SUS Without the Space
Control software updates, even for remote workers.
- By Don Jones
- June 02, 2004
Software Update Services is starting to catch on in more companies. Many
admins now have SUS download all of Microsoft's posted updates, and they
then approve the updates that they want networked users to install on
their computers. Users then download updates directly from the SUS server,
conserving Internet bandwidth. I have one client, though, whose users
are mostly remote. Those admins wanted the control SUS provides over what
updates are applied to remote clients, but they didn't want clients having
to come across the VPN into the corporate network to actually download
Don't Download Updates
Fortunately, SUS does exactly what they want. First, they installed a
SUS server and used a Group Policy Object to configure all client computers
to use it. The GPO also disabled clients' access to the Windows Update
Web site, ensuring that the SUS server was the only possible source for
updates. Then, they configured the SUS server options to store updates
on the Windows Update Web site (as shown in the figure). Huh?
|Microsoft Software Update Services accessed from
the Windows Update Web site. (Click image to view larger version.)
Here's how it works: SUS downloads the complete catalog of updates, and
the company can approve the ones they want their clients to have. Their
clients check in with the SUS server to see what updates are approved.
Those updates are downloaded, however, from the Windows Update Web site,
essentially by referral from the SUS server. So the company gets complete
control over what updates are deployed, and the clients make a direct
connection to the Windows Update Web site to physically obtain approved
updates. It's a clever trick that makes SUS a lot more workable for remote
If you have a mix of local and remote clients, you can still use this
technique. Put up two SUS servers: One for local clients and one for remote
clients. Separate the clients by organizational unit and apply a GPO that
points them to the appropriate SUS server. The SUS server for local clients
can download updates from Microsoft and make them available locally, conserving
WAN bandwidth; the remote users' SUS server can store updates on the Windows
Update Web site, allowing clients to download the updates themselves.
Want a better remote server administration experience?
Install Windows 2003's AdminPak.msi on your Windows
XP machine and take advantage of the Remote Desktops
console. You can maintain multiple remote desktop connections
within a single window and can easily connect to the
new remote console connection provided by Windows 2003.
Remote Desktops console can connect to any RDP-compatible
server, all the way back to Windows NT 4.0 Terminal
Windows Update v5 and SUS 2.0 are coming soon and will be named WUS; read
the overview: http://download.microsoft.com/download/7/b/5/7b5ab54c-9b9e-46a7-9cc4-427c90122503/sus_2.0_overview.doc
SUS forums: http://forums.susserver.com/
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.