Do SCCM 2012 SUP Clients Communicate with WSUS?

Points of My Scenario:
1. I need to deploy SCCM 2012 in a Windows Server 2008 R2 domain.
2. Many clients reside behind the firewall, although most are in the non-firewalled network
3. i am using SCCM to deploy Software Updates, for both firewalled clients and non-firewalled clients
4. My firewall is configured to have only ONE IP address with port 80 (http) traffic allowed
5. I plan to use that IP for the SCCM Site server
6. I plan to put WSUS on a separate server (i.e. different IP)

CONCERN: If clients require http access (port 80) to WSUS, then firewall clients will fail to get updates.
QUESTION: Do SCCM clients need to communicate to WSUS in order to get the software updates?
waltforbesSenior IT SpecialistAsked:
Who is Participating?
 
Mike TConnect With a Mentor Leading EngineerCommented:
Hi,

#Nagendra - are you sure?

I thought the process was:
clients talk to MP for policy
MP says "I have these updates"
clients pull updates from SUP via the DP


From TechNet
As soon as you enable the Software Update client agent in the SCCM console, the policy is updated for the client containing information that Software Updates should be managed by SCCM.

The next time the client contacts the MP and download the policy it enables the SUP agent on the clients and creates a local policy which points the WSUS agent to the SCCM server with the SUP role.
Ref : Jörgen Nilsson (MVP I think)
https://social.technet.microsoft.com/Forums/systemcenter/en-US/28601136-7e74-4b1f-a5aa-588339463a0b/sccm-client-and-wsus?forum=configmgrgeneral

The key bit is that the SUP syncs the WSUS meta-data and then syncs the patches either from the Windows Update site or locally (MS calls this "download" in the console). WSUS therefore does NOT supply any patches, SUP does it instead.

Refer to TechNet here: https://technet.microsoft.com/en-us/library/bb632618.aspx
for all the port info.

Mike
0
 
Nagendra Pratap SinghDesktop Applications SpecialistCommented:
Yes. they need to connect to wsus.
0
 
waltforbesSenior IT SpecialistAuthor Commented:
Hi Mike, this was exactly the advice/understanding and reassurance I needed. Wow: my life just became a ton less complex! I am so grateful; thanks a million!
0
 
Nagendra Pratap SinghDesktop Applications SpecialistCommented:
I did not say that they download the patches from WSUS. I mean to say that they scan against WSUS.

Updates are downloaded from DP but scanned against WSUS.

BTW I worked in SCCM support for Microsoft Global tech support in my last job. Software updates are a very common support topic there.

=====================================
https://technet.microsoft.com/en-us/library/bb632674.aspx

Having a software update point at a secondary site provides local access to client computers when scanning for software updates compliance. When the secondary site does not have a configured software update point, client computers will connect to the active software update point on the parent site.

http://blogs.technet.com/b/configmgrdogs/archive/2014/06/30/configmgr-2012-windows-update-client-process.aspx

The Windows Update Handler initiates the Windows Update service against the ConfigMgr SUP. (C:\Windows\WindowsUpdate.log)

https://technet.microsoft.com/en-us/library/bb632393.aspx


Software Updates Deployment Evaluation Cycle: Evaluates the state of new and existing deployments and their associated software updates. This includes scanning for software updates compliance, but may not always catch scan results for the latest updates. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Software Updates Scan Cycle: Scans for software updates compliance for updates that are new since the last scan. This action does not evaluate deployment policies as the Software Updates Deployment Evaluation Cycle does. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Group Policy Settings

The following Group Policy settings are required for the Windows Update Agent (WUA) on client computers to connect to WSUS on the active software updates point and successfully scan for software update compliance.

New versions of SCCM allow multiple WSUS servers. Are they for syncing of metadata? One server can do this job isn't it?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.