Push Patches in DMZ using SCCM 2012

We have 1 MP and multiple DPs for our SCCM 2012 infrastructure. We want to push patches using SCCM 2012 in the DMZ in 2 sites. I hear we can set up IBCM. I am curious what the best way of setting it up is; we just want one SCCM server in each site in the DMZ to push patches, and we just want it to only communicate with the site server. We will not need to push packages to internet clients, just servers in our DMZ. What are your thoughts on best practice? Do we need to set up certificates? I appreciate the info!

The question is a bit generic for a best practice recommendation.
I guess you may have to weigh license cost against the advantages / disadvantages of one scenario or the other.

a.) You can place a DP into the DMZ. From my point of view this is a question of administrative effort compared with the number of clients you want to patch....
In this case, you have to open your internal FW for communication between the MP and the DP (DMZ).
b.) You serve your DMZ servers via the internal MP / DP.
In this case, you have to open your internal FW for communication between the client and the internal MP / DP.

As you do not want to serve internet clients, the ports only have to be open on the internal firewall; the situation would be different if you also wanted to serve internet clients.

Here you can find a list of all the ports needed by the different SCCM services:

In my opinion the client (DMZ) --> DP (internal) scenario is easier to handle because fewer ports need to be open and some of them may be open anyway... But it depends on the number of "clients" that have to be served through the internal firewall.

If you use SCCM, I would assume you use an internal PKI anyway....; the clients mainly have to trust the MP. If you are working with self-signed certificates, they have to be distributed to the clients, so the clients can validate the certificates.

Last but not least, the question is whether WSUS is an option for you, as then only the WSUS ports are needed. WSUS polls from the client side, while SCCM also allows pushing the updates. You can change the WSUS poll interval, so the delay may not be so large. But pushing allows a bit more control over the updates and the time when they should be installed.
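An added example (not from the original answer, and not SCCM's own tooling): a PowerShell script to run on a DMZ server to check which of the default SCCM and WSUS ports the internal firewall lets through to the MP, DP and SUP, and whether the MP's HTTPS certificate chains to a root the DMZ server trusts, which is the trust problem the answer raises for self-signed certificates. Host names are placeholders, the port numbers are the default SCCM/WSUS ports (assumed, since the answer's port list is not reproduced here), and Test-NetConnection needs Windows Server 2012 or later.

```powershell
$Mp  = 'sccm-mp.corp.example'    # placeholder: internal management point
$Dp  = 'sccm-dp.corp.example'    # placeholder: internal distribution point
$Sup = 'sccm-sup.corp.example'   # placeholder: software update point (WSUS)

# Default ports for each role (assumed); adjust if your site uses custom ports
$Targets = @(
    @{ Role = 'MP client policy (HTTP)';  Host = $Mp;  Port = 80    },
    @{ Role = 'MP client policy (HTTPS)'; Host = $Mp;  Port = 443   },
    @{ Role = 'MP client notification';   Host = $Mp;  Port = 10123 },
    @{ Role = 'DP content (HTTP)';        Host = $Dp;  Port = 80    },
    @{ Role = 'DP content (HTTPS)';       Host = $Dp;  Port = 443   },
    @{ Role = 'SUP/WSUS (HTTP)';          Host = $Sup; Port = 8530  },
    @{ Role = 'SUP/WSUS (HTTPS)';         Host = $Sup; Port = 8531  }
)

function Test-SccmPorts {
    foreach ($t in $Targets) {
        # -InformationLevel Quiet returns $true/$false for the TCP handshake only
        $open = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $t.Role; Target = "$($t.Host):$($t.Port)"; Open = $open }
    }
}

function Test-MpCertificateTrust {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Default validation succeeds only if the MP cert chains to a root this server trusts
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{ Host = $HostName; Trusted = $true; Issuer = $cert.Issuer; Expires = $cert.NotAfter }
        } catch [System.Security.Authentication.AuthenticationException] {
            # Untrusted chain: the site CA (or a self-signed MP cert) is not in this server's root store
            [pscustomobject]@{ Host = $HostName; Trusted = $false; Issuer = $null; Expires = $null }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

Test-SccmPorts | Format-Table -AutoSize
Test-MpCertificateTrust -HostName $Mp | Format-List
```

A port that shows Open = False is blocked on the internal firewall (or the role is not listening), and Trusted = False means the MP's certificate must be issued by a CA in the DMZ server's trusted root store, or the self-signed certificate must be imported there, before the client will talk to the MP over HTTPS.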
