
Throttle Windows update for all hosts except one

We need to throttle all clients that try to run Windows Update, e.g. to 1 Mb shared,

whereas we want our WSUS server to have 10 Mb.

 

Would this be 2x traffic selectors, each applied to 2 bandwidth pools and then applied to the one interface?

The WSUS one being above the catch all rule?

And what would the WSUS server or the clients be: the source or the destination?



  • Why do the clients need access directly to the public Windows Update Servers?  If you have a WSUS Server, they should be able to get everything they need from there.

  • Because there is a guest network with BYOD devices in there too. We're not going to deny them but rather throttle them.

  • EDIT 2019-11-25: Not sure what I was thinking. Ignore this post and use the approach in my post below dated today.

    You just need a single Download Throttling rule on the External interface that limits the Windows Update downloads to 1Mbps for the guest network.  Your Traffic Selector might look like:

    You might consider using the 'Advanced' section to let them have full speed when not getting large updates.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Cheers Bob,

    Great reply with pics. Just to expand it a little further, imagine they were on the same network. I would imagine this would be a case of two rules with the WSUS at the top?
    Treat it the same as the firewall rules, i.e. the first rule to match (WSUS) and the catch-all (all other clients) underneath?

  • Yes, Louis, two Download Throttling rules where the first is an "Exception" for the second:

    1. Limit 'Windows Update' to Hosts A & B to 100Mbps
    2. Limit 'Windows Update' to the subnet A & B are in to 1Mbps

    Cheers - Bob

  • BAlfson said:

    Yes, Louis, two Download Throttling rules where the first is an "Exception" for the second:

    1. Limit 'Windows Update' to Hosts A & B to 100Mbps
    2. Limit 'Windows Update' to the subnet A & B are in to 1Mbps

    Cheers - Bob

     

    I tried your suggestion, but the first rule (the exception) has no effect. The second rule (the general limitation) is working fine, but for all clients, as if there were no exception rule.

    Here is the traffic selector for the exception (for one host, the IP of the computer):

     

    And here is the throttling rule on the external interface for the exception; it is before the second rule in the list.

    If I disable the second rule (the general limitation for Windows Update), the UTM acts as if there were no QoS rule for Windows Update...

     

    Any suggestions?

    Dušan

  • Ahoj Dušan and welcome to the UTM Community!

    I'm glad you posted that my suggestion above didn't work.  It was immediately obvious to me why it did not - when traffic arrives from the Internet, it comes to a public IP, not an internal one.  Inbound response traffic is processed by QoS before it is forwarded by the connection tracker to the original requestor.  That means we need to work with Bandwidth Pools on the Internal interface (assuming the WSUS server is in that subnet).  I haven't played with the "Windows Update" application selector, so it may only work on the External interface, but give the following a try.

    Define Traffic Selectors and Bandwidth Pools like:


    If that didn't work we'll need to try a different approach to get the right traffic.

    Cheers - Bob

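The two points made in this thread, the first-match ordering Bob gives (exception above catch-all) and his explanation of why an exception keyed on an internal host cannot match on the External interface but can on the Internal one, as a small constructed model. This is an added illustration, not Sophos UTM code or anything from the original posts: the addresses, the "any" destination on the catch-all rule, and the simplified "QoS on External sees the public IP, QoS on Internal sees the de-NATed client" ordering are assumptions made for the model.

```python
"""Model of (1) a first-match QoS rule list where the WSUS exception must sit
above the catch-all, and (2) why that exception, keyed on an internal host
address, cannot match on the External interface but does on the Internal one.

Added illustration, not Sophos UTM code. Addresses, the "any" destination on
the catch-all, and the NAT/QoS ordering are assumptions for the model.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"      # assumed UTM external address
WSUS_IP = "192.168.1.20"        # assumed WSUS server
GUEST_IP = "192.168.1.77"       # assumed BYOD client on the same subnet
UPSTREAM_IP = "198.51.100.5"    # constructed stand-in for a Microsoft update host


@dataclass
class Packet:
    src: str
    dst: str
    app: str          # what the application selector classified it as


@dataclass
class Rule:
    name: str
    app: str
    dst_match: str    # host (/32) or subnet the rule is keyed on
    limit_mbps: int

    def matches(self, pkt: Packet) -> bool:
        if pkt.app != self.app:
            return False
        net = ipaddress.ip_network(self.dst_match, strict=False)
        return ipaddress.ip_address(pkt.dst) in net


# Rule order follows Bob's recipe: the exception first, the catch-all second.
RULES: List[Rule] = [
    Rule("WSUS exception", "Windows Update", WSUS_IP + "/32", 100),
    Rule("Guest catch-all", "Windows Update", "0.0.0.0/0", 1),
]


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match semantics, the same way Louis describes firewall rules."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def destination_seen_by_qos(interface: str, client_ip: str) -> str:
    """Destination address the QoS engine sees for an inbound response.

    Per Bob's explanation: on the External interface the response still
    carries the UTM's public IP; the connection tracker only rewrites it to
    the original requestor afterwards, so the Internal interface sees the
    real client address. (Assumed ordering, modelled here.)
    """
    return PUBLIC_IP if interface == "External" else client_ip


def applied_limit(interface: str, client_ip: str,
                  rules: List[Rule] = RULES,
                  app: str = "Windows Update") -> Tuple[Optional[str], Optional[int]]:
    """Name and Mbps of the rule that would throttle this client's download."""
    pkt = Packet(src=UPSTREAM_IP,
                 dst=destination_seen_by_qos(interface, client_ip),
                 app=app)
    rule = first_match(rules, pkt)
    return (rule.name, rule.limit_mbps) if rule else (None, None)


if __name__ == "__main__":
    for iface in ("External", "Internal"):
        for client in (WSUS_IP, GUEST_IP):
            print(iface, client, applied_limit(iface, client))
    # Swapped order: the catch-all shadows the exception even on Internal.
    print("reversed", applied_limit("Internal", WSUS_IP, list(reversed(RULES))))
```

On the External interface every response lands in the catch-all, which is what Dušan observed; on the Internal interface the WSUS host gets the exception and guests get the catch-all, and reversing the two rules silently throttles WSUS. The model assumes the "Windows Update" application selector classifies traffic on the Internal interface too, which Bob flags above as untested.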