Skip to main content

SCCM with WSUS in DMZ serving Internet Facing clients

By

SCCM with WSUS in DMZ serving Internet Facing clients

Overview:

This Blog will document at a high level my experience of implementing a 'Software Update Point' on a site server in our DMZ to serve SCCM clients (including Workgroup servers) on the Internet.
It will explain the implementation process as well as expected behaviour by diving into the log files on both the site server and client.

Please ask questions in the comments field; and I will update the main narrative in response.

Architectural design overview

  • One Primary site server on Internal network
  • One Site system Server within DMZ
    • Ports opened on firewall to allow servers to communicate.
    • Configured with the following System roles:
      • Management point
      • Distribution point
      • Software update point
  • Work group servers within the DMZ/Internet facing clients only

The Site system Server within DMZ had the WSUS role installed through 'Server Manager' console. Within IIS a webserver certificate was added to the binding port 8531

On the Primary site server the Software Update Point role was added the Site system Server within DMZ. The connection type set to 'Internet only client connections'.
Even though we set the webserver certificate within the binding we do not need to click 'Require SSL communications...' as the workgroup systems require PKI certificates and all communication is set to the SSL.


Within the Monitoring Workspace> System Status>Site Status the new SUP role will be displayed. Right click and Show all Messages. Review messages and ensure the role installed and started.

Within the Software Library Workspace> Software updates> All Software Updates right click and select 'Synchronize Software Updates'.
Go back the Monitoring Workspace> 'Software Update Point Synchronization Status' ensure there is the new SUP server and that it is a down stream server from the Primary site. The initial sync will take upwards of 30 minutes and progress can be reviewed wsyncmgr.log on the Primary server.


The SCCM environment is now aware of the additional SUP server and as it is Internet facing and configured to respond to Internet-only clients it will become the preferred choice for theWorkgroup servers within the DMZ/Internet facing clients.
When these clients 'Software Updates Scan Cycle' occurs they will assess the SCCM environment and the locationservces.log will update the WSUS path with the new SUP server. 


This WSUS path is updated within LocalPolicy and the WindowsUpdate registry value is updated.


Now that the role is installed and client is pointing at the correct SUP server. It will check in for policy and review available Software update packages. Internet clients will always download the content from the Internet first and if this fail then attempt to download from a DP.


Content is downloaded and installed as a normal deployment as seen within Software Center.







Labels:

Comments

  1. UnknownMay 13, 2017 at 10:00 AM

    This comment has been removed by a blog administrator.

    ReplyDelete
  2. Steve ROctober 14, 2017 at 9:23 AM

    This comment has been removed by a blog administrator.

    ReplyDelete
  3. UnknownJanuary 18, 2018 at 10:34 PM

    Thanks for your valuable information, but my clients not able to find Internet MP showing intranet only.pls help me to resolve

    ReplyDelete
    Replies
    1. syswow64January 19, 2018 at 6:39 AM

      I'll need a bit more background, can you provide some logs locationservices.log IIS etc
      Have you registered an external URL for the DMZ SUP ?
      Have you issued Clients Certificates?
      Have you issued a web server certificate for the DMZ SUP ?

      DM via Twitter- @syswow64blog

      Delete
  4. Fazil SeoOctober 26, 2019 at 10:37 AM

    Wonderful article. Fascinating to read. I love to read such an excellent article. Thanks! It has made my task more and extra easy. Keep rocking. https://192-168-i-i.com/

    ReplyDelete

Post a Comment

Popular posts from this blog

SCCM Unknown computer not able to see Task Sequences after installing Current Branch 1702

By
Soon after installing SCCM CB 1702 we were unable to see Task Sequences deployed to the unknown collection. This issue was identified as a random system taking the GUID of the 'x64 Unknown Computer (x64 Unknown Computer)' record. As a result it was now a known GUID; as we were only deploying Task Sequences to the Unknown collection none were made available. 'x64 Unknown Computer (x64 Unknown Computer)' record 'x86 Unknown Computer (x86 Unknown Computer)' record To get the GUID of your unknown systems open SQL management studio and run the following command: --Sql Command to list the name and GUID for UnknownSystems record data select ItemKey, Name0,SMS_Unique_Identifier0 from UnknownSystem_DISC Using the returned GUID (SMS_Unique_Identifier0) we can find the hostname that has been assigned the 'x64 Unknown Computer (x64 Unknown Computer)' GUID by running the query below. --x64 Unknown Computers select Name0,SMS_Unique_Identifier0,Decommissioned0 from Sys...
167 comments
Read more

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

By
This article outlines the protection against the publicly disclosed Secure Boot security feature bypass involving the BlackLotus UEFI bootkit (CVE-2023-24932). It includes steps to enable the necessary mitigations and provides guidance on creating bootable media. I will provide: - An overview of the CVE issue. - Pre-requisite actions within ADK. - Detection and remediation scripts for CVE-2023-24932. - Instructions for creating a WinPE Boot.wim file to support systems that have undergone remediation. - A breakdown of the files changed and how to boot WinPE to support systems before remediation. 1. Secure Boot Security Feature Bypass Vulnerability CVE-2023-24932 see MSRC CVE-2023-24932 is a security vulnerability involving the BlackLotus UEFI bootkit, which allows attackers to bypass Secure Boot protections. This vulnerability enables the execution of malicious code at the UEFI level, potentially leading to persistent and evasive threats. Mitigations for this issue include updates to th...
Post a Comment
Read more

Java 7 update 21 (1.7.0_21) Enterprise Repackaged Security Medium Deployment with SCCM

By
------------------------------------------------------------------------------------------------- Java 7 update 45 Enterprise deployment complete walk through http://www.syswow64.co.uk/2013/10/java-7-update-45-enterprise-deployment.html -------------------------------------------------------------------------------------------------- The issue on many blogs and articles is around creating the 'deployment.config' and 'deployment.properties' files for an enterprise deployment.  In my case i wanted to set the security level to 'Medium', but everytime I open the Java control panel it was set to the default HIGH setting. Solution 1 Create the following directory path 'C:\Windows\sun\java\deployment' 2 Create a file called 'deployment.config' in this directory and open with Notepad. Copy the two line below #################### deployment.system.config = file\:\\C\:\\WINDOWS\\Sun\\Java\\Deployment\\deployment.properties deployment.system...
15 comments
Read more