WSUS Deployment within the DMZ network and Internal corporate network

I am planning on having 2 WSUS servers, one in the DMZ to patch DMZ servers (downstream replica) and the other in the internal network (upstream).

I would like to use the Replica mode option. Here are my questions:

1. Can I patch all the DMZ servers in the DMZ using the downstream replica server, or is this controlled from the primary (upstream server)?

2. Can I approve updates only in the primary (upstream server), or also from the replica downstream server?

3. Confirm that the following ports, 8530 and 8531, are sufficient between upstream and downstream, and from all internal and DMZ clients to the downstream servers.

Thanks

July 20th, 2015 4:17pm

1. Replica scenarios require that you perform approvals and create computer groups on the USS. You can add computers into groups on the DSS.

https://technet.microsoft.com/en-us/library/dd939820(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/dd939893(v=ws.10).aspx

2. Only USS

3. Port 80 is required for some services (e.g. SelfUpdate).
Older WSUS implementations default to port 80, but can be configured for port 8530.
Newer WSUS implementations (WS2012/WS2012R2) do not default to port 80, they default to port 8530.
(but note that port 80 is still used for some services e.g. SelfUpdate)


July 20th, 2015 5:38pm
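
The replica setup discussed above, as an added example that is not part of the original thread: run on the DMZ (downstream) WSUS server, it checks that the upstream answers on the WSUS ports named in the question and then configures the local server as a replica. The host name `wsus-upstream.corp.example` is a hypothetical placeholder, and the script assumes WS2012 or later with the UpdateServices PowerShell module.

```powershell
# Run on the DMZ (downstream) WSUS server in an elevated session.
# Hypothetical name: replace with your internal upstream WSUS server.
$Upstream = 'wsus-upstream.corp.example'
$UseSsl   = $true                              # 8531 = WSUS HTTPS default, 8530 = HTTP default
$Port     = if ($UseSsl) { 8531 } else { 8530 }

# 1. Check that the firewall lets this server reach the upstream on the WSUS ports.
$results = foreach ($p in 8530, 8531) {
    $t = Test-NetConnection -ComputerName $Upstream -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Reachable = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# Stop before changing anything if the port we intend to sync over is blocked.
if (-not ($results | Where-Object { $_.Port -eq $Port -and $_.Reachable })) {
    throw "Upstream $Upstream is not reachable on TCP $Port; fix the firewall rule first."
}

# 2. Point the local WSUS at the upstream as a replica.
#    In replica mode approvals and computer groups are inherited from the upstream.
$wsus = Get-WsusServer
Set-WsusServerSynchronization -UpdateServer $wsus `
    -UssServerName $Upstream -PortNumber $Port -Replica -UseSsl:$UseSsl

# 3. Read the configuration back to confirm the change took effect.
$wsus.GetConfiguration() |
    Select-Object SyncFromMicrosoftUpdate, UpstreamWsusServerName,
                  UpstreamWsusServerPortNumber, UpstreamWsusServerUseSsl, IsReplicaServer
```

Only the downstream server needs to reach the upstream on these ports; DMZ clients talk to the downstream server, so the firewall rule toward the internal network can be limited to that single source.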

Thanks Donpick. If I don't have a replica in the DMZ but just a normal WSUS, then I can patch DMZ servers but it won't be synchronised to the upstream
July 21st, 2015 3:28am

Thanks Donpick. If I don't have a replica in the DMZ but just a normal WSUS, then I can patch DMZ servers but it won't be synchronised to the upstream... thanks
July 21st, 2015 3:30am

This topic is archived. No further replies will be accepted.
