HotdogSCCM Posted July 28, 2015

Howdy. We are in the process of standing up an IBCM to service Internet clients. I have everything else squared away: certs, ports, etc. The one request we have from Security, however, is to limit 8531 traffic from the IBCM back to the Primary server; from their perspective, they're not a fan of an always-accessible encrypted tunnel between the IBCM and the Primary server itself, especially since it won't follow the "Server must initiate connections" rule, i.e., it'll access it every time WSUS syncs (currently, once a day).

I have no big issue having them open and close it according to time; if they open it every day at 1PM and close it at 2PM, and I sync my Primary with Microsoft at 1:15PM, the IBCM will finish syncing and the ports can be closed again; no muss, no fuss.

However, it also looks like WCM.log goes out and checks every hour for WSUS health. Which makes sense, mind you. Here you can see my Primary going out and validating that the DMZ (internal) SUP is correct:

Attempting connection to WSUS server: <DMZServer>.net, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 7/28/2015 1:02:03 AM 2136 (0x0858)
Successfully connected to server: <DMZServer>.net, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 7/28/2015 1:02:03 AM 2136 (0x0858)
Verify Upstream Server settings on the WSUS Server <DMZServer>.net SMS_WSUS_CONFIGURATION_MANAGER 7/28/2015 1:02:03 AM 2136 (0x0858)
No changes - WSUS Server settings are correctly configured and Upstream Server is set to PRIMARYSERVER.net SMS_WSUS_CONFIGURATION_MANAGER 7/28/2015 1:02:03 AM 2136 (0x0858)

So, if we limit 8531 traffic to, say, 1 hour a day, I'm guessing my WSUS health will show an alert, correct? Has anyone else done anything like this, per Security's/RMO's request? Obviously there's a plethora of other ports open as well, but it's the 8531 SSL tunnel they're cautious of, due to being unable to inspect the traffic between the endpoints.
Thanks!
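If the firewall only opens the WSUS port for a fixed daily window, the hourly WCM.log health check will fail outside that window and those failures are expected, while a failure inside the window points at a real problem. The following is an added example (not from the post or from ConfigMgr) that parses WCM.log-style entries and triages connection failures against the window; the log sample, hostname and the "Failed to connect" wording are constructed, and the example also handles a window that crosses midnight.

```python
import re
from datetime import datetime

# Constructed WCM.log-style sample (not from the original post). Each entry is
# message, component, date, time, thread id and hex thread id on one line.
SAMPLE_WCM_LOG = """\
Attempting connection to WSUS server: DMZSERVER.example.net, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 7/28/2015 1:02:03 PM 2136 (0x0858)
Successfully connected to server: DMZSERVER.example.net, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 7/28/2015 1:02:03 PM 2136 (0x0858)
Attempting connection to WSUS server: DMZSERVER.example.net, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 7/28/2015 2:02:05 PM 2136 (0x0858)
Failed to connect to WSUS server: DMZSERVER.example.net, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 7/28/2015 2:02:05 PM 2136 (0x0858)
Attempting connection to WSUS server: DMZSERVER.example.net, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 7/28/2015 1:30:00 PM 2136 (0x0858)
Failed to connect to WSUS server: DMZSERVER.example.net, port: 8530, useSSL: False SMS_WSUS_CONFIGURATION_MANAGER 7/28/2015 1:30:00 PM 2136 (0x0858)
"""

# message, component, M/D/YYYY, h:mm:ss AM/PM, thread id, (0xHEX)
ENTRY_RE = re.compile(
    r"^(?P<msg>.+?) (?P<comp>SMS_\w+) (?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<tid>\d+) \(0x[0-9A-Fa-f]+\)$"
)

def parse_wcm_log(text):
    """Return (timestamp, message) tuples for each well-formed entry; partial lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        entries.append((ts, m["msg"]))
    return entries

def parse_window(spec):
    """'13:00-14:00' -> (start, end) as datetime.time objects."""
    start, end = spec.split("-")
    return (datetime.strptime(start, "%H:%M").time(), datetime.strptime(end, "%H:%M").time())

def in_window(t, start, end):
    """True when clock time t lies in [start, end); a window like 22:00-01:00 wraps midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def triage_failures(text, window="13:00-14:00"):
    """Split 'Failed to connect' entries into expected (port closed, outside the
    firewall window) and unexpected (port should be open) lists of timestamps."""
    start, end = parse_window(window)
    expected, unexpected = [], []
    for ts, msg in parse_wcm_log(text):
        if msg.startswith("Failed to connect"):
            (unexpected if in_window(ts.time(), start, end) else expected).append(ts)
    return expected, unexpected

if __name__ == "__main__":
    exp, unexp = triage_failures(SAMPLE_WCM_LOG, "13:00-14:00")
    print("expected failures (port closed):", exp)
    print("unexpected failures (port open):", unexp)
```

Unexpected failures are the ones worth alerting on; the expected ones just mirror the firewall schedule and can be suppressed in monitoring.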