I have had no response on this question regarding WSUS with SSL.
My guess is that everyone resorted to WSUS without SSL.
I will share the script I use to configure the firewall on my WSUS
server. The rule for port 8530 is separate from 8531 in case I want
to expand the remoteip list for the SSL port 8531 at some future
time. I run this script after WSUS is installed so the wide open
WSUS rule is deleted.
WSUSFirewall.cmd
----------------
@echo off
setlocal
set scriptdir=%~dp0
rem use %scriptdir% to reference folder from which this script is run
rem S-1-16-12288 is the High Mandatory Level SID; if it is missing from our token we are not elevated
@whoami /groups | find "S-1-16-12288" >nul
rem not elevated: relaunch this script elevated with the same arguments, then quit
@if errorlevel 1 (cscript /nologo %scriptdir%..\kbsutils\RunCmdElevated.vbs %0 %*) & exit /b
rem run the netsh script that shares this file's base name (WSUSFirewall.txt)
netsh %1 %2 %3 %4 -f "%~dpn0.txt"
endlocal
WSUSFirewall.txt
------------------
advfirewall firewall
delete rule name="WSUS"
delete rule name="WSUS8530"
delete rule name="WSUS8531"
add rule name="WSUS8530" dir=in action=allow protocol=tcp localport=8530 remoteip=LocalSubnet,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17 profile=domain
add rule name="WSUS8531" dir=in action=allow protocol=tcp localport=8531 remoteip=LocalSubnet,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17 profile=domain
-Stefan
On 4/26/2016 2:26 PM, Stefan Ozminski wrote:
WSUS administrators,
Has anyone had success setting up WSUS on Windows Server 2012 R2
with an SSL configuration?
I've tried it twice now, and although the https connection works,
the clients don't communicate with the server properly. To make
it worse, when I follow the instructions "How to Configure the WSUS
Web Site to Use SSL", I lose the
ability to open the administration console on the WSUS host, and
when you test client access with the url https://<wsushost>.kbs.msu.edu:8531/ClientWebService/Client.asmx?singleWsdl,
the xml returned contains references to http:8530
instead of https:8531.
Since the instructions say to lock the virtual directory
ClientWebService to SSL, it isn't going to work. Before you ask,
the answer is yes, I remembered to use wsusutil.exe configuressl
hostfqdn, and I configured the clients with the https://hostfqdn:8531 that was
output to the Command Prompt window by wsusutil.exe.
The initial HTTPS connection works. I can open the administrator
console on a server that is not the WSUS host and connect remotely
to the console interface of the WSUS host.
The WSUS version that loads on my server when the role is enabled
is WSUS 6.3.9600.
I have seen instructions that say the SSL certificate should
contain a Subject Alternative Name (SAN) that matches the friendly
name of the host (i.e. not FQDN), but that isn't possible
nowadays with InCommon certificates.
-Stefan
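As an added check, not part of either post above: a PowerShell function that parses the WSDL a client fetches from the ClientWebService URL and lists every SOAP endpoint address that still advertises http on 8530 instead of https on 8531, which is the symptom described in the original message. The WSDL below is a constructed sample; the function name, the placeholder host name and the Invoke-WebRequest call in the comment are assumptions, not anything from the thread.

```powershell
# Added example, not from the original posts: parse the WSDL a client fetches from
# https://<wsushost>:8531/ClientWebService/Client.asmx?singleWsdl and list every SOAP
# endpoint address that still points at http / 8530. In practice feed it
#   (Invoke-WebRequest -Uri "https://${WsusHost}:8531/ClientWebService/Client.asmx?singleWsdl" -UseBasicParsing).Content
function Test-WsusSslWsdl {
    param(
        [Parameter(Mandatory)][string]$WsdlXml,
        [Parameter(Mandatory)][string]$ExpectedHost,   # FQDN given to wsusutil.exe configuressl
        [int]$ExpectedPort = 8531
    )
    [xml]$doc = $WsdlXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('wsdl', 'http://schemas.xmlsoap.org/wsdl/')

    # Every <soap:address> / <soap12:address location="..."> under a service port
    $addresses = $doc.SelectNodes('//wsdl:service/wsdl:port/*[local-name()="address"]', $ns)
    $mismatched = foreach ($a in $addresses) {
        $uri = [uri]$a.GetAttribute('location')
        if ($uri.Scheme -ne 'https' -or $uri.Port -ne $ExpectedPort -or $uri.Host -ne $ExpectedHost) {
            $uri.AbsoluteUri
        }
    }
    [pscustomobject]@{
        Endpoints  = $addresses.Count
        Mismatched = @($mismatched)
        SslOnly    = ($addresses.Count -gt 0 -and @($mismatched).Count -eq 0)
    }
}

# Constructed sample WSDL reproducing the symptom: one port rewritten to https:8531,
# the SOAP 1.2 port still advertising http:8530 (host name is a placeholder).
$sampleWsdl = @'
<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
  <wsdl:service name="ClientWebService">
    <wsdl:port name="ClientWebServiceSoap">
      <soap:address location="https://wsushost.example.invalid:8531/ClientWebService/Client.asmx" />
    </wsdl:port>
    <wsdl:port name="ClientWebServiceSoap12">
      <soap12:address location="http://wsushost.example.invalid:8530/ClientWebService/Client.asmx" />
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
'@

Test-WsusSslWsdl -WsdlXml $sampleWsdl -ExpectedHost 'wsushost.example.invalid' | Format-List
```

Run against the live URL after wsusutil.exe configuressl; an empty Mismatched list with SslOnly set to True is what the clients need before the virtual directories are locked to SSL.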