Keeping a network of Windows-based computers up to date with the latest patches from Microsoft is an essential way to close security holes and fix OS instabilities; WSUS (Windows Server Update Services) is Microsoft's central patch management system, designed to simplify this process. The regular stream of updates, both downloaded directly from Microsoft's servers and replicated between the internal WSUS stores, places a considerable strain on the WAN link between sites and creates regular "update storms" once new patches are authorised for installation on the famous "Patch Tuesdays".
Even with the best configuration, involving local office stores and strict group policies, each of those stores needs updating and will report back to its primary server, and the occasional client that contacts Windows Update directly or downloads from a remote repository still adds up to a significant overhead on your WAN infrastructure.
For our scenario we tested a WSUS deployment downloading updates from Microsoft’s servers and pushing these out to a client machine located on the other side of a WAN emulator running at 2MB with 30ms of latency and with a Sangfor S5000 on either side, as shown in the network diagram below.
To simulate a WSUS deployment, on one side of the emulated WAN we created an Active Directory domain controller, installed WSUS onto the DC and configured the required group policy settings. On the other side we set up two Windows 7 client computers and joined them to the domain. After ensuring each of the clients had successfully applied the group policy settings, we began the Windows Update procedure on the first client and observed first pass data reduction rates of 23%, as shown in the screenshot below.
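The step of confirming that each client has actually picked up the WSUS group policy can be scripted. The following PowerShell check is an added example, not code from the original article; the internal WSUS URL it compares against is an assumption and should be replaced with your own.

```powershell
# Added example (not from the original article): verify on a domain-joined client that the
# WSUS group policy has applied and that updates will come from the internal WSUS server
# rather than straight from Microsoft. The expected URL below is a hypothetical placeholder.
param(
    [string]$ExpectedServer = 'https://wsus.corp.example:8531'   # assumed internal WSUS URL
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

if (-not (Test-Path $policyKey)) {
    Write-Warning 'WindowsUpdate policy key missing: the GPO has not applied yet (try gpupdate /force).'
    exit 1
}

# Values written by the "Specify intranet Microsoft update service location" policy setting.
$wu = Get-ItemProperty -Path $policyKey
$au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

$problems = @()

if ($null -eq $au -or $au.UseWUServer -ne 1) {
    $problems += 'UseWUServer is not 1: the client will still contact Windows Update directly.'
}
if ([string]::IsNullOrEmpty($wu.WUServer)) {
    $problems += 'WUServer is not set.'
}
elseif ($wu.WUServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
    $problems += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'."
}
if ($wu.WUStatusServer -ne $wu.WUServer) {
    $problems += 'WUStatusServer differs from WUServer: status reports may go to the wrong server.'
}
# Plain HTTP to the WSUS server leaves update metadata unauthenticated on the wire; prefer HTTPS.
if ($wu.WUServer -and $wu.WUServer -like 'http://*') {
    $problems += 'WSUS location uses http://, not https://.'
}

if ($problems.Count -eq 0) {
    Write-Output "OK: client targets $($wu.WUServer) with UseWUServer=1."
    # Trigger an immediate detection cycle so the first-pass transfer shows up on the WSUS console.
    & wuauclt.exe /detectnow
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it in an elevated PowerShell session on each client before starting the update pass; a non-zero exit code means the client would not have contributed to the cached-traffic figures described above.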
Updates on the second client PC benefited from the content caching, reducing the amount of data transferred by up to 99% and dramatically shortening the time it took to update the machine, since the limit was no longer how long it took to download the updates but how quickly the machine could install them. Scale this up to tens or hundreds of PCs and the reduction in bandwidth consumption becomes quite noticeable.
The amount of bandwidth lost to Windows updates and the nature of the release patterns lead to so-called "update storms" as machines attempt to download the often sizeable patches within the same timeframe, which frequently impacts latency- and bandwidth-sensitive services such as VoIP, Citrix and Remote Desktop connections.
By introducing WAN optimisation technologies, this flood of bandwidth demand can be substantially reduced through compression and block-level caching, leaving only a minimal amount of traffic between each client and server, plus the traffic from the inevitable few clients who still try to connect directly to Microsoft's update servers. This remaining traffic can be further controlled by using the built-in Bandwidth Management capabilities to set minimum and maximum bandwidth values for the various services using the link. That means you can guarantee the amount of bandwidth available for your Remote Desktop/Citrix connections and VoIP communications so they run without degraded performance, while still not sacrificing important OS updates.