SCCM with WSUS in DMZ serving Internet Facing clients Overview: This Blog will document at a high level my experience of implementing a 'Software Update Point' on a site server in our DMZ to serve SCCM clients (including Workgroup servers) on the Internet. It will explain the implementation process as well as expected behaviour by diving into the log files on both the site server and client. Please ask questions in the comments field; and I will update the main narrative in response. Architectural design overview One Primary site server on Internal network One Site system Server within DMZ Ports opened on firewall to allow servers to communicate. Configured with the following System roles: Management point Distribution point Software update point Work group servers within the DMZ/Internet facing clients only The Site system Server within DMZ had the WSUS role installed through 'Server Manager' console. Within IIS a webserver certificate was