SUP for IBCM

  • Question

  • OK, so I have one primary site, SCCM 2012 R2, with a SUP for intranet clients and one IBCM system with MP/DP, and it works. Now I want to add a SUP for IBCM. I have a couple of questions about it:

    1. Do I have to install a WSUS server on that IBCM system, or just the console? I would like to have only one database on the primary server...

    2. Do I have to open port 8531 on the firewall for Internet clients to check for updates, or is 443, which is used for the MP, enough, and clients will get the updates through the MP?

    3. I want clients to get the updates from Microsoft, so in the deployment I checked the option to use MS if updates are not on the DP. So how do I get that to work, so that the SUP just tells clients what updates they should install?

    4. Will intranet clients switch by themselves to use the Internet SUP? How does that work?

    Thx a lot

    Tuesday, December 9, 2014 8:30 AM

All replies

    1. Yes, you would have to install WSUS on the Internet-facing site system;
    2. Yes, you have to open port 8531 on the firewall to allow clients to scan for updates (unless you installed WSUS on a different port);
    3. By default, Internet client will first try to download the content of the updates for Microsoft Update;
    4. The client detects whether it's on the intranet or the Internet and will connect to the environment based on the results of that detection.


    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    • Marked as answer by Daniel JiSun Tuesday, December 23, 2014 2:06 AM
    Tuesday, December 9, 2014 8:34 AM
  • About nr 1: can I install the WSUS server in such a way that it syncs with my primary site WSUS server, and it doesn't download any updates to the server?

    And what about "require SSL communication to WSUS server": should I check that to ensure that clients will use SSL?

    Tuesday, December 9, 2014 8:39 AM
  • Yes, the software update point will configure WSUS to look at the WSUS on the primary site for meta data. The content itself will be downloaded only with creating deployment packages and that will go through the Internet connection of the user that performs the action.

    The require SSL setting is more a server-site setting to tell the software update point that it has to use SSL to communicate with WSUS. So when you configured WSUS to require SSL you should definitely check that box (also, I would say that you have to configure WSUS to require SSL).


    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    • Marked as answer by Daniel JiSun Tuesday, December 23, 2014 2:06 AM
    Tuesday, December 9, 2014 8:44 AM
  • OK, so I installed the SUP and checked "allow only Internet clients", like in the MP or DP. Now the MP and DP work fine, but clients that were on the intranet won't download any updates from the Internet SUP. How can I force a client that can be an intranet/Internet client to see if it's using the Internet SUP? I want to see if a client that left the intranet (went home or so) can get updates from the Internet SUP...
    Tuesday, December 9, 2014 1:17 PM
  • If the software update point is in sync with the other software update point (you can check the Software Update Point Synchronization Status node for a quick overview), then the information about the Internet-facing software update point will be sent to the client via a policy.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Tuesday, December 9, 2014 1:58 PM
  • As an additional note here, clients *never* get updates from a SUP/WSUS instance in ConfigMgr. They only get the update catalog. Actual updates come from the DP.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, December 9, 2014 2:52 PM
  • If the software update point is in sync with the other software update point (you can check the Software Update Point Synchronization Status node for a quick overview), then the information about the Internet-facing software update point will be sent to the client via a policy.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    OK, my Internet-facing SUP is synchronized with the top one, but when I check the logs on a client from the Internet I can't find anything about WSUS :( When I check the Windows Update source in gpedit.msc, it still shows the SUP from the intranet :(

    What else can I check? What logs?

    Tuesday, December 9, 2014 3:46 PM
  • Anyone? How can I check if the client is checking for updates on the Internet SUP? LocationServices.log has no entries about WSUS on the Internet SUP :( On the intranet I can see in LocationServices.log that the client is communicating with the intranet SUP. When on the Internet I also checked gpedit.msc and it still points to the intranet server (don't know if that should change when on the Internet).
    Tuesday, December 9, 2014 5:55 PM
  • As an additional note here, clients *never* get updates from a SUP/WSUS instance in ConfigMgr. They only get the update catalog. Actual updates come from the DP.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    I know about that, but how does the client get the address of the SUP on the Internet? Does it change the update source in local group policy? If so, why does mine point to the SUP on the intranet all the time? The SUP on the intranet is only for intranet clients and the one on the Internet is for Internet clients. What should I look for in the logs? Don't know what to do now :(
    Tuesday, December 9, 2014 7:16 PM
  • On the client you could look for errors in the CcmMessaging.log and on the server start with the WCM.log. For a list of all the log files see: http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_SU_NAPLog

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Tuesday, December 9, 2014 7:33 PM
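
    The client-side check discussed above (which update source the local policy points to, and what the client logs say about WSUS), as an added example that was not posted by anyone in this thread. It assumes the ConfigMgr client logs are in the default %windir%\CCM\Logs folder; Get-ScanSourceInfo is a hypothetical helper name, and WUAHandler.log is a client log not mentioned in the thread.

```powershell
# Added example (not from the thread): show which WSUS/SUP scan source this
# client is currently configured to use, and whether it is reached over SSL.

function Get-ScanSourceInfo {
    # Hypothetical helper: breaks a WUServer URL into the parts worth checking.
    param([Parameter(Mandatory)][string]$WUServer)
    $uri = [System.Uri]$WUServer
    [pscustomobject]@{
        Url        = $WUServer
        ServerName = $uri.Host
        Port       = $uri.Port
        UsesSsl    = ($uri.Scheme -eq 'https')
    }
}

# The Windows Update policy that gpedit.msc displays is stored here.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

if ($policy -and $policy.WUServer) {
    $info = Get-ScanSourceInfo -WUServer $policy.WUServer
    $info | Format-List
    if (-not $info.UsesSsl) {
        # The thread's Internet-facing SUP is expected on SSL (port 8531
        # unless WSUS was installed on a different port).
        Write-Warning 'Scan source is not HTTPS.'
    }
} else {
    Write-Warning "No WUServer value found under $policyKey."
}

# Show the most recent WSUS-related lines from the client logs.
# Assumption: default ConfigMgr client log folder.
$logDir = Join-Path $env:windir 'CCM\Logs'
foreach ($name in 'LocationServices.log', 'WUAHandler.log') {
    $path = Join-Path $logDir $name
    if (Test-Path $path) {
        "--- $name ---"
        Select-String -Path $path -Pattern 'WSUS' -SimpleMatch |
            Select-Object -Last 5 |
            ForEach-Object { $_.Line }
    } else {
        Write-Warning "$name not found in $logDir."
    }
}
```

    Run it in an elevated PowerShell session on the client, once on the intranet and once from the Internet, and compare the ServerName and Port values.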
  • It finally works. I guess it needed some time and a couple of syncs. Maybe the client needed some time too?! Thx :)
    • Marked as answer by Daniel JiSun Tuesday, December 23, 2014 2:06 AM
    Tuesday, December 9, 2014 8:02 PM
  • This might be helpful reading:

    http://blogs.technet.com/b/configmgrteam/archive/2013/03/27/software-update-points-in-cm2012sp1.aspx

    Key points:

    So that’s how software update point switching work.  The key takeaways are 1) unlike management point switching, software update point switching persists affinity whenever possible to avoid the client-side tax of switching scan sources, and 2) switching occurs if a client fails to scan 4 times at 30 minute intervals (2 net hours of scan failures).  Also, it’s important that your WSUS servers use a shared database to reduce the impact of switching scan sources.


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    Tuesday, December 9, 2014 8:14 PM