IIS 5 access times
I've been searching for a solution and I can't find one. I know with IIS that you can create access rules based on IP addresses, IP ranges, and domains.
What I want to do is set permission based on time of day.
I have a certain Windows Server Update Services server that I use to deploy updates to a couple of remote offices. Those line speeds are HORRIBLE because that is the only service available in the area. It is good enough for business traffic, but when the workstations start downloading updates, the network chokes.
I have scheduled those workstations to install updates at night during off-peak hours. However, the workstations still download the updates regardless of scheduled install time. I've been having to go in and deny access to the address range and then allow it later in the evening.
I'd like to do the following:
1. Deny access to the update server from certain IP ranges during certain hours.
2. Create a script of some sort to modify the IIS access rules to allow/deny traffic. Then schedule that script to allow/deny access at different times.
Can this be done? If so, how?
I've also thought about running the Windows Update Service as a specific user and denying access to that user during certain hours. I have not tested that and am not sure if it'd work. I could then schedule the service to start and stop at certain hours.
I'd prefer to do this on the server side if possible.
Any insight or ideas are welcome. :)
Thanks in advance.
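One way to script option 2 from the post above, as an added example that is not part of the original thread: a VBScript that uses the IIS ADSI `IPSecurity` object to add or remove deny entries for the remote ranges. The metabase path `IIS://localhost/W3SVC/1/Root` and the two address ranges are placeholder assumptions, and the script assumes the site grants access by default.

```vbscript
' Added example: toggle-wsus-access.vbs
' Usage: cscript //nologo toggle-wsus-access.vbs deny|allow
Option Explicit

' Assumptions (placeholders, not from the thread): metabase path and ranges.
Const SITE_PATH = "IIS://localhost/W3SVC/1/Root"
Dim remoteRanges
remoteRanges = Array("192.0.2.0, 255.255.255.0", "198.51.100.0, 255.255.255.0")

Dim mode, vdir, ipSec, current, entry, kept
If WScript.Arguments.Count <> 1 Then Usage
mode = LCase(WScript.Arguments(0))
If mode <> "deny" And mode <> "allow" Then Usage

Set vdir = GetObject(SITE_PATH)
Set ipSec = vdir.IPSecurity
ipSec.GrantByDefault = True   ' IPDeny is only honoured when access is granted by default

' Keep every existing deny entry that this script does not manage.
Set kept = CreateObject("Scripting.Dictionary")
current = ipSec.IPDeny
If IsArray(current) Then
    For Each entry In current
        If Not IsManaged(entry) Then kept(NormKey(entry)) = entry
    Next
End If
' In deny mode, add the remote-office ranges back in.
If mode = "deny" Then
    For Each entry In remoteRanges
        kept(NormKey(entry)) = entry
    Next
End If

ipSec.IPDeny = kept.Items     ' write the list back to the metabase
vdir.IPSecurity = ipSec
vdir.SetInfo
WScript.Echo "Remote ranges set to: " & mode

Function NormKey(s)           ' compare entries ignoring spaces and case
    NormKey = LCase(Replace(s, " ", ""))
End Function

Function IsManaged(s)         ' True if s is one of the remote-office ranges
    Dim r
    IsManaged = False
    For Each r In remoteRanges
        If NormKey(r) = NormKey(s) Then IsManaged = True
    Next
End Function

Sub Usage
    WScript.Echo "Usage: cscript toggle-wsus-access.vbs deny|allow"
    WScript.Quit 1
End Sub
```

Two Scheduled Tasks entries, one running the script with `deny` at the start of business hours and one with `allow` in the evening, replace the manual toggling described in the post.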
I don't know any way of doing that on a web server, but I do recall that some firewall software/cache software will do that sort of thing. Our squid cache will certainly do that, needs some setting up though.
I was considering setting up a spare Cisco router that I had lying around and using the Time-Based ACLs on that. Unfortunately, the only spare Cisco router that I have at the time is a personal one. If worse comes to worse, I'll donate it for a couple of months until they get their scheduled line upgrades. (I can't wait!)
That brings me to another thought... I have that specific WSUS server running in VMware. I might be able to create another VMware session of a Linux server (IPCop maybe?) and use the iptables time rules... It's more work than I had originally wanted... but not too bad.
Ahha! Maybe use IPCop with the "BlockOutTraffic" or BOT add on...
If m$ were not so restrictive on their licensing... I'd just copy the WSUS to another VMware session and give it a different server name, point the clients to that and just run that during the hours I want... but I won't be able to get authorization to spend the $ on another m$ server license at this time.
I was hoping for a "quick fix".... I wasn't really looking for "work" on Friday... ;)
I know it doesn't really answer the initial question but that is one of the main reasons that I really don't like WUS/SUS... SMS is by far a better package for managing distribution of updates to workstations in various geographical regions and at different times. You can control when the advertisements go to the PCs to start downloading the patches, and you can schedule when the patches will actually kick off and start to install.
Free does not always mean good. Even though the GNU people will argue that with you.