Increase in Network Traffic from the Primary to clients over WSUS port

Hello. My environment is SCCM 2007 SP2. We have a central server and several child primaries. The child primaries have secondary servers that act as DPs only. The central and each child primary is a software update point. The child primary servers use the central server as their upstream server. All software update deployments are done from the central server. We also use maintenance windows with our software update deployments. The windows are currently closed.

This morning I got a call from the networking team about a large increase in network traffic from two of the child primaries to clients assigned to them. The traffic was coming over port 8530, which is the port our software update points use on these sites. I examined the logs, status messages, and reporting for the servers and several of the clients. I could not find any evidence of SCCM doing anything with software updates.

Does anyone have advice on what I should be looking for?

January 14th, 2013 7:30pm

Have you reviewed the iis.log and WindowsUpdate.log on the clients? Clients still update the update catalog from WSUS. When is your client software update scan scheduled?
January 14th, 2013 8:43pm

Thank you for the response.

Since we installed WSUS on the primary with SCCM, we are using a custom website for it. There was no logging turned on for it. Our scan is every 3 days. I checked the WindowsUpdate.log earlier. Perhaps, I misunderstood part of the log. When it says that it has added an update to the search results, does that mean it had to download something?

January 14th, 2013 9:25pm

There's no real logging to turn on. Are you checking WindowsUpdate.log on one of the clients? When adding an update to the search results, this has nothing to do with downloading updates. Unless you are managing WSUS by going into the WSUS console (which is a bad thing to do), updates themselves are downloaded for DPs and thus have nothing to do with your 8530 traffic. WSUS is only responsible for the update catalog once integrated into ConfigMgr, which is the only traffic you should ever see on 8530. You can confirm this in WindowsUpdate.log on a client.
January 15th, 2013 12:30am

I do have the WindowsUpdate.log from some of the clients. What exactly would I be looking for with traffic on 8530?
January 15th, 2013 12:23pm

Anything back to the WSUS instance should be on 8530, so mainly you are just looking for excessive activity or out-of-the-ordinary traffic or some indicator that something unusual happened.
January 15th, 2013 2:45pm
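One way to look for "excessive activity" on 8530 from the server side, as an added example that is not part of the original thread: total the bytes sent per client, per hour and per kind of request from the WSUS site's IIS W3C log. It assumes IIS logging is enabled for the custom WSUS site with the `s-port` and `sc-bytes` fields selected; the sample log lines, addresses, sizes and the threshold are constructed.

```python
from collections import defaultdict

# Constructed sample (not from the thread); addresses and sizes are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status sc-bytes
2013-01-14 02:10:01 10.0.0.5 POST /ClientWebService/client.asmx 8530 10.1.1.20 200 5242880
2013-01-14 02:10:09 10.0.0.5 POST /ClientWebService/client.asmx 8530 10.1.1.20 200 3145728
2013-01-14 02:11:30 10.0.0.5 POST /ClientWebService/client.asmx 8530 10.1.1.21 200 20480
2013-01-14 02:12:00 10.0.0.5 GET /Content/AB/constructed.cab 8530 10.1.1.22 200 1048576
2013-01-14 03:00:00 10.0.0.5 GET /default.htm 80 10.1.1.20 200 512
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def classify(uri_stem):
    """Map a WSUS virtual directory to the kind of traffic it carries."""
    stem = uri_stem.lower()
    if stem.startswith("/clientwebservice/"):
        return "scan"     # catalog (metadata) scan
    if stem.startswith("/content/"):
        return "content"  # update files served by WSUS itself
    return "other"

def bytes_by_client_hour(rows, port="8530"):
    """Sum sc-bytes per (hour, client IP, traffic kind) for the WSUS port."""
    totals = defaultdict(int)
    for r in rows:
        if r.get("s-port") != port or not r.get("sc-bytes", "").isdigit():
            continue
        hour = f"{r['date']} {r['time'][:2]}:00"
        kind = classify(r.get("cs-uri-stem", ""))
        totals[(hour, r["c-ip"], kind)] += int(r["sc-bytes"])
    return dict(totals)

def heavy(totals, threshold_bytes):
    """Return the buckets at or above the threshold, sorted for review."""
    return sorted(k for k, v in totals.items() if v >= threshold_bytes)

if __name__ == "__main__":
    totals = bytes_by_client_hour(parse_w3c(SAMPLE_LOG))
    for key in heavy(totals, 1_000_000):
        print(key, totals[key])
```

Many clients showing large "scan" totals in the same hour points at catalog scans, while "content" rows mean update files are being pulled from WSUS rather than from the DPs.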

Hi

We have the exact same problem with our environment.

Our production environment has no internet connection, so we have a WSUS installed on internet that we use wsusutil to export metadata from and copy the content. After the export we import it to our SCCM 2007 central primary site server that has an active SUP (WSUS installed). Then we have 2 child SCCM 2007 primary sites that each have an active SUP; 10000 clients use each SUP for scanning. When installing the software updates we have local DPs, so there should not be so much traffic to the child primary sites.

We have a thought that when doing the export/import from internet WSUS to the SCCM central site WSUS, the WSUS database is updated as it looks like it is a new database every time import is done with wsusutil. And therefore the clients think they always have to do a full scan file sync after every time WSUS and SCCM have done their sync with each other. The problem occurs every time a new import and a wsussync is done between WSUS and SCCM. The wsussync in SCCM is set to sync every night at 02:00 am.

The export/import from internet WSUS to SCCM WSUS is done once a month at Patch Tuesday.

/Patrik
May 19th, 2015 1:45am

This topic is archived. No further replies will be accepted.
