[RndTbl] squid caching of Windblows Updates

Mike Pfaiffer high.res.mike at gmail.com
Thu Apr 15 10:32:37 CDT 2010


On 2010-04-15, at 9:29 AM, Trevor Cordes wrote:

> On 2010-04-15 Robert Dyck wrote:
>> The organization I work for wants to set up a proxy server for
>> Windows updates. We work with older computers, XP and 2000. We have a
> 
> The setup I suggest *should* also support Win2k ok.  I *think* I
> remember it being ok back in the day when I had customers with w2k.
> For sure it supports wpad.dat, so as long as it hits windowsupdate.com
> for updates, it should work.  Even w98 may work.

	We're part of the same group (it was yours truly who brought up the original topic).

	The thing is we can't really control what machines we get. Sometimes it's XP and other times it's 2K. Sometimes we are lucky and the XP machines have been updated to the previous update. It doesn't look like we'll be getting Vista or W-7 licenses in the near future. The machines couldn't run it anyway.

	In addition to the Windows updates we also have firewall, anti-virus, and anti-spyware. We also install a ZIP package. It used to be Winzip but we found 7-zip does more things. 7-zip installs directly from the net. The idea was we could knock off 45min - 1 hour per machine installation. The connection to the net gets pretty slow sometimes. That's another issue beyond our control.

>> server available, and a couple of us want to use Ubuntu server. The
> 
> Any distro should work fine.  I prefer Fedora, but that's just me!

	The thing is we are "lightweights" when it comes to how to install this sort of thing. The reason I suggested Ubuntu server is because it's available and it is a very quick install. I have an hour at the end of the day to do extra things around the lab so I figured we could do it a little at a time.

	We don't actually have a web server. I mention it because previous discussion suggested it. The machine we have at the moment is a single FreeNAS box. We have hardware ready to go. Just no idea how to proceed.

>> Trevor, you offered to send your entire squid.conf file; could I get
>> that please?
> 
> I will email it directly.  Obviously it will have to be tweaked for
> your site.

	Again, we are "lightweights". The more directions the better.

>> Also, my college suggested getting software to make the server a
>> router, while I had considered getting a hardware router and just
>> configuring the server as a proxy server. Any recommendations about
>> topology or software?
> 
> All my squid caches are also routers/firewalls.  Seems silly to
> dedicate multiple boxes to what 1 can do quite well, but that's my
> personal preference.

	Here is our current setup...
AC Router <--> CLL Hub <--> Various machines

	We don't control the AC Router. We can put in requests but they are having problems with Barracuda at the moment so it will be quite a while before they can help out.

	My thoughts are if we can make the whole process transparent to the machines being installed/repaired it would save us a bunch of time. To do this I figured we'd need a router between the incoming connection and the hub. OTOH, if the machine were on the other side of the hub we'd end up having to configure the machines and restore them when we were done.

	This is what *I* think we'll have to do...
AC Router <--> CLL Router/Squid <--> CLL Hub <--> Various machines

	I don't know enough about Squid to know if we can get rid of the router part of the machine then have it sit between the AC Router and our machines. Our machines are generally set up for DHCP so my concern would be where we get the IPs from.

>  All my routers/firewalls are 100% custom.  If
> you're looking for an inexpensive turnkey and 100% managed solution,
> let me know as that's what my company does, we can even use your old
> hardware (tailored for micro and small business).

	Bear in mind this may or may not last a while. Given the games M$ seems to be playing with licenses it may come down to Linux (and old Macs) or nothing. AFAIC, that would be fine. Unfortunately the short-sighted behaviour of many employers means unless we give out M$ machines the clients are mostly ignored. It would be very hard to justify coming up with money to pay someone to install it for us (I don't get paid and I'm the senior volunteer - I don't think the supervisor gets paid either). I think I could persuade them to buy you a lunch at Subway though... :-)

				Later
				Mike



