SCCMWSUS - Streaming from an Upstream Server.

I’ve seen this question asked numerous times in newsgroups, customer mail, and blogs.  Can a System Center Configuration Manager Software Update Point in one hierarchy sync from another as its “Upstream Server”.

Here’s the usual Scenario – A customer has two network environments: (1) A normal production environment, firewalled with basic Internet access. (2) A highly secure lock-down environment with no internet access.  This is a common scenario, particularly in highly secure military infrastructures or intelligence agencies.

Customer has a ConfigMgr 2007 SP1 hierarchy with integrated WSUS in both environments. Both ConfigMgr 2007 SP1 hierarchies have a Central Site at the top and multiple Primaries. He would like to sync the WSUS catalog in the production environment (1), and have the secure environment (2) collect the catalog from the production WSUS as a downstream server.

The only problem here?  This doesn't work.  In each environment there is a Central ConfigMgr site, with child primaries and secondaries. In the secure environment, the only option for the ConfigMgr WSUS sync would be from (a) Sync from Microsoft Update or (b) Manual catalog insertion. You cannot sync from an upstream server at the top of the WSUS hierarchy.

At the Top of the SCCM hierarchy it appears you have a choice to Synchronize from an Upstream Server.  The “Synchronize from an upstream update server” option should be grayed out at the top of the hierarchy. Only manually imported updates, or synchronize from Microsoft Update are the actual working options.  In future versions of SCCM this may be corrected.

Central Site SUP Options.

  At a child site the only option to sync is from an Upstream Server.