BM 3.5 SP3, everything works ok, web caching, filters etc...

This is what I am trying to do..

Microsoft SUS server for automatic updates, it is in the DMZ zone. I have
created a filter exception for port 80 from Private to DMZ. This is fine.
Clients will talk to the SUS server and then download the patches.

The issue is now MS delivers the Service Packs through SUS, which is fine,
but I can't have 500 machines connect to the SUS server to download the
Service Pack. BUT I know you can tell the SUS server to tell the client to get
the updates from Microsoft's web site, which I want to do; the problem is I
cannot tell the client to use any port other than 80.

So.. long and short of it... How do I accomplish this? i.e. leave port 80
closed for web browsers so they have to use port 8080 and the proxy and ACL
lists and caching, but allow the automatic update client to use port 80 and go to
MS to get the updates.

I have tried to create a generic TCP proxy from our private network
10.10.10.x to an IP address on the public interface and disabled "enforce ACL
entries", but this did not seem to work.

Any suggestions?