Enterprise wide install of WSUS, few questions

October 17th, 2007 - 11:47 am ET by Chem73
Hello,

We've been using WSUS 3.0 to patch our servers for a while but are now
looking to do a full new installation for a 10,000 PC estate across 4 core
sites with remote workers, etc.

I've been looking for some help to a few questions we have regarding the
install:

1. We propose 2 servers for each of the 4 sites (for redundancy) maybe using
Network Load Balancing. Would we need 4 SQL 2005 back-end clusters or do
they all communicate with the 1 SQL cluster? If we need 4 SQL clusters then
the licensing costs are going to be huge.
2. If we don't use SQL and end up using MSDE and go with 1 WSUS server per
site, what is the capacity of MSDE - will it handle up to 3000 clients per
server?
3. We would be looking to put an additional server in our DMZ to service the
remote workers - does anyone have any experience of this and how well does it
work?

Thanks in advance for your help, Chris.

Replies

#1 Lawrence Garvin [MVP]
October 20th, 2007 - 10:13 pm ET
"Chem73" wrote in message
news:

> We've been using WSUS 3.0 to patch our servers for a while but are now
> looking to do a full new installation for a 10,000 PC estate across 4 core
> sites with remote workers, etc.
>
> I've been looking for some help to a few questions we have regarding the
> install:
>
> 1. We propose 2 servers for each of the 4 sites (for redundancy) maybe using
> Network Load Balancing.

I'd consider that overkill... if you're really committed to using NLB, then
you can easily serve all 10,000 clients from one NLB cluster.

The only reason for installing remote server farms is if:
[a] you have insufficient bandwidth to support the client load from the
remote site to the corporate site
(approx 5kb/sec per client is needed; 10kb/sec per client if you
envision deploying service packs via WSUS),
[b] you already have the remote infrastructure in place, including
personnel to manage the servers,
[c] you have a large number of clients at a specific site (in which case
[a] is probably also true).

> Would we need 4 SQL 2005 back-end clusters or do they all communicate with
> the 1 SQL cluster?

You will need a separate SQL Server for each NLB front-end farm. Whether
those need to be SQL clusters is a matter of opinion.

Additional deployment details are in the WSUS Deployment Guide, and I highly
recommend reading that document cover-to-cover before proceeding with any
further deployment planning.

While the WSUS team responded to customer demand by providing NLB and
Cluster support, I've been hard pressed to identify an environment that
truly *needs* NLB or SQL Cluster capabilities -- though, obviously, many
*want* that capability. With updates generally being a monthly event, and
the rebuild time (from scratch) of a WSUS server measured in hours, the
$cost$ of maintaining (administrative, licensing, and human resources) an NLB
front-end or a SQL Cluster rarely justifies the risk of the potential
downtime.

> If we need 4 SQL clusters then the licensing costs are going to be huge.

Absolutely!

In fact, assuming an even distribution of those 10k clients across each of
four sites (2500 clients/site), the truth is you can easily support 2500
clients on a single standalone WSUS server using the built in WID, provided
the hardware requirements are sufficient.

> 2. If we don't use SQL and end up using MSDE and go with 1 WSUS server per
> site, what is the capacity of MSDE - will it handle up to 3000 clients per
> server?

"MSDE" isn't an option. "WMSDE" isn't an option (because you're not going to
deploy WSUS 2.0).

WSUS 3.0 will deploy the "Windows Internal Database", which is the SQL 2005
equivalent of WMSDE. The capacity of that database is estimated at about
4,000 clients, based on the published capacity of a WSUS2.0/WMSDE server,
the known performance enhancements of SQL2005 over SQL2000, and the
programming enhancements in WSUS3 over WSUS2; however, the WSUS3
Deployment Guide does not specifically document database capacity.

> 3. We would be looking to put an additional server in our DMZ to service the
> remote workers - does anyone have any experience of this and how well does it
> work?

Placing a dedicated server in the DMZ to support VPN clients is a common
practice and it works quite well. Typically such servers do not maintain
content stores, so that the VPN clients are redirected to microsoft.com to
download content (thus removing that load from the VPN tunnel).

Lawrence Garvin, M.S., MCTS, MCP
MVP - Software Distribution (2005-2007)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pr...nce.Garvin
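
The reply's point about DMZ servers that keep no content store corresponds to a single setting in the WSUS 3.0 administration API. The script below is an added example, not part of the original post: it reports that setting and, only when run with -Apply, turns it on. The host name, port and the -Apply switch are assumptions chosen for illustration.

```powershell
# Added example: audit (and optionally set) the "no local content store" option
# on a WSUS 3.0 server. Host name and port are assumptions, not from the thread.
param(
    [string]$ServerName = 'wsus-dmz.example.internal',  # hypothetical host name
    [int]$Port = 80,
    [switch]$UseSsl,
    [switch]$Apply    # without -Apply the script only reports
)

# WSUS administration API, installed with the WSUS 3.0 console or server
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer(
            $ServerName, $UseSsl.IsPresent, $Port)
$config = $wsus.GetConfiguration()

# Report the settings that decide where clients fetch update binaries from
New-Object PSObject -Property @{
    Server                        = $ServerName
    HostBinariesOnMicrosoftUpdate = $config.HostBinariesOnMicrosoftUpdate
    LocalContentCachePath         = $config.LocalContentCachePath
    IsReplicaServer               = $config.IsReplicaServer
}

if ($config.HostBinariesOnMicrosoftUpdate) {
    Write-Output 'Clients already download approved updates from Microsoft Update.'
}
elseif ($Apply) {
    # Approvals and reporting stay on this server; only the file download moves,
    # which keeps update payloads off the VPN tunnel
    $config.HostBinariesOnMicrosoftUpdate = $true
    $config.Save()
    Write-Output 'Content store disabled: clients will now download from Microsoft Update.'
}
else {
    Write-Output 'Server hosts content locally. Re-run with -Apply to change this.'
}
```

With this setting enabled, clients receive approvals from the WSUS server but need outbound access to Microsoft Update to fetch the files themselves.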