Needed Updates only, on SUP upstream Server

Hello,

I have an issue with our current WSUS / ConfigMgr SUP installation. Due to security restrictions we need a WSUS upstream server for our high security area. We are not allowed to have a direct or indirect (proxy) internet connection there, so we are using two WSUS servers. One of them is in our DMZ; it has direct internet access and provides updates for our WSUS in our HSA.

In our HSA there is also our ConfigMgr Environment. It's one primary site with a local SUP / WSUS installation which is connected to the second WSUS in HSA.

DMZ is our primary domain forest
HSA is a separate domain forest

Coming to the issue. Both WSUS servers are explicitly used by the SUP to get the updates. I turned on reporting of all WSUS events to be able to get the information about needed updates sent to the upstream WSUS servers, so that I can approve only the updates which are truly needed. Unfortunately the WSUS from the ConfigMgr SUP is not reporting them to our upstream WSUS. I get the information that, for example, 100 updates are needed by computers in the SUP, but not which updates exactly.

Is there any way to report that information from the ConfigMgr SUP to WSUS, to get all needed updates down into our HSA without simply approving and downloading all updates?

We are using Windows Server 2012 R2 on all systems and ConfigMgr 2012 R2 SP1.


September 9th, 2015 7:37am

So this is a standalone primary site, right? And there are two SUPs? Both are using the same WSUS? "It's one primary site with a local SUP / WSUS installation which is connected to the second WSUS in HSA." Connected in terms of what? I don't understand how/where the different roles are located.
September 9th, 2015 8:00am

Hello,

This is a standalone primary site, this is correct. This site includes a SUP which is using a WSUS server locally on the primary site (this WSUS server is managed by ConfigMgr). There is also an upstream WSUS server in HSA. The upstream server has no direct internet access and is a replica server of the DMZ WSUS server.

We are using:

HSA  ---> 1 Upstream WSUS (replica of DMZ)
1 SUP on primary standalone site
1 ConfigMgr-managed WSUS connected to the upstream WSUS

DMZ ---> 1 WSUS connected to the internet providing updates for the replica WSUS in HSA.

September 9th, 2015 8:13am

Are the upstream WSUS instances used for anything other than use as upstream from ConfigMgr?

If not, then there's no reason to approve anything in WSUS as that has no purpose in ConfigMgr and thus no reason to submit events to WSUS either.

September 9th, 2015 9:19am

No, they aren't used for anything else.

The main problem is that if you don't approve any updates on the upstream WSUS, you won't get the files downloaded into the WSUS content folder. If you specify an upstream WSUS server, ConfigMgr only downloads update metadata from the WSUS server, not the update files themselves. Correct me if I'm wrong, but to download the update files to ConfigMgr you need to specify a UNC path (we don't have internet connectivity on ConfigMgr) with the WSUS content folder as the main target. So you actually need to approve updates on the WSUS server.
September 9th, 2015 9:28am

That is correct. Why not approve them all then? Why micro-manage that portion at all? So what if you download an update binary that is never used?
September 9th, 2015 10:15am
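
One way to approve only what ConfigMgr clients report as required, as an added example that is not part of the original thread: export the required update IDs from the site server in the HSA, then approve exactly those IDs on the internet-facing WSUS so that only their content is downloaded. It assumes the CSV can be carried between the zones by an approved transfer method; the function names, site code and file paths are hypothetical.

```powershell
# Added example, not from the thread. Function names, site code and paths are placeholders.

# Part 1: run on the ConfigMgr site server (HSA).
function Export-RequiredUpdateIds {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,   # placeholder, e.g. 'P01'
        [Parameter(Mandatory)] [string] $OutFile
    )
    # NumMissing = count of clients reporting the update as required.
    # CI_UniqueID = the update GUID that WSUS also uses.
    $query = "SELECT CI_UniqueID, ArticleID, NumMissing FROM SMS_SoftwareUpdate " +
             "WHERE NumMissing > 0 AND IsSuperseded = 0 AND IsExpired = 0"
    Get-WmiObject -Namespace "root\sms\site_$SiteCode" -Query $query |
        Select-Object CI_UniqueID, ArticleID, NumMissing |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
}

# Part 2: run on the WSUS server where approvals are made (DMZ).
function Approve-UpdatesFromList {
    param(
        [Parameter(Mandatory)] [string] $InFile,
        [string] $TargetGroupName = 'All Computers'
    )
    $wsus  = Get-WsusServer   # connects to the local WSUS instance
    $group = $wsus.GetComputerTargetGroups() |
             Where-Object { $_.Name -eq $TargetGroupName }
    if (-not $group) { throw "Target group '$TargetGroupName' not found." }

    foreach ($row in Import-Csv -Path $InFile) {
        # The file crossed a trust boundary: accept well-formed GUIDs only.
        $guid = [guid]::Empty
        if (-not [guid]::TryParse($row.CI_UniqueID, [ref]$guid)) {
            Write-Warning "Skipping malformed ID '$($row.CI_UniqueID)'"
            continue
        }
        try {
            $id     = New-Object Microsoft.UpdateServices.Administration.UpdateRevisionId($guid)
            $update = $wsus.GetUpdate($id)
        } catch {
            Write-Warning "Update $guid is not in this WSUS catalog"
            continue
        }
        if ($update.IsDeclined) { Write-Warning "Declined, skipped: $($update.Title)"; continue }
        if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
        $action = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
        $update.Approve($action, $group) | Out-Null
    }
}
```

Because the HSA upstream is a replica, approvals made on the DMZ server flow down with the next synchronization, and only the approved binaries land in the WSUS content folder.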

This topic is archived. No further replies will be accepted.
