Hi Tomasz,
Start with the settings outlined on HOWTO59024 if your SMP server is behind the DMZ and doesn't have internet access, for the Import Patch Data for Windows (PMImport MetaData) and the Download Software Updates processes need access to the internet to be able to build Software Update Packages and target for deployment/install.
However, if your SMP has internet access but is behind a proxy or other network security; ensure that SolutionSam.com is cleared for the Import Patch Data for Windows downloaded, and review the tool provided on TECH186657, for the DownloadURLMaskMaker.exe can be utilized to see what URL's are actually needed to be cleared in the network security for the Download Software Updates process to complete.
After that; the product will work just the same as it would in an internet facing environment, for the Clients will send Assessment Scan data to the SMP, the Patch Filter will update and target Applicable Software Updates, and the Software Update Policies can be created in the Patch Remediation Center and utilized to deploy the Software Update Packages. The updates will install on the schedule Software Update Cycle configured in the Default Software Update Plug-in Policy (which can be cloned to target as needed for different computer groups/filters if needed to separate for rebooting and notifications).
Let me know if you have any further questions and I will be happy to help.
Thanks,
Joshua