Do SCCM 2012 SUP Clients Communicate with WSUS?

Posted on 2015-02-05
Last Modified: 2016-02-20
Points of My Scenario:
1. I need to deploy SCCM 2012 in a Windows Server 2008 R2 domain.
2. Many clients reside behind the firewall, although most are in the non-firewalled network.
3. I am using SCCM to deploy Software Updates, for both firewalled clients and non-firewalled clients.
4. My firewall is configured to have only ONE IP address with port 80 (http) traffic allowed
5. I plan to use that IP for the SCCM Site server
6. I plan to put WSUS on a separate server (i.e. different IP)

CONCERN: If clients require http access (port 80) to WSUS, then firewall clients will fail to get updates.
QUESTION: Do SCCM clients need to communicate to WSUS in order to get the software updates?
Question by:waltforbes
LVL 23

Expert Comment

by:Nagendra Pratap Singh
ID: 40592998
Yes. They need to connect to WSUS.
LVL 17

Accepted Solution

by:
Mike T earned 500 total points
ID: 40593315
Hi,

#Nagendra - are you sure?

I thought the process was:
1. clients talk to MP for policy
2. MP says "I have these updates"
3. clients pull updates from SUP via the DP


From TechNet
As soon as you enable the Software Update client agent in the SCCM console, the policy is updated for the client containing information that Software Updates should be managed by SCCM.

The next time the client contacts the MP and downloads the policy, it enables the SUP agent on the clients and creates a local policy which points the WSUS agent to the SCCM server with the SUP role.
Ref : Jörgen Nilsson (MVP I think)
https://social.technet.microsoft.com/Forums/systemcenter/en-US/28601136-7e74-4b1f-a5aa-588339463a0b/sccm-client-and-wsus?forum=configmgrgeneral

The key bit is that the SUP syncs the WSUS meta-data and then syncs the patches either from the Windows Update site or locally (MS calls this "download" in the console). WSUS therefore does NOT supply any patches, SUP does it instead.

Refer to TechNet here: https://technet.microsoft.com/en-us/library/bb632618.aspx
for all the port info.

Mike

Author Closing Comment

by:waltforbes
ID: 40597474
Hi Mike, this was exactly the advice/understanding and reassurance I needed. Wow: my life just became a ton less complex! I am so grateful; thanks a million!
LVL 23

Expert Comment

by:Nagendra Pratap Singh
ID: 40597637
I did not say that they download the patches from WSUS. I mean to say that they scan against WSUS.

Updates are downloaded from DP but scanned against WSUS.

BTW I worked in SCCM support for Microsoft Global tech support in my last job. Software updates are a very common support topic there.

=====================================
https://technet.microsoft.com/en-us/library/bb632674.aspx

Having a software update point at a secondary site provides local access to client computers when scanning for software updates compliance. When the secondary site does not have a configured software update point, client computers will connect to the active software update point on the parent site.

http://blogs.technet.com/b/configmgrdogs/archive/2014/06/30/configmgr-2012-windows-update-client-process.aspx

The Windows Update Handler initiates the Windows Update service against the ConfigMgr SUP. (C:\Windows\WindowsUpdate.log)

https://technet.microsoft.com/en-us/library/bb632393.aspx


Software Updates Deployment Evaluation Cycle: Evaluates the state of new and existing deployments and their associated software updates. This includes scanning for software updates compliance, but may not always catch scan results for the latest updates. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Software Updates Scan Cycle: Scans for software updates compliance for updates that are new since the last scan. This action does not evaluate deployment policies as the Software Updates Deployment Evaluation Cycle does. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Group Policy Settings

The following Group Policy settings are required for the Windows Update Agent (WUA) on client computers to connect to WSUS on the active software updates point and successfully scan for software update compliance.

New versions of SCCM allow multiple WSUS servers. Are they for syncing of metadata? One server can do this job, can't it?
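Added example, not part of any post in this thread: a PowerShell check, run on a client, that reads the scan server the Windows Update Agent has been pointed at and tests whether the client can open a TCP connection to it through the firewall. It assumes the server URL is stored in the `WUServer` policy value under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`; the function names are hypothetical.

```powershell
# Added example (not from the thread). Assumption: the WUA scan server is
# published to the client as the WUServer policy value under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuaScanEndpoint {
    param([string]$Key = $PolicyKey)
    $policy = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $policy -or -not $policy.WUServer) {
        return $null                      # no scan-server policy on this client
    }
    $uri = [System.Uri]$policy.WUServer   # e.g. http://server:port
    New-Object PSObject -Property @{
        Url    = $policy.WUServer
        Server = $uri.Host
        Port   = $uri.Port                # scheme default if the URL has no port
    }
}

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false                 # timed out: likely dropped by a firewall
        }
        $client.EndConnect($pending)      # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$endpoint = Get-WuaScanEndpoint
if ($null -eq $endpoint) {
    Write-Output 'No WUServer policy value found on this client.'
} else {
    $ok = Test-TcpPort -Server $endpoint.Server -Port $endpoint.Port
    Write-Output ("Scan server: {0}  host={1}  port={2}  reachable={3}" -f `
        $endpoint.Url, $endpoint.Server, $endpoint.Port, $ok)
}
```

Running it on one firewalled and one non-firewalled client shows whether the single allowed IP and port actually cover the server the clients scan against.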
