If you are *only* doing software updates, then there would be no need for the DP for the Internet clients - I never said there was. I only mentioned the DP to point out that the SUP and WSUS instance have nothing to do with the updates themselves.
J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 6:32 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

If the clients are going to Microsoft Update, what is the need for the DP as you have mentioned in your email below? I don't want my clients going to the DP (in DMZ) to get updates.

Thanks,
Brian
________________________________
From: troy.mar...@1e.com
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 21:20:25 +0000

Before they go to Microsoft to download the update binaries, where would they get the catalog from to scan against? You need an Internet-facing SUP so IBCM clients can still download the catalog.

WSUS Catalog = SUP (in DMZ)
Binaries = 1st - Microsoft Update, 2nd - DP (in DMZ)

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 5:10 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

Jason,

Much appreciated. One more question around this. What happens if I don't have a WSUS instance and SUP on the internet facing MP? Will my internet clients still go to Microsoft Update?
Thanks,
Brian
________________________________
From: ja...@sandys.us
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 20:54:19 +0000

Updates don't come from the SUP (or the WSUS instance) in ConfigMgr, they come from the DP (for internal clients). The WSUS instance provides the update catalog (and EULAs), and not updates. For clients on the Internet however, they will get the updates from Microsoft instead of the DP - the SUP (and its underlying WSUS instance) plays no part in clients getting the updates. This is simply the defined behavior. I said "default" before although that's not accurate because default implies that you can change this behavior which you can't.

So, as mentioned, you still need an Internet facing MP to deliver policy and an internet facing WSUS instance (with the SUP role installed to control and communicate with that WSUS instance) to deliver your organization's update catalog to clients on the Internet.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 3:01 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

I'm a little confused by this. I have an IBCM MP/DP right now and IBCM clients are working properly. I want my clients while on the internet to go to Microsoft Update (not my internet facing MP/DP/SUP). Are you saying the default behavior is for my internet clients to go to Microsoft Update to get updates, not my IBCM SUP? Is this correct? How does it know to go to Microsoft Update and not my IBCM SUP? Finally, my requirements would be an internet facing MP/DP/SUP and clients would still go to Microsoft Update?
Thanks,
Brian
________________________________
From: ja...@sandys.us
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 19:54:44 +0000

Yes, MPs are mandatory. All ConfigMgr clients must be able to communicate with an MP to retrieve policy and submit inventory, state messages, status messages, etc. For Internet based clients, this must be an Internet-facing MP.

And yes, for software updates, a SUP with an underlying WSUS is also mandatory. All ConfigMgr clients that you wish to update using Software Updates must be able to communicate with the WSUS instance to download the update catalog for your organization and EULAs. For Internet based clients, this must be an Internet facing SUP & WSUS instance. These don't have to be on the same system but certainly can be and usually are in many organizations.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 2:42 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

For clarification, I need to have WSUS installed/configured on the internet facing MP? What is this mandatory?

Brian
________________________________
From: ja...@sandys.us
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 19:36:52 +0000

This is default behavior in 2012. They still need access to the Internet facing MP and WSUS instance, but actual binaries for the updates will come from Microsoft.
J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 2:21 PM
To: mssms@lists.myitforum.com
Subject: [mssms] IBCM clients go to Microsoft Update for patches

Hey everyone,

Is it possible to configure IBCM clients to go to the Internet for security updates when not on the intranet? Is there a GPO that needs to be configured to enable this to switch back/forth (e.g. on the intranet go to local SUP, on internet go to Microsoft Update)?

Thanks,
Brian