Hi Jared,
DO does not work for isolated networks; this is the only applicable DownloadMode for such environments:
Simple (99) Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching.
https://learn.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization-reference#download-mode
Does Delivery Optimization work with WSUS?: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
https://learn.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization#frequently-asked-questions
For point 1:
Instead of DO, we can use BITS+BranchCache:
https://learn.microsoft.com/en-us/windows/deployment/update/waas-branchcache
For point 2:
Which ports does Delivery Optimization use?: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
The DO clients contact the cloud service from which they obtain a list of peers, then try to contact those peers on port 7680.
For point 3:
Besides the inherent security of DO, WU also implements this mechanism to ensure the update files are not compromised:
WSUS uses SSL for metadata only, not for update files. This is the same way that Microsoft Update distributes updates. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. In addition, a hash is computed and sent together with the metadata for each update. When an update is downloaded, WSUS checks the digital signature and hash. If the update has been changed, it is not installed.
https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#25-secure-wsus-with-the-secure-sockets-layer-protocol
HTH,
Andrei
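As an added example (not part of Andrei's reply or of the Microsoft documentation he quotes), the following PowerShell puts the three points above into checks an administrator can run on a client: confirming the effective DownloadMode and pinning the policy to Simple (99) for an isolated network, checking whether TCP 7680 is listening and allowed inbound so peer-to-peer can actually work, and verifying the Authenticode signature and hash of a downloaded update file the way WU/WSUS does before installing it. It assumes Windows 10/11 with the DeliveryOptimization and NetSecurity modules and an elevated prompt; the `DownloadMode` property name on `Get-DOConfig` output and the sample file path and expected hash are assumptions, not values from the post.

```powershell
# Added example; not from the original post. Assumes an elevated Windows 10/11 session
# with the DeliveryOptimization and NetSecurity modules available.

$doPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# Point 1: report the effective DownloadMode and the policy value, if one is set.
# Simple (99) is the only mode that works without reaching the DO cloud service.
function Get-DoDownloadModeReport {
    $cfg = Get-DOConfig   # effective DO configuration; 'DownloadMode' property name is assumed
    $policy = (Get-ItemProperty -Path $doPolicyKey -Name DODownloadMode `
               -ErrorAction SilentlyContinue).DODownloadMode
    [pscustomobject]@{
        EffectiveMode = $cfg.DownloadMode
        PolicyMode    = $policy
        OfflineSafe   = ($cfg.DownloadMode -eq 99)
    }
}

# Pin the policy to Simple (99) for an isolated network. Writing the policy key is what the
# "Download Mode" Group Policy does; the DO service picks it up on its next configuration refresh.
function Set-DoSimpleModeForOffline {
    if (-not (Test-Path $doPolicyKey)) { New-Item -Path $doPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $doPolicyKey -Name DODownloadMode -Value 99 -Type DWord
    Get-DoDownloadModeReport
}

# Point 2: is DO listening on TCP 7680, and does an enabled inbound Allow rule cover that port?
# Without both, peers cannot reach this device and downloads fall back to HTTP(S) on 80/443.
function Test-DoPeerPort {
    $listening = [bool](Get-NetTCPConnection -LocalPort 7680 -State Listen `
                        -ErrorAction SilentlyContinue)
    $allowRules = Get-NetFirewallPortFilter -Protocol TCP |
                  Where-Object { $_.LocalPort -eq 7680 } |
                  Get-NetFirewallRule |
                  Where-Object { $_.Direction -eq 'Inbound' -and
                                 $_.Enabled   -eq 'True'    -and
                                 $_.Action    -eq 'Allow' }
    [pscustomobject]@{
        Listening7680     = $listening
        InboundAllowRules = @($allowRules | Select-Object -ExpandProperty DisplayName)
        PeerToPeerPossible = $listening -and ($allowRules.Count -gt 0)
    }
}

# Point 3: reproduce the client-side integrity check on a downloaded update file.
# WSUS sends the payload over plain HTTP but the file is Authenticode-signed, and the
# metadata carries a hash; here the caller supplies the hash it obtained from the metadata.
function Test-UpdateFileIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256    # hex digest from WSUS metadata; constructed input in the demo below
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $hashOk = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.ToUpperInvariant() } else { $null }
    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status                 # 'Valid' only if the chain verifies
        Signer          = $sig.SignerCertificate.Subject
        Sha256          = $hash
        HashMatches     = $hashOk
        SafeToInstall   = ($sig.Status -eq 'Valid') -and ($hashOk -ne $false)
    }
}

# Demo run (the .msu path and digest are constructed placeholders, not values from the post).
Get-DoDownloadModeReport | Format-List
Test-DoPeerPort          | Format-List
Test-UpdateFileIntegrity -Path 'C:\Updates\example-update.msu' `
                         -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000' |
    Format-List
```

`Set-DoSimpleModeForOffline` writes the same registry value the "Download Mode" Group Policy sets, so on domain-joined machines prefer the GPO and use the function only to confirm the result. `Test-DoPeerPort` reports the port as unreachable when either the listener or an enabled inbound Allow rule is missing, which is the situation the FAQ describes where devices still download over 80/443 but never exchange content with peers.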