I work on a network that is completely isolated from the internet. Therefore, I have two WSUS servers: one connected to the internet, which harvests the updates and the metadata, and a second on the isolated LAN. Each week, I check for updates on the internet WSUS server and if anything new pops up, I export the metadata, burn the downloaded files to DVD, then copy it all to the isolated network.
Setting up the WSUS servers was easy. However, understanding how the two WSUS servers interacted was a different story. Here are a few problems I encountered, but have since resolved. If you’re finding that the updates on your disconnected WSUS server are not downloading even after you have imported the metadata and copied the files to the server, check and confirm the following:
- The WSUSContent directory should be in exactly the same location on both servers. If on WSUS server #1 the directory path is C:\WSUS\WsusContent, it should be the same on WSUS server #2. If you have the updates going to a different drive letter or folder, then the metadata in the database from server #1 will not point to the right place when you import it into WSUS server #2. You can run C:\Program Files\Update Services\Tools\wsusutil.exe help movecontent as a possible solution.
- Make sure “Store update files locally on this server” is selected
- Make sure “Download update files to this server only when updates are approved” is checked
- Make sure “Download Express installation files” is checked
- Make sure the language settings under Options => Update Files and Languages are exactly the same on both servers.
Bottom line: make sure these settings are the same on both servers. If you check additional languages, you will need to go back to your internet-connected WSUS server and re-download those versions of the files. You will then need to copy those files to the disconnected WSUS server.
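One way to check the list above without clicking through both consoles, as an added example rather than something from the original post: snapshot the relevant settings on each server with the WSUS administration API, carry the JSON file across with the update media, and compare the two files on the disconnected side. The function names and file names are hypothetical, and the script assumes the UpdateServices PowerShell module is installed on both servers.

```powershell
# Added example. Function and file names are hypothetical.
# Run from an elevated prompt on the WSUS server itself.

function Get-WsusContentSettings {
    # Get-WsusServer with no arguments connects to the local WSUS instance.
    $cfg = (Get-WsusServer).GetConfiguration()
    [pscustomobject]@{
        Server                   = $env:COMPUTERNAME
        ContentPath              = $cfg.LocalContentCachePath
        # "Store update files locally on this server"
        StoreFilesLocally        = -not $cfg.HostBinariesOnMicrosoftUpdate
        # "Download update files to this server only when updates are approved"
        DownloadOnlyWhenApproved = $cfg.DownloadUpdateBinariesAsNeeded
        # "Download Express installation files"
        ExpressFiles             = $cfg.DownloadExpressPackages
        AllLanguages             = $cfg.AllUpdateLanguagesEnabled
        Languages                = (@($cfg.GetEnabledUpdateLanguages()) | Sort-Object) -join ','
    }
}

function Compare-WsusContentSettings {
    param(
        [Parameter(Mandatory)][string]$ConnectedJson,
        [Parameter(Mandatory)][string]$DisconnectedJson
    )
    $a = Get-Content -Path $ConnectedJson    -Raw | ConvertFrom-Json
    $b = Get-Content -Path $DisconnectedJson -Raw | ConvertFrom-Json
    # Server names are expected to differ; every other setting should match.
    foreach ($name in ($a.PSObject.Properties.Name | Where-Object { $_ -ne 'Server' })) {
        # String comparison with -ne is case-insensitive, which suits Windows paths.
        if ("$($a.$name)" -ne "$($b.$name)") {
            [pscustomobject]@{
                Setting      = $name
                Connected    = $a.$name
                Disconnected = $b.$name
            }
        }
    }
}

# On each server (pick a different file name per server):
#   Get-WsusContentSettings | ConvertTo-Json | Set-Content .\wsus-connected.json
# On the disconnected server, after copying the other file across:
#   Compare-WsusContentSettings .\wsus-connected.json .\wsus-disconnected.json
```

No output from the comparison means the content path, storage options and languages match; any row it returns names a setting to fix before importing the metadata.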
When you approve the updates on the internet-connected server, they will not be approved on the disconnected server (the approvals are not stored in the metadata). You’ll have to re-approve the updates on the disconnected WSUS server.
I did notice when you approve an update on the disconnected WSUS server, it appears as if the server has to download the updates from itself. If you click between one of the Update views and the Server Name where the “Updates needing files” count is displayed, it will refresh the updates needing files count.