Wsus - Choose your best WSUS architecture

Here they are two official Microsoft Guide to explain you all options to better determine your company wsus infastructure.

here they are some options:

1. There is possibility to define an upstream server where approve patch and replicate to downstream servers. In this case you can decide, to preserve mpls connectivity, to download patch with local internet withouth downloading them from upstream server.
2. Support about roaming clients to point to nearest wsus server.
3. Manage branch offices
4. Centralized management
6. Distributed management

Branch offices

· Using the BranchCache feature:

BranchCache is a new feature in Windows 7 and Windows Server 2008 R2 that reduces
WAN link utilization and improves application responsiveness. To enable BranchCache
acceleration of content served by the WSUS server, install the BranchCache feature on the
server and the clients, and ensure that the BranchCache service has started. No other steps
are necessary. For information about installing BrancheCache, see the
BranchCache Early
Adopter's Guide

· Branch offices with low-bandwidth connections:

In some organizations, branch offices have low-bandwidth connections to the central office
but high-bandwidth connections to the Internet. In this case you may want to configure
 about how to set up this kind of configuration, see
Advanced Synchronization Options.

Support for roaming clients

If you have many mobile users who log on to your network from different sites, you may want to use the following configuration to allow them to update their computers from the closest WSUS server. In this configuration, shown in the "Roaming Clients Using Different WSUS Servers" illustration below, there is one WSUS server per region, and each region is a DNS subnet. All clients are pointed to the same WSUS server name, which resolves in each subnet to the nearest WSUS server. See Appendix D: Configure WSUS for Roaming Clients for more information about how to configure DNS to support roaming clients.

Centralized management

Centrally managed WSUS servers utilize replica servers. Replica servers are not administered separately, and are used only to distribute approvals, groups, and updates. The approvals and targeting groups you create on the master server are replicated throughout the entire organization, as shown in the "WSUS Centralized Management (Replica Servers)" illustration below. Remember that computer group membership is not distributed throughout the replica group, only the computer groups themselves. In other words, you always have to load client computers into computer groups.

It is possible that not all the sites in your organization require the same computer groups. The important thing is to create enough computer groups on the administered server to satisfy the needs of the rest of the organization. Computers at different sites can be moved into a group appropriate for the site. Meanwhile, computer groups inappropriate for a particular site simply remain empty. All update approvals, like computer groups, must be created on the master server.

For step-by-step instructions, see Create Replica Servers later in this guide.

You should also make sure that the upstream server is configured for all the languages required by its replica servers. If you add languages to the upstream server, you should copy the new updates to its replica servers. Changing language options on the upstream server alone might result in a mismatch between the number of updates that are approved on the central server and the number of updates approved on the replica servers

Distributed management

Distributed management offers you full control over approvals and computer groups for the
WSUS server, as shown in the "WSUS Distributed Management" illustration below. With the
distributed management model, there is usually an administrator at each site who decides which update languages are needed, creates computer groups, assigns computers to groups, tests and approves updates, and ensures that the correct updates are installed on the right computer groups. Distributed management is the default installation option for all WSUS installations.

Using express installation files

You can use express installation files to limit the bandwidth consumed on your local network, at the cost of bandwidth consumption on your Internet connection and disk space. By default WSUS does not use express installation files. To understand the tradeoff, you first have to understand how WSUS updates client computers.

Updates typically consist of new versions of files that already exist on the computer being
updated. On a binary level these existing files might not differ very much from updated versions.

The express installation files feature is a way of identifying the exact bytes that change between different versions of files, creating and distributing updates that include just these differences, and then merging the original file with the update on the client computer. Sometimes this is called delta delivery because it downloads only the difference, or delta, between two versions of a file.

When you distribute updates this way, there is an initial investment in bandwidth. Express
installation files are larger than the updates they are meant to distribute. This is because the
express installation file must contain all the possible variations of each file it is meant to update.

The upper part of the "Express Installation Files Feature" illustration shows an update being
distributed with express installation files; the lower part of the illustration shows the same update being distributed without using express installation files. Notice that with express installation files enabled, you incur an initial download three times the size of the update. However, this cost is mitigated by the reduced amount of bandwidth required to update client computers on the corporate network. With express installation files disabled, your initial download of updates is smaller, but the full size of the download must then be distributed to each of the clients on your corporate network.

Express Installation Files Feature

The file sizes in the "Express Installation Files Feature" illustration are for illustrative purposes only. Each update and express installation file varies in size, depending on what files need to be updated. Further, the size of each file actually distributed to clients by using express installation files varies depending upon the state of the computer being updated.


Express installation files are often larger than the updates they are meant to distribute.
On the other hand, it is always less expensive to distribute updates within a network
using express installation files than to distribute full update files.

Not all updates are good candidates for distribution using express installation files. If you select this option, you obtain express installation files for any updates being distributed this way. If you are not storing updates locally, you cannot use the express installation files feature. By default, WSUS does not use express installation files. To enable this option, see
Advanced Synchronization Options.

Secure WSUS 3.0 SP2 Deployment

This guide includes three ways to enhance the security of your WSUS server: