Use WSUS when local, MU when remote? (But still report to WSUS)

We currently have our single internal WSUS server configured for all computers, both desktops and laptops. The WSUS server is available internally only (either VPN or LAN). We have some remote users who are almost never on-site and semi-frequently VPN into the network. Instead of having them download Windows Updates across the VPN, I'd like to accomplish the following:

  • While the clients are on the local network, they check the WSUS server for the updates that are approved and download them from our local WSUS server.
  • While the clients are remote, they check in to the WSUS server and the WSUS server dictates which updates to download, but they download them straight from Microsoft.

From what I've read, this is probably possible by having a secondary WSUS server that tells the clients to download from Microsoft and utilizing DNS netmask ordering to tell the clients which WSUS server to contact; is there a way to do this with a single WSUS server? All remote clients are Windows 7 SP1, WSUS is v3 on Server 2008 R2 SP1. Utilizing Microsoft RRAS for VPN services (IKEv2/SSTP/L2TP/PPTP).


Solution 1:

I don't believe so, but one workaround is to implement an intercepting proxy server on your network. This means that you can configure the WSUS server to instruct clients to download from Microsoft, but still cache the content locally for machines on your network. (As an added bonus, updates will only be downloaded if they are actually needed, so you can be less selective about what you approve.)

A variation of this is to configure WinHTTP on your desktop machines to use a proxy server, although this means laptops that are on-site will still download from Microsoft. In principle you could write some software that detects the current location of the machine and reconfigures WinHTTP as necessary.
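As an added example (not code from the original thread), the location-aware WinHTTP switch sketched in the last paragraph can be a short PowerShell script run elevated from a scheduled task on a network-change event. It decides "on-site" by checking whether the machine holds an address in the LAN prefix (an RRAS VPN client gets an address from the VPN pool, so a VPN session does not count as on-site), then points WinHTTP at the caching proxy or resets it to direct. The prefix, proxy host and port are placeholders; everything else uses only stock Windows 7 / PowerShell 2.0 features (no `-shl`, no `Test-NetConnection`).

```powershell
# Added example, not from the original answer. Assumptions (placeholders):
#   $LanPrefix - the on-site IPv4 prefix; must NOT include the RRAS VPN pool
#   $ProxyHost/$ProxyPort - the intercepting proxy that caches Microsoft Update content
# Run elevated: 'netsh winhttp set proxy' writes the machine-wide WinHTTP setting
# that the Windows Update Agent uses.
param(
    [string]$LanPrefix = '10.10.0.0/16',         # placeholder
    [string]$ProxyHost = 'proxy.corp.example',   # placeholder
    [int]$ProxyPort    = 8080
)

function ConvertTo-IPv4Number ([string]$Address) {
    # Big-endian 32-bit value held in an Int64 (PowerShell 2.0 has no -shl operator).
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IPv4InPrefix ([string]$Address, [string]$Prefix) {
    # True when $Address falls inside $Prefix written as 'network/bits'.
    $network, $bits = $Prefix.Split('/')
    $hostBits = 32 - [int]$bits
    $mask = [int64]4294967295 - ([int64][math]::Pow(2, $hostBits) - 1)
    return ((ConvertTo-IPv4Number $Address) -band $mask) -eq ((ConvertTo-IPv4Number $network) -band $mask)
}

function Test-OnCorporateLan ([string]$Prefix) {
    # Any IPv4 address on the box inside the LAN prefix means we are physically on-site.
    $addrs = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    foreach ($a in $addrs) {
        if (Test-IPv4InPrefix $a.IPAddressToString $Prefix) { return $true }
    }
    return $false
}

if (Test-OnCorporateLan $LanPrefix) {
    # On-site: send WinHTTP through the caching proxy; keep intranet hosts direct.
    netsh winhttp set proxy proxy-server="${ProxyHost}:${ProxyPort}" bypass-list="<local>" | Out-Null
    Write-Output "On-site: WinHTTP proxy set to ${ProxyHost}:${ProxyPort}"
} else {
    # Remote (including VPN): no proxy, so downloads go straight to Microsoft
    # rather than across the tunnel.
    netsh winhttp reset proxy | Out-Null
    Write-Output 'Remote: WinHTTP proxy reset (direct to Microsoft)'
}
# Show the effective setting for the task log.
netsh winhttp show proxy
```

Because the decision is keyed on the LAN prefix rather than on whether the WSUS server is reachable, a laptop connected over VPN is treated as remote, which is the behaviour the question asks for; if the VPN pool overlaps the LAN prefix the check degrades to "always on-site", so keep the pool in its own range.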

Solution 2:

We ended up creating a second WSUS server as a replica of the main server with the one difference that any clients reporting to it download their updates directly from Microsoft (instead of it caching the downloads locally). We will most likely just use a GPO for all of our remote clients to report to this new WSUS server instead of using any DNS solutions; 99% of the time they are outside of the office so it's just simpler in the long run.
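An added check (not part of the original answer) for confirming that a remote laptop actually picked up the GPO pointing it at the replica server: read the Windows Update policy registry values the GPO writes and compare them with what you expect. The registry path and value names (`WUServer`, `WUStatusServer`, `UseWUServer`) are the standard WSUS client policy keys; the expected server URL is a placeholder.

```powershell
# Added example, not from the original answer. Verifies the WSUS client policy a
# GPO applied and nudges the client to re-detect against the (new) server.
# Assumption: $ExpectedServer is the replica WSUS URL from your GPO (placeholder).
param([string]$ExpectedServer = 'http://wsus-remote.corp.example:8530')  # placeholder

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Returns $null if no WindowsUpdate policy has been applied at all.
    if (-not (Test-Path $policyPath)) { return $null }
    $wu = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$policyPath\AU" -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer       = $wu.WUServer        # server the client asks for approvals
        WUStatusServer = $wu.WUStatusServer  # server the client reports status to
        UseWUServer    = $au.UseWUServer     # 1 = use the intranet server above
        TargetGroup    = $wu.TargetGroup     # set only if client-side targeting is used
    }
}

$p = Get-WsusClientPolicy
if ($null -eq $p) {
    Write-Warning 'No WindowsUpdate policy present; GPO has not applied yet (try gpupdate /force).'
    exit 1
}
$p | Format-List WUServer, WUStatusServer, UseWUServer, TargetGroup

if ($p.UseWUServer -ne 1) {
    Write-Warning 'UseWUServer is not 1: client will talk to Microsoft Update directly and never report to WSUS.'
}
if ($p.WUServer -ne $ExpectedServer) {
    Write-Warning "WUServer is '$($p.WUServer)', expected '$ExpectedServer'."
} else {
    Write-Output 'Client is pointed at the expected WSUS server.'
}

# Reset the client's WSUS cookie and trigger a detection cycle so it shows up on
# the new server promptly (wuauclt is the Windows 7 / WSUS 3 era client tool).
wuauclt /resetauthorization /detectnow
```

With the replica configured not to store update files locally, a client that passes this check still downloads content from Microsoft while approvals and status reporting go through the replica, which is the split the question asked for.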