Question on WSUS design

 
 
Daniel V
      07-31-2009
I have been working on a WSUS 3.0 SP1 design for some time with the purpose
to support laptops on the road as well as internal hosts. Currently the
setup we are testing is to have two WSUS servers. One in the DMZ to host
laptops on the outside, this will use SSL with certs to secure. The
internal server will not use SSL. The internal server is the master with the
DMZ being a replica.

Since we don't have computers go straight to containers, but move them manually,
this adds a bit of extra work moving systems on both WSUS servers. Nothing
big to do but adds a little work and requires space for patches and
synchronization between the two servers.

My question is would using a High availability design sharing one database
and DFS share be a better solution? In my design it would not be exactly for
clustering the WSUS servers for high availability as it would be more for
using a single database and DFS share to reduce or eliminate replications and
rollups while allowing laptops to connect from the outside and internal hosts
connecting to the inside. Would this work or is there something I am
overlooking in this design?
 
 
Lawrence Garvin [MVP]
      07-31-2009
"Daniel V" <> wrote in message
news:917607E4-E3F4-4B82-BE2B-...

> My question is would using a High availability design sharing one database
> and DFS share be a better solution?


Not really. Consider your primary objective (or what should be your primary
objective) for using a separate server for mobile systems. Normally this
motivation is because downloading content across VPN connections is
expensive, not to mention somewhat unreliable because of the transient
nature of VPN-connected machines. By configuring a separate server for
mobile clients, without a content store, these mobile clients can obtain
*content* directly from microsoft.com when any Internet connection is
active, and only require the VPN connection to obtain *approvals* from the
central authority.

Second, I doubt an NLB environment would fare well across a firewall. Among
other things the DMZ server would have to access the database inside the
firewall, and I doubt you really want to open SQL Server ports from the DMZ
to the Internal LAN. In addition, the DFS share would require that resource
to also be open from the DMZ to the Internal LAN, and you'd be moving mobile
computer content traffic... not only across the VPN, but also through the
DMZ/Internal firewall interface.



--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
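
The following is an added example, not part of the original thread or written by either poster: a read-only PowerShell check that a WSUS server matches the design described in the reply above (a replica for mobile clients that inherits approvals from the internal master and keeps no local content store). It assumes the WSUS 3.0 administration console is installed on the machine running it; the function name, host name and port are hypothetical.

```powershell
# Added example, not from the thread. Requires the WSUS 3.0 administration console,
# which installs the Microsoft.UpdateServices.Administration assembly.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Test-WsusMobileReplica {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,  # supplied by the caller
        [bool]$UseSsl = $true,   # the DMZ server in the thread is secured with SSL
        [int]$Port = 443         # assumed SSL port; adjust to the IIS binding in use
    )

    # Connect through the admin API; the call throws if the server
    # cannot be reached over SSL on the given port.
    $server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($ServerName, $UseSsl, $Port)
    $config = $server.GetConfiguration()

    $findings = @()
    if (-not $config.IsReplicaServer) {
        $findings += 'Not a replica: approvals and groups are not inherited from the internal master.'
    }
    if (-not $config.HostBinariesOnMicrosoftUpdate) {
        $findings += "Content store enabled at '$($config.LocalContentCachePath)': clients download update files from this server instead of Microsoft."
    }
    if ($config.SyncFromMicrosoftUpdate) {
        $findings += 'Synchronizes from Microsoft Update rather than from an upstream WSUS server.'
    }

    # Report the upstream server too, so the replica relationship can be confirmed by eye.
    New-Object PSObject -Property @{
        Server        = $ServerName
        Upstream      = '{0}:{1}' -f $config.UpstreamWsusServerName, $config.UpstreamWsusServerPortNumber
        MatchesDesign = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

# Usage (hypothetical host name):
# Test-WsusMobileReplica -ServerName 'wsus-dmz.example.com' | Format-List
```

The function only reads configuration and changes nothing on the server, so it can be run against both the DMZ and internal servers to compare them.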
