Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Do SCCM 2012 SUP Clients Communicate with WSUS?

Posted on 2015-02-05
4
Medium Priority
?
784 Views
Last Modified: 2016-02-20
Points of My Scenario:
1. I need to deploy SCCM 2012 in a Windows Server 2008 R2 domain.
2. Many clients reside behind the firewall, although most are in the non-firewalled network
3. i am using SCCM to deploy Software Updates, for both firewalled clients and non-firewalled clients
4. My firewall is configured to have only ONE IP address with port 80 (http) traffic allowed
5. I plan to use that IP for the SCCM Site server
6. I plan to put WSUS on a separate server (i.e. different IP)

CONCERN: If clients require http access (port 80) to WSUS, then firewall clients will fail to get updates.
QUESTION: Do SCCM clients need to communicate to WSUS in order to get the software updates?
0
Comment
Question by:waltforbes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 40592998
Yes. they need to connect to wsus.
0
 
LVL 18

Accepted Solution

by:
Mike T earned 2000 total points
ID: 40593315
Hi,

#Nagendra - are you sure?

I thought the process was:
clients talk to MP for policy
MP says "I have these updates"
clients pull updates from SUP via the DP


From TechNet
As soon as you enable the Software Update client agent in the SCCM console, the policy is updated for the client containing information that Software Updates should be managed by SCCM.

The next time the client contacts the MP and download the policy it enables the SUP agent on the clients and creates a local policy which points the WSUS agent to the SCCM server with the SUP role.
Ref : Jörgen Nilsson (MVP I think)
https://social.technet.microsoft.com/Forums/systemcenter/en-US/28601136-7e74-4b1f-a5aa-588339463a0b/sccm-client-and-wsus?forum=configmgrgeneral

The key bit is that the SUP syncs the WSUS meta-data and then syncs the patches either from the Windows Update site or locally (MS calls this "download" in the console). WSUS therefore does NOT supply any patches, SUP does it instead.

Refer to TechNet here: https://technet.microsoft.com/en-us/library/bb632618.aspx
for all the port info.

Mike
0
 

Author Closing Comment

by:waltforbes
ID: 40597474
Hi Mike, this was exactly the advice/understanding and reassurance I needed. Wow: my life just became a ton less complex! I am so grateful; thanks a million!
0
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 40597637
I did not say that they download the patches from WSUS. I mean to say that they scan against WSUS.

Updates are downloaded from DP but scanned against WSUS.

BTW I worked in SCCM support for Microsoft Global tech support in my last job. Software updates are a very common support topic there.

=====================================
https://technet.microsoft.com/en-us/library/bb632674.aspx

Having a software update point at a secondary site provides local access to client computers when scanning for software updates compliance. When the secondary site does not have a configured software update point, client computers will connect to the active software update point on the parent site.

http://blogs.technet.com/b/configmgrdogs/archive/2014/06/30/configmgr-2012-windows-update-client-process.aspx

The Windows Update Handler initiates the Windows Update service against the ConfigMgr SUP. (C:\Windows\WindowsUpdate.log)

https://technet.microsoft.com/en-us/library/bb632393.aspx


Software Updates Deployment Evaluation Cycle: Evaluates the state of new and existing deployments and their associated software updates. This includes scanning for software updates compliance, but may not always catch scan results for the latest updates. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Software Updates Scan Cycle: Scans for software updates compliance for updates that are new since the last scan. This action does not evaluate deployment policies as the Software Updates Deployment Evaluation Cycle does. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Group Policy Settings

The following Group Policy settings are required for the Windows Update Agent (WUA) on client computers to connect to WSUS on the active software updates point and successfully scan for software update compliance.

New versions of SCCM allow multiple WSUS servers. Are they for syncing of metadata? One server can do this job isn't it?
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question