SCCM SUP on existing Forefront server?

  • Thursday, November 05, 2009 8:04 PM, abanford

    I had a few questions about using Forefront client security as well as SCCM for software updates.  After reading some of the threads on these forums I think I may have my answers but I wanted to confirm.

    These were my questions/concerns:

    We are getting ready to deploy SCCM in an environment that is already using Forefront with WSUS installed on the Forefront server. From what I have read SCCM and Forefront must share a WSUS server and that WSUS server should not be running any other Forefront or SCCM roles (other than the SCCM SUP). We already have GPOs in place pointing the WUA to the Forefront server for definition updates. Would it be a problem to make the existing Forefront server, which is already running WSUS, the SUP for the central SCCM site?

    Another concern I have with using both Forefront and SCCM, is the Forefront definition updates at remote sites. I will have SCCM secondary site servers with an active SUP at each remote site.  If I have a GPO set to point the WUA to the Forefront server for definition updates, will that mean that SCCM clients at remote sites will also pull software updates from the SUP at the central office rather than the SUP located in the remote site?

    These are what I THINK are the answers.  Please let me know if I am wrong.

    - The central SCCM site can use WSUS that is running on the Forefront server as its SUP.  Instead of only downloading definitions, WSUS will now be downloading all classifications that I specify in the SCCM console under the SUP component properties (including definitions, critical updates, security updates, etc.).

    - Everything that the central WSUS server downloads from MS will be synched out to all SCCM secondary site SUPS.

    - In the WSUS console on the central WSUS server I will have an Auto-Acceptance rule to automatically accept updates of the category Definition Updates only.  This will tell the Forefront clients to automatically install new definitions as they become available.

    - In the GPO for SCCM clients, the WUA policy "Specify intranet Microsoft update service location" will be set to "Not Defined".  The SCCM policy will tell the clients to get their software updates and definitions from the secondary SUP located in their site.

    If this is correct, it will be an improvement because currently the Forefront clients in remote sites are pulling definitions from the Forefront server located in our central office because we have the GPO setting "Specify intranet Microsoft update service location" pointing to that URL. 

Answers

  • Friday, November 06, 2009 7:24 PM, John Marcum (MVP, Moderator)
     Answer
    It's been my experience that of all the site systems the only one that I have trouble out of is the SUP. They tend to break from time to time so I try to limit my environment to as few as possible. If your bandwidth can't handle it then you have no choice but to place them at the secondary sites. Just so you know, the patches don't come from the SUP, they come from the DP; all the SUP sends out is the scan data, which is pretty small.

    The exception is FCS. When you have FCS pulling updates from WSUS those packages get big and tend to require more WSUS servers and more SUPs, unless you go an unsupported route as Steve explained in his blog.

    You don't need the GPO and it may end up breaking stuff.

    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum

All Replies

  • Thursday, November 05, 2009 11:02 PM, John Marcum (MVP, Moderator)
    I run the SUP on the central site server all the time with all the other roles. The only role that I know of that is not best practice to run with other roles is the FSP.

    1. I see no issues running the SUP on the FCS server.

    2. I try to stay away from SUPs on secondary sites anytime possible. I understand that the FCS downloads are quite large and they can cause issues if they are pulled over the WAN. If you have the bandwidth I say stay away from the SUPs at the secondary though. If you do use them you will have to get rid of that GPO pointing clients to the WSUS server; the SCCM client will create a local GPO and that one will override it. Also please see Steve's blog on FCS updates: http://myitforum.com/cs2/blogs/sbobosky/archive/2009/08/06/a-pretty-good-forefront-definition-deployment-solution-part-2.aspx

    All of your answers to your own questions sound accurate to me. Just note what I said about SUPs on secondary sites. ;-)

    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
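  An added check, not part of this thread or of any Microsoft tooling, for the point above about the domain GPO and the ConfigMgr client's local policy both writing the WUA server location: it reports which WSUS/SUP URL the Windows Update Agent on a client is actually using, whether the ConfigMgr client has written a local GPO, and what the ConfigMgr client itself believes its update source is. The expected SUP URL is a placeholder; the `CCM_UpdateSource` WMI class is assumed to be present on a client that has received software update policy.

```powershell
# Added example (not from the thread). Run on a ConfigMgr client as an administrator.
$ExpectedSup = 'http://SUP-SERVER.example.local:8530'   # placeholder: your site's SUP URL

# 1. Effective WUA policy values. Both a domain GPO and the ConfigMgr client's local
#    GPO land in the same registry location, so this is what the WUA really uses.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path (Join-Path $wuKey 'AU') -ErrorAction SilentlyContinue

# 2. Did the ConfigMgr client write a local GPO? It stores it in the machine Registry.pol
#    (UTF-16LE without a BOM, so read it with an explicit encoding).
$polPath = Join-Path $env:windir 'System32\GroupPolicy\Machine\Registry.pol'
$localPolSetsWsus = $false
if (Test-Path $polPath) {
    $polText = [System.IO.File]::ReadAllText($polPath, [System.Text.Encoding]::Unicode)
    $localPolSetsWsus = $polText -match 'WindowsUpdate'
}

# 3. What the ConfigMgr client itself thinks the update source is (assumed class/property).
$ccmSource = Get-WmiObject -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' `
                           -Class 'CCM_UpdateSource' -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty ContentLocation -ErrorAction SilentlyContinue

$report = [ordered]@{
    ComputerName        = $env:COMPUTERNAME
    WUServer            = $wu.WUServer
    WUStatusServer      = $wu.WUStatusServer
    UseWUServer         = $au.UseWUServer
    LocalPolicySetsWsus = $localPolSetsWsus
    CcmUpdateSource     = $ccmSource
    # A mismatch here means the client scans against a server other than its assigned SUP,
    # typically because a domain GPO is still pointing it at the old Forefront/WSUS server.
    MatchesExpectedSup  = ($wu.WUServer -ne $null) -and
                          ($wu.WUServer.TrimEnd('/') -ieq $ExpectedSup.TrimEnd('/'))
}
New-Object PSObject -Property $report | Format-List
```

A client that shows `LocalPolicySetsWsus = True` but `MatchesExpectedSup = False` is the case the thread warns about: the domain GPO and the ConfigMgr local policy are fighting over the same setting.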
  • Friday, November 06, 2009 8:54 AM, Eric Zhang - MSFT (MSFT, Moderator)
    Hi,

    As far as I know, there is no conflict when you install SCCM SUP and FCS on the same server.

    Just a reminder that we do not support deploying FCS signatures using Configuration Manager software updates, and it's recommended to use the SCCM console to deploy updates instead of the WSUS console.
  • Friday, November 06, 2009 4:01 PM, abanford
    Thanks for the replies.  About the SUPs at the secondary sites: we have hundreds of remote sites, some with very low bandwidth.  I was under the impression that having SUPs at the remote sites would reduce the amount of traffic SCCM clients would produce during patch scans and patch installs.  Would it be preferable to have the remote clients use the SUP at the central site and configure them to do patch scans on a random schedule?

    In this scenario, the clients use their locally cached scan results (as long as they are up to date) during a patch installation?  This makes sense, as the actual security patches themselves will be sent to the remote sites as SMS packages and wouldn't be installed by the clients directly from the SUP cache anyway.  If I only have the one SUP at the central site (which is the same server running Forefront), would I want to leave the GPO in place so the clients can still retrieve FCS updates?