WSUS 3.0 SP2: Understanding WSUS deployment topology

March 26, 2010

To counter outside threats such as bugs, malware, spyware and vulnerabilities, systems administrators need to update Microsoft products constantly. Microsoft Windows Software Update Services (WSUS) allows a systems administrator to centrally deploy Windows product updates, hotfixes, service packs, features and patches. One of the important benefits of using WSUS is that updates are only deployed if they are authorized by the WSUS administrator. WSUS has advanced features such as reporting, grouping of computers, scheduled deployment times and automatic installation. WSUS will make the life of a systems administrator a lot easier.

Microsoft Windows Software Update Services provides a robust, easy to deploy and easy to manage patch/update management system. Although there are third-party products that accomplish the same thing, WSUS provides one advantage that none of its competitors provide: of course, it's free! In deploying WSUS 3.0, you have the option to create different topologies depending on your environment and specific needs. The most basic deployment is a single server; an enterprise deployment uses upstream and downstream servers, that is, multiple servers for load balancing; and the most advanced deployment uses multiple servers, a remote database and WSUS content on a SAN.

Single Server Deployment

Single Server

In the single-server topology, WSUS 3.0 runs on a single server that downloads updates directly from the Microsoft Update site and then distributes them to servers, desktops, and laptops throughout the internal network. The WSUS server synchronizes with the Windows Update site on the Web. During synchronization, WSUS determines whether any new updates have been made available since it last synchronized. The initial synchronization can take an hour or longer, depending on your organization's bandwidth. Regardless of bandwidth, subsequent synchronizations should be significantly shorter than the initial one.

Multiple Server Deployment

 HO-Branch 

If you have a large organization but don't want to overload a single server, or your network covers multiple geographic locations, a server hierarchy probably makes the most sense. In a server hierarchy, one server acts as the primary upstream server and synchronizes directly with the Windows Update site. Downstream servers on the network then perform the same synchronization, but against the upstream WSUS server rather than the Windows Update site. You can also deploy a BranchCache server with this type of deployment to save bandwidth.

Load Balancing using back end SQL server 

Database Design

This type of deployment includes multiple WSUS servers, a back-end SQL Server and WSUS content on a SAN. This topology provides failover capabilities. By using network load balancing, administrators can provide more reliability while also improving performance. It starts by setting up a back-end SQL Server 2005 cluster, then installing multiple WSUS front-end systems with Network Load Balancing (NLB). The entire WSUS server farm shares the same SQL database and WSUS content, which adds flexibility when adding more servers and content. An administrator can manage the whole server farm from one WSUS console.

Roaming Clients Deployment

Roaming clients 

Laptops can be difficult to keep up to date with the newest patches and updates. These computers travel with their users (sales reps, support pros) from office to office and site to site. The roaming clients topology takes this into consideration: it allows a travelling laptop to pull its updates from the closest WSUS server, reducing the chance of update traffic crossing WAN links. This topology is set up by entering host (A) records in DNS for the WSUS servers, all with the same host name but different IP addresses. Once that is done, the administrator enables netmask ordering and round robin on the DNS server. Netmask ordering restricts name resolution to computers in the same subnet; if a location has no WSUS server, round robin rotates through the list of available hosts on other subnets. As you can see, WSUS offers many setup options that work in various network environments, giving administrators the flexibility they need to design and implement WSUS. Once the topology has been decided, the next step is to install a WSUS server.
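The DNS setup just described (one host name, several A records, netmask ordering and round robin), as an added example that is not part of the original post. It uses dnscmd on the DNS server; the server name, zone, host name and IP addresses are constructed placeholders.

```powershell
# Added example (not from the original post): register one WSUS host name
# against several IP addresses and enable netmask ordering plus round robin.
# Constructed values: DNS server "dc01", zone "corp.example", host "wsus",
# and one WSUS server IP per site.
$DnsServer   = 'dc01'
$Zone        = 'corp.example'
$HostName    = 'wsus'
$WsusServers = @('10.1.0.10', '10.2.0.10', '10.3.0.10')

# One A record per WSUS server, all under the same name (wsus.corp.example).
# Clients then point their WSUS policy at https://wsus.corp.example, so each
# server's certificate must carry this shared name if HTTPS is used.
foreach ($ip in $WsusServers) {
    & dnscmd $DnsServer /RecordAdd $Zone $HostName A $ip
    if ($LASTEXITCODE -ne 0) { throw "Failed to add A record $HostName -> $ip" }
}

# Netmask ordering: answer first with the address on the client's own subnet.
& dnscmd $DnsServer /Config /LocalNetPriority 1
# Round robin: rotate through the remaining addresses for clients whose
# subnet has no WSUS server.
& dnscmd $DnsServer /Config /RoundRobin 1

# Verify both settings and list the records that were registered.
& dnscmd $DnsServer /Info /LocalNetPriority
& dnscmd $DnsServer /Info /RoundRobin
& dnscmd $DnsServer /EnumRecords $Zone $HostName
```

From a laptop at each site, nslookup wsus.corp.example should list that site's WSUS address first.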

Relevant topics:

Install and configure WSUS 3.0 SP2 – Step-By-Step

Windows Server 2008: Windows Server Update Services Role–Step by Step Guide

Troubleshooting WSUS server

How to configure Windows Server Update Services (WSUS) to use BranchCache



How to configure Microsoft SharePoint server 2007

March 24, 2010

Microsoft SharePoint Products and Technologies is a Content Management System with integrated search functionality developed by Microsoft that allows users to work in a web-based collaborative environment. Microsoft provides certain built-in functionality and third party developers can also develop custom modifications to extend functionality. Microsoft released SharePoint server 2010 64 bit beta. Here, I am going to talk about SharePoint Server 2007.

Systems requirements:

Windows Server 2003 or Windows Server 2008

Internet Information Services (IIS) 6.0 or higher

SMTP service enabled in IIS

ASP.NET 2.0

.NET Framework 3.0

Windows Workflow Foundation

SQL Server 2000 or SQL Server 2005 Express or higher, with Management Studio

Antivirus and Forefront Protection for SharePoint

Hardware requirements:

Processor 2.5GHz minimum, dual processors, 3GHz recommended.

RAM 1GB minimum, 2GB or more recommended.

Disk 3GB free NTFS. More disk space is recommended, depending on your storage needs.

Network 1 gigabit per second is suggested

These are the minimum specifications. However, you must add more resources to the SharePoint server depending on the number of users and the configuration you choose.

Create and configure SQL

Once you have installed all prerequisites, you need to configure SQL Server before you start installing SharePoint. To do this, open SQL Server Management Studio from Start menu>All Programs>Microsoft SQL Server>SQL Server Management Studio.

You will be presented with the SQL\SQLExpress database connection window. Click Connect, using Windows authentication. Create a new database named SharePoint (or your preferred name). Right-click on the new database>Properties>Options>Collation and change it to Latin1_General_CI_AS_KS_WS.


Important! Change the database collation to Latin1_General_CI_AS_KS_WS. Otherwise you get this error: "The specified database has an incorrect collation. Rebuild the database with the Latin1_General_CI_AS_KS_WS collation or create a new database".
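The same database creation and collation check done from a script rather than Management Studio, as an added example that is not part of the original post. It assumes the sqlcmd command-line tool that ships with SQL Server, the constructed instance name .\SQLExpress, and Windows authentication for the account running it.

```powershell
# Added example (not from the original post): create the SharePoint database
# with the required collation and verify it before running SharePoint setup.
# Constructed values: instance ".\SQLExpress" and database "SharePoint".
$Instance = '.\SQLExpress'
$Database = 'SharePoint'
$Required = 'Latin1_General_CI_AS_KS_WS'

# Create the database only if it does not exist, setting the collation at
# creation time so no later ALTER is needed. -E = Windows authentication,
# -b = return a non-zero exit code on any T-SQL error.
$create = "IF DB_ID(N'$Database') IS NULL CREATE DATABASE [$Database] COLLATE $Required;"
& sqlcmd -S $Instance -E -b -Q $create
if ($LASTEXITCODE -ne 0) { throw "CREATE DATABASE failed on $Instance" }

# Read the collation back. SET NOCOUNT ON suppresses the row-count line,
# -h -1 drops the column header and -W trims padding, leaving just the value.
$query = "SET NOCOUNT ON; SELECT CAST(DATABASEPROPERTYEX(N'$Database','Collation') AS nvarchar(128));"
$out   = & sqlcmd -S $Instance -E -b -h -1 -W -Q $query
if ($LASTEXITCODE -ne 0) { throw "Collation query failed on $Instance" }
$actual = ($out | Where-Object { $_ -and $_.Trim() } | Select-Object -First 1).Trim()

# This is exactly the condition behind the installer error quoted above.
if ($actual -ne $Required) {
    throw "Database '$Database' has collation '$actual'; rebuild it with $Required"
}
"Database '$Database' on $Instance uses $Required"
```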

Installation:


If you want to have more than one server, select Advanced>Complete Installation; otherwise a standalone installation will do. A file location other than the system partition can be selected.


Initial Configuration


Publish SharePoint in ISA or Forefront TMG

Log on to the ISA server or Forefront TMG. Open the management console>Task Pane>Publish new web sites (ISA) or Publish SharePoint (Forefront TMG). Follow these screenshots.


In this window, click new to add new listener.


Start Windows Services


Configure Wiki, Document Library in SharePoint

Log on to the SharePoint server. Open SharePoint Central Administration and provide a domain user name and password. You will be presented with the SharePoint Central Administration window. Click on Operations>Topology and Services>Services on this server>start all the services. To set up incoming and outgoing e-mail, you must have the SMTP service installed and started.


Click on Site Actions>Create. In this window you can create a document library, a Wiki and so on.


SharePoint and DNS records

Log on to the DNS server. In an Active Directory environment, the domain controller is a DNS server by default. Add a Host (A) record and a CNAME for the SharePoint server if you want to reach SharePoint by FQDN rather than by NetBIOS name.

Relevant Topics:

Deployment for 2007 Microsoft Office SharePoint Server

Microsoft SharePoint Server



WSUS Health Check

March 24, 2010

Group Policy: Group Policies are the easiest way to configure automatic update settings for client systems in an Active Directory environment. To check whether the WSUS policy has been applied, log on to the client computer, open a command prompt, type gpresult.exe and hit Enter. You will be presented with a list of the GPOs applied to that machine, including the WSUS policy. Alternatively, you can do the following.

1. Click Start>Administrative Tools>Group Policy Management. The Group Policy Management Console will come up.
2. At the bottom of the Console Tree, you will see a node called Group Policy Results. Right-click on it and choose Group Policy Results Wizard.
3. The Welcome to the Group Policy Results Wizard screen comes up. Just click Next.
4. Now you will come to the Computer Selection screen. You have the choice of This computer or Another computer. Click Next.
5. Now you can select a specific user or check Do not display policy settings for the selected computer in the results (display user policy settings only). Since you are only interested in whether the Updates GPO has run, you will not select a user.
6. Next the Summary of Selections screen comes up, allowing you to review your selections. Once you've verified them, click Next and the Completing the Group Policy Results Wizard screen will come up. Click Finish.
7. At the right, under Summary, click on Group Policy Objects>Applied GPOs. You should see the list of applied GPOs. In this case you are looking for the GPO WSUS Updates.
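A scripted form of the same health check, added here and not part of the original post: instead of reading gpresult by eye, it reads the registry values that the WSUS Group Policy writes on a client and reports whether the client is actually pointed at WSUS. The key path and value names are the standard Windows Update policy ones; the AUOptions meanings in the comment are the documented ones and the sample output is constructed.

```powershell
# Added example (not from the original post): verify on a client that the WSUS
# GPO applied, by inspecting the policy registry keys the GPO populates.
function Test-WsusClientPolicy {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = Join-Path $policyKey 'AU'

    # No policy key at all means the WSUS GPO never reached this machine.
    if (-not (Test-Path $policyKey)) {
        return New-Object PSObject -Property @{
            Applied  = $false
            Problems = @('No WindowsUpdate policy key: the WSUS GPO has not applied')
        }
    }
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue

    $useWsus = ($a -ne $null) -and ($a.UseWUServer -eq 1)
    $server  = $p.WUServer          # where the client fetches update metadata
    $status  = $p.WUStatusServer    # where the client reports its status

    $problems = @()
    if (-not $useWsus) {
        $problems += 'UseWUServer is not 1: client will use Microsoft Update, not WSUS'
    }
    if (-not $server) {
        $problems += 'WUServer is empty'
    } elseif ($server -notmatch '^https://') {
        # Plain HTTP means the WSUS server is neither authenticated nor encrypted
        # on the wire; the post's topologies work the same with an HTTPS URL.
        $problems += "WUServer '$server' is not HTTPS"
    }
    if ($server -ne $status) {
        $problems += 'WUStatusServer differs from WUServer: reports go to a different server'
    }

    New-Object PSObject -Property @{
        Applied        = ($problems.Count -eq 0)
        WUServer       = $server
        WUStatusServer = $status
        UseWUServer    = $useWsus
        TargetGroup    = $p.TargetGroup   # client-side targeting group, if enabled
        # AUOptions: 2 notify download, 3 auto download/notify install,
        # 4 auto download and schedule install, 5 local admin chooses
        AUOptions      = $a.AUOptions
        Problems       = $problems
    }
}

Test-WsusClientPolicy | Format-List
```

Run it on the client after gpupdate /force; a healthy result shows Applied : True with an empty Problems list.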

E-mail Notifications: WSUS 3.0 can send e-mail notifications of new updates and provide status reports to an administrator. To set this up, do the following:
1. Create a user account for the WSUS server to use as an e-mail account. For instance, in our example we created a user account with a mailbox in our domain called WSUS.
2. Now open the WSUS Administrative Console, go to Options in the Console Tree area, then in the Details Pane select E-mail Notifications.
3. In the General tab of E-mail Notifications, as seen in Figure 3.59, put a check beside Send e-mail notification when new updates are synchronized and type the e-mail addresses of the recipients. If you have more than one recipient, separate them by commas.
4. If you are sending status reports to these recipients, put a check beside Send status reports. Select the frequency with which each report is sent (Weekly or Daily) and the time the reports are to be sent, and type in the names of the recipients. You can also select which language you wish the reports to be sent in.
5. Now that the information on the General tab is complete, go to the E-mail Server tab and enter the information about the SMTP server, its port number, the sender's name and e-mail address, and the username and password of the user that you created for the WSUS account earlier.
6. Once you've entered the correct information, click the Test button to verify your settings are correct. If everything looks correct, click OK and you're done.

Personalization: If you want to personalize the way information is displayed for a WSUS server, you can do so by clicking on Personalization within Options. This option allows administrators to choose how server rollup data is displayed, what items will be listed in the To Do list and how validation errors are displayed.

Automatic Approvals:  The Automatic Approvals option allows an administrator to automatically approve updates to be installed based on product and classification, and gives the ability to target which computers to set the automatic approval for. Automatic approvals are based on rules.

1. To create a new rule, first click on Automatic Approvals, found in Options.
2. In the Update Rules tab, select New Rule.

3. There are two steps in the Add Rule box. The first step is to select properties. For our example, we chose an update based on product, so we selected When an update is in a specific product. We could also specify a certain classification if we wanted to. Type a name for the rule, such as Windows 7 Approval.
4. The second step is to edit the properties or values. Click on the link for any product and, in the list of products, remove the check from All Products. Now scroll down to the listing for Windows and select Windows 7 Client. Click the Approve the update for link and select the Windows 7 computer group, then click when an update is in and select update rollups, features or whatever you need. Then click OK.
5. We are now back at the Add Rule box. Select the Windows 7 Approval rule and click Run Rule.
6. Repeat steps 2 to 5 for all other computer groups, such as Windows Server 2008 x64.

Server Cleanup Wizard:  The Server Cleanup Wizard is used to help administrators manage their disk space by removing unused updates and revisions, deleting computers not contacting the server, deleting unneeded update files, declining expired updates, and declining superseded updates.

Important! If you have WSUS 3.0 downstream servers, you may see discrepancies between upstream and downstream servers. Be extra careful when cleaning up a server.

Reports and logs: You can monitor WSUS event information in the Windows Application event log. You can check detailed update reports, computer reports and synchronization reports from WSUS console>Reports.



How to configure Exchange 2010 Hub Transport (HT) Server

March 17, 2010

The Hub Transport server role manages all mail flow inside the organization, applies transport rules, applies journaling policies and delivers messages to a recipient's mailbox. The Hub Transport server is placed on the internal network within an Active Directory forest. Messages that are sent to the Internet are relayed by the Hub Transport server to the Edge Transport server role that's deployed in the perimeter network. Messages that are received from the Internet are processed by the Edge Transport server before they're relayed to the Hub Transport server. If you don't have an Edge Transport server, you can configure the Hub Transport server to relay Internet messages directly or use a third-party smart host. You can also install and configure the Edge Transport server agents on the Hub Transport server to provide anti-spam and antivirus protection inside the organization. It is best practice to keep two separate servers for the HT and ET roles.

You must deploy a Hub Transport server role in each Active Directory site that contains a Mailbox server role. Deploying more than one Hub Transport server per site provides redundancy. When you install more than one Hub Transport server in an Active Directory site, the connections are distributed. HT server or HT servers read Active Directory for user authorization. That means you can deploy Single Sign on (SSO) in your organization.

To configure HT and ET, maintaining DNS records is a vital part. The Edge Transport server queries the configured external DNS servers to find the DNS records that are required to deliver the message. The DNS servers that are configured for external DNS lookups are queried in the order in which they're listed. If one of the DNS servers is unavailable, the query goes to the next DNS server on the list. The DNS servers are queried for the following information:

Mail exchange (MX) records for the domain part of the external recipient. The MX record contains the fully qualified domain name (FQDN) of the messaging server that's responsible for accepting messages for the domain, and a preference value for that messaging server. To optimize fault tolerance, most organizations use multiple messaging servers and multiple MX records that have different preference values.

Address (A) records for the destination messaging servers. Every messaging server that's used in an MX record should have a corresponding A record. The A record is used to find the IP address of the destination messaging server. The subscribed Edge Transport server uses the IP address to open an SMTP connection with the destination messaging server. The required combination of iterative DNS queries and recursive DNS queries that start with a root DNS server is used to resolve the FQDN of the messaging server that's found in the MX record into an IP address.

On the HT server or servers, you must obtain certificates from a Windows Enterprise Root Certificate Authority before you start installing the HT role.

Prepare Windows Server 2008 x64

Install Windows features:

Windows Server 2008 x64 SP2 or Windows Server 2008 R2

The HT server must be a member of an Active Directory domain

Microsoft .NET Framework 3.5

WCF Activation

Windows Remote Management 2.0

Windows PowerShell V2

Active Directory Lightweight Directory Services (AD LDS)

Net.Tcp Port Sharing Service started and set to automatic start-up

Microsoft Office Filter Pack installed

Computer certificate and web certificates installed
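The feature and service prerequisites from the list above, applied from PowerShell on Windows Server 2008 R2, as an added example that is not part of the original post. It assumes the Server Manager module's feature identifiers (NET-Framework, NET-HTTP-Activation, ADLDS) map to the items listed; WinRM 2.0 and PowerShell V2 are built into 2008 R2, and the Office Filter Pack and certificate enrolment are not scripted here.

```powershell
# Added example (not from the original post): install the Windows features the
# prerequisite list names, set Net.Tcp Port Sharing to Automatic, and confirm a
# machine certificate for this host is present before running Exchange setup.
Import-Module ServerManager

# Assumed mapping to Server Manager identifiers:
#   NET-Framework       = Microsoft .NET Framework 3.5.1
#   NET-HTTP-Activation = WCF Activation (HTTP)
#   ADLDS               = Active Directory Lightweight Directory Services
$features = 'NET-Framework', 'NET-HTTP-Activation', 'ADLDS'
$result   = Add-WindowsFeature $features
if (-not $result.Success) {
    throw "Feature installation failed:`n$($result.FeatureResult | Out-String)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before Exchange setup'
}

# Net.Tcp Port Sharing must be running and start automatically.
Set-Service NetTcpPortSharing -StartupType Automatic
Start-Service NetTcpPortSharing
Get-Service NetTcpPortSharing | Format-Table Name, Status, StartType -AutoSize

# Certificate prerequisite: a machine certificate in LocalMachine\My whose
# subject matches this host's FQDN (issued by the enterprise root CA).
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$pattern = 'CN=' + [regex]::Escape($fqdn)
$cert    = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern }
if (-not $cert) {
    Write-Warning "No machine certificate for $fqdn found in LocalMachine\My"
} else {
    $cert | Format-Table Subject, Issuer, NotAfter -AutoSize
}
```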


Install HT server


Configure HT Server


Add the IP address of the HT server as an internal connector.


Specify local IP ranges.


Test Outlook Web App


Relevant Topics

How to configure Exchange 2010 Client Access Server (CAS) Role

Step by Step Guide on Exchange Server 2010 Edge Transport Role

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step



Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

March 16, 2010

Log on to the Forefront TMG 2010 server using admin credentials. Open Forefront TMG Management from the Start menu. Expand Forefront TMG>Firewall Policy>select Tasks>click Publish Exchange Web Client Access.


Click the New button to add an Exchange farm, i.e. the Exchange CAS servers you have installed.


Click Yes to accept the changes you made.


In this step you will be adding Exchange web listener or CAS servers.


Select a web server certificate you installed beforehand.


Important! You have to install the web server certificate before you proceed to add the publishing rule.

Publishing Mail Server

Expand Forefront TMG>Select Firewall Policy>Select Tasks>Click Publish Mail Servers




How to configure Exchange 2010 Client Access Server (CAS) Role

March 16, 2010

The Client Access server (CAS) role is one of five server roles in Microsoft Exchange Server 2010. CAS is placed in a DMZ or perimeter network facing the Internet, which means CAS is configured with a public IP accessible from the external network. There are six components of CAS: Outlook Web App, Exchange ActiveSync client applications, Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP) version 4, the Availability service and the Autodiscover service. The Client Access server role also provides access to free/busy data by using the Availability service and enables certain clients to download automatic configuration settings from the Autodiscover service.

The Client Access server role accepts connections to Exchange Server 2010 from software clients such as Microsoft Outlook Express, Microsoft Office Outlook and Eudora, which use POP3 or IMAP4 connections to communicate with the Exchange HT server. Hardware clients such as mobile phones use ActiveSync, POP3 or IMAP4 to communicate with the Exchange server. You must install the Client Access server (CAS) role in every Exchange organization and every Active Directory site that has the Mailbox server (HT) role installed.

Prerequisites

The operating system requirement is similar to that of other Exchange Server roles. CAS does not store any mailboxes; it acts as an intermediary between clients and the HT server, so you don't need big storage for the CAS server, but the following Windows Server 2008 features must be installed. Outlook Web Access is secure HTTPS web access, so a web certificate and a computer certificate must be installed on the CAS server. To configure Outlook Anywhere you need to buy an SSL certificate from a third-party vendor such as VeriSign or GoDaddy.


Installation


Configuration


Once you have finished installing and configuring the CAS role, you have to create an Outlook Web publishing rule in Forefront TMG 2010 or ISA Server; otherwise you will be blocked by Forefront TMG.


Relevant Topics

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Step by Step Guide on Exchange Server 2010 Edge Transport Role

Exchange Server 2010: Server Roles

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step



Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

March 15, 2010

Microsoft Forefront Protection 2010 for Exchange Server provides protection for Microsoft Exchange Server 2010 from viruses, worms, spyware and spam. Forefront Protection 2010 is an additional component included in the Forefront TMG 2010 Enterprise version. However, you can also download and install Forefront Protection 2010 on a server that holds the Microsoft Exchange Client Access Server (CAS) role. CAS is an Internet-facing server placed in a perimeter network (DMZ). To ensure comprehensive protection, Microsoft Forefront Protection 2010 for Exchange Server (FPE) can be deployed on Exchange Edge Transport, Hub Transport, Mailbox server, or combined Hub/Mailbox roles. Forefront Protection 2010 for Exchange Server can be installed together with Forefront TMG 2010 if TMG 2010 is installed on an Edge Transport server. System requirements for Forefront Protection 2010 are similar to those of other Exchange Server roles. You need an additional 2GB of free RAM and 2GB of free disk space on top of all other requirements.

Installation of Forefront Protection 2010


Monitoring Configuration

Once you have finished the installation, open Forefront Protection 2010 from the Start menu. Now configure monitoring of incidents, quarantine and notifications.


Policy Management Configuration

Now configure Policy Management: enable Edge Transport, Proxy and Antispam. Set up the engine, and set up internal and external scans. Place internal IP addresses in the allow list.


Relevant Topics:

Download Forefront Protection 2010

Microsoft Forefront Protection 2010

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step


