This article explains how to configure WSUS 3 SP2 located in a DMZ to deploy updates to clients that are behind Forefront TMG 2010 SP2. The topology for this scenario is described in the figure below:
Figure 1
In this scenario, internal client workstations receive updates from the WSUS server located in the DMZ. This WSUS server is not joined to the internal domain. To configure the rules on Forefront TMG 2010 you need to understand the traffic profile for this deployment, which is described below:
Figure 5
4. On the Protocols page click the Add button and select the protocols HTTP, HTTPS and DNS. Click Close on the Add Protocols window. The Protocols page should look like the figure below. Once you have confirmed that, click Next to continue.
Figure 6
5. On the Malware Inspection page select Do not enable malware inspection for this rule, as shown in the figure below, and click Next to continue.
Figure 7
6. On the Access Rule Sources page click Add, click New and choose Computer. Type the WSUS computer name, type its IP address in the field right below it and click OK. Select the WSUS Server computer that you just created, click Add, select Internal network, click Add and click Close. Once you finish these steps the Access Rule Sources page should look like figure 8. Click Next to continue.
Figure 8
7. Repeat the same procedure from step 6 on the Access Rule Destinations page.
8. On the User Sets page leave the default selection (All Users), click Next and click Finish.
Now you need to create the access rule from WSUS to the Internet. The procedure is much the same, but you will need to make the following changes:
Once you finish creating these two rules click Apply, type a description for this change and click Apply again.
The WSUS configuration is the same as any other default configuration; for that reason the recommendation is to follow the Windows Server Update Services 3.0 SP2 Step By Step Guide to configure WSUS.
The following tasks should be done on the Domain Controller:
After finishing the configuration on all other servers you can start validating the configuration on the client computer by following the steps below:
1. Open a command prompt and run the command gpupdate /force
2. Run the command rsop.msc and verify that the WSUS Server name shows up in the Windows Update policy as shown below:
Figure 9
3. Click Start, All Programs and click Windows Update.
4. Click Check for Updates.
Note: if you have live logging enabled on Forefront TMG you should see a traffic pattern similar to the one below:
Figure 10
5. Open the file %windir%\windowsupdate.log and check that the client is trying to get updates from the WSUS Server as shown below:
Figure 11
6. Switch to the WSUS Server and make sure that the computer is already reporting to WSUS.
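Step 5 asks you to read windowsupdate.log by eye and confirm that the client is talking to the WSUS server in the DMZ rather than to some other host. The script below is an added example (not part of the original article and not a Microsoft tool) that automates that check: it parses lines in the tab-separated layout the Windows Update Agent uses (date, time, PID, TID, component, message), collects every host the agent reports as its WSUS server, status server or client web service URL, and confirms that only the expected server name appears. The log lines, the server name wsus01 and the GUID in the ServiceId field are constructed placeholders; point the script at a real %windir%\windowsupdate.log and your own WSUS name when you use it.

```python
import re
import sys
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed sample in the layout of a Windows Update Agent windowsupdate.log
# (tab-separated: date, time, PID, TID, component, message). The host wsus01
# and the all-zero ServiceId are placeholders, not values from a real client.
SAMPLE_LOG = """2012-05-10\t08:01:12:345\t 972\t 3bc\tAgent\t  * WSUS server: http://wsus01:8530
2012-05-10\t08:01:12:345\t 972\t 3bc\tAgent\t  * WSUS status server: http://wsus01:8530
2012-05-10\t08:01:12:360\t 972\t 3bc\tAgent\t  * Target group: (Unassigned Computers)
2012-05-10\t08:01:13:001\t 972\t 3bc\tPT\t  + ServiceId = {00000000-0000-0000-0000-000000000000}, Server URL = http://wsus01:8530/ClientWebService/client.asmx
2012-05-10\t08:01:15:220\t 972\t 3bc\tAgent\t  * Found 3 updates and 42 categories in search
"""

# Constructed sample of a client whose WSUS policy has not applied: the agent
# reports no WSUS server and contacts a different host instead.
SAMPLE_LOG_NO_POLICY = """2012-05-10\t08:05:00:010\t 972\t 3bc\tAgent\t  * WSUS server: <NULL>
2012-05-10\t08:05:00:010\t 972\t 3bc\tAgent\t  * WSUS status server: <NULL>
2012-05-10\t08:05:02:500\t 972\t 3bc\tPT\t  + ServiceId = {00000000-0000-0000-0000-000000000000}, Server URL = https://example.invalid/ClientWebService/client.asmx
"""

# One log record: six tab-separated fields; PID/TID are right-aligned so allow
# leading whitespace before them.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\t(?P<time>\S+)\t\s*(?P<pid>\S+)\t\s*(?P<tid>\S+)\t"
    r"(?P<component>\S+)\t(?P<message>.*)$"
)
URL_RE = re.compile(r"https?://[^\s,]+")

# Message fragments that carry the endpoints the agent is using.
ENDPOINT_MARKERS = ("WSUS server:", "WSUS status server:", "Server URL =")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the log into records; lines that do not fit the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(m.groupdict())
    return entries


def wsus_hosts(entries: List[Dict[str, str]]) -> Set[str]:
    """Return every host the agent reports as a WSUS or client web service endpoint."""
    hosts: Set[str] = set()
    for e in entries:
        msg = e["message"]
        if any(marker in msg for marker in ENDPOINT_MARKERS):
            for url in URL_RE.findall(msg):
                host = urlsplit(url).hostname
                if host:
                    hosts.add(host.lower())
    return hosts


def check_client(text: str, expected_host: str) -> Dict[str, object]:
    """Summarise whether the client is using only the expected WSUS server."""
    entries = parse_log(text)
    hosts = wsus_hosts(entries)
    expected = expected_host.lower()
    return {
        "hosts": sorted(hosts),
        # True only when the expected server is present and no other host appears.
        "uses_only_expected": hosts == {expected},
        # The agent logs <NULL> for the WSUS server when no policy is in effect.
        "policy_missing": any("WSUS server: <NULL>" in e["message"] for e in entries),
    }


if __name__ == "__main__":
    # Usage: python check_wsus_log.py <path to windowsupdate.log> <wsus host name>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(check_client(fh.read(), sys.argv[2]))
    else:
        print("policy applied:", check_client(SAMPLE_LOG, "wsus01"))
        print("policy missing:", check_client(SAMPLE_LOG_NO_POLICY, "wsus01"))
```

If uses_only_expected is False, compare the hosts list with the WSUS name shown in rsop.msc (step 2): a <NULL> server or a foreign host means the Group Policy has not reached the client, which is worth ruling out before looking at the TMG access rules.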
Ed Price - MSFT edited Original. Comment: Wow, great article!
Great use of images!
Thanks for your comment Ed. I truly appreciate it!
Nice and good work. :)
Hi Ahmet, thanks for your comments. I'm glad you liked it :)
Hi Yuri,
Another idea for putting the WSUS Server in a secure zone. Thanks for sharing.
Greetings Marc Grote
Sure Marc, thanks for your comment!!
Nice work
Thank you Abdelhamid!
Yes, indeed. Great work on the images. It makes it easier. Thanks for this.
Very helpful screenshots. :) thanks!