CAS with no Internet Access: How to deal with my SUP?

  • Question

  • Looking for some advice on a ConfigMgr 2012 design in regard to a Central Admin Site not having access to the internet.  (Will be near 100K clients and regionally dispersed) - so Central/Primary architecture is well deserved.  I've dealt with a lot of challenging design aspects - but have not run into this.  Rather than spend days on this - I thought the forums could potentially help me out....

    The current issue is that the CAS can't access Windows Update directly due to a new implementation of a firewall which cannot handle the "dynamic" IPs of Windows Update.  There is no proxy server option there - so the network team wants a solution to "isolate" the server making the calls to Windows Update as much as possible.  As I am not really interested in isolating my CAS (risky), I am considering some alternative options.  Would love some feedback from an MVP, MSFT - or someone with experience around this type of scenario.

    Option:  Offload WSUS from the CAS to another server - and only give that WSUS/SUP access to the internet:

    • This would allow the other server to be better "monitored/controlled" with their intrusion protection, be separated on a network connection, and only allow specific ports to connect to and from.  This would help keep my CAS "more secure" - but allow the patch metadata to be downloaded by that WSUS server.  I would have to allow my primaries access to that WSUS server internally to sync from, and allow certain ports back to the CAS to sync the WSUS DB into the ConfigMgr SUP tables.  To perform this - I just need to install the WSUS console on the CAS, install WSUS on the other server - and then install the SUP and point to that other server.  Any other gotchas or things I missed?
    • I believe my patch content download would not work for ADRs - but WOULD work from consoles if they ran them from workstations with internet access, since the downloads occur from the console computers.
    • Is this option well documented anywhere - I struck out with Technet....

    I know this probably sounds a little extreme, but I would love any thoughts as this is a real scenario I'm facing.  I see a proxy server in their future - but for now this may be my only option....


    Thursday, July 5, 2012 9:16 PM


  • Hope this is of assistance and helpful to support your situation and what you are considering. The option does sound technically feasible and doable; please consider the below:

    + Site to Site Communication

    + Site Server <--> Site System: by default, communication between the site server and site systems is bi-directional on port 445

    + Site Server <--> Software Update Point: ports 445, (80 or 8530) and (443 or 8531)

    + Client --> Software Update Point communication: (80 or 8530) and (443 or 8531)

    + If these ports map out well on your hierarchy, it should be possible.

    + When your hierarchy contains a central administration site, install a software update point at this site that synchronizes with Windows Server Update Services (WSUS) before you install a software update point at any child primary site. When you install software update points at a child primary site, configure it to synchronize with the software update point at the central administration site.

    Do consider links to:

    Planning for Sites and Hierarchies in Configuration Manager: http://technet.microsoft.com/en-us/library/gg712681.aspx

    Planning for Site Systems in Configuration Manager: http://technet.microsoft.com/en-us/library/64aa34e1-c465-4eb8-820b-5c1702ab55ae#Plan_Where_to_Install_Sites

    Planning for Software Updates in Configuration Manager: http://technet.microsoft.com/en-us/library/gg712696.aspx

    Prerequisites for Software Updates in Configuration Manager: http://technet.microsoft.com/en-us/library/hh237372.aspx

    I hope I have not missed anything to take into consideration and planning.

    Tuesday, July 31, 2012 12:27 PM
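As an added example (not part of either post above), a PowerShell pre-flight check that walks the port matrix the reply lists, so the firewall rules toward an offloaded WSUS/SUP server can be verified before the SUP is installed: 445 plus (80 or 8530) and (443 or 8531) from the site server, and (80 or 8530) and (443 or 8531) from a client. The host name is a placeholder; which of 80/8530 and 443/8531 applies depends on whether WSUS uses the default IIS website or the custom one.

```powershell
# Added example: confirm the firewall allows the ports the reply lists
# between a site server (or client) and the offloaded WSUS/SUP server.
# The host name below is a placeholder; replace it with your own server.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    # Plain TcpClient connect with a timeout, so it works on any PowerShell version.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        # DNS failure, refused connection or firewall drop all count as "not open".
        return $false
    } finally {
        $client.Close()
    }
}

# Port matrix from the reply. 80/443 apply when WSUS runs on the default
# IIS website, 8530/8531 when it runs on the custom WSUS website.
$SupServer = 'WSUS01.corp.example'   # placeholder: the offloaded WSUS/SUP server
$Checks = @(
    @{ Role = 'Site server -> SUP (SMB)';        Ports = @(445) }
    @{ Role = 'Site server -> SUP (HTTP/HTTPS)'; Ports = @(80, 8530, 443, 8531) }
    @{ Role = 'Client -> SUP (HTTP/HTTPS)';      Ports = @(80, 8530, 443, 8531) }
)

# Emit one row per role/port so the result can be piped to Format-Table or Export-Csv.
foreach ($check in $Checks) {
    foreach ($port in $check.Ports) {
        [pscustomobject]@{
            Role   = $check.Role
            Target = $SupServer
            Port   = $port
            Open   = (Test-TcpPort -ComputerName $SupServer -Port $port)
        }
    }
}
```

Run it once from the CAS, once from a primary site server and once from a representative client, since it only tests the outbound direction from the host it runs on. The return path back to the CAS that the question mentions needs its own run from the WSUS server toward the CAS.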