WSUS server behind external ISA, clients use direct server URL to download updates

This is hard to describe, so if something isn't clear, let me know.

We've got a WSUS server set up behind an external ISA server to provide external WSUS access to remote clients.

The internal server name is pfgdsmindwsus12.

The external access to it, and how we configure the clients to contact it, is through secure07.companyname.com.

This works all well and good, as long as we configure WSUS to have the clients download the updates directly from Microsoft.  But if we configure WSUS to have clients download the updates directly from the WSUS server, they try to download through the internal pfgdsmindwsus12/content path instead of the external secure07.companyname.com/content path.

Client communications for status checking and reporting still work fine, it's just that they use the wrong path to try to download the updates.

How do we get the clients to use the external server name URL to download updates, so that clients can download updates from the WSUS server instead of from Microsoft?

Thank you.

P.S., this is the document we used to set up WSUS behind the ISA server.  It's an old document, but it still works:

http://blogs.technet.com/b/wsus/archive/2005/10/21/412901.aspx


  • Edited by clh42 Friday, February 27, 2015 7:46 PM
February 27th, 2015 7:38pm

Hi,

I went through the document which you mentioned above. The ISA server is used as a web proxy to publish the internal WSUS server.

I can't find the official document about how exactly the WSUS client gets the download URL of the update. From my point of view, when the client requests the download URL, the internal WSUS server returns the internal download URL. For some reason, the ISA server doesn't inspect and replace the download URL in the message. Then the client gets the internal URL.

Could you tell me why you want to force the client to download updates from the WSUS server? The update file is transferred via HTTP. It's not encrypted. It will save your internet bandwidth if we let the client just download the update from Microsoft Update.

Best Regards.

February 28th, 2015 8:10am

The real purpose of this is that we need to do a locally published update.  All the pieces are working, except this.  It works fine if we put a PC on the internal network pointing directly to the internal WSUS server, but we have this issue with external PCs coming in through the reverse proxy.

For regular MS updates, yes, we do just let it pull the install files from Microsoft.

Thanks again!

March 2nd, 2015 2:54pm

Any other ideas?

An additional piece of information...

As a test, I was able to put an entry in the HOSTS file of a test PC of the internal server name pointing to the external IP address of the external facing web URL.  Everything worked fine doing this, so overall the whole thing works fine.

But we have no feasible way to touch every existing external PC to make this HOSTS file entry.

So if we can figure out why the "download" URL is reported as the internal server name instead of the external URL used for client communications, I expect everything else would work fine.

  • Edited by clh42 Thursday, March 05, 2015 9:39 PM
March 5th, 2015 9:32pm

Hi,

>>But we have no feasible way to touch every existing external PC to make this HOSTS file entry.

Can we create a DNS record for the WSUS server? Then we can point it to the external IP address.

Besides, if the client can be configured by Group Policy, we can also change the HOSTS file by GP.

Best Regards.

March 10th, 2015 2:44am

This topic is archived. No further replies will be accepted.
