thanke, posted January 16, 2012

Hello all, I need some help on the topic I have started. We use SCCM 2007 for the internal patch management and all works fine. Now we need to patch our servers which are located in the DMZ, but I don't know what I need to do for this. We don't want to open any ports on the firewall other than the minimum needed! What is the best solution for our needs? The servers in the DMZ are at the moment not in the local domain, but this should not be a problem; what I need to know is what we need in the DMZ. A primary site, a secondary site etc.? Which ports have to be opened? I have read many articles on the internet but am not really sure what to do. Thanks a lot for your help. Regards, Thorsten
Peter van der Woude, posted January 16, 2012

The ports you need can be found here: http://technet.microsoft.com/en-us/library/bb632618.aspx You need at least traffic to the MP, DP and SUP. Also make sure to add a boundary for the IP range/subnet of the DMZ servers.
thanke, posted January 17, 2012

Hi Peter, thanks for the link; this is also what I found, but which SCCM function needs to be installed on the server in the DMZ? Is this then a secondary site or a primary? Regards, Thorsten
martin.kirkley, posted January 31, 2012

Hi Thorsten, this probably doesn't help, but: that is up to you. Using the diagram on the link you can get the firewall ports open from all DMZ clients to your Software Update Point, etc. Or, if you want to cut down on the number of clients you have talking through your firewall, then you can put in a Secondary Site and have ports open between the Secondary Site server and your Primary Site, then have the Secondary Site configured as a downstream WSUS server and have the Software Update Point role installed. I would still suggest that you open the firewall between the Primary Site and all clients (outlined in Section 17 on the link) because clients will bypass the Secondary Site and want to talk to the Management Point directly when you try to run deployment jobs. If you only want to use the WSUS capabilities of SCCM, then open the ports outlined in sections 3 & 6. Hope that helps! Martin

*** EDIT *** Apologies, you wouldn't need to have it as a downstream server; just a DP would do. Then you would advertise Software Update Deployment Packages and add the DMZ DP to the list of Distribution Points on the Deployment Package.
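A check to run after settling the rule set described in this thread, added here and not posted by any of the participants: a small PowerShell script run on a DMZ server that confirms the client-facing MP, DP and SUP ports are reachable and that ports the minimal-port policy should leave closed really are closed. The host names, the port choices (80 for MP/DP in mixed mode, 8530 for WSUS) and the 'closed' entries are assumptions to replace with your own hosts and the ports you picked from the linked TechNet list.

```powershell
# Added example, not from the thread. Verifies from a DMZ server that the
# firewall allows exactly the SCCM 2007 client traffic you intended.
# Hosts and the expected port set below are assumptions; edit them to match
# your MP/DP/SUP servers and the rows you chose from the TechNet port list.
# Uses System.Net.Sockets.TcpClient so it also runs on PowerShell 2.0.

$Checks = @(
    # Role, host, port, and whether the firewall rule set should allow it
    @{ Role = 'MP';  Host = 'mp01.corp.example';  Port = 80;   Expected = 'open'   }  # client policy, mixed mode
    @{ Role = 'DP';  Host = 'dp01.corp.example';  Port = 80;   Expected = 'open'   }  # BITS/HTTP package download
    @{ Role = 'DP';  Host = 'dp01.corp.example';  Port = 445;  Expected = 'closed' }  # SMB share, deliberately not opened
    @{ Role = 'SUP'; Host = 'sup01.corp.example'; Port = 8530; Expected = 'open'   }  # WSUS over HTTP
    @{ Role = 'SUP'; Host = 'sup01.corp.example'; Port = 3389; Expected = 'closed' }  # RDP must not be reachable from the DMZ
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A silently dropped packet shows up as a timeout, not an exception
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'closed' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        return 'closed'   # refused or unresolved
    } finally {
        $client.Close()
    }
}

$results = foreach ($c in $Checks) {
    $state = Test-TcpPort -ComputerName $c.Host -Port $c.Port
    New-Object PSObject -Property @{
        Role = $c.Role; Host = $c.Host; Port = $c.Port
        Expected = $c.Expected; Actual = $state
        OK = ($state -eq $c.Expected)
    }
}

$results | Format-Table Role, Host, Port, Expected, Actual, OK -AutoSize
# A row with OK = False is either a missing rule (patching will fail) or an
# unexpectedly open port (more exposure than the minimal-port policy intends).
if ($results | Where-Object { -not $_.OK }) { exit 1 }
```

Run it once from the DMZ side after the firewall change and again after any rule edit; the non-zero exit code makes it easy to hook into a scheduled check.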