The Windows Server Update Services (WSUS) 3 Deployment Guide documents a process by which update metadata and update content can be transferred from one server to another isolated server. Since Configuration Manager 2007 relies upon WSUS for the software update plumbing, a similar process can be used to transfer updates to an isolated network for ConfigMgr.
First, some definitions:
The following is a brief overview of the entire process:
Now let's look at the details of this process.
I've provided a script, InstallWsus.cmd, that handles the prerequisites (IIS, .NET 2, Report Viewer 2005) for the Windows Server 2003 x86 platform and then, given the name of the SQL server and instance, silently installs WSUS. Using this script ensures that WSUS is installed the same way on the two servers (Internet-connected and isolated networks). It does assume SQL is installed already (local or remote).
When configuring the Internet-connected server, the following settings are important:
I hope it's obvious, but I'll mention that DEV-WSUS-01 needs enough disk space to store the update content for the selected products, classifications and languages. This can quickly grow to hundreds of gigabytes depending upon how many options are selected.
It's also important to note that this WSUS server is not intended to support any clients; its sole purpose in life is to suck down content for transfer to the isolated network. I don't recommend the automatic approval setting on a WSUS server supporting production systems; it's used here only to automate the download of update content. Also keep in mind the timing of the synchronizations, as the server will start downloading content right away, which will affect your Internet bandwidth.
The following is a rough summary of the process that can be used each month (or on whatever desired interval) to synchronize the update metadata, download the update content and export both for transfer.
I also recommend a quick spot check: note the Size (in bytes) and number of Files of the entire WsusContent directory. This gives a quick check that the content is the same on both WSUS servers.
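As an added example (not part of the original post or its attached archive), the following PowerShell script automates that spot check and goes one step further by writing a per-file SHA-256 manifest, so the two WsusContent trees can be compared byte-for-byte rather than only by size and count. It assumes PowerShell 2.0 or later and the content path C:\WSUS\WsusContent; both the path and the manifest location are placeholders.

```powershell
# Added example, not from the original post. Builds a manifest of the WsusContent
# directory: file count, total bytes, and a SHA-256 per file (relative path), so the
# Internet-connected and isolated servers can be compared with Compare-Object.
param(
    [string]$ContentPath  = 'C:\WSUS\WsusContent',            # assumed path
    [string]$ManifestPath = 'C:\WSUS\WsusContent.manifest.txt' # assumed path
)

$sha256 = [System.Security.Cryptography.SHA256]::Create()
$root   = $ContentPath.TrimEnd('\')
$files  = @(Get-ChildItem -Path $root -Recurse -Force | Where-Object { -not $_.PSIsContainer })

$totalBytes = 0
$lines = foreach ($f in $files) {
    $stream = $f.OpenRead()
    try {
        $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
    $totalBytes += $f.Length
    # Relative path so the manifest matches even if the content roots differ
    $rel = $f.FullName.Substring($root.Length + 1)
    "{0}`t{1}`t{2}" -f $hash, $f.Length, $rel
}
$sha256.Clear()

# Header mirrors the spot check from the post: number of files and size in bytes
$header = "Files: {0}`tBytes: {1}" -f $files.Count, $totalBytes
Write-Output $header
@($header) + @($lines | Sort-Object) | Set-Content -Path $ManifestPath -Encoding ASCII

# Run the same script on the other server, copy its manifest across, then:
#   Compare-Object (Get-Content A.manifest.txt) (Get-Content B.manifest.txt)
# No output from Compare-Object means the two content stores are identical.
```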
The isolated WSUS server should be installed using the same InstallWsus.cmd script (or similar) for consistency. The rough summary of the process on the isolated WSUS server is as follows:
The WSUS server should be configured in ConfigMgr as the active Software Update Point (SUP) role. ConfigMgr takes control of the WSUS service; configuration via the Update Services console is unnecessary. The following settings on the SUP need to be configured:
The following is the rough process to use the updates in ConfigMgr:
I included a PDF diagram that depicts the data flows for both the update metadata and the update content, as a way to visualize the above process.
The attached archive includes all of the scripts and diagrams referenced in this post.
I'm always looking for ways to streamline and improve this so please let me know if you have any suggestions, comments or additions.
Nice article, thanks. I also followed your article, but the isolated SCCM throws an error "invalid certificate signature" when trying to download the update list from the isolated WSUS's WsusContent share. Any idea what went wrong?
Hi. In a situation like this, do you recommend EVER using the WSUS Cleanup Wizard to clean expired updates and the like on the disconnected side? My own testing has caused all of the updates to be deleted from the WSUSContent folder, as they are not "approved".
Of course they aren't meant to be, as they are merely there to be downloadable from SCCM.