We stopped deploying Patch 4 after issues with 2008 servers. Untill that is resolved by McAfee we are not going furtherwith the deployment. We have some test machines though and will watch the traffic for a couple of days. Is there any pattern in the polings?
What it looks like to me is that it is either checking all the repositories for an update or it is starting with the fallback repository for an update. We have our systems set to check for updates once an hour and it looks like they all hit the update.nai.com site twice an hour. We haven’t done any actual traffic analysis yet so we don't know if they are downloading from them but they are connecting to them. We have around 2400 systems and if you do the math it comes out to about 2 connections to the site per hour per system. We haven’t seen any bandwidth issues with it yet so we guess that it is just an update check. So it looks like they are actually updating from our repositories but still checking with update.nai.com. One other thing that could be happening is that during the part where the systems determine the closest repository they are actually attempting to use update.nai.com as a regular repository so they are attempting to ping it for latency.