Solved

Do SCCM 2012 SUP Clients Communicate with WSUS?

Posted on 2015-02-05
4
678 Views
Last Modified: 2016-02-20
Points of My Scenario:
1. I need to deploy SCCM 2012 in a Windows Server 2008 R2 domain.
2. Many clients reside behind the firewall, although most are in the non-firewalled network
3. i am using SCCM to deploy Software Updates, for both firewalled clients and non-firewalled clients
4. My firewall is configured to have only ONE IP address with port 80 (http) traffic allowed
5. I plan to use that IP for the SCCM Site server
6. I plan to put WSUS on a separate server (i.e. different IP)

CONCERN: If clients require http access (port 80) to WSUS, then firewall clients will fail to get updates.
QUESTION: Do SCCM clients need to communicate to WSUS in order to get the software updates?
0
Comment
Question by:waltforbes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 40592998
Yes. they need to connect to wsus.
0
 
LVL 18

Accepted Solution

by:
Mike T earned 500 total points
ID: 40593315
Hi,

#Nagendra - are you sure?

I thought the process was:
clients talk to MP for policy
MP says "I have these updates"
clients pull updates from SUP via the DP


From TechNet
As soon as you enable the Software Update client agent in the SCCM console, the policy is updated for the client containing information that Software Updates should be managed by SCCM.

The next time the client contacts the MP and download the policy it enables the SUP agent on the clients and creates a local policy which points the WSUS agent to the SCCM server with the SUP role.
Ref : Jörgen Nilsson (MVP I think)
https://social.technet.microsoft.com/Forums/systemcenter/en-US/28601136-7e74-4b1f-a5aa-588339463a0b/sccm-client-and-wsus?forum=configmgrgeneral

The key bit is that the SUP syncs the WSUS meta-data and then syncs the patches either from the Windows Update site or locally (MS calls this "download" in the console). WSUS therefore does NOT supply any patches, SUP does it instead.

Refer to TechNet here: https://technet.microsoft.com/en-us/library/bb632618.aspx
for all the port info.

Mike
0
 

Author Closing Comment

by:waltforbes
ID: 40597474
Hi Mike, this was exactly the advice/understanding and reassurance I needed. Wow: my life just became a ton less complex! I am so grateful; thanks a million!
0
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 40597637
I did not say that they download the patches from WSUS. I mean to say that they scan against WSUS.

Updates are downloaded from DP but scanned against WSUS.

BTW I worked in SCCM support for Microsoft Global tech support in my last job. Software updates are a very common support topic there.

=====================================
https://technet.microsoft.com/en-us/library/bb632674.aspx

Having a software update point at a secondary site provides local access to client computers when scanning for software updates compliance. When the secondary site does not have a configured software update point, client computers will connect to the active software update point on the parent site.

http://blogs.technet.com/b/configmgrdogs/archive/2014/06/30/configmgr-2012-windows-update-client-process.aspx

The Windows Update Handler initiates the Windows Update service against the ConfigMgr SUP. (C:\Windows\WindowsUpdate.log)

https://technet.microsoft.com/en-us/library/bb632393.aspx


Software Updates Deployment Evaluation Cycle: Evaluates the state of new and existing deployments and their associated software updates. This includes scanning for software updates compliance, but may not always catch scan results for the latest updates. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Software Updates Scan Cycle: Scans for software updates compliance for updates that are new since the last scan. This action does not evaluate deployment policies as the Software Updates Deployment Evaluation Cycle does. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Group Policy Settings

The following Group Policy settings are required for the Windows Update Agent (WUA) on client computers to connect to WSUS on the active software updates point and successfully scan for software update compliance.

New versions of SCCM allow multiple WSUS servers. Are they for syncing of metadata? One server can do this job isn't it?
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question