
Stefan,

IPF runs their WSUS servers over SSL with InCommon certs; it does work and
is worth doing. I believe the step that is missing from Microsoft's
documentation is that you need to right-click on the WSUS Administration
site object in IIS Manager, go to Bindings, and then add your FQDN binding
to https 8531 and/or 443 and assign your cert to the binding.

Feel free to contact me if you would like assistance getting it set up.

Dave Graff

On Wed, 27 Apr 2016 14:20:49 -0400, Stefan Ozminski <[log in to unmask]> wrote:

> I have had no response on this question regarding WSUS with SSL.
>
> My guess is that everyone resorted to WSUS without SSL.
>
> I will share the script I use to configure the firewall on my WSUS
> server.  The rule for port 8530 is separate from 8531 in case I want
> to expand the remoteip list for the SSL port 8531 at some future
> time.  I run this script after WSUS is installed so the wide open
> WSUS rule is deleted.
>
> WSUSFirewall.cmd
> ----------------
> @echo off
> setlocal
> set scriptdir=%~dp0
> rem use %scriptdir% to reference folder from which this script is run
> rem S-1-16-12288 is the High Mandatory Level SID; it is only present in the
> rem token when the shell is elevated, so re-launch elevated if it is absent
> @whoami /groups | find "S-1-16-12288" >nul
> @if errorlevel 1 (cscript /nologo %scriptdir%..\kbsutils\RunCmdElevated.vbs %0 %*) & exit /b
> rem %~dpn0.txt is the netsh script file with the same base name as this .cmd
> netsh %1 %2 %3 %4 -f "%~dpn0.txt"
> endlocal
>
> WSUSFirewall.txt
> ----------------
> advfirewall firewall
> delete rule name="WSUS"
> delete rule name="WSUS8530"
> delete rule name="WSUS8531"
> add rule name="WSUS8530" dir=in action=allow protocol=tcp localport=8530 remoteip=LocalSubnet,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17 profile=domain
> add rule name="WSUS8531" dir=in action=allow protocol=tcp localport=8531 remoteip=LocalSubnet,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17 profile=domain
>
> -Stefan
>
> On 4/26/2016 2:26 PM, Stefan Ozminski wrote:
>
> > WSUS administrators,
> >
> > Has anyone had success setting up WSUS on Windows Server 2012 R2
> > with an SSL configuration?
> >
> > I've tried it twice now, and although the https connection works,
> > the clients don't communicate with the server properly.  To make
> > it worse, when I follow the instructions "How to Configure the WSUS
> > Web Site to Use SSL" (https://technet.microsoft.com/en-us/library/bb633246.aspx),
> > I lose the ability to open the administration console on the WSUS
> > host, and when you test client access with the url
> > https://<wsushost>.kbs.msu.edu:8531/ClientWebService/Client.asmx?singleWsdl,
> > the xml returned contains references to http:8530 instead of
> > https:8531.  Since the instructions say to lock the virtual directory
> > ClientWebService to SSL, it isn't going to work.  Before you ask,
> > the answer is yes, I remembered to use wsusutil.exe configuressl
> > hostfqdn, and I configured the clients with the https://hostfqdn:8531
> > that was output to the Command Prompt window by wsusutil.exe.
> >
> > The initial HTTPS connection works.  I can open the administrator
> > console on a server that is not the WSUS host and connect remotely
> > to the console interface of the WSUS host.
> >
> > The WSUS version that loads on my server when the role is enabled
> > is WSUS 6.3.9600.
> >
> > I have seen instructions that say the SSL certificate should
> > contain a Subject Alternative Name (SAN) that matches the friendly
> > name of the host (i.e. not FQDN), but that isn't possible
> > nowadays with InCommon certificates.
> >
> > -Stefan
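The two technical pieces in this thread, Dave's IIS binding step and Stefan's port-restricted firewall rules, as one added PowerShell example (not code from either message, and not Microsoft's documented procedure), with a check at the end for the symptom Stefan describes: fetching Client.asmx?singleWsdl over https and counting endpoint references to http on 8530 versus https on 8531. It assumes Windows Server 2012 R2 with the WebAdministration and NetSecurity modules, a certificate for the host FQDN already in the local machine store, the default WsusUtil.exe install path, and placeholder client ranges in $AllowedClients that you replace with your own.

```powershell
# Added example: IIS https binding for WSUS, port-restricted firewall rules,
# and a post-configuration check. Not code from this thread.
# Assumptions: run elevated on the WSUS host; the certificate for the FQDN is
# already in Cert:\LocalMachine\My; $AllowedClients holds placeholder ranges.

Import-Module WebAdministration
Import-Module NetSecurity

$Fqdn           = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$SslPort        = 8531
$AllowedClients = @('LocalSubnet', '10.0.0.0/8')   # placeholders; use your own ranges

# 1. Pick the certificate the clients will validate: subject CN = FQDN, with a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }

# 2. The step Dave describes: an https binding for the FQDN on the WSUS Administration
#    site, then the certificate attached to that port.
$site = 'WSUS Administration'
if (-not (Get-WebBinding -Name $site -Protocol https -Port $SslPort)) {
    New-WebBinding -Name $site -Protocol https -Port $SslPort -HostHeader $Fqdn
}
$sslPath = "IIS:\SslBindings\0.0.0.0!$SslPort"
if (-not (Test-Path $sslPath)) {
    New-Item -Path $sslPath -Value $cert | Out-Null
}

# 3. Point WSUS itself at SSL and the FQDN (the same command Stefan ran).
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
& $wsusutil configuressl $Fqdn

# 4. Firewall: drop the wide-open WSUS rule and allow 8530/8531 only from known
#    ranges, keeping the two ports as separate rules as in Stefan's netsh script.
foreach ($name in 'WSUS', 'WSUS8530', 'WSUS8531') {
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}
foreach ($port in 8530, $SslPort) {
    New-NetFirewallRule -DisplayName "WSUS$port" -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $port -RemoteAddress $AllowedClients -Profile Domain | Out-Null
}

# 5. Check: the WSDL clients download must advertise https on $SslPort, not http on 8530.
$wsdlUri  = "https://${Fqdn}:$SslPort/ClientWebService/Client.asmx?singleWsdl"
$wsdl     = (Invoke-WebRequest -Uri $wsdlUri -UseBasicParsing).Content
$badRefs  = [regex]::Matches($wsdl, 'http://[^"<\s]+:8530/').Count
$goodRefs = [regex]::Matches($wsdl, 'https://[^"<\s]+:' + $SslPort + '/').Count
if ($badRefs -gt 0 -or $goodRefs -eq 0) {
    Write-Warning "WSDL still references http on 8530 ($badRefs times); clients will not use SSL. Re-check the binding and configuressl."
} else {
    Write-Host "OK: WSDL references https on $SslPort ($goodRefs times) and no http:8530 endpoints."
}
```

Run it from an elevated PowerShell session on the WSUS host. The final check is the one Stefan performed by hand: if the WSDL returned over 8531 still carries http://...:8530 endpoint addresses, the FQDN binding or the configuressl step has not taken effect and clients pinned to https://fqdn:8531 will fail exactly as he describes.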