The SUS parent server downloads critical updates and security updates on a daily basis from the public Microsoft Windows Update servers using a preconfigured synchronization schedule. The SUS parent server requires that the outbound TCP port 80 be open through the firewall.
The SUS test server is configured to download the updates from the SUS parent server. This also occurs daily, with the synchronization time set to one hour after the SUS parent server synchronizes with the public Microsoft Windows Update servers (one hour is the smallest offset the synchronization schedule allows). This ensures that the packages are present on the SUS test server as soon as possible and are ready for approval and testing.
The SUS test team should approve the new updates on the SUS test server. After they have been approved, the updates become immediately available to all SUS test clients. The SUS test clients will poll the SUS test server every 22 hours, minus up to 20 percent for randomization. This is to avoid having all SUS clients poll the server at the same time. After testing is deemed successful for a specific update, the SUS administrator should approve that update on the SUS parent server.
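The 22-hour detection interval with up to 20 percent subtracted at random is a jittered polling scheme: without the jitter, every client that started at the same moment would hit the server in the same instant on every cycle. The following model, added here as an illustration and not code from the SUS product or this guide, computes the interval bounds and simulates a fleet of clients with and without jitter so the difference in peak load on the server is visible. The client count, number of cycles, bucket width and the assumption that all clients start from the same point in time are constructed for the example.

```python
import random
from collections import Counter

# Detection interval used by SUS clients (as described on the page):
# 22 hours, reduced by a random amount of up to 20 percent.
BASE_INTERVAL_HOURS = 22.0
MAX_JITTER_FRACTION = 0.20


def poll_interval_bounds():
    """Return (shortest, longest) possible poll interval in hours."""
    shortest = BASE_INTERVAL_HOURS * (1 - MAX_JITTER_FRACTION)  # 17.6 h
    return (shortest, BASE_INTERVAL_HOURS)


def next_poll_interval_hours(rng):
    """Draw one jittered interval: 22 h minus a uniform random 0..20 percent."""
    return BASE_INTERVAL_HOURS * (1 - rng.random() * MAX_JITTER_FRACTION)


def simulate_peak_load(num_clients, cycles, bucket_minutes, jitter, seed=0):
    """Simulate `num_clients` clients polling for `cycles` consecutive intervals.

    All clients are assumed (constructed worst case) to start from the same
    point in time, e.g. a site-wide reboot. Returns the largest number of
    polls that land in any single time bucket of `bucket_minutes` minutes.
    With jitter=False every client polls exactly every 22 h, so every cycle's
    polls stack up in one bucket; with jitter=True they spread out.
    """
    rng = random.Random(seed)
    buckets = Counter()
    for _ in range(num_clients):
        t = 0.0  # hours since the common start
        for _ in range(cycles):
            if jitter:
                t += next_poll_interval_hours(rng)
            else:
                t += BASE_INTERVAL_HOURS
            buckets[int(t * 60 // bucket_minutes)] += 1
    return max(buckets.values())


if __name__ == "__main__":
    lo, hi = poll_interval_bounds()
    print(f"client poll interval lies in [{lo:.1f} h, {hi:.1f} h]")
    clients = 1000
    herd = simulate_peak_load(clients, cycles=5, bucket_minutes=15, jitter=False)
    spread = simulate_peak_load(clients, cycles=5, bucket_minutes=15, jitter=True)
    print(f"peak polls per 15-minute bucket: no jitter={herd}, jitter={spread}")
```

The unjittered run reports a peak equal to the whole client population, because every cycle lands in one bucket; the jittered run spreads the same polls over a window that starts at 4.4 hours on the first cycle and widens on each subsequent one, which is the load-smoothing the text is describing.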
After the update is approved on the SUS parent server, SUS clients reporting in to that server begin downloading it, by default, within 22 hours. Installation starts according to the specified schedule, or when it is performed by the local administrator. Client computers reporting in to SUS child servers will start downloading the update up to 22 hours from the point at which the approval reaches the child server.
The SUS child servers are configured to synchronize automatically with the parent server on a daily basis. Child servers download all content, together with the list of approved items, from the SUS parent server. After synchronization, all updates approved on the SUS parent server are mirrored on the SUS child servers and are immediately available to the production SUS clients configured to poll those child servers for critical and security updates. In the topology design shown in Figure 2.3, administrators need only approve an update on the SUS parent server for it to be made available to all production SUS clients. A manual synchronization can be initiated on any SUS server at any time.
Microsoft occasionally updates the detection criteria (metadata) for a software update, which causes the software update to appear with an “updated” status. A software update may also be reissued, which likewise causes an “updated” status to appear in the interface. Re-releases are rare, however, and when one occurs, the software update bulletin describes it. If the original version of the update has already been approved in the SUS GUI, the SUS administrator can configure the SUS server either for auto-approval or for manual approval of the re-released version of the update.
To ensure that revised updates are not automatically released into production without testing, the administrator should select the option “Do not automatically approve new versions of approved updates. I will manually approve these updates later” on the SUS server.