WSUS is one of those old-school Microsoft products like Exchange, which were never really designed to work beyond the trusted corporate LAN. Given the proliferation of remote workers that rarely need to connect to the corporate VPN, it’s become necessary to expose WSUS to the internet in order to manage patching whenever, wherever.

While working on this, it appeared that no one had previously solved the challenge of getting WSUS working behind a TLS proxy, so I’m pleased I got it working. It also allowed me to push the limits of my web security stack in a way I’ve not seen done before.

Challenges

We’ll need TLS for communications integrity, but as a Windows admin I have better things to do than deploy a standalone Let’s Encrypt service just to handle this one TLS certificate; I want to offload certificate management to my existing automation.

Putting the server directly on the internet opens the door for a firewall or network misconfiguration, so I rejected a direct server access configuration.

I’m not interested in allowing privileged access from an internal ‘trusted’ network with LAN/DMZ or split records, because this is 2019 and no networks are trusted.

How I did it

In the end I managed to get my WSUS service in line with my existing hardened corporate services setup.

First of all, my wsus.corp.net domain is pointed at Cloudflare, as are all my web-facing domains. (The servers that consume WSUS might be IP allowlisted if this gives me any problems in the future.)

My AWS WAF rule set only admits Cloudflare’s IP ranges, allowing me to ‘lock’ an AWS resource to Cloudflare so it cannot be reached directly.

My main corporate services application load balancer (ALB) is configured to listen for wsus.corp.net on 443, then pass traffic back to my WSUS server target group.

The target group also uses port 443, with an IIS self-signed certificate on the WSUS server. It was important not to do any port mapping here; otherwise the non-ALB-aware WSUS service would tell clients to communicate with it on the forwarded port, which won’t work. Fortunately — or unfortunately, depending on who you ask — ALBs don’t perform TLS validation of their targets, allowing me to go 443 to 443 and avoid port mapping.

Benefits

This setup allows AWS and Cloudflare to manage my valid TLS certs automatically, avoiding the admin of having to manage a certificate on the server itself.

Forcing ingress through my WAF-hardened ALB allows me to centralise control of internet traffic into my VPC without creating any exceptions.

Placing my WSUS server on the internet allows me to push out a light GPO to any of my Windows clients, whereby update approvals and status reporting are managed by my server, but the actual update payloads are downloaded directly from Microsoft.

Thus, checking and fetching updates has no dependency on the internal network at all and WSUS is just another web service available to Windows clients.
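As an added example that is not from the original post, here is the client-side policy that the ‘light GPO’ above carries, expressed as the registry values Group Policy would set, plus a check that the configured endpoint is HTTPS on 443 behind a trusted public certificate. wsus.corp.net is the hostname from the post; the function names and the use of direct registry writes (a lab shortcut, in production push the same values via GPO) are my own assumptions.

```powershell
# Added example, not the post's own code. Registry equivalent of the WSUS client
# policy (Computer Configuration > Administrative Templates > Windows Components
# > Windows Update). Run as an administrator on a domain-joined test client.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'
$WsusUrl   = 'https://wsus.corp.net'   # 443 only: no :8531, because the ALB forwards 443 -> 443

function Set-WsusClientPolicy {
    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Detection and reporting go to the WSUS server behind Cloudflare + ALB
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $WsusUrl -Type String
    # Payloads still come from Microsoft, so internet update locations stay allowed
    Set-ItemProperty -Path $PolicyKey -Name DoNotConnectToWindowsUpdateInternetLocations -Value 0 -Type DWord
    # Tell the Automatic Updates agent to use the intranet (WSUS) endpoint
    Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 1 -Type DWord
    Restart-Service wuauserv
}

function Test-WsusClientPolicy {
    # Verify the policy points at https on 443 and that the certificate the
    # client sees is the ALB's publicly trusted one, not the IIS self-signed cert.
    $uri = [Uri](Get-ItemProperty -Path $PolicyKey).WUServer
    if ($uri.Scheme -ne 'https' -or $uri.Port -ne 443) {
        throw "WUServer must be https on 443, got $uri"
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($uri.Host)   # throws if the chain is not trusted by this client
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()
    # The WSUS client web service should answer on its standard path
    $resp = Invoke-WebRequest -Uri "$WsusUrl/ClientWebService/client.asmx" -UseBasicParsing
    [pscustomobject]@{
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Status   = $resp.StatusCode
    }
}

Set-WsusClientPolicy
Test-WsusClientPolicy
```

If Test-WsusClientPolicy reports the self-signed IIS issuer, traffic is bypassing the ALB and the WAF lock to Cloudflare is not in effect for that path.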

Special thanks to: