WSUS Installation for Offline/Disconnected Networks

This is a brief configuration guide highlighting the major points of installing a WSUS system on a disconnected or offline network, i.e. a network that, for certain reasons, does not have an active internet connection. It requires two servers: one on the “internal” side and the other on the internet-connected side, aka the external server. The process is to download the updates on the external server, export them to some type of removable media, transfer them via “sneaker net” to the internal server, and import them there.

Install Windows Server 2003

  • Configure IIS with ASP.NET

Install Report Viewer 2008

Install WSUS Server 3.0 SP2

  • Ensure that the path for the content storage is the same on both servers. If it is stored on C:\wsus, then it must be the same on the other server. If you use a different drive letter, then it must be mirrored on the internal server. If not, you can use wsusutil.exe movecontent, but it is not guaranteed to work properly.
  • During the installation, ensure that Store updates locally is checked.
  • If using any type of SQL database or remote database, enter the correct information. Typically, disconnected installations are smallish, so the Microsoft internal database is sufficient.
  • Use the default IIS website. It is a lot of work to rework the IIS system. If your server is pulling double duty, I suggest that you create new sites for your other applications.
  • On the next page, take note of the Client self update site: http:///selfupdate. You will need that for your group policy if you push one out to your clients.
  • You can use the wizard for configuration on the external server if you want, but cancel it on the internal server. The wizard will hang while trying to make a connection to the Microsoft servers.

Configure WSUS

  • There are several settings that must be the same on both servers for the updates to be recognized properly. If you run into any trouble with your internal server, double check these settings first.
  • Under Options > Update Files and Languages:
    • Update Files
      • Ensure that Store update files locally on this server is selected.
      • Do NOT check Download express installation files. This will cause problems on the internal server.
    • Update Languages
      • Check the languages that you require. It is suggested that you only choose your primary language. This will greatly reduce the number of updates that you will have to transfer.
  • Under Options > Products and Classifications:
    • Products
      • Check the updates that you require.
    • Classifications
      • Check the classifications that you require.
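One way to double check that the settings above match on both servers, as an added example that is not part of the original guide: take a text snapshot of the relevant settings on each server through the WSUS 3.0 administration API and compare the two. The function names, the snapshot line format and the sample values are assumptions made for this example; PowerShell must be installed on both servers.

```powershell
# Added example. Get-WsusTransferSettings needs the WSUS 3.0 administration API
# on the machine it runs on; Compare-WsusSettings only needs the saved snapshots.
function Get-WsusTransferSettings {
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()
    $sub    = $wsus.GetSubscription()
    # One "Key=Value" line per setting the guide says must match.
    "ContentPath=$($config.LocalContentCachePath)"
    "StoreLocally=$(-not $config.HostBinariesOnMicrosoftUpdate)"
    "ExpressFiles=$($config.DownloadExpressPackages)"
    "AllLanguages=$($config.AllUpdateLanguagesEnabled)"
    $config.GetEnabledUpdateLanguages() | Sort-Object | ForEach-Object { "Language=$_" }
    # Update categories are the entries ticked under Products.
    $sub.GetUpdateCategories() | Sort-Object Title | ForEach-Object { "Product=$($_.Title)" }
    $sub.GetUpdateClassifications() | Sort-Object Title | ForEach-Object { "Classification=$($_.Title)" }
}

# Returns the settings found on one server only; no output means the snapshots match.
function Compare-WsusSettings([string[]]$External, [string[]]$Internal) {
    Compare-Object -ReferenceObject $External -DifferenceObject $Internal |
        Select-Object @{ Name = 'Setting'; Expression = { $_.InputObject } },
                      @{ Name = 'OnlyOn'; Expression = {
                            if ($_.SideIndicator -eq '<=') { 'external' } else { 'internal' } } }
}

# Constructed snapshots, standing in for the output of
# "Get-WsusTransferSettings | Set-Content <file>" run on each server.
$external = 'ContentPath=C:\wsus\WsusContent', 'StoreLocally=True', 'ExpressFiles=False',
            'Language=en', 'Product=Windows Server 2003'
$internal = 'ContentPath=D:\wsus\WsusContent', 'StoreLocally=True', 'ExpressFiles=True',
            'Language=en'
Compare-WsusSettings $external $internal
```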

Approving Updates

  • On the external server, start the initial synchronization. Once completed, you may approve the updates.
  • You can select the updates that you want to download. Make sure that you approve any Microsoft Licensing agreements associated with the updates. If you don’t, your updates will not be imported correctly on the internal server.
  • Allow the updates to completely download their corresponding files. This can take quite a while and take up a large amount of disk space. My initial download was nearly 30GB. Click on the server name on the left column and in the Download Status field, it will show the number of updates still requiring files and the amount it needs to download.

Exporting and Importing the Updates

  • After your updates have completely downloaded their files, you may now export them so they can be transferred to your internal server.
  • You can use any backup tool you are familiar with; I used NT-Backup. Create a new backup, and make sure that it is an incremental backup. You don’t want to transfer the entire WSUS content each time you update your internal server.
  • Transfer the backup file to your server on media of your selection.
  • Reference article for more help –
  • To import the updates to your internal server, simply restore them from your backup.

Exporting and Importing the Metadata

  • The updates alone are not sufficient. You will need the metadata for WSUS. The metadata is always transferred in its entirety.
  • Use the command line tool wsusutil.exe, found in Program Files > Update Services > Tools.
  • The command requires (3) arguments – wsusutil.exe export <filename>.cab <filename>.log
  • This will create (2) files that need to be transferred to your internal server.
  • The command wsusutil.exe import <filename>.cab <filename>.log will import the metadata to the server. This can take a while to finish and should not be interrupted.
  • Reference article for help –
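A check worth adding to the transfer steps above, shown as an added example that is not part of the original guide: record a SHA-256 manifest of the backup file and the metadata files on the external server, then verify it on the internal server before restoring or running wsusutil.exe import. The function names, file names and folder layout are assumptions for this example; it uses .NET hashing directly so that it also runs on PowerShell 2.0, which has no Get-FileHash.

```powershell
# Added example. Hashes through .NET so it works on PowerShell 2.0 and later.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

# External server: record name, size and SHA-256 of every file going onto the media.
# Write the manifest outside $Folder so it does not list itself.
function New-TransferManifest([string]$Folder, [string]$ManifestPath) {
    Get-ChildItem -Path $Folder | Where-Object { -not $_.PSIsContainer } |
        Select-Object Name, Length,
            @{ Name = 'Sha256'; Expression = { Get-Sha256Hex $_.FullName } } |
        Export-Csv -Path $ManifestPath -NoTypeInformation
}

# Internal server: emit one row per file that is missing or no longer matches.
# No output means every listed file arrived intact.
function Test-TransferManifest([string]$Folder, [string]$ManifestPath) {
    foreach ($entry in (Import-Csv -Path $ManifestPath)) {
        $file = Join-Path $Folder $entry.Name
        if (-not (Test-Path $file)) {
            New-Object PSObject -Property @{ Name = $entry.Name; Problem = 'missing' }
        } elseif ((Get-Sha256Hex $file) -ne $entry.Sha256) {
            New-Object PSObject -Property @{ Name = $entry.Name; Problem = 'hash mismatch' }
        }
    }
}

# Constructed demo: stand-in files in a temp folder, not real wsusutil or backup output.
$stage = Join-Path $env:TEMP 'wsus-transfer-demo'
New-Item -ItemType Directory -Path $stage -Force | Out-Null
Set-Content -Path (Join-Path $stage 'export.cab') -Value 'constructed metadata'
Set-Content -Path (Join-Path $stage 'export.log') -Value 'constructed log'
Set-Content -Path (Join-Path $stage 'wsus-incremental.bkf') -Value 'constructed backup'
$manifest = Join-Path $env:TEMP 'wsus-transfer-demo.csv'
New-TransferManifest $stage $manifest
# Simulate a file altered between the two servers, then verify.
Add-Content -Path (Join-Path $stage 'export.cab') -Value 'changed in transit'
Test-TransferManifest $stage $manifest
```

A manifest that travels on the same media as the files only catches corruption; carrying it separately, or comparing its hashes by eye against the external server, also catches changes made to the media itself.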

Once the updates and metadata have been transferred to the internal server, it may take a few hours for the server to acknowledge the new updates. You will need to re-approve the updates on the internal server and assign them to your computer groups. Once the updates have been re-approved, it appears as if the internal server has to ‘download’ them from itself. This should take but a few minutes.

If you have any problems, especially with the server saying that it is waiting for updates to finish downloading, then double check the Products and Classifications settings. When new products are imported, they must be activated in that section.
