS, WSUS creates a custom Web site that listens for HTTP connections on TCP port 8530. We recommend using the default Web site.

The WSUS server requires the WSUS client to be running on each client computer. The WSUS client runs on Windows 2000 (SP3 or later), Windows XP and Windows Server 2003; in other words, client computers running these operating systems can obtain updates from a WSUS server. Windows XP SP2 and Windows Server 2003 SP1 have the WSUS client built in. On the other supported operating systems, apart from Windows XP with no service pack installed, the built-in Automatic Updates component can self-update, so the self-update package provided by WSUS upgrades it to the WSUS client automatically. On Windows XP without a service pack, you must first install the SUS client and then use it to self-update to the WSUS client.

Because the Automatic Updates component on the client computer can only self-update over TCP port 80, if you install WSUS on a custom Web site rather than the default one, you must also create a virtual directory named Selfupdate in the Web site that listens on TCP port 80, so that it can serve the self-update package to client computers. Otherwise, computers without the WSUS client cannot self-update and therefore cannot obtain updates from the WSUS server.

WSUS lets you organize client computers into computer groups. There are two built-in groups: All Computers and Unassigned Computers. By default, when a client computer first contacts the WSUS server it is added to both groups. You can create your own computer groups and move client computers into them from Unassigned Computers, but you cannot move a client computer out of All Computers. This is because the All Computers group lets you apply updates to every client computer, while separate computer groups let you apply different updates to different sets of client computers.

One advantage of computer groups is that they make it easy to test updates. For example, for an important update you can create a computer group named Test Group that contains a small number of client computers and apply the update to that group only. Once the update has been applied there successfully, you apply it to another computer group or to All Computers.

Note: Do not use WSUS to distribute unauthorized updates to client computers. This is forbidden by the WSUS license agreement.

2. Chained WSUS server environment

A WSUS server can obtain updates not only from Windows Update but also from another WSUS server. When the enterprise network is large, one WSUS server may not meet your needs. In that case you can link multiple WSUS servers in a chain, as shown in the figure, with one WSUS server acting as the upstream server and another as the downstream server.

A chained WSUS structure can serve the different regions of an enterprise network, or meet the update requirements that arise as the network grows. There is no limit on the number of levels in a WSUS chain, but because each level adds latency to update delivery, we recommend a chain of no more than three levels. The upstream server must not be configured to synchronize from its downstream server; otherwise WSUS cannot operate normally.

In a chained deployment, the downstream WSUS server inherits the advanced synchronization options of the upstream WSUS server, and you cannot modify these options on the downstream server. By default, the upstream WSUS server synchronizes only update metadata and update files to the downstream server, not other information such as computer groups and update approvals. If you want the upstream server to synchronize computer groups and approvals to the downstream server as well, the downstream server must be configured as a replica server in centralized management mode; for details, see the later section on selecting a management mode.
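The replica configuration described above, as an added PowerShell example that is not from the original article: it uses the UpdateServices module installed with the WSUS role (Windows Server 2012 and later) and the WSUS administration API, and assumes a placeholder upstream host name and the port 8530 custom Web site.

```powershell
# Added example (not part of the original article): configure the local WSUS
# server as a downstream replica of an upstream server, verify the stored
# configuration, then run a synchronization against the upstream server.
Import-Module UpdateServices

$UpstreamServer = 'wsus-upstream.corp.example'   # assumption: upstream server name
$UpstreamPort   = 8530                           # assumption: custom WSUS Web site port
                                                 # (use 80 when it runs on the default site)

# Connect to the WSUS server on this machine (the downstream server).
$wsus = Get-WsusServer

# Switch synchronization from Microsoft Update to the upstream server.
# -Replica makes this a replica server: computer groups and approvals are
# inherited from upstream and cannot be changed locally. Omit it for an
# autonomous downstream server, which inherits only update metadata and files.
Set-WsusServerSynchronization -UpdateServer $wsus `
    -UssServerName $UpstreamServer -PortNumber $UpstreamPort -Replica

# Read the configuration back rather than trusting that the command succeeded.
$cfg = $wsus.GetConfiguration()
[pscustomobject]@{
    SyncFromMicrosoftUpdate = $cfg.SyncFromMicrosoftUpdate
    UpstreamServer          = $cfg.UpstreamWsusServerName
    UpstreamPort            = $cfg.UpstreamWsusServerPortNumber
    UseSsl                  = $cfg.UpstreamWsusServerUseSsl
    IsReplica               = $cfg.IsReplicaServer
} | Format-List

# Start a synchronization and wait until the server is idle again.
$sub = $wsus.GetSubscription()
$sub.StartSynchronization()
do {
    Start-Sleep -Seconds 30
} while ($sub.GetSynchronizationStatus() -ne 'NotProcessing')

# Result reads 'Succeeded' when the downstream server pulled from upstream.
$sub.GetLastSynchronizationInfo() | Select-Object StartTime, EndTime, Result
```

Run it in an elevated PowerShell session on the downstream server; approvals made on the upstream server appear locally after the first successful synchronization.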

3. WSUS server environment disconnected from the Internet

The WSUS server does not have to be connected to the Internet; you can deploy WSUS in a network that has no Internet connection. You export the update data from another WSUS server that is connected to the Internet, copy it to the disconnected WSUS server on removable media, and then import it there. This process, shown in the figure, takes the place of synchronization for the disconnected WSUS server.
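The export/import procedure above, as an added PowerShell example that is not from the original article: it uses WsusUtil.exe, which ships with WSUS, and assumes the content directory D:\WSUS\WsusContent and a removable drive at E:\ (both placeholders).

```powershell
# Added example (not part of the original article): move update files and
# metadata from an Internet-connected WSUS server to a disconnected one.
# Assumptions: both servers use D:\WSUS as the content directory chosen at
# install time, and E:\ is the removable medium carried between them.
$WsusUtil    = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
$ContentRoot = 'D:\WSUS\WsusContent'     # assumption: WSUS content directory
$Media       = 'E:\wsus-transfer'        # assumption: removable medium

# --- Run on the Internet-connected (export) server ---------------------------
function Export-WsusData {
    New-Item -ItemType Directory -Path $Media -Force | Out-Null
    # 1. Copy the downloaded update files to the medium (mirror, so stale files are dropped).
    robocopy $ContentRoot (Join-Path $Media 'WsusContent') /MIR /R:2 /W:5 | Out-Null
    # 2. Export the update metadata as a package; approvals are not part of it.
    $pkg = Join-Path $Media 'export.xml.gz'
    $log = Join-Path $Media 'export.log'
    & $WsusUtil export $pkg $log
    if ($LASTEXITCODE -ne 0) { throw "WsusUtil export failed, see $log" }
    # 3. Record SHA-256 hashes so the import side can detect corruption in transit.
    #    To also detect deliberate modification, convey the manifest's own hash
    #    to the import side separately from the medium.
    Get-ChildItem -Path $Media -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Export-Csv -Path (Join-Path $Media 'manifest.csv') -NoTypeInformation
}

# --- Run on the disconnected (import) server ---------------------------------
function Import-WsusData {
    # 1. Verify every transferred file against the manifest before touching WSUS.
    $bad = Import-Csv (Join-Path $Media 'manifest.csv') | Where-Object {
        (Get-FileHash -Algorithm SHA256 -Path $_.Path).Hash -ne $_.Hash
    }
    if ($bad) { throw "Hash mismatch on: $($bad.Path -join ', ')" }
    # 2. Copy the update files into the local content directory.
    robocopy (Join-Path $Media 'WsusContent') $ContentRoot /E /R:2 /W:5 | Out-Null
    # 3. Import the metadata package; this replaces the normal synchronization.
    $log = Join-Path $Media 'import.log'
    & $WsusUtil import (Join-Path $Media 'export.xml.gz') $log
    if ($LASTEXITCODE -ne 0) { throw "WsusUtil import failed, see $log" }
}
```

Call Export-WsusData on the connected server and Import-WsusData on the disconnected one; both servers should run the same WSUS version, and updates still have to be approved on the disconnected server after the import.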
