Windows Vista Tips

URL in Group Policy

 
 
JustSc0tt
09-14-2009

I currently use:
http://update.mycompanyname.com
as the URL in my GPO.
I am placing a replica server in the DMZ and will be using SSL for my
remote clients.
Will I need to change the URL to https://update.mycompanyname.com?
And if so, I guess I would have to require my internal clients to use SSL as
well or not?

*My external-facing DNS will point to the DMZ server. My internal DNS
already directs http://update.mycompanyname.com to the internal server.

 
Lawrence Garvin [MVP]
09-14-2009
"JustSc0tt" <> wrote in message
news:3462819A-71A6-4404-9519-...
>I currently use:
> http://update.mycompanyname.com
> as the URL in my GPO.
> I am placing a replica server in the DMZ and will use be using SSL for my
> remote clients.
> Will I need to change the URL to https://update.mycompanyname.com?


All of the procedures necessary for deploying WSUS with SSL are contained in
the WSUS Deployment Guide. I would highly encourage you to refer to that
document *before* making any SSL-based implementations in your environment.

But, yes, the form of the URL for the REPLICA server using SSL will be
https://replicaServerName.myCompanyName.com

> And if so, I guess I would have to require my internal clients to use SSL
> as
> well or not?


No. In fact, I would recommend *against* implementing SSL on a closed LAN
environment.

If you do need encryption on your corporate LAN, IPSec is a better solution.


> *I will have external facing dns will point to dmz server. My internal
> dns
> already directs http://update.mycompanyname.com to internal server.


You should also know that (unless it's been changed, and I'm having a VERY
difficult time finding any copy of the document these days to confirm or
refute this point) the WSUS EULA, historically, has prohibited the use of
publicly accessible Internet-facing WSUS Servers. That is to say, an
"Internet-facing" WSUS Server still needs to be:

a. Configured within the scope of a VPN-authenticated client session, or
b. Secured with Client-Side SSL certificates (which are capable of
authenticating the identity of the client accessing the WSUS Server).

So as to eliminate the condition of being "publicly accessible".

To that point, I would recommend *NOT* using External-facing DNS to identify
your Internet-facing WSUS Server, but rather to configure those machines
using a fixed IP Address (which is not published in DNS). (Not to mention
the obvious security benefits of not advertising the location of your update
management services for mobile clients.)


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
JustSc0tt
09-15-2009
Thank you for the reply. I have added additional info for some clarification:

I will have 2 servers: one on a secure internal network, and the 2nd one will be
a replica server in the DMZ. Communication/roll-up will be done thru SSL.

My external clients, not on the internal network nor VPN, will connect to the
DMZ server using a client side SSL certificate, which per your statement
should be ‘ok’ with the WSUS EULA.
Now…providing I’m not completely off-base so far:

All computers are on the same domain and obtain their WSUS settings thru 1 GPO.
Within this GPO I will set the URL to:
HTTPS://update.MyCompanyName.Com

This URL routes internal requests (thru DNS) to INTERNAL SERVER.
Even though I use HTTPS in the URL name, if I do not require client certs
they don’t use SSL but still connect ok…correct? I was under the
impression that accessing an HTTPS site required SSL, but I think that is not
the case.

This URL will also route (by way of my public DNS) to DMZ server which will
be secured by SSL and will require client side certs. (I understand your
recommendation of not identifying my internal server, but I want to use a
single GPO to allow my clients to move from outside to inside the network
without the use of additional scripting.)

Thus I can meet what I originally thought to be my simple goal:
1 GPO, 1 Primary internal server, 1 external(dmz) replica server, secured
thru SSL. I make a few DNS changes and my clients, wherever they make a
network connection (internal/external/vpn), only receive company approved
updates and report their status.

*Additionally, per the deployment guide, I will secure my WSUS Web site by
requiring SSL on certain virtual roots but, to maintain functionality, not
on others.


"Lawrence Garvin [MVP]" wrote:

> "JustSc0tt" <> wrote in message
> news:3462819A-71A6-4404-9519-...
> >I currently use:
> > http://update.mycompanyname.com
> > as the URL in my GPO.
> > I am placing a replica server in the DMZ and will use be using SSL for my
> > remote clients.
> > Will I need to change the URL to https://update.mycompanyname.com?

>
> All of the procedures necessary for deploying WSUS with SSL are contained in
> the WSUS Deployment Guide. I would highly encourage you to refer to that
> document *before* making any SSL-based implementations in your environment.
>
> But, yes, the form of the URL for the REPLICA server using SSL will be
> https://replicaServerName.myCompanyName.com
>
> > And if so, I guess I would have to require my internal clients to use SSL
> > as
> > well or not?

>
> No. In fact, I would recommend *against* implementing SSL on a closed LAN
> environment.
>
> If you do need encryption on your corporate LAN, IPSec is a better solution.
>
>
> > *I will have external facing dns will point to dmz server. My internal
> > dns
> > already directs http://update.mycompanyname.com to internal server.

>
> You should also know that (unless it's been changed, and I'm having a VERY
> difficult time finding any copy of the document these days to confirm or
> refute this point).. the WSUS EULA, historicaly, has prohibited the use of
> publicly accessible Internet-facing WSUS Servers. That is to say, an
> "Internet-facing" WSUS Server still needs to be:
>
> a. Configured within the scope of a VPN-authenticated client session, or
> b. Secured with Client-Side SSL certificates (which are capable of
> authenticating the identity of the client accessing the WSUS Server).
>
> So as to eliminate the condition of being "publicly accessible".
>
> To that point, I would recommend *NOT* using External-facing DNS to identify
> your Internet-facing WSUS Server, but rather to configure those machines
> using a fixed IP Address (which is not published in DNS). (Not to mention
> the obvious security benefits of not advertising the location of your update
> management services for mobile clients.)
>
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> My Blog: http://onsitechsolutions.spaces.live.com
> Microsoft WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>

 
Lawrence Garvin [MVP]
09-15-2009
"JustSc0tt" <> wrote in message
news:28339A76-B94D-400A-B2A5-...
> Thank you for the reply. I have added additional info for some
> clarification:
>
> I will have 2 servers, one on a secure internal network and 2nd one will
> be
> a Replica server in DMZ. Communication/roll-up will be done thru SSL.


Then you have two different SSL environments to configure.

The SSL environment on the replica server that allows the Internet-based
clients to execute detections using SSL through the firewall.

The SSL environment on the upstream server that allows the DMZ Replica
Server to synchronize with the upstream server through the firewall.

Both scenarios are described in the Deployment Guide.


> My external clients, not on the internal network nor VPN, will connect to
> DMZ server using a client side SSL Certificate. Which per your statement
> should be ‘ok’ with the WSUS EULA.


Yes.


> All computers on the same domain and obtain their WSUS settings thru 1
> GPO.
> Within this GPO I will set the URL to:
> HTTPS://update.MyCompanyName.Com
>
> This URL routes internal requests (thru DNS) to INTERNAL SERVER.
> Even though I use HTTPS in the URL name, if I do not require client certs
> they don’t use SSL but still connect ok…correct?


Correct. If the client is not required to "authenticate using SSL" then the
client SSL certs will be ignored.

> I was under the
> impression that accessing an HTTPS site required SSL, but I think that is
> not
> the case.


Well, strictly speaking, yes. HTTPS is a protocol identifier that means,
essentially, "HTTP using SSL".

> This URL will also route (by way of my public DNS) to DMZ server which
> will
> be secured by SSL and will require client side certs. (I understand your
> recommendation of not identifying my internal server, but I want to use a
> single GPO to allow my clients to move from outside to inside the network
> without the use of additional scripting.)


This is reasonable -- in fact, it's necessary if you've not implemented the
Microsoft AD recommended practice of using split domains (e.g. company.com
outside the firewall, and corp.company.com, company.local, or some such
alternate name inside the firewall). Note, btw, that even with split domain
scenarios, you can still configure =DNS= inside your corporate network to
route https://outsideserver.company.com to an internal resource on some
other AD domain (e.g. https://insideserver.corp.company.com or
https://insideserver.company.local).


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
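The thread settles on one GPO URL (https://update.MyCompanyName.Com) that split DNS routes to the internal server on the LAN and to the client-cert-protected DMZ replica from outside, with "require SSL" set on selected virtual roots. The script below is an added example written for this thread, not code from either poster or from the WSUS Deployment Guide: it reads what the GPO actually wrote to a client, flags a non-https:// scheme, shows which address the client's resolver returns for the name, performs the TLS handshake as the agent would (so an untrusted or mismatched server certificate fails here too), and checks that plain HTTP to the client virtual root is refused. Assumptions not stated in the thread: an elevated Windows PowerShell session on a domain-joined client after gpupdate; Resolve-DnsName (Windows 8 / Server 2012 or later); the WSUS site on its default 8530/8531 ports (set $httpPort to 80 if WSUS is on the IIS default site); ClientWebService is named here as one of the WSUS virtual roots from the product documentation, not from the thread. The registry paths and value names (WUServer, WUStatusServer, UseWUServer) are the documented policy locations.

```powershell
# Added example (not from the thread): audit the WSUS settings a GPO wrote to
# this client and confirm the URL behaves the way the thread expects.
# Assumptions: elevated Windows PowerShell, domain-joined client, Resolve-DnsName
# available, WSUS on 8530/8531 unless $httpPort says otherwise.
param(
    [int]$httpPort = 8530   # assumed non-SSL port of the same WSUS site (80 on the default site)
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $policyKey -ErrorAction Stop
$au = Get-ItemProperty -Path (Join-Path $policyKey 'AU') -ErrorAction Stop

# UseWUServer = 1 is what makes the agent honour WUServer / WUStatusServer at all.
if ($au.UseWUServer -ne 1) {
    Write-Warning 'UseWUServer is not 1: this client will ignore the intranet URL.'
}

# The thread's central point is the scheme in the GPO URL: only https:// makes the
# agent talk SSL, which the client-cert-protected DMZ replica requires.
foreach ($name in 'WUServer', 'WUStatusServer') {
    $url = [Uri]$wu.$name
    Write-Host ("{0,-16} {1}" -f $name, $url)
    if ($url.Scheme -ne 'https') {
        Write-Warning "$name is not an https:// URL; the client will not use SSL."
    }
}

$target   = [Uri]$wu.WUServer
$hostName = $target.Host
$sslPort  = $target.Port          # 443 when the URL carries no explicit port

# Split-horizon DNS: on the LAN this should be the internal server, from the
# Internet the DMZ replica. Record which answer this client actually gets.
Write-Host "`nA records for $hostName from this client's resolver:"
Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress } |
    ForEach-Object { Write-Host "  $($_.IPAddress)" }

# TLS handshake as the Windows Update agent performs it. AuthenticateAsClient
# validates the server certificate against the machine trust store, so a
# certificate the agent would reject is rejected here as well.
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, $sslPort)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($hostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "`nTLS OK ($($ssl.SslProtocol)): server cert '$($cert.Subject)' valid until $($cert.NotAfter)"
} catch {
    Write-Warning "TLS handshake with ${hostName}:$sslPort failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Dispose() }
}

# "Require SSL" on a virtual root means plain HTTP to it must be refused; IIS
# answers 403 in that case. Anything else means the root is still reachable in
# the clear from this network position.
$probe = "http://${hostName}:$httpPort/ClientWebService/client.asmx"
try {
    $resp = Invoke-WebRequest -Uri $probe -UseBasicParsing -ErrorAction Stop
    Write-Warning "Plain HTTP to $probe returned $($resp.StatusCode): SSL is NOT required on this root."
} catch {
    $status = [int]$_.Exception.Response.StatusCode   # 0 when no HTTP response came back
    if ($status -eq 403) {
        Write-Host "Plain HTTP to $probe refused (403): SSL is required, as expected."
    } else {
        Write-Warning "Plain HTTP probe of $probe produced status $status ($($_.Exception.Message))"
    }
}
```

Run it once from the LAN and once from an external client: the DNS answer should differ (internal server vs. DMZ replica) while the GPO values, the TLS result and the 403 on the plain-HTTP root should look the same, which is exactly the "one GPO, two servers" outcome the thread is after. Because the script presents no client certificate, an HTTPS request to the DMZ replica's virtual roots would itself be refused; that is the client-certificate requirement working, not a fault.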

 