Using same WSUS for both SCCM & standalone usage / and HA for SUP role

  • Question

  • Hello,

    We are planning to use SCCM for patch management. We have a central site + several remote physical sites (between 100 and 5000 computers). I am planning 1 primary site server + 1 secondary site server for each remote site.

    Our current WSUS infrastructure is made of 1 WSUS upstream server + 1 WSUS downstream server (in replica mode) for each remote site.

    Unfortunately not all computers across each site will be managed by SCCM (because of licence agreement). For those computers, we will keep standalone usage of WSUS as of today.

    My question... Is it possible to build each SUP role (one on primary site server + one on each secondary site server) relying on the existing WSUS infrastructure? Ideally I would like to leverage WSUS infrastructure:

    • SCCM managed computer will be patched using SCCM console
    • WSUS managed computer will be patched using WSUS console

    2. Another question about high availability of SUP role. According to the documentation, we should rely on NLB. As an alternative, is it possible (does it make sense) to build multiple SUP roles per secondary site?

    Regards.

    Tuesday, June 19, 2012 11:05 AM

All replies

  • 1) No, ConfigMgr will require a full WSUS that is not shared with any other systems or acting as a stand-alone WSUS.

    2) I never build WSUS/SUPs at secondary sites. Updates are not installed from a WSUS, they are downloaded and installed from DPs.


    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund

    • Marked as answer by Sylvain06 Tuesday, June 19, 2012 2:34 PM
    Tuesday, June 19, 2012 11:17 AM
  • Hello Kent,

    Thanks for your quick feedback.

    One clarification for 2). I agree updates will be downloaded from DP. Still I was under the impression that local SUP is required because update assessment by each client is done relying on usual WSUS client. If there is no local WSUS downstream server + local SUP, it would mean each SCCM client will directly contact my primary site server, which I don't want. Am I wrong?

    Regards.

    Tuesday, June 19, 2012 11:39 AM
  • That's correct. Without a local SUP, clients will connect to the SUP in the HQ.

    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund

    • Marked as answer by Sylvain06 Tuesday, June 19, 2012 2:34 PM
    Tuesday, June 19, 2012 11:40 AM
  • "each SCCM client will directly contact my primary site server, which I don't want"

    Not that this is a bad thing as it is perfectly valid, but why? Client communication to the SUP is very small after the initial catalog synchronization.


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    • Marked as answer by Sylvain06 Tuesday, June 19, 2012 2:34 PM
    Tuesday, June 19, 2012 2:05 PM
  • "each SCCM client will directly contact my primary site server, which I don't want"

    Not that this is a bad thing as it is perfectly valid, but why? Client communication to the SUP is very small after the initial catalog synchronization.


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Basically my requirement behind this implementation is about existing firewall between our sites. It's definitely easier to avoid all clients to have site to site communication. But I fully agree about your point on the small amount of data.

    Thanks for your feedback.

    Regards.

    Tuesday, June 19, 2012 2:33 PM
  • That's not possible though. Secondary sites will not prevent communication from clients to the primary MP. Secondary sites are *not* gateways and clients must still be able to communicate with the primary site's MP.

    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Tuesday, June 19, 2012 2:38 PM