SCCM Clients connecting directly to WSUS server and not DP?

  • Question

  • We recently changed things around in our environment and are having the following issues.

    The Old Setup: DomainA and DomainB, with 2-way trust. In DomainA, a single Primary Server, 2xMP/DP servers, 1xDP/WSUS Server. We use 1E NOMAD and PXE lite.

    The more devices we added to Domain B, the traffic across the firewall increased and affected the entire estate.

    The New Setup: DomainA - 1x Primary, 2x MP/DP, 1x Dp/WSUS. DomainB - 1xMP/DP

    Boundaries were reconfigured to make clients on each domain use only their local MP/DP servers.

    We have noticed a lot of traffic from clients in DomainB going directly to the DP/WSUS server. Always seems to be the worst when a new update has been released.

    1. We now have errors in the update deployments: "Same as HTTP status 401 - the requested resource requires user authentication."

    2. Shouldn't clients be getting updates from the local DP servers and not directly from the WSUS server? How do we force this?

    Google has not been very helpful. Thanks for looking.


    Matthew Currie

    Wednesday, November 27, 2019 12:30 PM

All replies

  • Hi

    For the HTTP status 401 error, check that the network access account credentials are set correctly and check in IIS that SMS_DP_SMSPKG$ has Windows Authentication enabled.

    For connecting to the local DP, ensure you have configured the boundary and boundary group correctly and check the location services log for any errors.

    Also refer to the blog below:

    https://www.petervanderwoude.nl/post/how-a-client-chooses-a-distribution-point/

    Wednesday, November 27, 2019 2:43 PM
  • > Shouldn't clients be getting updates from the local DP servers and not directly from the WSUS server? How do we force this?

    Update files: yes. Update catalog: no.

    The update catalog always comes from the WSUS instance on your SUP (or one of your SUPs if you have multiple). For what you've described above, you need to add a SUP to the MP/DP on each side of the firewall. I generally recommend not having the SUP (or MP or DP) on the primary site server at all.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, November 27, 2019 3:01 PM
  • Hi,

    I agree with Jason. In addition, please allow me to add the following information:

    The software updates are copied from the package source to the content library on the site server, and then copied to the content library on the distribution point. When a client computer in the target collection for the deployment receives the machine policy, the Software Update Client Agent starts an evaluation scan. The client agent downloads the content for required software updates from a distribution point to the local client cache at the Software available time setting for the deployment and then the software updates are available to install.

    Best regards,
    Larry


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 28, 2019 8:53 AM
  • Thanks for the info.

    What Larry says is exactly what I know should be happening.

    Why are the clients in DomainB contacting the WSUS server? They are separated by the boundary associations.

    So, the WSUS server gets the updates, gives them to the primary server, which goes across the firewall to the DP server, and the clients should get them from that DP server? Is that right?

    I agree we should put a server on the other side of the firewall, but I am trying to get it working without extra infrastructure; that's why we use 1E NOMAD and PXElite.

    Do the clients need to talk to WSUS at all? What about signalling (ports 8530/8531)?


    Matthew Currie

    Thursday, November 28, 2019 11:40 AM
  • > So, the Wsus server gets the updates, gives it to the primary server, which goes across the firewall to the DP server, he clients should get it from that DP server? Is that right?

    No. You are confusing WSUS metadata (aka the catalog) with the update binary files.

    Please read my initial reply: as I called out, clients always communicate with WSUS to get the update metadata and thus if you don't want them to cross the firewall for this, you need to place an additional SUP on their side of the firewall. Nomad is not involved with WSUS metadata at all and plays no part in this.

    > Do the clients need to talk to WSUS at all?

    Once again, yes.

    > What about signalling (ports 8530/8531)

    I have no idea what you are asking here or what "signalling" is. Communication from the Windows Update Agent to WSUS is over port 8530 (or 8531 if you have enabled HTTPS) by default.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, November 28, 2019 11:29 PM
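Two points in this thread are easy to verify on the machines themselves: which SUP (WSUS) a client has actually been assigned and whether it can reach it on 8530/8531 (Jason's replies), and whether the SMS_DP_SMSPKG$ virtual directory on a DP has Windows Authentication enabled (the first reply's suggestion for the 401). The script below is an added example, not code from this thread, from Microsoft or from 1E. It assumes the ConfigMgr client writes its assigned SUP into the WindowsUpdate policy keys (it does), that the client logs live under C:\Windows\CCM\Logs, and that the `$ExpectedLocalSups` server name is a placeholder you replace with the SUP on the client's own side of the firewall.

```powershell
# Added example (not from the thread). Run Get-ClientSupBinding on a client in DomainB,
# Test-DpWindowsAuth on the DP. Server names below are placeholders.

function Get-ClientSupBinding {
    param(
        # Placeholder: the SUP(s) that should serve clients on this side of the firewall.
        [string[]] $ExpectedLocalSups = @('sup-domainb.domainb.example')
    )

    # The ConfigMgr client agent sets the WUServer policy to the SUP it was assigned.
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wuServer = (Get-ItemProperty -Path $wuPolicy -Name 'WUServer' -ErrorAction SilentlyContinue).WUServer
    if (-not $wuServer) {
        Write-Warning 'No WUServer policy value found; the client has not been assigned a SUP yet.'
        return
    }

    $uri  = [System.Uri]$wuServer
    $port = $uri.Port   # 8530 (HTTP) or 8531 (HTTPS) by default, as the thread states

    # Is the assigned SUP one of the local ones? If not, every catalog scan crosses the firewall,
    # regardless of boundary groups, because catalog metadata never comes from a DP.
    $isLocal = $ExpectedLocalSups -contains $uri.Host
    if (-not $isLocal) {
        Write-Warning "Client is bound to $($uri.Host), which is not in the expected local SUP list."
    }

    # Can the client reach that SUP on the WSUS port at all? (401 is an auth problem,
    # but a blocked port shows up as scan failures too.)
    $tnc = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue

    # The client logs the server it hands to the Windows Update Agent in WUAHandler.log.
    $wuaLog  = 'C:\Windows\CCM\Logs\WUAHandler.log'
    $lastSet = Select-String -Path $wuaLog -Pattern 'server policy to use server' -ErrorAction SilentlyContinue |
               Select-Object -Last 1

    [PSCustomObject]@{
        AssignedSup      = $uri.Host
        Scheme           = $uri.Scheme
        Port             = $port
        IsExpectedLocal  = $isLocal
        PortReachable    = $tnc.TcpTestSucceeded
        LastWuaHandlerLine = if ($lastSet) { $lastSet.Line } else { '(not found)' }
    }
}

function Test-DpWindowsAuth {
    # Run on the distribution point. Checks the IIS setting the first reply points at.
    param([string] $Site = 'Default Web Site')

    Import-Module WebAdministration -ErrorAction Stop
    $path = "IIS:\Sites\$Site\SMS_DP_SMSPKG$"
    $setting = Get-WebConfigurationProperty -PSPath $path `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'enabled' -ErrorAction Stop

    [PSCustomObject]@{
        VirtualDirectory          = $path
        WindowsAuthenticationEnabled = [bool]$setting.Value
    }
}

# Usage (client side):
Get-ClientSupBinding -ExpectedLocalSups @('sup-domainb.domainb.example') | Format-List
# Usage (on the DP):
# Test-DpWindowsAuth | Format-List
```

If `IsExpectedLocal` comes back false on DomainB clients, that matches Jason's point: boundary groups steer content (DP) selection, not SUP selection, so the catalog traffic to the DomainA WSUS server is expected until a SUP exists on the DomainB side. A `WindowsAuthenticationEnabled` of false on the DP, or a wrong network access account, is the first thing to fix for the 401s.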