ConfigMgr clients connecting to Primary site MP instead of Secondary site MP?
Hi, we have three sites, one central primary and 2 secondary sites, each with a MP and distribution point, operating in mixed mode. While trying to deploy systems using OSD we're having an issue where clients at the secondary sites try to connect to the primary site management point to receive policy / task sequence advertisements. This wouldn't really be a problem except that the primary site is in a secure network, so only the secondary site systems are able to connect directly to the primary site; thus we need the clients to only communicate with the secondary site MPs.

An overview of the systems setup:

SCCM-P1 : 'central/primary site 1' : MP/DP/SLP/SUP/RP/SQL DB - boundaries: local subnet only (A01)
SCCM-S1 : 'site 1' secondary site : MP/DP - boundaries: 'site 1' AD site (S01)
SCCM-S2 : 'site 2' secondary site : MP/DP - boundaries: 'site 2' AD site (S02)

Network access accounts are configured, the schema has been extended, and I have checked the 'system management' container and the objects have been published correctly. The MP is also published in DNS.

Client installation settings for SCCM-S1 are:

SMSSITECODE=S01 SMSSLP=SCCM-P1 SMSMP=SCCM-S1 SMSCACHESIZE=10000

It is my understanding that clients (at the secondary sites) do not need to contact the primary site and are able to use the secondary MPs instead to receive policy, send inventory, etc. Is someone able to confirm this is the case? And assuming it is the case, do you have any idea what I've missed (or isn't working correctly)? Also, do I need to add a SUP at the secondary sites, or do the clients proxy their policy scan cycles through the MP also? I'm assuming I need to add a SLP at each of the sites, since the one at the primary site is essentially useless to clients right now (except clients on the local network).
June 14th, 2011 10:07pm

That's not possible. Secondary sites are meant for bandwidth control, not traffic isolation. Clients require connectivity to their primary site MP even when in the boundaries of a secondary site having a proxy MP. Traffic isolation can be achieved using a child primary site.

Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
June 14th, 2011 10:47pm

Thanks for confirming, Jason, I was also wondering if that may be the case. So I can either build two primary sites (one at each site) to completely isolate the traffic (each one would only have 40 client systems!), or I can open the ports for the clients to connect to the primary: 80 (client HTTP), 8530 (custom SUP port), 445 (SMB). That should be all? (We're not using PXE / DHCP / WoL / remote tools etc.)
June 14th, 2011 11:22pm


See http://technet.microsoft.com/en-us/library/bb632618.aspx for a detailed list of port requirements.

Torsten Meringer | http://www.mssccmfaq.de
June 15th, 2011 2:37am

Thanks, Torsten - that's actually the link I pulled that information from :-) We've decided to open the ports we need for the clients to be able to talk directly to the primary site, so we've opened ports 80 & 8530 from client-->primary site only. This now has the clients functional and they are picking up the OSD task sequences okay.

However, this uncovered another problem: during the dependency checking process the client attempts to look for required packages on available distribution points. It finds the local source DP first, but since the primary site also has a DP it was looking there for 'remote' versions of the package, even though they were available locally, and because we are blocking SMB the client was retrying, causing the dependency checks to take 10+ minutes to run. Anyway, after making the primary site DP a protected DP it's not picking it up as an available location and everything's working great! Thanks for your assistance guys, much appreciated as always.
June 15th, 2011 3:55am
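The two posts above settle on opening TCP 80 and 8530 from clients to the primary site while leaving SMB (445) blocked, and the slow dependency check was the client retrying SMB against the primary site's DP. The script below is an added example (not posted by anyone in this thread) that a practitioner can run on a client at one of the secondary sites to confirm both points: which MP the client is actually using (read from the root\ccm SMS_Authority WMI class, which any ConfigMgr client exposes) and whether each port the thread discusses is reachable from that client. The server names SCCM-P1 and SCCM-S1 and the port list are taken from the thread; the expectation that 445 to SCCM-P1 shows as blocked is an assumption based on the firewall setup described above.

```powershell
# Added example, not from the thread. Checks the ConfigMgr client's current MP and
# TCP reachability of the ports discussed above. Server names are the thread's;
# which ports are expected open is an assumption from the described firewall rules.

$checks = @(
    @{ Server = 'SCCM-P1'; Port = 80;   Expect = 'open'    },  # client HTTP to primary MP (opened)
    @{ Server = 'SCCM-P1'; Port = 8530; Expect = 'open'    },  # custom SUP port on the primary (opened)
    @{ Server = 'SCCM-P1'; Port = 445;  Expect = 'blocked' },  # SMB to primary DP: blocked, caused DP retries
    @{ Server = 'SCCM-S1'; Port = 80;   Expect = 'open'    },  # client HTTP to local secondary MP
    @{ Server = 'SCCM-S1'; Port = 445;  Expect = 'open'    }   # SMB to local DP for package source
)

function Test-TcpPort {
    # Returns $true if a TCP connect to $ComputerName:$Port completes within $TimeoutMs.
    # Uses a raw TcpClient so it works on older Windows builds without Test-NetConnection.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Which site and MP is this client assigned to / talking to right now?
$authority = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority -ErrorAction SilentlyContinue
if ($authority) {
    "Assigned site: {0}   Current MP: {1}" -f $authority.Name, $authority.CurrentManagementPoint
} else {
    'SMS_Authority not found in root\ccm - is the ConfigMgr client installed on this machine?'
}

# 2. Port checks, compared against what the firewall rules are expected to allow.
foreach ($c in $checks) {
    $state = if (Test-TcpPort -ComputerName $c.Server -Port $c.Port) { 'open' } else { 'blocked' }
    $flag  = if ($state -eq $c.Expect) { 'ok' } else { 'UNEXPECTED' }
    "{0,-8} TCP/{1,-5} {2,-8} (expected {3}) {4}" -f $c.Server, $c.Port, $state, $c.Expect, $flag
}
```

Run it from an elevated PowerShell prompt on a client built at a secondary site. The MP reported for CurrentManagementPoint is the one the client will use for policy; a "blocked" result for SCCM-P1 on 445 is the expected state here, and if that DP were still unprotected it is exactly the path the dependency check would have been retrying. LocationServices.log on the client records the MP and DP lookups if the results need to be correlated with client behaviour.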

This topic is archived. No further replies will be accepted.
