Most of the time, the top-level site in a hierarchy is configured to synchronize software update metadata with Microsoft Update. Some companies' corporate security policies don't allow access to the Internet from the top-level site. With System Center Configuration Manager 2012 SP1, it is now possible to configure the synchronization source for the top-level site to use an existing WSUS server that is not in your Configuration Manager hierarchy. In the Software Update Point Component properties, you now have the option to synchronize from an upstream data source location (URL).
http://technet.microsoft.com/en-us/library/gg712696.aspx#BKMK_WSUSSyncSource
The synchronization takes care of the patch catalog, but what about the updates I need to create my patch bundles? If you configure the upstream WSUS server as a patch repository, you will have an alternative download location while still keeping the top-level ConfigMgr 2012 SP1 server not directly connected to the Internet. It is important to make sure that the upstream WSUS server is configured with patch levels and synchronization options that match those of the software update point, to avoid headaches.
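One way to check that the two servers match before the first synchronization, as an added example that is not from the original post. It reads the synchronization settings through the WSUS `UpdateServices` PowerShell module; the server names and port are hypothetical placeholders, and it assumes the software update point's settings are visible on the WSUS instance that backs it.

```powershell
# Added example. Server names and the port are hypothetical placeholders.
# Requires the WSUS admin tools (UpdateServices module) and WSUS admin rights on both servers.
Import-Module UpdateServices

function Get-WsusSyncProfile {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [int]$Port = 8530
    )
    $server = Get-WsusServer -Name $Name -PortNumber $Port
    $sub    = $server.GetSubscription()      # products and classifications chosen for sync
    $config = $server.GetConfiguration()     # server-wide options (languages, express files)
    [pscustomobject]@{
        Server          = $Name
        Products        = @($sub.GetUpdateCategories()      | ForEach-Object { $_.Title })
        Classifications = @($sub.GetUpdateClassifications() | ForEach-Object { $_.Title })
        AllLanguages    = $config.AllUpdateLanguagesEnabled
        Languages       = @($config.GetEnabledUpdateLanguages()) -join ','
        ExpressFiles    = $config.DownloadExpressPackages
    }
}

$upstream = Get-WsusSyncProfile -Name 'wsus-upstream.example.local'   # standalone upstream WSUS
$sup      = Get-WsusSyncProfile -Name 'cm-sup.example.local'          # WSUS behind the top-level SUP

$mismatch = $false
foreach ($field in 'Products', 'Classifications') {
    # Selected on the SUP but not on the upstream: the upstream has nothing to offer for it.
    $missing = @($sup.$field | Where-Object { $upstream.$field -notcontains $_ })
    # Selected only on the upstream: extra disk and bandwidth there, nothing reaches the SUP.
    $extra   = @($upstream.$field | Where-Object { $sup.$field -notcontains $_ })

    foreach ($item in $missing) {
        Write-Warning "$field '$item' is selected on the SUP but not on the upstream server"
        $mismatch = $true
    }
    foreach ($item in $extra) {
        Write-Output "$field '$item' is selected only on the upstream server"
    }
}

# Side-by-side view of the remaining options for a manual check.
$upstream, $sup | Format-Table Server, AllLanguages, Languages, ExpressFiles -AutoSize

if (-not $mismatch) { Write-Output 'Products and classifications on the SUP are covered by the upstream server.' }
```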
Populate the WSUSCONTENT folder with Express Installation files.
On the upstream standalone WSUS server, select the option to download the express installation files and allow some time for the update binary downloads to take place. It will populate the WSUSCONTENT folder with all the express installation files based on the products and classifications that you have selected. This option doesn't require you to approve updates. For my test I only selected the categories that I required and the server downloaded 200 GB of express installation files. You'll notice that when you set up a software update group and select updates to add to your bundle, you are only prompted with the options to download from the Internet or from a network location.
- Create a new software update group on the top-level ConfigMgr server.
- Select Browse and enter the UNC path to the WSUSCONTENT folder on the upstream standalone WSUS server. It will grab all the updates you selected and move them to your deployment package source.
This option provides another layer of security and should free the administrator to work on tasks other than downloading security updates.