David Dixon's Notes from the Field

A Microsoft Field Engineer's notes on all things System Center.

SCCM\WSUS - Streaming from an Upstream Server.

SCCM\WSUS - Streaming from an Upstream Server.

  • Comments 4
  • Likes
 
I’ve seen this question asked numerous times in newsgroups, customer mail, and blogs.  Can a System Center Configuration Manager Software Update Point in one hierarchy sync from another as its “Upstream Server”.
 
Here’s the usual Scenario – A customer has two network environments: (1) A normal production environment, firewalled with basic Internet access. (2) A highly secure lock-down environment with no internet access.  This is a common scenario, particularly in highly secure military infrastructures or intelligence agencies.
 
Customer has a ConfigMgr 2007 SP1 hierarchy with integrated WSUS in both environments. Both ConfigMgr 2007 SP1 hierarchies have a Central Site at the top and multiple Primaries. He would like to sync the WSUS catalog in the production environment (1), and have the secure environment (2) collect the catalog from the production WSUS as a downstream server.
 
The only problem here?  This doesn't work.  In each environment there is a Central ConfigMgr site, with child primaries and secondaries. In the secure environment, the only option for the ConfigMgr WSUS sync would be from (a) Sync from Microsoft Update or (b) Manual catalog insertion. You cannot sync from an upstream server at the top of the WSUS hierarchy.
 
At the Top of the SCCM hierarchy it appears you have a choice to Synchronize from an Upstream Server.  The “Synchronize from an upstream update server” option should be grayed out at the top of the hierarchy. Only manually imported updates, or synchronize from Microsoft Update are the actual working options.  In future versions of SCCM this may be corrected.
Central Site SUP Options.
 wsus02
 
  At a child site the only option to sync is from an Upstream Server.
  wsus01
Comments
  • It took me some time to find somebody else who has similair issues like me. I see another problem.

    I can configure the central site to sync via export/import files but if use this option it's impossible to configure any classification or product.

    Any idea how to solve this issue?

    Thanks in advance.

    Joachim

  • Although our situation is a little bit different, our solution to the Synchronization problem between a internet enabled hierarchy and a non internet enabled hierarchy probably will work for this one to.

    In the documentation you’re told to leave the SCCM integrated WSUS configuration alone because SCCM will configure the WSUS server. And for sure it does that. But there is a schedule to this automated configuration and you can take advantage from the fact that is a schedule.

    Open in the non internet hierarchy both SCCM Configuration Manager Console and WSUS management console. Point the WSUS management console to your SCCM integrated WSUS server in the non internet hierarchy and go to the Options section and select Update Source and Proxy Server. As the primary WSUS server for your SCCM environment the settings is that it will synchronize with Microsoft Update (but this off course doesn’t work because there is no internet connection). Select the option “Synchronize from another Windows Server Update Services server” and for the server name fill in the SCCM integrated WSUS server which is in the Internet enabled hierarchy (don’t forget to open the firewall between the two hierarchies for http:80 and/or http:443 traffic between the 2 servers).

    After changing the WSUS configuration go to the SCCM Configuration Manager Console and go to “Site Database – Computer Management – Software Updates – Update Repository”. Right click and select “Run Synchronization”. Because the scheduled configuration run between SCCM en WSUS hasn’t taken place yet SCCM will trigger WSUS to synchronize and WSUS synchronizes to the server you just specified.

    You will have to perform these steps every time you will want to synchronize the SCCM servers for Software Updates in the non internet enabled hierarchy because of the schedule from SCCM but it still beats the work for a manual catalog insertion.

    Where now looking for a way to automate these steps with Visual Basic or PowerShell in order to schedule the synchronization.

  • Nice article.

    But what I want to know is what WSUS components are required on the several servers ?

    - WSUS server: full WSUS installation

    - SCCM Central Site: WSUS Console only ??

    - SCCM Primary chanild sites: full WSUS installation

    Am i right ?

  • Suppose we have an SCCM integrated with WSUS in our environment.  Another organization is giving us access to their WSUS server that is internet connected.  Is it possible to have our SCCM integrated WSUS Synchronize with the other WSUS server?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment