After multiple tries with multiple variations, including an OS reinstall
and an image restore from a known good point, I got WSUS with SSL to
work on Server 2012, but only on port 443. I was never able to get
clients to communicate properly on port 8531.
The default configuration of WSUS on Server 2012 is with http port 8530,
which I was able to get to work as well as port 80. After a server
rebuild (OS re-install), I downloaded all updates, configured WSUS, and
then changed to port 80 mode with the following command:
"c:\Program Files\Update Services\Tools\WsusUtil.exe" usecustomwebsite false
I saved an image of the server at that point because WSUS configuration
seems to be rather fragile. Then I created a binding in IIS for port
443 on the website with a certificate (from InCommon) selected in the
dropdown list of installed certificates and made the other SSL settings
necessary as documented on the web. Then I configured SSL for WSUS with
the following command:
"c:\Program Files\Update Services\Tools\WsusUtil.exe" configuressl server.level3.msu.edu
where server.level3.msu.edu was a subject name from the installed
certificate.
The netsh commands I used to configure the firewall for WSUS were the
following:
advfirewall firewall
delete rule name="HTTP"
add rule name="HTTP" action=allow protocol=TCP dir=in localport=80 remoteip=LocalSubnet,192.168.113.0/24,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17
advfirewall firewall
delete rule name="SSL"
add rule name="SSL" action=allow protocol=TCP dir=in localport=443 remoteip=LocalSubnet,192.168.113.0/24,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17
Then, in Group Policy, I updated a policy object with the item "Specify
intranet Microsoft update service location" to specify the new server
address https://server.level3.msu.edu:443 (under Computer
Configuration/Administrative Templates/Windows Components/Windows Update)
-Stefan
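An added PowerShell check (not from any message in this thread) that verifies the three pieces Stefan describes on the WSUS host: the https binding and its certificate, the WSDL that ClientWebService hands to clients, and the remote-address scope of the inbound firewall rule. The site name "WSUS Administration", the placeholder FQDN and the rule name "SSL" are assumptions; adjust them to the local setup.

```powershell
# Added verification script for the WSUS-over-SSL setup described above; not part of the thread's scripts.
# Assumes: elevated PowerShell on the WSUS host, $Fqdn is the name given to 'wsusutil configuressl',
# the IIS site has the default name "WSUS Administration", and $RuleName is the netsh rule name.
param(
    [string]$Fqdn     = 'wsus.example.edu',   # placeholder, replace with the configuressl FQDN
    [int]   $Port     = 443,                  # 8531 if the custom web site is in use
    [string]$RuleName = 'SSL'
)
Import-Module WebAdministration

# 1. An https binding on $Port must carry a certificate whose names cover $Fqdn.
$binding = Get-WebBinding -Name 'WSUS Administration' -Protocol https -Port $Port | Select-Object -First 1
$hash    = $binding.certificateHash
$cert    = if ($hash) { Get-Item "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue }
if (-not $binding) {
    Write-Warning "No https binding on port $Port for the WSUS Administration site"
} elseif (-not $cert) {
    Write-Warning "Binding on port $Port has no certificate in LocalMachine\My"
} elseif ($cert.DnsNameList.Unicode -notcontains $Fqdn) {
    Write-Warning "Certificate names ($($cert.DnsNameList.Unicode -join ', ')) do not include $Fqdn"
} else {
    "OK: port $Port binding uses $($cert.Thumbprint), valid for $Fqdn until $($cert.NotAfter)"
}

# 2. The WSDL clients fetch must not advertise http/8530 endpoints: that is the
#    symptom from the original post when configuressl has not taken effect.
$wsdlUrl = "https://${Fqdn}:${Port}/ClientWebService/Client.asmx?singleWsdl"
try {
    $wsdl  = (Invoke-WebRequest -Uri $wsdlUrl -UseBasicParsing).Content
    $plain = [regex]::Matches($wsdl, 'http://[^\s"''<>]+:8530[^\s"''<>]*') |
             ForEach-Object { $_.Value } | Sort-Object -Unique
    if ($plain) { Write-Warning "WSDL still references http/8530 endpoints:`n$($plain -join "`n")" }
    else        { "OK: $wsdlUrl advertises only https endpoints" }
} catch {
    Write-Warning "Could not fetch ${wsdlUrl}: $($_.Exception.Message)"
}

# 3. The inbound rule should stay scoped to the management subnets, never 'Any'.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning "Firewall rule '$RuleName' not found"
} else {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') { Write-Warning "Rule '$RuleName' accepts connections from any address" }
    else { "OK: rule '$RuleName' limited to $($remote -join ', ')" }
}
```

Run it again after any IIS or wsusutil change; a warning from step 2 means clients will be handed plain-http endpoints even though the initial https connection succeeds.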
On 5/2/2016 10:39 AM, David Graff wrote:
> Stefan,
>
> IPF runs their WSUS servers over SSL with InCommon certs, it does work and
> is worth doing. I believe the step that is missing from Microsoft's
> documentation is that you need to right click on the WSUS Administration
> site object in IIS manager, go to bindings, and then add your FQDN binding
> to https 8531 and/or 443 and assign your cert to the binding.
>
> Feel free to contact me if you would like assistance getting it set up.
>
> Dave Graff
>
> On Wed, 27 Apr 2016 14:20:49 -0400, Stefan Ozminski <[log in to unmask]> wrote:
>
>> I have had no response on this question regarding WSUS with SSL.
>>
>> My guess is that everyone resorted to WSUS without SSL.
>>
>> I will share the script I use to configure the firewall on my WSUS
>> server. The rule for port 8530 is separate from 8531 in case I want
>> to expand the remoteip list for the SSL port 8531 at some future
>> time. I run this script after WSUS is installed so the wide open
>> WSUS rule is deleted.
>>
>> WSUSFirewall.cmd
>> ----------------
>> @echo off
>> setlocal
>> set scriptdir=%~dp0
>> rem use %scriptdir% to reference folder from which this script is run
>> @whoami /groups | find "S-1-16-12288" >nul
>> @if errorlevel 1 (cscript /nologo %scriptdir%..\kbsutils\RunCmdElevated.vbs %0 %*) & exit /b
>> netsh %1 %2 %3 %4 -f "%~dpn0.txt"
>> endlocal
>>
>> WSUSFirewall.txt
>> ------------------
>> advfirewall firewall
>> delete rule name="WSUS"
>> delete rule name="WSUS8530"
>> delete rule name="WSUS8531"
>> add rule name="WSUS8530" dir=in action=allow protocol=tcp localport=8530 remoteip=LocalSubnet,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17 profile=domain
>> add rule name="WSUS8531" dir=in action=allow protocol=tcp localport=8531 remoteip=LocalSubnet,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17 profile=domain
>>
>> -Stefan
>>
>> On 4/26/2016 2:26 PM, Stefan Ozminski wrote:
>>
>>> WSUS administrators,
>>>
>>> Has anyone had success setting up WSUS on Windows Server 2012 R2
>>> with an SSL configuration?
>>>
>>> I've tried it twice now, and although the https connection works,
>>> the clients don't communicate with the server properly. To make
>>> it worse, when I follow the instructions "How to Configure the WSUS
>>> Web Site to Use SSL" (https://technet.microsoft.com/en-us/library/bb633246.aspx),
>>> I lose the ability to open the administration console on the WSUS
>>> host, and when you test client access with the url
>>> https://<wsushost>.kbs.msu.edu:8531/ClientWebService/Client.asmx?singleWsdl,
>>> the xml returned contains references to http:8530 instead of
>>> https:8531. Since the instructions say to lock the virtual directory
>>> ClientWebService to SSL, it isn't going to work. Before you ask,
>>> the answer is yes, I remembered to use wsusutil.exe configuressl
>>> hostfqdn, and I configured the clients with the https://hostfqdn:8531
>>> that was output to the Command Prompt window by wsusutil.exe.
>>>
>>> The initial HTTPS connection works. I can open the administrator
>>> console on a server that is not the WSUS host and connect remotely
>>> to the console interface of the WSUS host.
>>>
>>> The WSUS version that loads on my server when the role is enabled
>>> is WSUS 6.3.9600.
>>>
>>> I have seen instructions that say the SSL certificate should
>>> contain a Subject Alternative Name (SAN) that matches the friendly
>>> name of the host (i.e. not FQDN), but that isn't possible
>>> nowadays with InCommon certificates.
>>>
>>> -Stefan