Internet-Clients not communicating with SUP in DMZ (IBCM)

  • Question


    Hi all,

    I have a problem with Software Updates for the Internet-based clients which I cannot figure out.

    The infrastructure has Windows Server 2008 R2 and the following SCCM 2012 configuration:

    SCCM 2012 Primary server - MP,DP,SUP and WSUS 
    IBCM server in DMZ - MP,DP,SUP

    All clients must be able to move between Intranet and Internet and get apps and software updates over the Internet. Right now, application installation is working properly over the Internet: I set up an HTTPS MP & DP, enrolled the required certificates, did tests and successfully installed apps.

    The problem:

    I want to provide software updates, so I did the following:
    I installed a downstream WSUS (replica) in the DMZ with a shared database on the recommended ports 80 & 443, and I used the existing Default Web Site (also recommended in the wizard).
    I installed a SUP (ports 80, 443) on the site system in the DMZ and specified "Allow Internet Only connections".
    Everything installed successfully and the downstream WSUS synchronized successfully with the upstream WSUS. I can now see all the updates in both WSUS consoles, but I can't see any computers in the downstream WSUS. Is this OK?

    I tested software updates on a client connected to the Internet, but in windowsupdate.log I can only see that it is trying to connect to the intranet SUP and not switching to the Internet-facing SUP. The common errors are 0x8024402c and 0x80072ee7. It is like the client doesn't know about the existence of the second SUP.
    The GPO is set as Not Configured for "Specify intranet Microsoft update service location", so the Local Group Policy can set the required SUP after it detects it is on the Internet. If I open rsop.msc, I see that the setting is configured by Local GP, and if I start gpedit.msc, I see that the specified server is still the intranet SUP.
    I don't know exactly how these policies apply, but I'm thinking that after the SCCM agent detects that the client is on the Internet, it should point to the Internet-facing SUP and it should try to download the information about updates from this server. This is not happening.

    If I connect the client back to the VPN, it soon downloads the information about updates and they appear in Software Center. If I then disconnect from the VPN, the updates that were already added in Software Center start to download like they should, from the Microsoft site.

    I tried to reinstall WSUS and the SUP, with no success. I've been reading tons of posts related to this issue but I can't find the problem.

    I would be very grateful for any ideas as I am out of any.

    Thank you,
    Dan


    • Edited by Dan V Pop Friday, February 26, 2016 10:48 AM
    Thursday, February 25, 2016 3:08 PM

Answers

  • Hi All,

    The problem was that the internal SUP had some updates that failed when synchronizing due to some licensing issues, so the Internet-facing SUP could not get the Content Version (found out in SQL, the value was NULL) and the Internet client could not get the proper update server (locationservices.log).

    After I ran wsusutil.exe /reset, the internal SUP had a successful status in CM and the Internet SUP got the right values for Content Version, and I could see in location services that the client started to change the SUP and to modify the registry with the Internet-facing SUP/WSUS.

    However, I still had to do a cleanup for WSUS, as I had almost 6000 updates in the console, which put the Primary server on heavy load (processor 100%), and I got a lot of Timed Out errors on the client. After the cleanup the processor was down to 20% and the client could successfully connect to the Internet-facing SUP and updates started to appear in Software Center.

    So make sure that synchronization is successful (even if on the intranet the update process is working properly) and that you have a green status in the CM Console for both SUPs, and also clean your WSUS.

    • Marked as answer by Dan V Pop Monday, April 18, 2016 9:34 AM
    Monday, April 18, 2016 9:34 AM
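
A client-side check for the symptom discussed in this thread, as an added example that is not part of the original posts: it reads the `WUServer` policy value the Windows Update Agent is using, then tests name resolution and TCP reachability for that host. The function name and the FQDN `sup-dmz.example.com` are placeholders chosen for illustration.

```powershell
# Added example (PowerShell 3.0+). 'sup-dmz.example.com' is a placeholder
# for the Internet-facing SUP FQDN, not a value taken from the thread.
function Test-WsusPolicyTarget {
    param(
        [string]$ExpectedSup = 'sup-dmz.example.com',
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        [int]$TimeoutMs = 5000
    )
    # WUServer holds the update service URL the Windows Update Agent uses.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $uri = $null
    if (-not $policy -or -not $policy.WUServer -or
        -not [uri]::TryCreate([string]$policy.WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ WUServer = $null; Finding = 'No usable WUServer policy value' }
    }
    $r = [pscustomobject]@{
        WUServer        = $policy.WUServer
        MatchesExpected = ($uri.Host -ieq $ExpectedSup)
        Resolves        = $false
        TcpReachable    = $false
        Finding         = ''
    }
    # Step 1: name resolution. A failure here matches error 0x80072EE7.
    try {
        [void][System.Net.Dns]::GetHostAddresses($uri.Host)
        $r.Resolves = $true
    } catch {
        $r.Finding = 'Configured host does not resolve from this network'
        return $r
    }
    # Step 2: TCP connect to the port from the URL, bounded by a timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
        $r.TcpReachable = $pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
    } catch { $r.TcpReachable = $false } finally { $client.Close() }

    if (-not $r.MatchesExpected) {
        $r.Finding = 'Client points at a different server than the expected SUP'
    } elseif (-not $r.TcpReachable) {
        $r.Finding = 'Expected SUP resolves but the port is not reachable'
    } else {
        $r.Finding = 'Client points at the expected SUP and can connect'
    }
    return $r
}
Test-WsusPolicyTarget | Format-List
```

Run it once on the VPN and once from the Internet: if `WUServer` does not change between the two runs, the client has not been handed the Internet-facing SUP, which is the condition the answer above traced back to the failed synchronization.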

All replies

  • Hi,

    The 0x8024402C error codes typically occur because an incorrect character exists in the proxy override settings.

    The 0x80072EE7 error code may occur if the client computer cannot find the correct IP address when it tries to resolve a URL for the Windows Update Web site or for the Microsoft Update Web site.

    For more information, please review the link below:

    You may receive an error message when you search for available updates on the Windows Update Web site or on the Microsoft Update Web site

    https://support.microsoft.com/en-us/kb/883821



    Friday, February 26, 2016 8:31 AM
  • Thank you for your answer!

    I don't have any static IP in the host file and no proxy set.

    I'm thinking about uninstalling the Internet-facing SUP and WSUS again and reinstalling WSUS on ports 8530/8531 with a new web site in IIS. I hope it helps.

    Best regards,

    Dan



    Friday, February 26, 2016 9:50 AM