wilbywilson, Posted April 15, 2014

I would like to add an SCCM Site Server into our DMZ, so that it can distribute updates to laptop clients out on the internet. I've been reading through documentation on how to set up the proper certificates for PKI and client auto-enrollment, but I haven't seen too much about adding/configuring the SUP role itself.

I assume that WSUS needs to be installed on the site server in the DMZ? Does it need any configuration at all? Or should I just cancel the WSUS config screen when it comes up? This is Windows 2012 R2 if it makes a difference.

Will the SUP inherit all of the required settings from the Primary? Anything special that needs to be done with the SUP?

Thanks

Peter van der Woude, Posted April 15, 2014

Indeed install WSUS and don't configure it. Configure WSUS for SSL (see: http://technet.microsoft.com/en-us/library/bb633246.aspx). Install SUP and most settings will be taken from the first SUP. Just keep in mind that you need a certificate with at least the Internet FQDN.

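The requirement in the reply above, that the certificate carries at least the Internet FQDN, can be checked on the DMZ server before WSUS is switched to SSL. This PowerShell is an added example and not part of the original posts; the function name, the `Cert:\LocalMachine\My` store path and the FQDN `sup.example.com` are assumptions chosen for illustration.

```powershell
# Added example: list certificates that could serve the internet-facing SUP/WSUS site.
# Assumption: the web server certificate is in the local computer's Personal store.
function Test-InternetFqdnCertificate {
    param(
        [Parameter(Mandatory)] [string] $InternetFqdn,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # DNS names the certificate provider reports for this certificate
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $nameMatch = $false
        foreach ($n in $names) {
            if ($n -ieq $InternetFqdn) {
                $nameMatch = $true
            }
            elseif ($n.StartsWith('*.')) {
                # A wildcard name covers exactly one leading label
                $suffix = $n.Substring(1)
                if ($InternetFqdn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                    $label = $InternetFqdn.Substring(0, $InternetFqdn.Length - $suffix.Length)
                    if ($label -and -not $label.Contains('.')) { $nameMatch = $true }
                }
            }
        }
        # A certificate with no EKU restriction is usable for any purpose
        $ekus = @($cert.EnhancedKeyUsageList)
        $serverAuth = ($ekus.Count -eq 0) -or
            (@($ekus | Where-Object { $_.ObjectId -eq $serverAuthOid }).Count -gt 0)
        $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Names         = $names -join ', '
            NameMatches   = $nameMatch
            ServerAuth    = $serverAuth
            InValidity    = $inValidity
            HasPrivateKey = $cert.HasPrivateKey
            Usable        = $nameMatch -and $serverAuth -and $inValidity -and $cert.HasPrivateKey
        }
    }
}

# Constructed placeholder FQDN; replace with the name internet clients will use.
Test-InternetFqdnCertificate -InternetFqdn 'sup.example.com' |
    Format-Table Thumbprint, NameMatches, ServerAuth, InValidity, HasPrivateKey, Usable
```

A row with `NameMatches` false but every other column true points to a certificate issued only for the internal name, which internet clients would reject when they connect by the Internet FQDN.
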
wilbywilson, Posted April 16, 2014

Thanks very much for the reply, Peter. I have a follow-up question.

I've been doing more research about installing an internet-facing Distribution Point in a DMZ, but not many people are saying whether their DMZ site server is joined to the same domain as the SCCM Primary. In general, it seems like best practice is to never have a DMZ-based server on the same domain as the rest of the organization.

So, how would things work if the SCCM Site server in the DMZ was in a workgroup? What additional hoops would we need to jump through to get things communicating properly? I've never installed SCCM roles onto servers that were NOT in the domain, so I'm wondering what all of the implications are.

Peter van der Woude, Posted April 17, 2014

The remote site system has to be domain joined, but I would indeed prefer a different domain. The biggest issue will probably be firewalls.