Hi Everyone,
Currently, I am planning to deploy two WSUS servers into my environment. I just wanted to clarify a question: if I have a firewall that supports TCP outgoing connections only, will that be enough for my internal WSUS server to sync to my external one to update its patch repository, or do the ports need to be fully opened both ways?
Now, in the event that the port has to be opened both ways for the SYN packet to travel, the next issue I would have (because I prefer not to do that) would be to allow the DMZ WSUS server access to the internet by opening the floodgates, which I would also not want to do. But after packet sniffing where the patches are being pulled down from, it's not directly from Microsoft; it seems to be from different URLs all over the board. Anyone cross this bridge before? I'd like to do this as securely as possible, and I think the first option would work wonders if it's a supported configuration.
Any suggestions would be appreciated! :)
-Agent