Hey Guys,
The last topic I created, about grabbing superseded updates from WSUS, is what this is still about, because I can't accept installing updates manually as an answer. So I went ahead and did even more research on this.
To keep it simple, I went ahead and adjusted the Local Group Policy / Computer Configuration / Administrative Templates / Windows Components / Windows Update / Specify intranet Microsoft update service location setting (http://172.16.3.3:8530).
Allowed a rule through TMG to permit bidirectional traffic on TCP 8530 between the server LAN (172.16.8.x <-> 172.16.3.3).
When I click "Check for updates" it's good; I can see the established connection using netstat on port 8530.
As soon as I click "Download updates", it tries to grab from internet-based servers... I can see the SYN_SENT right away, and I can see the blocked HTTP traffic on the TMG.
So I went ahead and set the GPO setting and removed the port from the URL (http://172.16.3.3). Doing a netstat after clicking "Check for updates" showed a connection attempt to 172.16.3.3 via HTTP, so I added the protocol to the allow rule between the servers, and sure enough it changed to ESTABLISHED, and I see the allow through the TMG. However, this now gives an error when I click "Check for updates"...
There has to be a way for me to get this dang server to get updates from our WSUS server on the other side of the TMG firewall... but how?! What am I doing wrong?!
*NOTE* With the port 8530 specified in the local GPO, I can access http://wsus/selfupdate/wuident.cab perfectly fine. I ran wuauclt /detectnow and no errors were reported in the WindowsUpdate.log file.
*NOTE* The WSUS server is set up to cache all updates to a local directory. I attempted to see the files in there, but all it contained were random-string .cab files; I wish they would just contain the KB number and the .msu files for easier verification of which updates are available in the cache.
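As an added diagnostic (not part of the original post, and not a WSUS or TMG tool), the script below runs on the client server and checks the three things the Windows Update agent needs before it will download from an intranet WSUS rather than from Microsoft: the policy registry values WUServer and WUStatusServer (both including the port), UseWUServer set to 1, and TCP reachability of the WSUS port plus the selfupdate manifest through the firewall. It assumes the WSUS address from the post (http://172.16.3.3:8530) and uses only PowerShell 2.0-era .NET calls so it also runs on older hosts.

```powershell
# Added diagnostic; assumes the WSUS URL from the post. Adjust if needed.
$WsusUrl = 'http://172.16.3.3:8530'

# 1. Policy values the Windows Update agent reads. If WUStatusServer is
#    missing or the two URLs differ (e.g. one without the port), clients
#    can detect against WSUS yet still fall back to public servers.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$policy\AU" -ErrorAction SilentlyContinue
New-Object PSObject -Property @{
    WUServer       = $wu.WUServer
    WUStatusServer = $wu.WUStatusServer
    UseWUServer    = $au.UseWUServer
} | Format-List

if ($wu.WUServer -ne $WsusUrl -or $wu.WUStatusServer -ne $WsusUrl) {
    Write-Warning "WUServer and WUStatusServer should both be $WsusUrl"
}
if ($au.UseWUServer -ne 1) {
    Write-Warning "UseWUServer is not 1; the agent will ignore WUServer"
}

# 2. TCP reachability of the WSUS port through the TMG rule.
$uri = [uri]$WsusUrl
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($uri.Host, $uri.Port)
    "TCP $($uri.Host):$($uri.Port) reachable"
} catch {
    Write-Warning "TCP $($uri.Host):$($uri.Port) blocked: $($_.Exception.Message)"
} finally { $tcp.Close() }

# 3. The selfupdate manifest, the first object a client fetches.
try {
    $bytes = (New-Object System.Net.WebClient).DownloadData("$WsusUrl/selfupdate/wuident.cab")
    "wuident.cab fetched: $($bytes.Length) bytes"
} catch {
    Write-Warning "wuident.cab fetch failed: $($_.Exception.Message)"
}

# 4. Recent download-related agent log lines (plain-text log on Windows 7 /
#    Server 2008 R2; on Windows 10+ run Get-WindowsUpdateLog first).
Get-Content "$env:windir\WindowsUpdate.log" |
    Select-Object -Last 200 |
    Select-String -Pattern 'Download|WARNING|FATAL|WUServer'
```

If step 1 shows mismatched URLs, re-check the GPO after a `gpupdate /force`, since the "Set the alternate download server" field and the intranet statistics server field both feed these values.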