but failed on all DSS with the error message "unable to contact the host on port 139.....etc".
I think the problem come from the stringent firewall rules on both site.
I would agree. One or more ports required to communicate with the server to distribute the certificate is blocked.
So if i take example of the integration wsus DSS, i will install the automation role server on it , did it help to install certificate on it or no?
Possibly. The process still needs to communicate via those ports; but, if as I've read later in your post the ports are only blocked site-to-site, and not system-to-system, then a LOCAL Automation Role Server (with the correctly defined IP Subnet-based Automation Server Routing Rule) should avoid the site-to-site restrictions.
Should i use a gpo to deploy the certificate ?
That is our recommended procedure. The advantage to GPO is that everybody gets it at the same time, and new systems also get the cert as soon as they join the domain.
Once the automation role server will be installed on the WSUS integration DSS, i think the next step is to deploy the certificate on all integration server/workstation then deploy the solarwinds wmi/agent.
Deploying the certificate is a required step to facilitate installation of third-party updates.
Deploying the WMI Providers is an optional step, which facilitates remote execution of configuration management tasks, such as Update Management or using the Computer Explorer.
The order of deployment of the two objects is irrelevant as there is no relationship between the two.
Please note there is a significant difference between the WMI Providers and the Agent. Clients equipped with only WMI Providers will still need to be able to accept inbound connections on port 135 and via WMI.
Clients equipped with the Agent will initiate outbound connections to the assigned Automation Role server using port 4092.
So if the wmi port are open in the local integration site(to recap port are not open between site to site, only open from machine to machine on the same site), should i only deploy solarwinds wmi provider?
Yes. If the firewall restrictions are only site to site, and WMI ports are open at the host level, then you only need the WMI Providers and a local Automation Role server with the appropriate Automation Server Routing Rule.