If you have a server in the DMZ that requires Windows Updates but does not have Internet connectivity, it's actually quite easy to configure it to receive automatic updates from a WSUS server on your network.
1. Firewall config: Open tcp/80 (or tcp/443 if you have configured SSL) on the firewall between your DMZ server and your WSUS server.
2. On your DMZ server open gpedit.msc. Go into Computer Configuration - Administrative Templates - Windows Components - Windows Update.
Configure Windows Update using gpedit.msc
3. Enable "Configure automatic updates" and configure the schedule of your choice.
4. Enable "Intranet Microsoft Update Service Location". Specify your WSUS server in both fields using the http://server format.
5. Enable "Client side targetting" and enter the name of your Target Group into the box.
That's it - the updates will now flow in.
