What Security Features Are Built Into SUS?

I’m thinking of deploying SUS but I’m a bit concerned over security. What security features does SUS provide?

Contributed By: Cliff Hobbs [MVP SMS]

The SUS solution consists of two main components:

  • The SUS Server – Whenever a SUS server downloads content, either from the Microsoft Windows Update servers or from another server running SUS, no server-to-server authentication is carried out. Any content that is downloaded by SUS is digitally signed by Microsoft. If for any reason downloaded content either isn’t signed by Microsoft or has an invalid signature (suggesting it has been modified somewhere along the line), then the SUS server doesn’t trust it. This is imperative to ensure the integrity and security of the environment, especially given the nature of the content (remember that SUS SP1 only supports Windows critical updates and security rollouts). SUS also allows administrators to choose whether they administer SUS over a standard HTTP connection or an SSL-enabled HTTPS connection.
     
  • The Automatic Updates Client – The SUS client can download content either from the public Windows Update site or, for organisations requiring a greater degree of control over what gets loaded on their machines, from a SUS server. Again, like the SUS server, before any content is installed the client checks that the content is signed by Microsoft and that the signature is valid. If the signature is invalid, the content isn’t installed. In addition to checking the signature, the Automatic Updates client also checks the CRC on each update to ensure its integrity.
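
An administrator can reproduce the signature check described in both bullets against a folder of downloaded update files. The PowerShell below is an added example, not part of the original FAQ or of SUS itself; the function name Test-UpdateSignature, the file extensions and the publisher string are assumptions, and the content folder must be supplied by the caller.

```powershell
# Added example: audit downloaded update files the way the FAQ describes,
# trusting a file only if it carries a valid signature from the expected publisher.
function Test-UpdateSignature {
    param(
        # Folder holding the downloaded update files (no default; environment-specific).
        [Parameter(Mandatory = $true)][string]$ContentPath,
        # Assumed publisher string. Matching on the certificate subject is a coarse check.
        [string]$ExpectedPublisher = 'O=Microsoft Corporation'
    )

    Get-ChildItem -Path $ContentPath -Recurse -File -Include *.exe, *.cab |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # Unsigned files have no signer certificate at all.
            $subject = $null
            if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

            # Status 'Valid' means the file hash matches the signature and the
            # certificate chain builds to a trusted root on this machine.
            $validSig  = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
            $publisher = $subject -and $subject.Contains($ExpectedPublisher)

            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
                Signer  = $subject
                Trusted = ($validSig -and $publisher)
            }
        }
}

# Usage (placeholder path): list every file that would not be trusted.
# Test-UpdateSignature -ContentPath 'C:\Path\To\UpdateContent' |
#     Where-Object { -not $_.Trusted } |
#     Format-Table File, Status, Signer -AutoSize
```

A HashMismatch status corresponds to the "modified somewhere along the line" case in the first bullet, and NotSigned to content that was never signed. A CRC check on its own would catch accidental corruption but not a deliberate change, which is why the signature decides trust.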
© FAQShop.com 2003 - 2008
