The central administration site and all primary child sites in the Configuration Manager hierarchy must have an active software update point to support software update deployments to client devices. The software update point communicates with WSUS to configure settings and to synchronize software updates. You can configure the active software update point to accept communication from only devices on the intranet or accept communication from devices on the intranet and internet. When the active software update point is not configured to accept communication from devices on the internet, you have the option to create an internet-based software update point. You can add the software update site role to a secondary site or client computers at the secondary site can connect directly to the active software update point on the parent primary site.

The internet-based software update point accepts communication from devices on the internet. You can only create the internet-based software update point when the active software update point is not configured to accept communication from devices on the internet. This site role must be assigned to a site system that is remote from the site server, located in a perimeter network, and accessible to internet-based devices. The internet-based software update point synchronizes with the active software update point at the same site. When connectivity between the active software update point and internet-based software update point, you can manually synchronize software updates by using the export and import process.

Using NLB provides enhanced scalability and availability for server applications. When the number of expected clients at the site reaches capacity limitations for the active software update point, you can configure the active software update point as an NLB cluster using two or more WSUS servers. For more information about the supported capacity of the software update point, see Capacity Planning for Software Updates.

The software update point is optional on a secondary site. When you install a software update point on a secondary site, the WSUS database is configured as a replica instead of an autonomous WSUS instance that is used when installing the software update point on a primary site or central administration site.

Devices assigned to a secondary site are configured to use the active software update point at the parent site when a software update point is not configured at the secondary site. Typically, you will install an active software update point at a secondary site when there is limited network bandwidth between devices assigned to the secondary site and the active software update point at the parent site or when the software update point is approaching capacity. Internet-based software update points are not supported on secondary sites. After the active software update point is successfully installed and configured on the secondary site, the Group Policy is updated on client computers and they will start using the new software update point.