How to:

 

Step

Details

Step 1: Install and Configure a Software Update Point

Central administration site

 

When you have a Configuration Manager 2012 hierarchy, install and configure the software update point on the central administration site before you install it on child primary sites and secondary sites. To enable software update in the hierarchy, you must have an active software update point on the central administration site.

Stand-alone primary site

 

When you have a stand-alone primary site, a primary site that is not connected to a central administration site, install and configure the software update point to enable software update deployment at the site. When you have a secondary site connected to the stand-alone primary site, you must install the software update point on the primary site first.

Child primary site

 

After you install a software update point on the central administration site, install and configure the software update point on child primary sites to enable software update deployment at the site. When you have a secondary site connected to the primary site, you must install the software update point on the primary site first.

Secondary site

 

After you install the software update point on a primary site, you can optionally install and configure the software update point on a connected secondary site. When you do not have a software update point installed at the secondary site, clients assigned to the secondary site will use the software update point at the parent primary site. When there is limited network bandwidth to the software update point at the parent primary site or when Windows Server Update Services (WSUS) is approaching the maximum number of client computers at the parent primary site, you should install a software update point at the secondary site.

Step 2: Synchronize Software Updates

Synchronize software updates on a connected software update point

 

Software updates synchronization is the process of retrieving software updates metadata from Microsoft Update and replicating the metadata to all sites enabled for software updates in the Configuration Manager 2012 hierarchy. The software update point on the central administration site, or on a stand-alone primary site, retrieves software updates metadata from Microsoft Update. Child primary sites, secondary sites, and remote Internet-based software update points retrieve the software updates metadata from the software update point identified as the upstream update source. Access to the upstream update source is required to successfully synchronize software updates.

Synchronize software updates on a disconnected software update point

 

Automatic software updates synchronization is not possible when the software update point for the central administration site or stand-alone primary site is disconnected from the Internet, or when an Internet-based software update point is disconnected from the active software update point for the site. To retrieve the latest software updates for a disconnected software update point, you must use the WSUSUtil tool to export the software updates metadata and license terms files from a software update source, and then import the metadata and files to the disconnected software update point.

Step 3: Configure the Settings Associated with Software Updates

There are several Configuration Manager 2012 client settings and group policy configurations that are associated with software updates. Review these settings and configurations to verify that they are appropriate for your environment.
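The export and import for a disconnected software update point described in Step 2, as an added PowerShell example that is not part of the original procedure. It assumes the default WSUS installation path, PowerShell 4.0 or later (for Get-FileHash) and constructed folder and file names; the SHA-256 check on the transferred package is an addition, and the license terms files that the procedure mentions are copied separately and are not covered here.

```powershell
# Added example: move software updates metadata to a disconnected software update point.
# Assumptions: default WSUS install path, PowerShell 4.0+, constructed names
# (E:\SupTransfer, export.cab, export.log, import.log).
$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'

function Export-SupMetadata {
    # Run on the connected WSUS server that acts as the software update source.
    param([Parameter(Mandatory)][string]$Destination)

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $package = Join-Path $Destination 'export.cab'
    $log     = Join-Path $Destination 'export.log'

    # Out-Host keeps the tool's console output out of the function's return value.
    & $WsusUtil export $package $log | Out-Host

    # Assumption: a non-zero exit code signals failure; review the log either way.
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $package)) {
        throw "WsusUtil export failed (exit code $LASTEXITCODE). See $log"
    }

    # Return the digest so the importing side can detect a corrupted or altered package.
    (Get-FileHash -Path $package -Algorithm SHA256).Hash
}

function Import-SupMetadata {
    # Run on the disconnected software update point.
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )

    $package = Join-Path $Source 'export.cab'
    $log     = Join-Path $Source 'import.log'

    # Refuse to import anything that does not match the digest taken at export time.
    $actual = (Get-FileHash -Path $package -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {   # -ne compares strings case-insensitively
        throw "Digest mismatch for $package. Expected $ExpectedSha256, got $actual. Import aborted."
    }

    & $WsusUtil import $package $log | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "WsusUtil import failed (exit code $LASTEXITCODE). See $log"
    }
}

# On the connected server:
#   $digest = Export-SupMetadata -Destination 'E:\SupTransfer'
# Carry $digest to the disconnected site separately from the transfer media, then:
#   Import-SupMetadata -Source 'E:\SupTransfer' -ExpectedSha256 $digest
```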

 

Install and Configure a Software Update Point on the Central Administration Site

In a Configuration Manager 2012 hierarchy, you should always install and configure the software update point starting with the central administration site. The software update point at the central administration site is typically configured to synchronize with Microsoft Update, retrieving the software updates metadata based on the criteria that you specify in the software update point properties. Before you install the software update point site system role, you must verify that the server meets required dependencies.

 

Use the following procedure to add the software update point site system role to the central administration site.


 Note:

Do not use this procedure when you have decided to configure the software update point to use an NLB cluster. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster, below.

 

To install and configure the software update point for the central administration site

1.       In the Configuration Manager console, click Administration.

2.       In the Administration workspace, expand Site Operations and click Servers and Site System Roles.

3.       Add the software update point site system role to a new or existing site system server by using the associated step:

·         New site system server: On the Home tab, in the Create group, click Create Site System Server. The Create Server Wizard opens.

·         Existing site system server: Click the server on which you want to install the software update point site system role. When you click a server, a list of the site system roles that are already installed on the server is displayed in the details pane. On the Home tab, in the Server group, click Add Site System Role. The Create Roles Wizard opens.

4.       On the General page, specify the general settings for the site system server. When you add the software update point to an existing site system server, verify the values that were previously configured.

5.       On the System Role Selection page, select Software update point from the list of available roles, and then click Next.

6.       On the Software Update Point page, specify whether the site server will use a proxy server when connecting to the software update point and whether to use credentials to connect to the proxy server, and then click Next.

7.       On the Active Settings page, select Use this server as the active software update point, specify the website and port configurations that are used by WSUS, and then click Next.

 Tip:

To determine the website and port configurations in WSUS, see How to Determine the Port Settings Used by WSUS, below.

 

8.       On the Synchronization Source page, select Synchronize from Microsoft Update to synchronize software updates from Microsoft Update. The central administration site must have Internet access or synchronization will fail. This setting is available only when configuring the software update point on the central administration site or stand-alone primary site.

 Important:

When the software update point on the central administration site is disconnected from the Internet, you must select Do not synchronize from Microsoft Update and manually synchronize software updates.

 

9.       Specify whether to create WSUS reporting events, and then click Next. Configuration Manager does not use these events so you will typically choose the default setting Do not create WSUS reporting events.

10.   On the Synchronization Schedule page, specify whether to synchronize software updates on a schedule. This setting is configured only on the software update point for the central administration site.

 Tip:

You should schedule software updates synchronization to run using a timeframe appropriate for your environment. One common scenario is to set the software updates synchronization schedule to run shortly after Microsoft’s regular security update release on the second Tuesday of each month, typically referred to as Patch Tuesday.

 


 Note:

When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software updates from the All Software Updates or Software Update Groups node in the Software Library workspace.

 

11.   Specify whether to create an alert when synchronization fails, and then click Next. When selected, you can go to the Software Update Point Synchronization Status node in the Monitoring workspace to monitor the synchronization state for all software update points in your hierarchy.

12.   On the Supersedence Rules page, specify how to manage superseded software updates, and then click Next. This setting is configured only on the software update point for the central administration site.

 

 

13.   On the Classifications page, specify the software update classifications for which you want to synchronize software updates, and then click Next. This setting is configured only for the software update point at the central administration site.

 

 

14.   On the Products page, specify the products for which you want to synchronize software updates, and then click Next. This setting is configured only on the software update point for the central administration site.

 

15.   On the Languages page, specify the languages for which you want to synchronize software update files and summary details, and then click Next. The Software Update File setting is configured at each software update point in the Configuration Manager 2012 hierarchy. The Summary Details settings are configured only on the software update point for the central administration site.

 

16.   On the Summary page, confirm the settings for the software update point. You can go back to previous pages and make changes. Click Next to add the site system role, verify that the wizard successfully completed, and then click Close to exit the wizard.

17.   To monitor the installation progress for the software update point, open SUPSetup.log in <InstallationPath>\Logs. When the installation completes, Installation was successful is written to the log file.

 

After you complete the software update point installation on the site system server, consider the following additional settings available only from Software Update Point Component Properties:

·         Client connection settings: The client connection settings allow you to configure custom ports, whether the software update point accepts communications from clients on the Internet, and to enable SSL communications for the WSUS server. If during the initial software update point installation, you selected a standard set of ports, the software update point is configured to accept communications from only clients on the intranet, and SSL communications is not enabled.

·         Internet-based software update point: When the active software update point is configured not to accept communications from clients on the Internet, you can specify an Internet-based software update point that is accessible from clients on the Internet.

·         Network Load Balancing (NLB): You can configure the active software update point or Internet-based software update point to use an NLB cluster. When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point.

 Important:

When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster, below.

 

When one of the above configurations is necessary for your software update point, use the following procedure to complete the software update point configuration on the central administration site.

 

To complete software update point configuration on the central administration site

1.       In the Configuration Manager console, click Administration.

2.       In the Administration workspace, expand Site Operations, click Sites, and then select the central administration site.

3.       On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. Software Update Point Component Properties opens.

4.       On the General tab, configure the following settings:

·         Active software update point for this site: Specifies whether the active software update point is configured, and if so, whether it is installed on the site server, a remote site system server, or configured to use NLB.


 Note:

This setting was configured when you installed the software update point on the site server or site system server. You can change the location for the active software update point by using this setting. When the active software update point is installed on a remote site system server, the Active software update point and Software Update Point Connection Account settings are displayed on this page.

 

 Important:

When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster, below.

 

·         Port number: Specifies the HTTP port number configured on the WSUS server.


 Note:

The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

 

For information about finding the port numbers used by WSUS, see How to Determine the Port Settings Used by WSUS, below.

 

·         SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server.

 Warning:

When the Enable SSL for this WSUS server setting is selected, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

 

·         Active software update point: Specifies the name of the remote site system server that you selected as the active software update point.


 Note:

This setting is only displayed when you installed the active software update point on a remote site system server. You can select a different remote site system server for the active software update point by using this setting. Only remote site system servers with the software update point site system role installed are available for you to select. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and be available to select as the active software update point.

 

·         Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

 Important:

The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

 

·         Allow intranet-only client connections: Specifies that this software update point accepts only connections from clients on the intranet. When you select this setting, the options on the Internet-based tab are enabled and provide you with the option to configure a different remote software update point that accepts connections from clients on the Internet.

·         Allow both intranet and internet client connections: Specifies that this software update point accepts connections from both clients on the intranet and Internet. When this setting is selected, the settings on the Internet-based tab are disabled.

·         Enable SSL communications for the WSUS Server: Specifies whether to use SSL communications on the WSUS server. When this setting is selected, the following actions apply:

·         The WSUS server will synchronize software updates metadata using SSL. The upstream update server must be configured for SSL or synchronization will fail.

·         For clients to connect to the WSUS server, both the clients and WSUS Web site must have a trusted root CA in common. Without a common certificate, clients will fail to scan for software update compliance.

 Important:

When the active software update point is configured for SSL, and it is configured to accept both client connections from the Internet and intranet, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.

 

5.       On the Internet-based tab, configure the following settings:


 Note:

The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranet-only client connections setting is selected on the General tab.

 

·         Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB.


 Note:

When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page.

 

 Important:

When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster, below.

 

·         Port number: Specifies the HTTP port number configured on the WSUS server. The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

·         SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

·         Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

 Important:

The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

 

·         Do not synchronize from the software update point located on the intranet: Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point.

 Important:

Even though the Internet-based software update point accepts client connections from the Internet only, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.

 

6.       Review the settings on the remaining tabs that you configured as part of the software update point installation. For more information about the settings, refer to steps 10-15 in the preceding procedure.
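The certificate requirements in the Important notes above (both the Internet FQDN and the intranet FQDN in the Web server certificate, and a root CA that clients trust) can be checked before SSL is enabled. The following PowerShell is an added example, not part of the original procedure; the host names and the in-memory sample certificates are constructed, and building the samples requires .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
# Added example: verify that a WSUS Web server certificate lists every required FQDN.
# All host names below are constructed placeholders.
function Get-CertDnsNames {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }

    # Format() renders "DNS Name=host" on Windows and "DNS:host" on OpenSSL-based platforms.
    [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-SupCertificateNames {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$RequiredFqdn
    )

    # Exact, case-insensitive match; wildcard entries are not expanded.
    $names   = @(Get-CertDnsNames -Certificate $Certificate)
    $missing = @($RequiredFqdn | Where-Object { $names -notcontains $_.ToLowerInvariant() })

    # Does the certificate chain to a root trusted by the machine running this check?
    # Revocation checking is switched off so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        DnsNames     = $names
        MissingFqdn  = $missing
        Expired      = $Certificate.NotAfter -lt (Get-Date)
        ChainTrusted = $trusted
        NamesOk      = ($missing.Count -eq 0)
    }
}

function New-SampleCertificate {
    # Builds a self-signed certificate in memory; nothing is written to a certificate store.
    param([Parameter(Mandatory)][string[]]$DnsName)

    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$($DnsName[0])", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

    $sanBuilder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
    foreach ($name in $DnsName) { $sanBuilder.AddDnsName($name) }
    $req.CertificateExtensions.Add($sanBuilder.Build($false))

    $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
}

# Constructed samples: one certificate with both names, one with the intranet name only.
$required = 'sup01.corp.contoso.example', 'updates.contoso.example'
$both     = New-SampleCertificate -DnsName $required
$intranet = New-SampleCertificate -DnsName 'sup01.corp.contoso.example'

Test-SupCertificateNames -Certificate $both     -RequiredFqdn $required | Format-List
Test-SupCertificateNames -Certificate $intranet -RequiredFqdn $required | Format-List

# For a real server, pass the certificate bound to the WSUS Web site instead, for example:
#   $cert = Get-Item 'Cert:\LocalMachine\My\<thumbprint-placeholder>'
#   Test-SupCertificateNames -Certificate $cert -RequiredFqdn $required
```

Because the constructed samples are self-signed, ChainTrusted reports False for them; for a production certificate it should be True on every client that has to scan against the WSUS server.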

Install and Configure a Software Update Point on a Stand-Alone Primary Site

To install and configure the software update point for a stand-alone primary site

1.       In the Configuration Manager console, click Administration.

2.       In the Administration workspace, expand Site Operations and click Servers and Site System Roles.

3.       Add the software update point site system role to a new or existing site system server by using the associated step:

·         New site system server: on the Home tab, in the Create group, click Create Site System Server. The Create Server Wizard opens.

·         Existing site system server: click the server on which you want to install the software update point site role. When you click a server, a list of the site system roles that are already installed on the server is displayed in the details pane. On the Home tab, in the Server group, click Add Site System Role. The Create Roles Wizard opens.

4.       On the General page, specify the general settings for the site system server. When you add the software update point to an existing site system server, verify the values that were previously configured.

5.       On the System Role Selection page, select Software update point from the list of available roles, and then click Next.

6.       On the Software Update Point page, specify whether the site server will use a proxy server when connecting to the software update point and whether to use credentials to connect to the proxy server, and then click Next.

7.       On the Active Settings page, select Use this server as the active software update point, specify the website and port configurations that are used by WSUS, and then click Next.

8.       On the Synchronization Source page, select Synchronize from Microsoft Update to synchronize software updates from Microsoft Update. The stand-alone primary site must have Internet access or synchronization will fail. This setting is available only when configuring the software update point on the central administration site or stand-alone primary site.

 Important:

When the software update point on the stand-alone primary site is disconnected from the Internet, you must select Do not synchronize from Microsoft Update and manually synchronize software updates.

 


 Note:

When there is a firewall between the active software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains.

 

9.       Specify whether to create WSUS reporting events, and then click Next. Configuration Manager does not use these events so you will typically choose the default setting Do not create WSUS reporting events.

10.   On the Synchronization Schedule page, specify whether to synchronize software updates on a schedule. This setting is configured only on the software update point for the stand-alone primary site.

 Tip:

You should schedule software updates synchronization to run using a timeframe appropriate for your environment. One common scenario is to set the software updates synchronization schedule to run shortly after Microsoft’s regular security update release on the second Tuesday of each month, typically referred to as Patch Tuesday.

 


 Note:

When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software updates from the All Software Updates or Software Update Groups node in the Software Library workspace.

 

11.   Specify whether to create an alert when synchronization fails, and then click Next. When selected, you can go to the Software Update Point Synchronization Status node in the Monitoring workspace to monitor the synchronization state for all software update points in your hierarchy.

12.   On the Supersedence Rules page, specify how to manage superseded software updates, and then click Next. This setting is configured only on the software update point for the stand-alone primary site.

 

13.   On the Classifications page, specify the software update classifications for which you want to synchronize software updates, and then click Next. Secondary sites will automatically use the software update classifications configured for the software update point for the stand-alone primary site.

 

14.   On the Products page, specify the products for which you want to synchronize software updates, and then click Next. Secondary sites will automatically use the products configured for the software update point for the stand-alone primary site. When selecting the products, be aware that the more products that are selected, the longer it takes to complete software updates synchronization.

 

15.   On the Languages page, specify the languages for which you want to synchronize software update files and summary details, and then click Next. The Software Update File setting is configured at each software update point in the Configuration Manager 2012 hierarchy. Secondary sites will automatically use the summary details configured for the software update point for the stand-alone primary site.

 

16.   On the Summary page, confirm the settings for the software update point. You can go back to previous pages and make changes. Click Next to add the site system role, verify that the wizard successfully completed, and then click Close to exit the wizard.

17.   To monitor the installation progress for the software update point, open SUPSetup.log in <InstallationPath>\Logs. When the installation completes, Installation was successful is written to the log file.

 

After you complete the software update point installation on the site system server, consider the following additional settings available only from Software Update Point Component Properties:

·         Client connection settings: The client connection settings allow you to configure custom ports, whether the software update point accepts communications from clients on the Internet, and to enable SSL communications for the WSUS server. If, during the initial software update point installation, you selected a standard set of ports, the software update point is configured to accept communications from only clients on the intranet, and SSL communications is not enabled.

·         Internet-based software update point: When the active software update point is configured not to accept communications from clients on the Internet, you can specify an Internet-based software update point that is accessible from clients on the Internet.

·         Network Load Balancing (NLB): You can configure the active software update point or Internet-based software update point to use an NLB cluster. When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point.

 

When one of the above configurations is necessary for your software update point, use the following procedure to complete the software update point configuration on the stand-alone primary site.

 

To complete software update point configuration on the stand-alone primary site

1.       In the Configuration Manager console, click Administration.

2.       In the Administration workspace, expand Site Operations, click Sites, and then select the central administration site.

3.       On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. The Software Update Point Component Properties opens.

4.       On the General tab, configure the following settings:

·         Active software update point for this site: Specifies whether the active software update point is configured, and if so, whether it is installed on the site server, a remote site system server, or configured to use NLB.


 Note:

This setting was configured when you installed the software update point on the site server or site system server. You can change the location for the active software update point by using this setting. When the active software update point is installed on a remote site system server, the Active software update point and Software Update Point Connection Account settings are displayed on this page.

 

 Important:

When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point.

 

·         Port number: Specifies the HTTP port number configured on the WSUS server.


 Note:

The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

 

·         SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server.

 Warning:

When the Enable SSL for this WSUS server setting is selected, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

 

·         Active software update point: Specifies the name of the remote site system server that you selected as the active software update point.


 Note:

This setting is only displayed when you installed the active software update point on a remote site system server. You can select a different remote site system server for the active software update point by using this setting. Only remote site system servers with the software update point site system role installed are available for you to select. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and be available to select as the active software update point.

 

·         Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

 Important:

The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

 

·         Allow intranet-only client connections: Specifies that this software update point accepts only connections from clients on the intranet. When you select this setting, the options on the Internet-based tab are enabled and provide you with the option to configure a different remote software update point that accepts connections from clients on the Internet.

·         Allow both intranet and internet client connections: Specifies that this software update point accepts connections from both clients on the intranet and Internet. When this setting is selected, the settings on the Internet-based tab are disabled.

·         Enable SSL communications for the WSUS Server: Specifies whether to use SSL communications on the WSUS server. When this setting is selected, the following actions apply:

·         The WSUS server will synchronize software updates metadata using SSL. The upstream update server must be configured for SSL or synchronization will fail.

·         For clients to connect to the WSUS server, both the clients and WSUS Web site must have a trusted root CA in common. Without a common certificate, clients will fail to scan for software update compliance.

 Important:

When the active software update point is configured for SSL, and it is configured to accept both client connections from the Internet and intranet, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.

 

5.       On the Internet-based tab, configure the following settings:


 Note:

The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranet-only client connections setting is selected on the General tab.

 

·         Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB.


 Note:

When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page.

 

 Important:

When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point.

 

·         Port number: Specifies the HTTP port number configured on the WSUS server. The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

·         SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

·         Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

 Important:

The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

 

·         Do not synchronize from the software update point located on the intranet: Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point.

 Important:

Even though the Internet-based software update point accepts client connections from the Internet only, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.

 

6.       Review the settings on the remaining tabs that you configured as part of the software update point installation. For more information about the settings, refer to steps 10-15 in the preceding procedure.

Install and Configure a Software Update Point on a Child Primary Site

To install and configure the software update point for a child primary site

1.       In the Configuration Manager console, click Administration.

2.       In the Administration workspace, expand Site Operations and click Servers and Site System Roles.

3.       Add the software update point site system role to a new or existing site system server by using the associated step:

·         New site system server: on the Home tab, in the Create group, click Create Site System Server. The Create Server Wizard opens.

·         Existing site system server: click the server on which you want to install the software update point site role. When you click a server, a list of the site system roles that are already installed on the server is displayed in the details pane. On the Home tab, in the Server group, click Add Site System Role. The Create Roles Wizard opens.

4.       On the General page, specify the general settings for the site system server. When you add the software update point to an existing site system server, verify the values that were previously configured.

5.       On the System Role Selection page, select Software update point from the list of available roles, and then click Next.

6.       On the Software Update Point page, specify whether the site server will use a proxy server when connecting to the software update point and whether to use credentials to connect to the proxy server, and then click Next.

7.       On the Active Settings page, select Use this server as the active software update point, specify the website and port configurations that are used by WSUS, and then click Next.

8.       On the Synchronization Source page, Synchronize from an upstream update server is automatically selected to synchronize software updates from the software update point at the central administration site. The child primary site must have access to the software update point on the central administration site or synchronization will fail. The Synchronize from Microsoft Update and Do not synchronize from Microsoft Update settings are available only when configuring the software update point on the central administration site or stand-alone primary site.

9.       Specify whether to create WSUS reporting events, and then click Next. Configuration Manager does not use these events so you will typically choose the default setting Do not create WSUS reporting events.

10.   On the Languages page, specify the languages for which you want to synchronize software update files, and then click Next. The Software Update File setting is configured at each software update point in the Configuration Manager 2012 hierarchy. Child primary sites will automatically use the summary details (metadata about the software updates) configured for the software update point at the central administration site.

 

11.   On the Summary page, confirm the settings for the software update point. You can go back to previous pages and make changes. Click Next to add the site system role, verify that the wizard successfully completed, and then click Close to exit the wizard.

12.   To monitor the installation progress for the software update point, open SUPSetup.log in <InstallationPath>\Logs. When the installation completes, Installation was successful is written to the log file.

 

After you complete the software update point installation on the site system server, consider the following additional settings available only from Software Update Point Component Properties:

·         Client connection settings: The client connection settings allow you to configure custom ports, whether the software update point accepts communications from clients on the Internet, and to enable SSL communications for the WSUS server. During the initial software update point installation, you selected a standard set of ports, the software update point is configured to accept communications from only clients on the intranet, and SSL communications is not enabled.

·         Internet-based software update point: When the active software update point is configured not to accept communications from clients on the Internet, you can specify an Internet-based software update point that is accessible from clients on the Internet.

·         Network Load Balancing (NLB): You can configure the active software update point or Internet-based software update point to use an NLB cluster. When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point.

 

To complete software update point configuration on the child primary site

1.       In the Configuration Manager console, click Administration.

2.       In the Administration workspace, expand Site Operations, click Sites, and then select the child primary site.

3.       On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. The Software Update Point Component Properties opens.

4.       On the General tab, configure the following settings:

·         Active software update point for this site: Specifies whether the active software update point is configured, and if so, whether it is installed on the site server, a remote site system server, or configured to use NLB.


 Note:

This setting was configured when you installed the software update point on the site server or site system server. You can change the location for the active software update point by using this setting. When the active software update point is installed on a remote site system server, the Active software update point for the site and Software Update Point Connection Account settings are displayed on this page.

 

 Important:

When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point.

 

·         Port number: Specifies the HTTP port number configured on the WSUS server.


 Note:

The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

 

·         SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server.

 Warning:

When the Enable SSL for this WSUS server setting is selected, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

 

·         Active software update point: Specifies the name of the remote site system server that you selected as the active software update point.


 Note:

This setting is only displayed when you installed the active software update point on a remote site system server. You can select a different remote site system server for the active software update point by using this setting. Only remote site system servers with the software update point site system role installed are available for you to select. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and be available to select as the active software update point.

 

·         Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

 Important:

The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

 

·         Allow intranet-only client connections: Specifies that this software update point accepts only connections from clients on the intranet. When you select this setting, the options on the Internet-based tab are enabled and provide you with the option to configure a different remote software update point that accepts connections from clients on the Internet.

·         Allow both intranet and internet client connections: Specifies that this software update point accepts connections from both clients on the intranet and Internet. When this setting is selected, the settings on the Internet-based tab are disabled.

·         Enable SSL communications for the WSUS Server: Specifies whether to use SSL communications on the WSUS server. When this setting is selected, the following actions apply:

·         The WSUS server will synchronize software updates metadata using SSL. The upstream update server must be configured for SSL or synchronization will fail.

·         For clients to connect to the WSUS server, both the clients and WSUS Web site must have a trusted root CA in common. Without a common certificate, clients will fail to scan for software update compliance.

 Important:

When the active software update point is configured for SSL, and it is configured to accept both client connections from the Internet and intranet, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.

 

5.       On the Internet-based tab, configure the following settings:


 Note:

The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranet-only client connections setting is selected on the General tab.

 

·         Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB.


 Note:

When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page.

 

 Important:

When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point.

 

·         Port number: Specifies the HTTP port number configured on the WSUS server. The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

·         SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

·         Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

 Important:

The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

 

·         Do not synchronize from the software update point located on the intranet: Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point.

 Important:

Even though the Internet-based software update point accepts client connections from the Internet only, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.

 

6.       Review the settings on the remaining tabs that you configured as part of the software update point installation. For more information about the settings, refer to steps 8-10 in the preceding procedure.

Install and Configure a Software Update Point on a Secondary Site

To install and configure the software update point for a secondary site

1.       In the Configuration Manager console, click Administration.

2.       In the Administration workspace, expand Site Operations and click Servers and Site System Roles.

3.       Add the software update point site system role to a new or existing site system server by using the associated step:

·         New site system server: on the Home tab, in the Create group, click Create Site System Server. The Create Server Wizard opens.

·         Existing site system server: click the server on which you want to install the software update point site role. When you click a server, a list of the site system roles that are already installed on the server is displayed in the details pane. On the Home tab, in the Server group, click Add Site System Role. The Create Roles Wizard opens.

4.       On the General page, specify the general settings for the site system server. When you add the software update point to an existing site system server, verify the values that were previously configured.

5.       On the System Role Selection page, select Software update point from the list of available roles, and then click Next.

6.       On the Software Update Point page, specify whether the site server will use a proxy server when connecting to the software update point and whether to use credentials to connect to the proxy server, and then click Next.

7.       On the Active Settings page, select Use this server as the active software update point, specify the website and port configurations that are used by WSUS, and then click Next.

8.       On the Synchronization Source page, Synchronize from an upstream update server is automatically selected to synchronize software updates from the software update point at the parent primary site. The Synchronize from Microsoft Update and Do not synchronize from Microsoft Update settings are available only when configuring the software update point on the central administration site or stand-alone primary site.

9.       Specify whether to create WSUS reporting events, and then click Next. Configuration Manager does not use these events so you will typically choose the default setting Do not create WSUS reporting events.

10.   On the Languages page, specify the languages for which you want to synchronize software update files, and then click Next. The Software Update File setting is configured at each software update point in the Configuration Manager 2012 hierarchy. Secondary sites will automatically use the summary details (metadata about the software updates) configured for the software update point at the central administration site.


 Note:

The languages configured for the Software Update File setting provide the default set of languages that will be available when downloading software updates at the site. You should configure the software update file language settings with the languages that are most often used in your environment. For example, if client computers in the site use mostly English and Japanese languages for the operating system or applications, and there are very few other languages used at the site, select English and Japanese in the Software Update File column and clear the other languages. Later, when you download or deploy software updates, the languages will automatically be selected by default on the Language Selection page of the wizard and can be modified as necessary.

 

11.   On the Summary page, confirm the settings for the software update point. You can go back to previous pages and make changes. Click Next to add the site system role, verify that the wizard successfully completed, and then click Close to exit the wizard.

12.   To monitor the installation progress for the software update point, open SUPSetup.log in <InstallationPath>\Logs. When the installation completes, Installation was successful is written to the log file.

 

After you complete the software update point installation on the site system server, consider the following additional settings available only from Software Update Point Component Properties:

·         Client connection settings: The client connection settings allow you to configure custom ports, whether the software update point accepts communications from clients on the Internet, and to enable SSL communications for the WSUS server. During the initial software update point installation, you selected a standard set of ports, the software update point is configured to accept communications from only clients on the intranet, and SSL communications is not enabled.

·         Internet-based software update point: When the active software update point is configured not to accept communications from clients on the Internet, you can specify an Internet-based software update point that is accessible from clients on the Internet.

·         Network Load Balancing (NLB): You can configure the active software update point or Internet-based software update point to use an NLB cluster. When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point.

 

When one of the above configurations is necessary for your software update point, use the following procedure to complete the software update point configuration on the secondary site.

 

To complete software update point configuration on the secondary site

1.       In the Configuration Manager console, click Administration.

2.       In the Administration workspace, expand Site Operations, click Sites, and then select the secondary site.

3.       On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. The Software Update Point Component Properties opens.

4.       On the General tab, configure the following settings:

·         Active software update point for this site: Specifies whether the active software update point is configured, and if so, whether it is installed on the site server, a remote site system server, or configured to use NLB.


 Note:

This setting was configured when you installed the software update point on the site server or site system server. You can change the location for the active software update point by using this setting. When the active software update point is installed on a remote site system server, the Active software update point for the site and Software Update Point Connection Account settings are displayed on this page.

 

 Important:

When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point.

 

·         Port number: Specifies the HTTP port number configured on the WSUS server.


 Note:

The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

 

·         SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server.

 Warning:

When the Enable SSL for this WSUS server setting is selected, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

 

·         Active software update point: Specifies the name of the remote site system server that you selected as the active software update point.


 Note:

This setting is only displayed when you installed the active software update point on a remote site system server. You can select a different remote site system server for the active software update point by using this setting. Only remote site system servers with the software update point site system role installed are available for you to select. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and be available to select as the active software update point.

 

·         Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

 Important:

The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

 

·         Allow intranet-only client connections: Specifies that this software update point accepts only connections from clients on the intranet. When you select this setting, the options on the Internet-based tab are enabled and provide you with the option to configure a different remote software update point that accepts connections from clients on the Internet.

·         Allow both intranet and internet client connections: Specifies that this software update point accepts connections from both clients on the intranet and Internet. When this setting is selected, the settings on the Internet-based tab are disabled.

·         Enable SSL communications for the WSUS Server: Specifies whether to use SSL communications on the WSUS server. When this setting is selected, the following actions apply:

·         The WSUS server will synchronize software updates metadata using SSL. The upstream update server must be configured for SSL or synchronization will fail.

·         For clients to connect to the WSUS server, both the clients and WSUS Web site must have a trusted root CA in common. Without a common certificate, clients will fail to scan for software update compliance.

 Important:

When the active software update point is configured for SSL, and it is configured to accept both client connections from the Internet and intranet, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.

 

5.       On the Internet-based tab, configure the following settings:


 Note:

The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranet-only client connections setting is selected on the General tab.

 

·         Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB.


 Note:

When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page.

 

 Important:

When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point.

 

·         Port number: Specifies the HTTP port number configured on the WSUS server. The site server uses this port when communicating with the WSUS server. This setting was configured when you installed the software update point.

·         SSL port number: Specifies the SSL (HTTPS) port number configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when synchronizing software updates with the WSUS server. This setting was configured when you installed the software update point.

·         Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or an active software update point configured as an NLB cluster. When this account is not specified, the computer account for the site server is used when connecting to the software update point.

 Important:

The account used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

 

·         Do not synchronize from the software update point located on the intranet: Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point.

 Important:

Even though the Internet-based software update point accepts client connections from the Internet only, the Web server certificate must contain both the Internet FQDN and the intranet FQDN.

 

6.       Review the settings on the remaining tabs that you configured as part of the software update point installation. For more information about the settings, refer to steps 8-10 in the preceding procedure.
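The certificate requirements in the Important notes above (a root CA that the client trusts, and a Web server certificate that contains both the Internet FQDN and the intranet FQDN) can be checked from a client computer. The following PowerShell is an added example, not part of the original procedure; the function names, host names and port number are assumptions to replace with your own values.

```powershell
# Added example, not from the original page. Function names are this example's
# own; the host names and port in the sample call are placeholders (assumptions).

function Get-SanDnsName {
    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)

    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # Assumption: Format() text as produced on English-language Windows
    # ("DNS Name=host") or by .NET on OpenSSL platforms ("DNS:host").
    [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-NameCovered {
    # True when $Fqdn matches one of the SAN entries, exactly or by wildcard.
    param([string] $Fqdn, [string[]] $SanNames)

    $name = $Fqdn.ToLowerInvariant()
    foreach ($san in $SanNames) {
        if ($san -eq $name) { return $true }
        # A wildcard covers exactly one left-most label: *.example.com matches
        # updates.example.com but not a.b.example.com.
        if ($san.StartsWith('*.')) {
            $suffix   = $san.Substring(1)
            $firstDot = $name.IndexOf('.')
            if ($firstDot -gt 0 -and $name.Substring($firstDot) -eq $suffix) { return $true }
        }
    }
    return $false
}

function Test-WsusCertificate {
    param(
        [Parameter(Mandatory = $true)] [string]   $ConnectTo,    # name this client uses for the WSUS Web site
        [Parameter(Mandatory = $true)] [int]      $SslPort,      # SSL port number from the General tab
        [Parameter(Mandatory = $true)] [string[]] $RequiredFqdn  # Internet FQDN and intranet FQDN
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ConnectTo, $SslPort)
        # Accept any certificate during the handshake so that it can be inspected;
        # trust is evaluated explicitly with X509Chain below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ConnectTo)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Build the chain against this computer's trusted roots. Revocation checking
    # is switched off so the result reflects only the shared-root requirement.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    $sanNames = @(Get-SanDnsName -Certificate $cert)
    $missing  = @($RequiredFqdn | Where-Object { -not (Test-NameCovered -Fqdn $_ -SanNames $sanNames) })

    [pscustomobject]@{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        SanDnsNames  = $sanNames
        MissingFqdn  = $missing
        ChainTrusted = $trusted
        ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        Pass         = ($trusted -and $missing.Count -eq 0)
    }
}

# Offline check of the name matching with a constructed SAN list:
$constructedSan = 'wsus.corp.example', '*.example.com'
'wsus.corp.example', 'updates.example.com', 'a.b.example.com' | ForEach-Object {
    [pscustomobject]@{ Fqdn = $_; Covered = (Test-NameCovered -Fqdn $_ -SanNames $constructedSan) }
}

# Live check (placeholder names and port):
# Test-WsusCertificate -ConnectTo 'wsus.corp.example' -SslPort 8531 `
#     -RequiredFqdn 'wsus.corp.example', 'updates.example.com'
```

Run the live check once from an intranet client and once from an Internet client, because trust is evaluated against the root store of the computer that runs it.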

Synchronize Software Updates

| Software Update Point | Upstream Update Source |
|---|---|
| Central administration site | Microsoft Update (Internet) |
| Stand-alone primary site | Microsoft Update (Internet) |
| Child primary site | Central administration site |
| Secondary site | Parent primary site |
| Remote Internet-based software update point | Active software update point for the site |

 

 

Synchronize Software Updates from a Connected Software Update Point

To schedule software updates synchronization

1.       In the Configuration Manager console, click Administration.

2.       In the Administration workspace, expand Site Operations, and then click Sites.

3.       In the results pane, click the central administration site or stand-alone primary site.

4.       On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point.

5.       In the Software Update Point Component Properties dialog box, select Enable synchronization on a schedule, and then specify the synchronization schedule.

 

 

To manually initiate software updates synchronization

1.       In the Configuration Manager console connected to the central administration site or stand-alone primary site, click Software Library.

2.       In the Software Library workspace, expand Software Updates, and click All Software Updates or Software Update Groups.

3.       On the Home tab, in the Create group, click Synchronize Software Updates. Click Yes in the dialog box to confirm that you want to initiate the synchronization process.

Synchronize Software Updates from a Disconnected Software Update Point

When the software update point for the central administration site or stand-alone primary site is disconnected from the Internet, or when an Internet-based software update point is disconnected from the active software update point for the site, you must use the export and import functions of the WSUSUtil tool to synchronize software updates metadata. You will export software updates metadata from the WSUS database on a specified export server, copy locally stored license terms files to the disconnected software update point, and then import the software updates metadata to the WSUS database on the disconnected software update point. Use the following table to help you identify the export server from which to export the software updates metadata.

| Software Update Point | Upstream Update Source for Connected Software Update Points | Export Server for a Disconnected Software Update Point |
|---|---|---|
| Central administration site | Microsoft Update (Internet) | Choose a WSUS server that has synchronized with Microsoft Update using the software update classifications, products, and languages that you need in your Configuration Manager 2012 environment. |
| Stand-alone primary site | Microsoft Update (Internet) | Choose a WSUS server that has synchronized with Microsoft Update using the software update classifications, products, and languages that you need in your Configuration Manager 2012 environment. |
| Remote Internet-based software update point | Active software update point for the site | You should choose the software update point for the central administration site or the active software update point for the same site as the export server, if possible. However, you can choose any other software update point in the Configuration Manager 2012 hierarchy as long as it contains the most recent software updates. |

 

Before you start the export process, you should verify that software updates synchronization has completed on the selected export server to ensure that the most recent software updates metadata is synchronized. To verify that software updates synchronization has completed successfully, use the following procedure.

To verify that software updates synchronization has completed successfully on the export server

1.       Open the WSUS Administration console and connect to the WSUS database on the export server.

2.       In the WSUS Administration console, click Synchronizations. A list of the software updates synchronization attempts is displayed in the results pane.

3.       In the results pane, find the latest software updates synchronization attempt and verify that it completed successfully.

 Important:

The WSUSUtil tool must be run locally on the export server to export the software updates metadata and on the disconnected software update point server to import the software updates metadata. In addition, the user running the WSUSUtil tool must be a member of the local Administrators group on each server.

 

 

Export Process for Software Updates

The export process for software updates consists of two main steps: one to copy locally stored license terms files to the disconnected software update point and one to export software updates metadata from the WSUS database on the export server.

Use the following procedure to copy the local license terms metadata to the disconnected software update point.

 

To copy local files from the export server to the disconnected software update point server

1.       On the export server, navigate to the folder where software updates and the license terms for software updates are stored. By default, WSUS stores the files at <WSUSInstallationDrive>\WSUS\WSUSContent\, where WSUSInstallationDrive is the drive on which WSUS is installed.

2.       Copy all files and folders from this location to the WSUSContent folder on the disconnected software update point server.

Use the following procedure to export the software updates metadata from the WSUS database on the export server.

To export software updates metadata from the WSUS database on the export server

1.       At the command prompt on the export server, navigate to the folder that contains WSUSutil.exe. By default, the tool is located at %ProgramFiles%\Update Services\Tools. For example, if the tool is located in the default location, type cd %ProgramFiles%\Update Services\Tools.

2.       Type the following to export the software updates metadata to a package file:

wsusutil.exe export packagename logfile

For example:  wsusutil.exe export export.cab export.log

The format can be summarized as follows: WSUSutil.exe is followed by the export option, the name of the export .cab file created during the export operation, and the name of a log file. WSUSutil.exe exports the metadata from the export server and creates a log file of the operation.


 Note:

The package (.cab file) and log file name must be unique in the current folder.

3.       Move the export package to the folder that contains WSUSutil.exe on the import WSUS server.


 Note:

Moving the package to this folder provides an easy import experience. You can move the package to any location accessible to the import server, and then specify the location when running WSUSutil.exe.

 

Import Software Updates Metadata

Use the following procedure to import software updates metadata from the export server to the disconnected software update point.

 Important:

Never import exported data from a source that you do not trust. Importing content from a source you do not trust might compromise the security of your WSUS server.

 

To import metadata to the database of the import server

1.       At the command prompt on the import WSUS server, navigate to the folder that contains WSUSutil.exe. By default, the tool is located at %ProgramFiles%\Update Services\Tools.

2.       Type the following:

wsusutil.exe import packagename logfile

For example:   wsusutil.exe import export.cab import.log

The format can be summarized as follows: WSUSutil.exe is followed by the import command, the name of the package file (.cab) created during the export operation (and the path to the package file if it is in a different folder), and the name of a log file. WSUSutil.exe imports the metadata from the export server and creates a log file of the operation.
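The export and import steps above can be wrapped so that the package is hashed on the export server and checked on the import server before wsusutil.exe import runs, which turns the rule about untrusted sources into a concrete check. This is an added example, not part of the original procedure: the function names, the out-of-band SHA-256 hand-off and the reliance on a non-zero exit code from wsusutil.exe are assumptions, and Get-FileHash requires PowerShell 4.0 or later in an elevated session.

```powershell
# Added example. Function names are hypothetical; run each function locally on
# the relevant server as a member of the local Administrators group.
$ToolsDir = Join-Path $env:ProgramFiles 'Update Services\Tools'   # default tool location

function Export-WsusMetadataWithHash {
    param([string]$Package = 'export.cab', [string]$Log = 'export.log')
    Push-Location $ToolsDir
    try {
        # The package and log file names must be unique in the current folder.
        foreach ($name in $Package, $Log) {
            if (Test-Path $name) { throw "'$name' already exists in $ToolsDir" }
        }
        & .\wsusutil.exe export $Package $Log
        # Assumption: wsusutil.exe returns a non-zero exit code on failure.
        if ($LASTEXITCODE -ne 0) { throw "Export failed; review $Log" }
        # Return the hash so it can be sent to the import side through a
        # channel separate from the media that carries the .cab file.
        (Get-FileHash -Path $Package -Algorithm SHA256).Hash
    }
    finally { Pop-Location }
}

function Import-WsusMetadataVerified {
    param(
        [Parameter(Mandatory = $true)][string]$Package,         # path to the copied .cab
        [Parameter(Mandatory = $true)][string]$ExpectedSha256,  # value from the export server
        [string]$Log = 'import.log'
    )
    $full   = (Resolve-Path -Path $Package -ErrorAction Stop).Path
    $actual = (Get-FileHash -Path $full -Algorithm SHA256).Hash
    # -ne compares strings case-insensitively, so hex case does not matter.
    if ($actual -ne $ExpectedSha256.Trim()) {
        throw "SHA-256 mismatch for $full (got $actual); package not imported."
    }
    Push-Location $ToolsDir
    try {
        if (Test-Path $Log) { throw "'$Log' already exists in $ToolsDir" }
        & .\wsusutil.exe import $full $Log
        if ($LASTEXITCODE -ne 0) { throw "Import failed; review $Log" }
    }
    finally { Pop-Location }
}

# On the export server:   $hash = Export-WsusMetadataWithHash
# On the import server:   Import-WsusMetadataVerified -Package 'D:\transfer\export.cab' -ExpectedSha256 '<hash from export server>'
```

A hash that travels on the same media as the package only detects corruption in transit; delivering it separately is what lets the import side confirm that the file is the one the export server produced.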

Source: http://blogs.msdn.com/b/scstr/

Source: http://www.mycloud-tr.com/

İsmail Şen