Do I need to install the SUP Role for an IBCM server in DMZ?

Bryan 21 Reputation points

My company is fairly small with approximately 700 Configuration Manager endpoints. We currently have one MECM primary server (currently on v2111) that includes the DP, MP, SUP with a few other roles. My company has approximately 100 laptops all working from home these days. The laptops have the ability to connect to our network via VPN, but we want to ensure we can deploy Microsoft updates and applications when the laptop is either on or off our internal network.

The goal is to setup a IBCM server in our DMZ. I have review Microsoft resources and 3rd party resources on how to do this. Some resources refer to setting up DP, MP and SUP roles (including WSUS) on the IBCM server while resource only reference the DP and MP roles. I think I only need to install the DP role and the MP role on the IBCM server. My thinking is I would still create the software update group on the primary server, download the software and create the deployment on the primary server and just push to the DP on the IBCM server.

Please confirm if my thinking as stated above is correct. If I do need a SUP role (including WSUS) on the IBCM server, would someone please clarify why.

Microsoft Configuration Manager
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Jason Sandys 30,881 Reputation points Microsoft Employee

    If you want to deploy updates, then the clients need access to a SUP. If they are on the Internet, that means making a SUP accessible to them while they are also on the Internet.

    Is there a reason you aren't pushing the easy button here though and using a CMG?

    No comments