In WSUS, you download two separate pieces of information, the update metadata (which informs you when new updates are available) and the update files themselves. There are also two supported ways to deploy and use WSUS in your enterprise, a simple and complex model. The simple deployment model is used when the organization has one instance of WSUS on their network. In this model, the single WSUS server downloads both types of information directly from Microsoft Update, and this model is secure by default because Microsoft secures the synchronization for you.
In the complex model, an organization has multiple WSUS servers (for example one for the engineering department and another for operations). Using this deployment model, you can have each WSUS server download all information for each department separately, but this wastes precious bandwidth. The optimal configuration in the complex model is to have a "master" WSUS server; the "master" then downloads all information directly from Microsoft Update and then disperses the update metadata and updates to the other "slave" WSUS servers in the organization. In WSUS terminology, the server we call the "master" is the upstream server, and the server we are calling "client" is the downstream server.
There is another option for the complex deployment model I have described called Replica Mode. In Replica Mode, the upstream server not only cascades out the updates but it also is the central WSUS server used to define update approvals and computer groups. The other WSUS servers in the organization then mirror the upstream server.
In this model, the main security consideration is whether client machines should use SSL for added security or not. You should be aware that if you do opt for the additional security it has a price; it is known to decrease overall performance by roughly 10 percent because of the workload associated with encrypting all the metadata sent over the wire. Also consider that if the WSUS server uses a remote SQL Server for its backend, that remote connection will not be secure. In the end, however, Microsoft recommends using SSL for your WSUS deployments.
If you wish to use SSL for client machine access, there are two steps to implement it:
Install a certificate on the WSUS server
Configure client computers to trust the server certificate
Using SSL on the WSUS server requires two ports, one for encrypting metadata with HTTPS and another for clear HTTP. You should require SSL only for the following virtual roots of the WSUS web site:
You should not require SSL for the following virtual roots of the WSUS web site:
If you install WSUS to the default web site, and then set up SSL using standard ports, you would use https://YourWSUSServer/WsusAdmin/ to access the WSUS Administrator Console. In the event you wish to use non-standard ports, you would use https://YourWSUSServer:YourCustomSSLPort/WsusAdmin/ to access the WSUS admin console. The same applies for configuring the client machine's automatic updates to point to your WSUS server; you would direct them to either https://[YourWSUSServer] or https://YourWSUSServer:YourCustomSSLPort.
The other main security configuration in the simple deployment model is for networks that use a proxy server. Proxy servers act as an intermediate node between the servers and workstations and the Internet, which helps enforce security, control, and caching. To configure WSUS, navigate a browser to the admin console, click Options in the upper-right corner of the page, and click Synchronization Options. You should now see the page shown in Figure 14-2.
Now perform the following steps:
In the Proxy server box, click Use a proxy server when synchronizing, and then enter the server name and the port number (port 80 is the default) of the proxy server in the corresponding boxes.
If you wish to connect to the proxy server using specific credentials, click Use user credentials to connect to the proxy server, and then enter the user name, domain, and password of the user in the corresponding boxes. If you wish to enable basic authentication for the user connecting to the proxy server, click Allow basic authentication (password in clear text).
Under Tasks, click Save settings, and then click OK when the confirmation box appears.
In the complex deployment model (again this is when you have multiple WSUS servers in your organization), all the same options and configurations apply. SSL can be implemented in the complex model; you may wish to configure secure communications between an upstream WSUS server and a downstream WSUS server. In addition, you can configure SSL from the downstream WSUS server(s) to the clients, as in the simple deployment model. If there is a proxy server between a downstream WSUS server and an upstream one then you must configure the proxy settings as described previously.