Jason,

You are correct that SUS has the ability to act as a filter, where updates are approved on an "internal" server and the clients are re-directed to the "external" windowsupdate site for the download of the update itself. However, SUS also facilitates building an internal infrastructure of distribution servers which the managed clients can access for approved update download and installation. One server can be configured as the interface to Microsoft for the receipt of new updates and this server is the source of updates for the downstream distribution servers. Each distribution server can support up to 15,000 clients, according to MS.

SUS uses a file transfer protocol known as BITS (Background Intelligent Transfer Service) to deliver the updates (SUS is a pull technology). BITS is network bandwidth aware and will suppress itself to avoid impacting the end user when other traffic is detected. It is also state aware and will continue a download from the point it left off in the event the client is disconnected from the network or re-booted mid-transfer. Our testing showed this technology to be effective with both network connected and dial-up clients. The autoupdate client is self-aware of updates available and those it needs and will chain multiple updates together and install with just one re-boot.

Downside, it currently only supports Windows 2000 and Windows XP as clients. It also has fairly weak reporting capabilities (raw IIS log). It currently only supports critical updates and security rollups (service packs are in the works I am told).

From what I've seen of the product (it is free) it can provide substantial assistance with patch maintenance for many organizations.

http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
Jeff Hargreaves
[EMAIL PROTECTED]

-----Original Message-----
From: Jason Coombs [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 11:38 AM
To: Jed Needle; [EMAIL PROTECTED]
Subject: RE: Critical/Security Updates as well as other Patch Management

SUS is nothing more than a filter for windowsupdate.com that tells managed boxes not to allow windowsupdate.com to install anything other than the subset of updates approved by the SUS administrator. Each Windows box still uses Windows update directly, so all vulnerabilities that impact Windows update and the client-side code that talks to windowsupdate.com are still present when SUS is used.

Jason Coombs
[EMAIL PROTECTED]

-----Original Message-----
From: Jed Needle [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: Critical/Security Updates as well as other Patch Management

On Microsoft platforms there is a patch management util called SUS, "software update service" (I think). Once configured, the server will automatically download relevant patches; you then point the clients to the SUS server and push updates to clients that way.

Jed