Well, this is in my lab for some testing I’m doing.  

 

The goal is we have a site that needs to be firewalled off.  There are 
literally multiple firewall levels in this one site.  So Zone 3 can talk to 
Zone 2 but Zone 3 can’t talk to Zone 1.  The SCCM server will have to be placed 
in Zone 2 so the clients in Zone 3 can talk to it.  But the problem with this 
design is that since the SCCM w/SUP is in this firewalled site other clients 
from outside the site don’t care/know not to go to it so they will try to get 
to the SUP and not be able to connect.  It’s the same thing for the clients in 
the firewall’ed site, SCCM will serve them a SUP in some other site they can’t 
get to it and won’t be able to connect.  

 

The only permanent solution I can think of is to get some reverse proxy setup 
that will allow clients in Zone3 be able to get to our SCCM infrastructure in 
Zone1.  We’ll use reverse proxy to get to MP/SUP in zone 1 and keep the DP in 
Zone 2.

 

In the meantime to make sure that the firewalled clients only get to the SCCM 
server in their site at Zone 2 is to install a primary for them to access.  
This is a horrible solution, but can’t think of any other way to ensure I can 
service this site and make sure no other clients from some other site try to 
access the firewalled site.  The primary will be up for 3-4 months until we can 
get the reverse proxy solution.

 

Not thrilled but need to service these clients ASAP.

 

If anyone wants to prove they are much smarter than me, I’m open to 
suggestions.. ha.

 

Thanks

 

Rob

 

 

From: [email protected] [mailto:[email protected]] On 
Behalf Of Daniel Ratliff
Sent: Thursday, October 8, 2015 3:32 PM
To: [email protected]
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.

 

So if that 1 SUP is firewalled off, is it serving clients at all? Remove the 
role if not?

 

Daniel Ratliff

 

From: [email protected] <mailto:[email protected]>  
[mailto:[email protected]] On Behalf Of Robert Spinelli
Sent: Thursday, October 08, 2015 3:28 PM
To: [email protected] <mailto:[email protected]> 
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.

 

Yep, the problem with the error switching is that none of the errors below are 
presented, so it doesn’t switch.  As far as it’s concerned it’s like you’re home 
and trying to connect but it’s offline.  Being offline isn’t an error. I could 
modify as below but then lots of clients who are home on their laptops, etc. 
would try to switch, not great.

 

http://blogs.technet.com/b/umairkhan/archive/2014/10/03/configmgr-2012-r2-multiple-sup-scenario-clients-not-failing-over-to-the-other-sup.aspx

 

I really wish MS allowed you to assign SUP’s to boundary groups also.

 

IBCM SUP’s is why you don’t see this.  We aren’t doing PKI, so not an option 
for us.

 

Thanks

 

Rob

From: [email protected] <mailto:[email protected]>  
[mailto:[email protected]] On Behalf Of Daniel Ratliff
Sent: Thursday, October 8, 2015 3:11 PM
To: [email protected] <mailto:[email protected]> 
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.

 

We have our IBCM SUPs in the DMZ and don’t have any issues because they only 
service internet clients. 

 

Also remember, if it fails to talk to a SUP, it will retry every 30 minutes, 
for a total of 4 times (2 hours). If the error code is an accepted one it will 
move to another SUP. 

 

http://blogs.technet.com/b/configmgrteam/archive/2013/03/27/software-update-points-in-cm2012sp1.aspx
 

 



 

Daniel Ratliff

 

From: [email protected] <mailto:[email protected]>  
[mailto:[email protected]] On Behalf Of Robert Spinelli
Sent: Thursday, October 08, 2015 3:05 PM
To: [email protected] <mailto:[email protected]> 
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.

 

Have you had any issues with clients not being able to connect to the SUP’s 
because of firewall issue?

 

Long story short, since SUP’s aren’t really assigned to boundary groups like 
DP’s and now recently MP’s, clients are trying to connect to a SUP that is 
firewalled off.  If we have 4 SUP’s that are all part of the same forest, but 1 
SUP is behind a firewall, 1 in 4 chance clients will be served that SUP and not 
be able to connect.  

 

Anyone else seen this?

 

Thanks

 

Rob

 

From: [email protected] <mailto:[email protected]>  
[mailto:[email protected]] On Behalf Of Daniel Ratliff
Sent: Thursday, October 8, 2015 2:25 PM
To: [email protected] <mailto:[email protected]> 
Subject: RE: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.

 

We just had a case with Microsoft and moved all 6 SUPs at each primary to a 
shared DB and content. Works great.

 

Daniel Ratliff

 

From: [email protected] <mailto:[email protected]>  
[mailto:[email protected]] On Behalf Of Jason Wallace
Sent: Thursday, October 08, 2015 1:49 PM
To: [email protected] <mailto:[email protected]> 
Subject: Re: [mssms] How many SUP's supported on SCCM 2012 R2 SP1 CU1 primary.

 

You can have 4 SUPs sharing one WSUS database.

 

The tested number of SUPs in a primary site is 8


On 8 Oct 2015, at 18:37, Robert Spinelli <[email protected] 
<mailto:[email protected]> > wrote:

I can’t seem to find how many SUP’s are supported on SCCM 2012 R2 SP1 CU1?

 

I could have sworn at one point there was something on the website that showed 
that a primary supported a maximum of 4 SUP’s.

 

I don’t see that statement anymore. Is my Google-fu failing? Below is the 
section about SUP’s but no longer have a statement of how many it supports.

 

https://technet.microsoft.com/en-us/library/gg682077.aspx


 

Thanks

 

Rob

 

 


The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.

 

 



 

 



 



