Windows Tip Sheet
SUS Without the Space
Control software updates, even for remote workers.
Software Update Services is starting to catch on in more companies. Many
admins now have SUS download all of Microsoft's posted updates, and they
then approve the updates that they want networked users to install on
their computers. Users then download updates directly from the SUS server,
conserving Internet bandwidth. I have one client, though, whose users
are mostly remote. Those admins wanted the control SUS provides over what
updates are applied to remote clients, but they didn't want clients having
to come across the VPN into the corporate network to actually download
Don't Download Updates
Fortunately, SUS does exactly what they want. First, they installed a
SUS server and used a Group Policy Object to configure all client computers
to use it. The GPO also disabled clients' access to the Windows Update
Web site, ensuring that the SUS server was the only possible source for
updates. Then, they configured the SUS server options to store updates
on the Windows Update Web site (as shown in the figure). Huh?
|Microsoft Software Update Services accessed from
the Windows Update Web site. (Click image to view larger version.)
Here's how it works: SUS downloads the complete catalog of updates, and
the company can approve the ones they want their clients to have. Their
clients check in with the SUS server to see what updates are approved.
Those updates are downloaded, however, from the Windows Update Web site,
essentially by referral from the SUS server. So the company gets complete
control over what updates are deployed, and the clients make a direct
connection to the Windows Update Web site to physically obtain approved
updates. It's a clever trick that makes SUS a lot more workable for remote
If you have a mix of local and remote clients, you can still use this
technique. Put up two SUS servers: One for local clients and one for remote
clients. Separate the clients by organizational unit and apply a GPO that
points them to the appropriate SUS server. The SUS server for local clients
can download updates from Microsoft and make them available locally, conserving
WAN bandwidth; the remote users' SUS server can store updates on the Windows
Update Web site, allowing clients to download the updates themselves.
Want a better remote server administration experience?
Install Windows 2003's AdminPak.msi on your Windows
XP machine and take advantage of the Remote Desktops
console. You can maintain multiple remote desktop connections
within a single window and can easily connect to the
new remote console connection provided by Windows 2003.
Remote Desktops console can connect to any RDP-compatible
server, all the way back to Windows NT 4.0 Terminal
Windows Update v5 and SUS 2.0 are coming soon and will be named WUS; read
the overview: http://download.microsoft.com/download/7/b/5/7b5ab54c-9b9e-46a7-9cc4-427c90122503/sus_2.0_overview.doc
SUS forums: http://forums.susserver.com/
With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.