Wrong WSUS WUA server assigned to DMZ agents
Having a problem with the WSUS part of SCCM 2012 not working on agents in our DMZ. Internal agents working fine. DMZ agents have PKI certificates from internal PKI, and are appearing in the console as active inventory.
Because many parts of the SCCM roles must be configured for HTTP or HTTPS and not both at the same time:
1 - these agents are on a boundary that assigns them to an MP that is configured for SSL. Agent control panel shows correct MP.
2 - these agents are also in a collection with different client settings to assign them an 8531 appcat.
SDCSCMP23 is the HTTP WSUS/Appcat/MP for internal agents
SDCSCMP25 is the SSL WSUS/Appcat/MP with PKI certs for DMZ agents
The problem is that SCCM is configuring DMZ agents to use the HTTP parts of the infrastructure for WSUS, and not the HTTPS parts. Per MS Doc, Client Settings are supposed to auto-assign an HTTPS appcat before an HTTP one, but this was not happening, so I made my own client settings to assign the HTTPS appcat.
Simply modifying the firewall config to permit 443, 8531 to this other server is NOT an option, because those servers are listening on 80, 8530 (for internal HTTP agents) not 443, 8531. We have a requirement to use only 443, 8531 for the DMZ agents. Have verified that 443, 8531 are open through the firewall to SDCSCMP25 from the agents. This is SCCM 2012 SP1. We are NOT assigning WSUS servers through GPO.
How do I get SCCM to assign the correct WSUS servers to these agents?
Thanks