How to deploy WSUS Offline updates on Win Server 2008?

joe_H

Member
May 27, 2010
83
0
0
I currently administer a group of computers here at work running Windows XP. There are around 45 machines, and none of them are set up to a domain...they are all administered locally (I know...it was set up prior to my arrival). I've finally talked mgt into upgrading to new clients (Windows 7 Ultimate), connecting to 2 domain controllers (Win 2008 SP2), and a patch server (Win 2008 SP2).

Here is my issue. This is a closed network, and due to security reasons, cannot have any access to the outside world. My first issue was trying to find a way to patch Windows 7 offline. I found WSUS Offline updater (http://download.wsusoffline.net/), and tested on a mock up. This seems to patch the system very well. However, I don't want to carry a update CD to each machine locally again.

I was thinking of installing WSUS 3.0 on the patch server, but I'm unfamiliar with how to configure the WSUS program to point to the offline downloaded files (from WSUS offline updater), as opposed to trying to phone home to Windows Update. WSUS Offline updater will save the output to either an .iso file, or to a folder named 'client', containing the executable with needed repositories.

Anybody have experience with this issue? Can anyone point me to a good install guide for offline updates?

Thanks in advance.
 

joe_H

Member
May 27, 2010
83
0
0

Thank you for the link. The article seems more of an overview of WSUS offline updates. The meat was the small blurb about "The WSUS Server path should be given for your WSUS server and a proxy (if necessary)".

They show the WSUS Offline setting as

WSUS-Server.png


Is this the only setting I need to change? Should I save the WSUS Offline update output as a install folder, or as an .iso? Where should that be placed on the patch server? At the root?

Thanks for the help.
 

joe_H

Member
May 27, 2010
83
0
0

Thank you again for the link. I believe that I'm understanding how to set up WSUS better. This link shows the option of setting the local update directory as C://wsus. WSUS offline updated generates a folder named 'client' which houses the patch executable and the repositories. The computer downloading the updates is not on the same LAN as the WSUS server. Is it a simple matter of copying over the 'client' folder from a thumb drive into the c:\wsus directory on the server? Do I still need to set the http://wsus flag on the WSUS offline updater if it can't see the server over a network?

My apologies if this seems remedial...first time trying to set up a patch server.

Thanks again.
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
To be honest, I have never set one up either. Just did some searching and selected responses that seemed to provide the answers you need. If I don't know something, I research it and in some cases, it is trial and error to get the desired results. Or if I know a person that does know the info, I ask them for help.
 

joe_H

Member
May 27, 2010
83
0
0
To be honest, I have never set one up either. Just did some searching and selected responses that seemed to provide the answers you need. If I don't know something, I research it and in some cases, it is trial and error to get the desired results. Or if I know a person that does know the info, I ask them for help.

Thank you for your assistance. Nobody else on site has set up a patch server before...I'm really trying to get this place a bit more modern. The problem lies in how secure the network has to be, including not allowing any access to the outside world.

Does anyone else have any experience running WSUS Offline update and manually moving the generated patches over to a WSUS server?
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Check with the entity you are supporting with this network. Chances are they have some sort of Upstream WSUS server.

If not; however, you will need to "Sneakernet" the systems. Host your own WSUS Server on your unsecure channels and export the file. Then, every week, transfer over the files via an approved medium and import them to whichever server is hosting the WSUS Role in the secure environment.

The initial transfer will be quiet large depending on which downloads you choose to approve and export, but subsequent transfers will easily fit on a DVD-R.

-GP
 

joe_H

Member
May 27, 2010
83
0
0
Check with the entity you are supporting with this network. Chances are they have some sort of Upstream WSUS server.

If not; however, you will need to "Sneakernet" the systems. Host your own WSUS Server on your unsecure channels and export the file. Then, every week, transfer over the files via an approved medium and import them to whichever server is hosting the WSUS Role in the secure environment.

The initial transfer will be quiet large depending on which downloads you choose to approve and export, but subsequent transfers will easily fit on a DVD-R.

-GP

It's a small network, with only these servers and clients residing. I checked with our admin LAN support, and they are running WSUS 3.0 SP2, so I will probably wind up having them export the patches via backup, and I will then import them onto my WSUS server.

Thanks for all the suggestions.