Thanks Troy. Is it considered best practice to share the WSUS database in this particular scenario where I have an intranet facing SUP on my Primary and an internet facing SUP in the DMZ? Should there also be a separate internet facing WSUS (e.g. not shared with the WSUS instance I have on my Primary site)?
Thanks,
Brian

From: troy.mar...@1e.com
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Thu, 17 Apr 2014 02:11:15 +0000

It’s not so much of a “need”, as it is a “Plan B” or backup. If for whatever reason, those clients cannot get to Microsoft Update website, then the DP (in DMZ) is an option is the only alternative.

My thinking is about “minimizing risk” - avoid orphaning IBCM clients (e.g. not being able to access site systems). To do this, you build redundancy and HA into the design…for site systems on the Intranet AND those in the DMZ. Along with Microsoft Update, putting a DP in the DMZ would be part of that design/plan.

Restating Jason’s point, but in a question – If you’re “only” distributing software updates to IBCM clients, then you could get away with not having a DP in the DMZ…but I seriously doubt that was the “only” use-case considered for your design to support. With that said – unless Cloud DPs are part of the design -, what’s the plan for deploying non-software updates to IBCM clients if you don’t have a DP in the DMZ?

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.com | www.1e.com

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 7:32 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

If the clients are going to Microsoft Update, what is the need for the DP as you have mentioned in your email below? I don't want my clients going to the DP (in DMZ) to get updates.
Thanks,
Brian

From: troy.mar...@1e.com
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 21:20:25 +0000

Before they go to Microsoft to download the update binaries, where would they get the catalog from to scan against? You need an Internet-facing SUP so IBCM clients can still download the catalog.

WSUS Catalog = SUP (in DMZ)
Binaries = 1st - Microsoft Update, 2nd - DP (in DMZ)

Troy L. Martin | Principal Consultant

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 5:10 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

Jason,

Much appreciated. One more question around this. What happens if I don't have a WSUS instance and SUP on the internet facing MP? Will my internet clients still go to Microsoft Update?

Thanks,
Brian

From: ja...@sandys.us
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 20:54:19 +0000

Updates don’t come from the SUP (or the WSUS instance) in ConfigMgr, they come from the DP (for internal clients). The WSUS instance provides the update catalog (and EULAs), and not updates. For clients on the Internet however, they will get the updates from Microsoft instead of the DP – the SUP (and its underlying WSUS instance) plays no part in clients getting the updates. This is simply the defined behavior. I said “default” before although that’s not accurate because default implies that you can change this behavior which you can’t.
So, as mentioned, you still need an Internet facing MP to deliver policy and an internet facing WSUS instance (with the SUP role installed to control and communicate with that WSUS instance) to deliver your organization’s update catalog to clients on the Internet.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 3:01 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

I'm a little confused by this. I have an IBCM MP/DP right now and IBCM clients are working properly. I want my clients while on the internet to go to Microsoft Update (not my internet facing MP/DP/SUP). Are you saying the default behavior is for my internet clients to go to Microsoft Update to get updates, not my IBCM SUP? Is this correct? How does it know to go to Microsoft Update and not my IBCM SUP? Finally, my requirements would be an internet facing MP/DP/SUP and clients would still go to Microsoft Update?

Thanks,
Brian

From: ja...@sandys.us
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 19:54:44 +0000

Yes, MPs are mandatory. All ConfigMgr clients must be able to communicate with an MP to retrieve policy and submit inventory, state messages, status messages, etc. For Internet based clients, this must be an Internet-facing MP.

And yes, for software updates, a SUP with an underlying WSUS is also mandatory. All ConfigMgr clients that you wish to update using Software Updates must be able to communicate with the WSUS instance to download the update catalog for your organization and EULAs. For Internet based clients, this must be an Internet facing SUP & WSUS instance.

These don’t have to be on the same system but certainly can be and usually are in many organizations.
J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 2:42 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

For clarification, I need to have WSUS installed/configured on the internet facing MP? What is this mandatory?

Brian

From: ja...@sandys.us
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 19:36:52 +0000

This is default behavior in 2012. They still need access to the Internet facing MP and WSUS instance, but actual binaries for the updates will come from Microsoft.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 2:21 PM
To: mssms@lists.myitforum.com
Subject: [mssms] IBCM clients go to Microsoft Update for patches

Hey everyone,

Is it possible to configure IBCM clients to go to the Internet for security updates when not on the intranet? Is there a GPO that needs to be configured to enable this to switch back/forth (e.g. on the intranet go to local SUP, on internet go to Microsoft Update)?

Thanks,
Brian