I'm trying to figure out the best way to deploy a WSUS/Patch Manager server in my network:
I will have 4 production subnets (A, B, C, D) all separated from each other by firewalls in the same physical location and 1 monitoring subnet (Z) accessible to each of the 4 subnets:
- Subnet A will have 36 Win7 workstations and 10 Win2012 Servers
- Subnet B will have 4 Win7 workstations and 10 Win2012 Servers
- Subnet C will have 2 Virtual Host servers with 10 VM instances
- Subnet D will have 2 Virtual Host servers with 10 VM instances
- Subnet Z contains my SolarWinds tools (Application server for NPM/SAM/iPAM and Orion DB server).
I would like to deploy a WSUS server with the Primary Application Server Role installed on the WSUS server in this zone.
My goal would be to deploy the WSUS server and Patch Manager Primary Application Server in subnet Z. Because of security requirements and software constraints (not allowed to install agents) within my environment I have to limit the amount of ports open from each subnet to the outside.
Based on that constraint, I think I need to deploy the following additional roles on a server in each of the zones (A,B,C,D):
- An Automation Role within each of the subnets (A, B, C, D) to limit the WMI polling of devices to within each zone. Is this the role that queries devices for patch inventory?
- A Management Role within each of the subnets (A, B, C, D) to limit the outbound communication to 1 specific port (4092). Is this the role that reports back to the Primary Application Server?
Do I need an Application Role service within each of the subnets?
Do I need to deploy replica WSUS servers in each zone (A,B,C,D) or can my main WSUS server in Subnet Z function correctly using the above scenario?
(I think communication between my WSUS clients in each subnet and the WSUS server is on outbound ports [8530/8531]; as long as my clients initiate the request I am allowed to do this.)
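As an added example (not part of the original post, and not SolarWinds or Microsoft tooling), the following PowerShell check can be run on a client in subnet A, B, C or D to confirm that Windows Update is pointed at the subnet Z WSUS server by policy and that the client-initiated outbound ports the post relies on (8530/8531 to WSUS, 4092 to the Primary Application Server when run from the host carrying the Management Role) actually open through the firewall. The server names are placeholders.

```powershell
# Added example, not from the original post. Run on a host in subnet A-D to verify
# (1) the WSUS policy settings and (2) outbound reachability of the subnet Z servers.
param(
    [string]$WsusServer         = 'wsus.subnet-z.example',     # placeholder name
    [string]$PatchManagerServer = 'patchmgr.subnet-z.example', # placeholder name
    [int[]] $WsusPorts          = @(8530, 8531),
    [int]   $PatchManagerPort   = 4092
)

function Test-OutboundTcp {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient instead of Test-NetConnection so this also runs on Windows 7 / PowerShell 2.0.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Write-Check([string]$Name, [bool]$Ok, $Detail) {
    Write-Output ("{0,-16} {1,-6} {2}" -f $Name, $(if ($Ok) { 'OK' } else { 'FAIL' }), $Detail)
}

# 1. Policy check: WUServer and WUStatusServer must name the subnet Z WSUS host and
#    UseWUServer must be 1, otherwise the client silently falls back to Microsoft Update.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $policyKey        -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$policyKey\AU"   -ErrorAction SilentlyContinue
foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = if ($wu) { $wu.$name } else { $null }
    Write-Check $name ($value -and ($value -like "*$WsusServer*")) $value
}
$useWu = if ($au) { $au.UseWUServer } else { $null }
Write-Check 'UseWUServer' ($useWu -eq 1) $useWu

# 2. Reachability check: only client-initiated outbound connections are exercised,
#    which is exactly what the firewall between each subnet and Z has to permit.
foreach ($port in $WsusPorts) {
    Write-Check 'WSUS port' (Test-OutboundTcp -TargetHost $WsusServer -Port $port) "${WsusServer}:$port"
}
# Meaningful when run from the host that will carry the Management Role in this subnet.
Write-Check 'PatchMgr port' (Test-OutboundTcp -TargetHost $PatchManagerServer -Port $PatchManagerPort) `
    "${PatchManagerServer}:$PatchManagerPort"
```

A FAIL on a port line while the policy lines show OK points at the inter-subnet firewall rule rather than the client configuration.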