SCCM 2012 R2 / WSUS

  • Question

  • Can someone explain exactly how the client functions when it comes to SCCM and WSUS?  I was assuming that a client is configured to only scan for updates against the SCCM server, but in the WUAHandler.log file I see the following:

    Existing WUA Managed server was already set (http://WSUS01.DOMAIN.COM:8530), skipping Group Policy registration

    WSUS01.domain.com resides on a dedicated server, and SCCM lives on SCCM.domain.com.  For example, I have an ADR for SCEP definitions deployed.  I had a device in the DMZ that was failing to install the update because it was unable to connect to/scan against WSUS01.domain.com.  Once I resolved that issue, it was able to update definitions.

    My assumption was that a client shouldn't be required to hit WSUS01.  As long as it could connect to SCCM it should be able to pull updates.

    Can someone clarify how this works?  Google is failing me.

    Thursday, August 7, 2014 7:47 PM

Answers

  • Hi,

    The clients will/must be able to communicate with the WSUS server. The WSUS client will contact the WSUS server to scan for updates exactly the way you describe it. After the scan for updates, the scan result is sent back to the MP, and after that the WSUS server is no longer involved in patching; all content and information about which updates to install is delivered by the MP and DP.

    So yes, all clients must be able to communicate with the WSUS/SUP.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    • Proposed as answer by Ronni Pedersen MVP Thursday, August 7, 2014 8:16 PM
    • Marked as answer by Frentic Thursday, August 7, 2014 8:48 PM
    Thursday, August 7, 2014 8:06 PM

All replies

  • The client will use the SUP for scanning. Where is that role installed? On WSUS01? Nothing would be wrong then.

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, August 7, 2014 8:08 PM
  • Other than you need to ensure that Configuration Manager can set the WSUS server to be used, and not set via group policy. If Configuration Manager can't implement its policy, even if it is the same WSUS server/URL, Configuration Manager patching won't work.

    Now that is not the scenario here, as you stated that once you allowed communications, then things were working (and the log didn't indicate that it was set by a higher authority). Just offering this as clarification for others who might view this thread.

    Often, people would consider putting an MP, DP and SUP in the DMZ so that you don't have to open up the firewall to allow communications to the intranet-based site systems. But that is not a requirement to do so - you just need to make sure that clients CAN communicate with the MP, DP and SUP.


    Wally Mead

    Thursday, August 7, 2014 8:23 PM
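
A connectivity check for the requirement described in this thread (clients must reach the MP, DP and SUP), as an added example that is not part of any post. It assumes the default client log location, the Windows Update policy registry key, and HTTP port 80 for the MP/DP; the site system name is a placeholder taken from the question.

```powershell
# Added example, not from the thread. Run elevated on the client that fails to scan.
# Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later.
param(
    # Placeholder MP/DP names; replace with your own site systems.
    [string[]]$SiteSystems = @('SCCM.domain.com'),
    # Assumption: default HTTP client communication port.
    [int]$SiteSystemPort = 80,
    # Assumption: default ConfigMgr client log location.
    [string]$WuaHandlerLog = "$env:windir\CCM\Logs\WUAHandler.log"
)

$targets = @()

# 1. WSUS/SUP URL the Windows Update Agent is currently pointed at.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuKey -Name WUServer -ErrorAction SilentlyContinue).WUServer
if ($wuServer) {
    $uri = [uri]$wuServer
    $targets += [pscustomobject]@{ Role = 'SUP (registry WUServer)'; Server = $uri.Host; Port = $uri.Port }
} else {
    Write-Warning "No WUServer value under $wuKey; the client has not been pointed at a SUP."
}

# 2. The same URL as recorded in WUAHandler.log (the message quoted in the question).
if (Test-Path $WuaHandlerLog) {
    $pattern = 'WUA Managed server was already set \((https?://[^)]+)\)'
    $hit = Select-String -Path $WuaHandlerLog -Pattern $pattern | Select-Object -Last 1
    if ($hit) {
        $uri = [uri]$hit.Matches[0].Groups[1].Value
        $targets += [pscustomobject]@{ Role = 'SUP (WUAHandler.log)'; Server = $uri.Host; Port = $uri.Port }
    }
}

# 3. Management point / distribution point supplied by the caller.
foreach ($s in $SiteSystems) {
    $targets += [pscustomobject]@{ Role = 'MP/DP'; Server = $s; Port = $SiteSystemPort }
}

# 4. One TCP test per distinct server:port pair.
$targets | Sort-Object -Property Server, Port -Unique | ForEach-Object {
    $r = Test-NetConnection -ComputerName $_.Server -Port $_.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Role = $_.Role; Server = $_.Server; Port = $_.Port; Reachable = $r.TcpTestSucceeded }
} | Format-Table -AutoSize
```

A `Reachable` value of `False` on the SUP row while the MP/DP row is `True` matches the DMZ symptom in the question: policy and content are available, but the scan cannot run.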