
WSUS internal and external question


Daniel V

Apr 18, 2009, 12:58:01 AM
Right now we have a pretty simple WSUS setup servicing internal LAN and VPN
connections with no SSL. Very simple design and everything works nice. We
want to try to set up a replica server in the DMZ that will patch laptops when
they are outside of our network. We find many users no longer use VPN since
many of the services are now available through a portal access (or systems
aren't really being used for work as they were intended). My question is,
does anyone foresee any problems with setting up a public-facing WSUS server
that is secured through SSL? Would using SSL and deploying a cert to our
laptops prevent unauthorized access (anyone not issued a cert through AD)?
And last, I thought of using a single GPO setting on systems but using DNS to
either point a laptop to the internal network or the DMZ based on location;
how would an SSL cert be set up that responds to a single name but two
different servers work? I was thinking that on the outside when you try to
hit https://wsusserver it would redirect you to https://wsusserver2, but
would the cert need to have the first name or the second, as the client is
requesting one server but getting redirected?

Is my logic wrong?

Lawrence Garvin [MVP]

Apr 18, 2009, 3:01:15 AM
"Daniel V" <Daniel V...@discussions.microsoft.com> wrote in message
news:3331B8CA-1066-4BBD...@microsoft.com...

> My question is,
> does anyone foresee any problems with setting up a public-facing WSUS
> server
> that is secured through SSL? Would using SSL and deploying a cert to our
> laptops prevent unauthorized access (anyone not issued a cert through AD)?

That should serve part of the purpose, but the key component in using SSL
for authentication is that you also need to implement client-side
certificates, so that the WSUS Server knows that the client system is an
authorized user of its services.

> And last, I thought of using a single GPO setting on systems but using DNS to
> either point a laptop to the internal network or the DMZ based on
> location;
> how would an SSL cert be set up that responds to a single name but two
> different servers work?


> I was thinking that on the outside when you try to
> hit https://wsusserver it would redirect you to https://wsusserver2, but
> would the cert need to have the first name or the second, as the client is
> requesting one server but getting redirected?

Don't try to get fancy with complicated DNS and redirections.

Use two separate identities.

External, e.g. http://ext-wsus.mycompany.com
Internal, e.g. http://wsus.mycompany.com

So, you'd have a cert for each identity.

Cert #1 for the external-facing identity.
Cert #2 for the internal-facing identity.

When the GPO is applied on the LAN, the GPO contains the URL of the
"internal" identity, and the client talks to the DMZ WSUS server through the
firewall from the corporate LAN to the DMZ, and authenticates with the
internal cert.

Then, all you need is a way to configure the Windows Update Agent for when
the machines are outside the office, so they have the correct URL of the
external identity of the server. This can be as simple as a REG file on a
desktop that you trust the notebook user to engage; or it could be a startup
or logon script that imports the REG file.

However, if you use a startup/logon script, then you need to be aware that
such a script may temporarily overwrite the settings implemented by the GPO,
but they'll eventually be reset when group policy refreshes (every 30-90
minutes, by default). You could also adjust the group policy refresh
interval on an OU containing these notebooks, to minimize the time where the
LAN-connected notebook still has the external configuration active, or...

You could wrap conditional logic around the script, so that while it's
executed at every startup/logon, it only actually executes the REG IMPORT
when the machine is not physically connected to the corporate LAN, which can
be determined by IP address, subnet, and/or other identifiable attributes
(e.g. something as simple as the result of a ping sent to the internal WSUS
identity -- if it answers, don't import the REG file; if it doesn't answer,
then the notebook is not on the corporate LAN, and it needs the external
configuration loaded).


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Daniel V

Apr 19, 2009, 1:58:01 PM
Thank you for your reply. I do agree with your thoughts on using separate
policies and certs for the two servers. Unfortunately, I am being required by
upper management to only use one DNS name and not redirect systems. It looks
like I'm on the right track though.

With the requirement of using one DNS name and keeping the internal and
external servers separate, would using the one cert then work, or would I
still need to push both servers' certs? The client will be requesting one
name but being redirected to another server name, so would the cert need to
be the name the original client requested, or the server it actually went
to?

Lawrence Garvin [MVP]

Apr 19, 2009, 10:01:16 PM
"Daniel V" <Dan...@discussions.microsoft.com> wrote in message
news:7FFAEBE0-005F-404F...@microsoft.com...

> Thank you for your reply. I do agree with your thoughts on using separate
> policies and certs for the two servers. Unfortunately, I am being required to
> only
> use one DNS name

You should advise your "upper management" that only using one DNS domain for
both external and internal access violates every precept of Active Directory
best practices written since Microsoft introduced AD nine years ago.

Having said that... I'm painfully aware of the thousands of organizations
that have done exactly that. :-/


> With the requirement of using one DNS name and keeping the internal and
> external servers separate, would using the one cert then work, or would I
> still need to push both servers' certs?

If you're only using one identity, and both internal and external DNS
resolves to the same physical machine (just different IP Addresses and
pathways), then you only need one SSL certificate.


> The client will be requesting one
> name but being redirected to another server name,

Well.. now.. wait a second here. Do you have *one* DNS name or do you have
*two* names?
You just stated in this reply that you're being "required to ... not
redirect systems".

Perhaps I should ask you exactly what you mean by the statement "...will be
requesting for one name but being redirected to another server name" ??
Perhaps there is a misunderstanding/miscommunication around the word
"redirect", or in the methodologies by which web servers are made visible to
Internet clients?


> so would the cert need to
> be the name the original client requested, or the server it actually
> went
> to?

To answer your question based on my assumption of what you're meaning to
ask -- the SSL certificate should be created in the name of the *actual*
webserver, not the firewall device that's routing/translating the traffic
from the IP Address that's resolved to external clients (which is not the
actual IP Address of the host being resolved).

Truly, what we have here is a question that has nothing to do with WSUS. It
has to do with the fundamentals of how an organization makes an
SSL-enabled website available to both internal and external customers from
the same machine, but at different identities, different pathways, and
likely from different DNS zones. There are two distinct questions to be
answered here: the simple one that involves how DNS is properly configured;
the complex one that involves how SSL is properly configured.

If your organization uses the same DNS name (e.g. companyname.com) both
internally and externally, then you really don't even have a choice. You
name the server wsusserver.companyname.com, you configure your external DNS
to point to the advertised IP address on the Internet (which presumably is
mapped through the firewall to the DMZ), and you configure your internal DNS to
point to the internal address (on the DMZ). There's absolutely no reason in
the world for complicating this process by using different *hostnames* on
either side of the firewall (i.e. wsusserver-ext.companyname.com externally
and wsusserver-int.companyname.com internally is a bad idea).

If you have different domain names externally and internally (you
should!) -- then it doesn't matter whether you use the same hostname, or
not, you'll need to configure the IIS (WSUS) server to respond to both
hostnames. For example, wsusserver.mycompany.com externally and
wsusserver.mycompany.local internally.

Furthermore!!! You also have to be aware of the processes necessary to
handle the SSL traffic passing through your firewall and onto the WSUS
server. If you're using Microsoft ISA Server, then you have the ability to
actually pass through the encryption, running SSL all the way to the WSUS
server. The procedures for configuring ISA Server to use a published
server's SSL certificate are well documented. If you're using some other
manufacturer's device/software for your firewall -- then you have to
determine whether the firewall is the one answering the SSL connection
(which then brings us back to the question of whose name the SSL cert is
issued in).

If you're using a firewall that can pass the SSL encryption through to the
actual webserver, and you have the same hostname/domainname identity on both
sides of the firewall, then the SSL certificate is created in the name of
the server wsusserver.companyname.com.

If you have different domain names on either side of the firewall, then you
will need two different certs. Period. What the actual names on those certs
are is dependent on who's actually answering the "SSL call" from the client.

Daniel V

Apr 19, 2009, 11:35:01 PM
Thank you so much for responding.

Just to make the design clear, we would have two different WSUS servers with
two different names, both on the same domain. Example: one server in the
internal network called wsusserver1 handling all internal clients, and one in
the DMZ called wsusserver2 handling all clients on the road or at home.
These servers would be set up as replicas so the internal server rolls up info
from the DMZ server.

Now the fun part is having DNS direct all clients internally to the internal
WSUS server, and a DNS entry for all external clients on the road or at home
to point to the DMZ server. With this scenario we need to enable SSL on both
servers and have one DNS name in the group policy.

The GP would point to wsusserver1. Any time a system from the outside
queries on the name wsusserver1, it would be directed to wsusserver2.

All of that is actually fairly easy for me to set up; the question I really
face is with SSL when clients on the public side query wsusserver1 and get
directed to wsusserver2. The client thinks it's talking to wsusserver1, so
which cert would be needed on the client to communicate, or what am I missing
in my thoughts here? I hope I laid out the scenario clearly and I really
appreciate your thoughts.


Dave Mills

Apr 19, 2009, 11:59:19 PM
The cert installed on the server must match the name actually sent to the server
in the HTTP header. That may be the FQDN, NetBIOS name or IP address. The header
will be constructed by the client when it sends the HTTP request.

Think about how it works for IE. The HTTP header arrives at the server with a
request to get data from whatever name the user typed into the IE address bar.
The cert must have been issued for the name that the user typed into IE. This
could be the FQDN, hostname or IP address, and it will get to the correct server,
but the cert must be for the name in the header. Thus you may need 3 certs
installed if you wish to be able to use FQDN, hostname and IP to address the
server.

In your case it does not matter what the name of the server actually is, as long
as the cert installed is issued for the name that the WSUS client will be
putting into the HTTP header. If the cert does not match, then for IE the user
is asked if they trust the cert and can continue to access the server. For the
WSUS client there is no possibility to ask, so the request simply fails.

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

Daniel V

Apr 21, 2009, 6:41:02 PM
One last question; this is probably more of an IIS question than WSUS. I
don't really need to generate a unique certificate for the second server that
will have hosts redirected to it from the Internet, right? Do I just import
the certificate from the master server into the IIS of the DMZ server? I
believe the option when assigning a certificate is to choose "Assign an
existing certificate". Then when configuring SSL on the DMZ server, do I run
wsusutil configuressl and use the name of the master server?


Daniel V

May 22, 2009, 9:51:00 PM
OK, found out this is easier than expected. The trick was to create a cert
that contains more than one common name. So the one cert can contain the
wsusserver1 and wsusserver2 names, so either computer can respond to either
name with WSUS requests.

I was having so many problems trying to use a cert with one name in it, as
consoles would fail to open and all sorts of other errors.

So now I have another question: is the use of SelfSSL from the IIS resource
kit secure? I would like to generate a cert using our root authority but I'm
having trouble figuring out how to use the multiple names in the request.
Is it as easy as just adding a comma between the names in the cert request? I
could use SelfSSL and deploy that cert to computers, but I'm not sure if there
is anything less secure with that cert than using the root authority. I know
these are more IIS and certificate questions than WSUS, but any help is much
appreciated. Once I get this all up I plan on posting detailed instructions
or a video on how to do this, as it has taken a bit of research and many
people I see are also asking how to do the same thing.
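The rule Dave Mills states (the cert must carry the name the client put in the request, not the name of the box that answered) and the multi-name cert that resolved the thread can be checked with a small name-matching model. This is an added example, not code from the thread; the `Cert` class, the `wsusserver1`/`wsusserver2` certificates and the `companyname.com` zone are constructed stand-ins for the servers discussed above, and the matching follows the usual client rule (SAN dNSName entries win, CN is a fallback, `*.` covers one label).

```python
"""Model of the hostname check a TLS client applies before trusting a server cert.

Added example (not from the thread). Certificates below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for the identity fields of an X.509 certificate."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)

    def names(self) -> list[str]:
        # Clients use SAN dNSName entries when present; the subject CN is
        # only consulted when the certificate has no SAN at all.
        return self.san_dns if self.san_dns else [self.common_name]


def _name_match(pattern: str, host: str) -> bool:
    """Match one certificate name against the requested host (case-insensitive)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    parts = host.split(".", 1)          # a wildcard covers exactly one label
    return len(parts) == 2 and parts[1] == pattern[2:]


def cert_matches(cert: Cert, requested_host: str) -> bool:
    """True if a client that asked for requested_host would accept this cert."""
    return any(_name_match(n, requested_host) for n in cert.names())


# Constructed certs mirroring the two designs in the thread.
SINGLE_NAME_CERT = Cert(common_name="wsusserver1")
MULTI_NAME_CERT = Cert(
    common_name="wsusserver1",
    san_dns=["wsusserver1", "wsusserver2",
             "wsusserver1.companyname.com", "wsusserver2.companyname.com"],
)


def check_scenarios() -> dict[str, bool]:
    """GPO names wsusserver1; external DNS sends that request to the DMZ box."""
    return {
        # The DMZ box answering as wsusserver1 with the copied cert is fine...
        "dmz box, single cert, client asked wsusserver1": cert_matches(SINGLE_NAME_CERT, "wsusserver1"),
        # ...but the same cert fails for the FQDN or the other short name (3-cert point).
        "single cert, client asked FQDN": cert_matches(SINGLE_NAME_CERT, "wsusserver1.companyname.com"),
        "single cert, client asked wsusserver2": cert_matches(SINGLE_NAME_CERT, "wsusserver2"),
        # A multi-name cert lets either machine answer for either name.
        "multi-name cert, client asked wsusserver2": cert_matches(MULTI_NAME_CERT, "wsusserver2"),
        "multi-name cert, client asked FQDN": cert_matches(MULTI_NAME_CERT, "wsusserver2.companyname.com"),
    }
```

Because the WSUS agent cannot prompt the way IE does, every `False` above is a silently failed update check, which is why the single-name cert copied to the DMZ server only works for exactly the name the GPO hands out.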
