WSUS via SCCM 2012 R2 LAN vs Internet

    Question

  • We currently use WSUS 3.0 SP2.  One problem we have is that it doesn't handle laptops that rarely connect to VPN very well.

    I know we can set up a second WSUS server that only does approvals and then configure the actual downloads to come from Microsoft.  The problem with that is that the laptops will continue to download from Microsoft and waste our bandwidth even if the user brings the laptop into the office.

    We also have laptops that connect to VPN so rarely that they would even miss just getting monthly update approvals.

    With SCCM, we can set it up so that laptops can reach the server and get update approvals from just an Internet connection without VPN.

    Does WSUS updating through SCCM allow you to change where the updates download from on the fly based on whether the laptop is on the LAN or connected to an external network with Internet access, but no VPN access?



    Saturday, March 22, 2014 17:23

Answers

  • The default behavior is that the clients download the updates from Microsoft when they are on the Internet; if they cannot connect to Microsoft Update, they would download updates from the Internet-based DP.

    If the clients that are configured as IBCM are domain-joined computers, they can automatically switch between Internet-based client management and intranet client management when they detect a change of network.


    Juke Chou

    TechNet Community Support

    • Marked as answer by MyGposts Friday, March 28, 2014 18:28
    Tuesday, March 25, 2014 04:57
    Moderator

All replies

  • Have you configured the Group Policy for WSUS right on the clients? If so, the problem should not happen.

    Juke Chou

    TechNet Community Support

    Monday, March 24, 2014 09:50
    Moderator
  • Hi,

    If you have set up IBCM and use SCCM for patching, then yes, you can have the client get the updates from SCCM and then download the content from Windows Update.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    • Proposed as answer by MadLuka Monday, March 24, 2014 11:10
    Monday, March 24, 2014 10:03
    Moderator
  • The clients are already configured to download updates from WSUS via GPO.

    We need the update approvals to always come from our servers whether or not the laptop is local or remote, but we need to configure the clients to download updates from Microsoft servers when they are on a remote network on the Internet, but download from our internal WSUS content database whenever they are brought into the office.

    We do not want laptops temporarily brought into the office to download updates from the Internet while they are in the office, and we also do not want laptops on the Internet to pull updates out of our internal content database back out to the Internet.  We would like the content download to change automatically based on the location of the laptop.

    Can this be done?



    • Edited by MyGposts Monday, March 24, 2014 17:00
    Monday, March 24, 2014 16:58
  • The update catalog always comes from a WSUS instance where a SUP is installed in your environment when you are using Software Updates in ConfigMgr -- if you change this using a GPO, ConfigMgr will not perform any update activity. The WSUS instance in ConfigMgr is only responsible for the update catalog (and EULAs), nothing more, nothing less.

    There is no such thing as approvals in ConfigMgr. ConfigMgr assigns deadlines for updates to systems or makes them available to be manually installed. After the deadline, the update is considered required or mandatory and the client agent will begin the process of installing it if it is out of compliance on a system. The assignment of an update as available or required is done using the standard ConfigMgr policy mechanism and has nothing to do with WSUS.

    Actual update binaries come from DPs in ConfigMgr unless the client is an Internet-based client in which case the client will try to download the update binaries from Microsoft first (as pointed out by Jorgen).

    Thus, as long as you've properly enabled the support for Internet/Intranet clients in ConfigMgr, what you describe is default behavior.


    Jason | http://blog.configmgrftw.com

    Monday, March 24, 2014 23:30
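
A client-side check for the two conditions described in the reply above (a WSUS GPO that conflicts with the SUP, and the client's current Internet/intranet state), as an added example that is not part of the original thread. The SUP URL is a hypothetical placeholder, and the code assumes the ConfigMgr client exposes `ClientInfo.InInternet` in the `root\ccm` WMI namespace.

```powershell
# Added example (not from the thread). $ExpectedSup is a hypothetical placeholder.
function Get-UpdateSourceState {
    param([string]$ExpectedSup = 'http://sup.example.internal:8530')

    # Windows Update Agent policy values. A domain GPO and the ConfigMgr client
    # both write WUServer here, so the effective value must point at the SUP.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    # Internet/intranet state as reported by the ConfigMgr client.
    # Assumption: the client exposes ClientInfo.InInternet in root\ccm.
    $inInternet = $null
    try {
        $ci = Get-WmiObject -Namespace 'root\ccm' -Class ClientInfo -ErrorAction Stop
        $inInternet = [bool]$ci.InInternet
    } catch {
        Write-Verbose "ConfigMgr client WMI namespace not readable: $_"
    }

    $wuServer  = if ($wu) { $wu.WUServer } else { $null }
    $useServer = if ($au) { $au.UseWUServer -eq 1 } else { $false }

    # Compare ignoring a trailing slash; -eq on strings is case-insensitive.
    if (-not $wuServer) {
        $finding = 'No WUServer policy set'
    } elseif ($wuServer.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')) {
        $finding = 'WUServer differs from expected SUP; check for a GPO overriding the ConfigMgr client'
    } else {
        $finding = 'WUServer matches expected SUP'
    }

    New-Object PSObject -Property @{
        WUServer    = $wuServer
        UseWUServer = $useServer
        InInternet  = $inInternet
        Finding     = $finding
    }
}

Get-UpdateSourceState | Format-List
```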
  • Someone had replied earlier today, but their post has disappeared.

    We have laptops that are mostly used away from the office that we want to manage as Internet Based clients so they can be updated without needing to wait for the user to connect to VPN.  However, sometimes these same laptops will be brought into the office for some reason, such as for a meeting.  When the user brings their laptop into the office and it also happens to have Windows Updates due, we would like these same Internet based laptops to pull these updates from our internal server so that Internet bandwidth is not wasted.

    When these same laptops are away from the office as they usually are, we would like the update files to be downloaded from Microsoft. 

    How can we do this (automatically change download source for Windows Updates on the fly based on the current location)?

    Tuesday, March 25, 2014 02:55