Last time I installed an SCCM 2012 r2 environment for a client, they have a special application that is running in a separate domain and have no internet access at all. I had only a few firewall openings that were needed to running this application.
I already had WSUS installed against an upstream server for indexing. Because the internet access to all servers were cutoff I needed to find a way to download all Critical and Security updates for all windows servers and clients in that environment. Normally you use WSUS only for indexing, SCCM 2012 r2 will download the requested updates directly from Microsoft Update Services. You could also download manual all required updates from the Microsoft Update catalogues and import them into the SCCM 2012 r2 environment. This will be a lot of work every month to do so..
My WSUS server have access to the upstream server and the upstream server already downloaded all required updates.
I created a rule within WSUS to auto approve all security and critical updates and download these automatically to specific directory. In SCCM you could import required updates from a file share so the next thing I created an ADR, in that ADR i told SCCM 2012 r2 to not download the updates but import them from a file share. I pointed to the file share where I downloaded the updates from WSUS.
SCCM accept these updates and distributed them to my clients.