I'm not quite understanding how you're expecting a remote WSUS server to communicate with the primary except via the WAN link?
As far as configuring a WSUS server as a downstream server, that's covered in the WSUS Deployment Guide, and is presented in the setup wizard. (Option 1: Get updates from Microsoft; Option 2: Get updates from another WSUS server). See Configure and Manage Replica Servers for more information.