Setting up a transparent OSX Software update server

There have been many sets of instructions on how to set up a software update server (SUS) on the Mac using OSX Server. However, in closed environments, changing multiple clients using “defaults write” to point them at the internal SUS might not be feasible.

Recently, I came across a document, by way of a colleague, on how to set up a transparent SUS that uses the same address as Apple on the network and “reflects” the relevant catalog paths to a server in the local network.

The advantage? Much faster software update speeds and no changes to the clients.

The disadvantage? You would need a physically separate machine to run the SUS on, preferably in the DMZ. The reason is that the SUS server must resolve names through the external DNS and must NOT use the internal DNS at all; otherwise it would resolve swscan.apple.com to itself and never reach Apple.

That said, in a larger environment the gain in speed fully justifies the small increase in hardware cost of setting this up.

The attached document on how to do this is below.

Setting up a transparent SUS

Additional notes

For what it's worth, if you DO NOT have an OSX Server running Apache, you could use any other Apache server with the swscan.apple.com domain pointed to it. Depending on the configuration of that server, you may or may not be able to change the directory configuration easily through an interface (as you can in OSX Server). However, if you at least have AllowOverride All enabled for the document root, you can use a .htaccess file to set up the redirects with the mod_alias Redirect directive. In that case, the .htaccess file would contain the following.

Redirect /content/catalogs/index-1.sucatalog http://yoursus.yourdomain.com:8088/index.sucatalog
Redirect /content/catalogs/others/index-leopard.merged-1.sucatalog http://yourserver.yourdomain.com:8088/index-leopard.merged-1.sucatalog
Redirect /content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog http://yourserver.yourdomain.com:8088/index-leopard-snowleopard.merged-1.sucatalog

Contents as follows…

This is a way to transparently set up a server to cache software updates on your local network. This doesn’t require any modifications (defaults write…) on clients — it just works. And I didn’t find any other similar solution on the internet; not even here! It does require Mac OS X Server, however. Here’s how we did it:

  1. Build a Mac OS X Server and call it yoursus. We used a headless Mac mini to do the job.
  2. You must use external DNS servers on this server (so it won’t check itself for updates).
  3. Add a record for your server on your internal DNS, so yoursus.yourdomain.com resolves to your SUS’s IP.
  4. Start Software Update Server (SUS). It may take some time to cache all updates — our /usr/share/swupd/html/ folder now has almost 9GB of files in it!
  5. Start Web Service, and add following redirect (Server Admin » Web » Sites » default » Edit » Aliases » URL Aliases and Redirects » Add » Redirect):
    • Pattern: /content/catalogs/index-1.sucatalog
    • Path: http://yoursus.yourdomain.com:8088/index.sucatalog
    • Pattern: /content/catalogs/others/index-leopard.merged-1.sucatalog
    • Path: http://yourserver.yourdomain.com:8088/index-leopard.merged-1.sucatalog
    • Pattern: /content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog
    • Path: http://yourserver.yourdomain.com:8088/index-leopard-snowleopard.merged-1.sucatalog
  6. Add a zone in your internal DNS, called swscan.apple.com, and point the whole subdomain to the IP of your SUS.
  7. Flush your DNS cache on the clients: lookupd -flushcache

Now test your setup. Using Safari, following this link to Apple’s catalog on your SUS should show Apple’s real catalog (ApplePostURL should start with swquery.apple.com), while the same on other computers in your network should resolve and be forwarded to your SUS, http://yoursus.yourdomain.com:8088/index.sucatalog (ApplePostURL will start with yoursus.yourdomain.com:8088 this time).

Now just run Software Update on the clients, and enjoy the speed of downloads!

The only downside of this setup is the mini complaining in system.log that it has no reverse DNS entry for itself. To be honest, I didn’t have much time to think how to set it up without extra hardware; I just happened to have a spare mini for this purpose. Maybe there’s a way to have the DNS and SUS running on one server, perhaps via two IP addresses and tweaking of config files. I also didn’t test it much with Panther clients; it possibly needs different redirects for that. Comments welcomed. Happy updating!
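As an added check for the verification step described above (example code written for this post, not part of the original write-up or the quoted document), the script below fetches the catalog path on swscan.apple.com without following redirects and reports whether the machine it runs on sees Apple's real catalog or is being redirected to the internal SUS. The hostnames and port are the placeholders from the write-up and the sample catalogs are constructed, not real Apple data.

```python
import plistlib
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Placeholders from the write-up above; assumption: adjust to your own SUS host/port.
SWSCAN = "swscan.apple.com"
CATALOG_PATH = "/content/catalogs/index-1.sucatalog"
INTERNAL_SUS = "yoursus.yourdomain.com:8088"
APPLE_QUERY_HOST = "swquery.apple.com"

# Constructed sample catalogs (not real Apple data) in the .sucatalog plist shape.
SAMPLE_APPLE_CATALOG = plistlib.dumps({"CatalogVersion": 2, "Products": {},
    "ApplePostURL": "https://swquery.apple.com/example-post-path"})
SAMPLE_INTERNAL_CATALOG = plistlib.dumps({"CatalogVersion": 2, "Products": {},
    "ApplePostURL": "http://yoursus.yourdomain.com:8088/index.sucatalog"})


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 30x so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """GET without following redirects; return (status, location, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # a 30x surfaces here because of _NoRedirect
        return err.code, err.headers.get("Location"), err.read()


def apple_post_url_host(catalog_bytes):
    """host[:port] of the ApplePostURL key in a .sucatalog plist."""
    return urlparse(plistlib.loads(catalog_bytes)["ApplePostURL"]).netloc


def classify(status, location, body):
    """Which side of the split this machine is on, per the test in the write-up."""
    if status in (301, 302, 307) and location:
        if urlparse(location).netloc == INTERNAL_SUS:
            return "client-redirected-to-internal-sus"
        return "redirected-elsewhere"
    if status == 200:
        host = apple_post_url_host(body)
        if host == APPLE_QUERY_HOST:
            return "apple-direct"  # expected on the SUS itself (external DNS)
        if host == INTERNAL_SUS:
            return "internal-sus-direct"
        return "unexpected-post-url:" + host
    return "unexpected-status:%d" % status


if __name__ == "__main__":
    print("%s resolves to %s" % (SWSCAN, socket.gethostbyname(SWSCAN)))
    print(classify(*fetch("http://" + SWSCAN + CATALOG_PATH)))
```

Run it on the SUS itself and on a client: the first should print apple-direct, the second client-redirected-to-internal-sus; anything else means DNS or the redirect rules are not doing what step 5 and step 6 intend.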