I have 3 main sites, each have a WAN connection which is good but not great, and internet connections.
I have just built a WSUS 3.0 SP2 on windows 2008 R2 boxes in each region.
I want to configure one as the primary and the other 2 as downstream boxes, saving WAN/internet bandwidth.
There doesn't seem to be a way to configure these to 'report' into the main box, and download the approved patches without using the WAN link. Is there some obvious setting I am missing, enabling these as replica does everything I need apart from the download source.
I'm not quite understanding how you're expecting a remote WSUS server to communicate with the primary except via the WAN link?
As far as configuring a WSUS server as a downstream server, that's covered in the WSUS Deployment Guide, and is presented in the setup wizard. (Option 1: Get updates from Microsoft; Option 2: Get updates from another WSUS server). See Configure and Manage Replica Servers for more information.