After multiple tries with multiple variations, including an OS reinstall 
and an image restore from a known good point, I got WSUS with SSL to 
work on Server 2012, but only on port 443.  I was never able to get 
clients to communicate properly on port 8531.

The default configuration of WSUS on Server 2012 is with http port 8530, 
which I was able to get to work as well as port 80.  After a server 
rebuild (OS re-install), I downloaded all updates, configured WSUS, and 
then changed to port 80 mode with the following command:

"c:\Program Files\Update Services\Tools\WsusUtil.exe" usecustomwebsite false

I saved an image of the server at that point because WSUS configuration 
seems to be rather fragile.  Then I created a binding in IIS for port 
443 on the website with a certificate (from InCommon) selected in the 
dropdown list of installed certificates and made the other SSL settings 
necessary as documented on the web. Then I configured SSL for WSUS with 
the following command:

"c:\Program Files\Update Services\Tools\WsusUtil.exe" configuressl server.level3.msu.edu

where server.level3.msu.edu was a subject name from the installed 
certificate.

The netsh commands I used to configure the firewall for WSUS were the 
following:

advfirewall firewall
delete rule name="HTTP"
add rule name="HTTP" action=allow protocol=TCP dir=in localport=80 remoteip=LocalSubnet,192.168.113.0/24,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17
advfirewall firewall
delete rule name="SSL"
add rule name="SSL" action=allow protocol=TCP dir=in localport=443 remoteip=LocalSubnet,192.168.113.0/24,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17

Then, in Group Policy, I updated a policy object with the item "Specify 
intranet Microsoft update service location" to specify the new server 
address https://server.level3.msu.edu:443 (under Computer 
Configuration/Administrative Templates/Windows Components/Windows Update).

-Stefan

On 5/2/2016 10:39 AM, David Graff wrote:
> Stefan,
>
> IPF runs their WSUS servers over SSL with InCommon certs, it does work and
> is worth doing. I believe the step that is missing from Microsoft's
> documentation is that you need to right click on the WSUS Administration
> site object in IIS manager, go to bindings, and then add your FQDN binding
> to https 8531 and/or 443 and assign your cert to the binding.
>
> Feel free to contact me if you would like assistance getting it set up.
>
> Dave Graff
>
> On Wed, 27 Apr 2016 14:20:49 -0400, Stefan Ozminski <[log in to unmask]> wrote:
>
>> I have had no response on this question regarding WSUS with SSL.
>>
>> My guess is that everyone resorted to WSUS without SSL.
>>
>> I will share the script I use to configure the firewall on my WSUS
>> server.  The rule for port 8530 is separate from 8531 in case I want
>> to expand the remoteip list for the SSL port 8531 at some future
>> time.  I run this script after WSUS is installed so the wide open
>> WSUS rule is deleted.
>>
>> WSUSFirewall.cmd
>> ----------------
>> @echo off
>> setlocal
>> set scriptdir=%~dp0
>> rem use %scriptdir% to reference folder from which this script is run
>> rem S-1-16-12288 is the High Mandatory Level SID; absent means not elevated
>> @whoami /groups | find "S-1-16-12288" >nul
>> @if errorlevel 1 (cscript /nologo %scriptdir%..\kbsutils\RunCmdElevated.vbs %0 %*) & exit /b
>> rem feed the matching .txt file to netsh as a script
>> netsh %1 %2 %3 %4 -f "%~dpn0.txt"
>> endlocal
>>
>> WSUSFirewall.txt
>> ----------------
>> advfirewall firewall
>> delete rule name="WSUS"
>> delete rule name="WSUS8530"
>> delete rule name="WSUS8531"
>> add rule name="WSUS8530" dir=in action=allow protocol=tcp localport=8530 remoteip=LocalSubnet,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17 profile=domain
>> add rule name="WSUS8531" dir=in action=allow protocol=tcp localport=8531 remoteip=LocalSubnet,35.8.0.0/13,35.20.0.0/17,35.22.0.0/17 profile=domain
>>
>> -Stefan
>>
>> On 4/26/2016 2:26 PM, Stefan Ozminski wrote:
>>> WSUS administrators,
>>>
>>> Has anyone had success setting up WSUS on Windows Server 2012 R2
>>> with an SSL configuration?
>>>
>>> I've tried it twice now, and although the https connection works,
>>> the clients don't communicate with the server properly.  To make
>>> it worse, when I follow the instructions "How to Configure the WSUS
>>> Web Site to Use SSL" (https://technet.microsoft.com/en-us/library/bb633246.aspx),
>>> I lose the ability to open the administration console on the WSUS host, and
>>> when you test client access with the url
>>> https://<wsushost>.kbs.msu.edu:8531/ClientWebService/Client.asmx?singleWsdl,
>>> the xml returned contains references to http:8530 instead of https:8531.
>>> Since the instructions say to lock the virtual directory
>>> ClientWebService to SSL, it isn't going to work.  Before you ask,
>>> the answer is yes, I remembered to use wsusutil.exe configuressl
>>> hostfqdn, and I configured the clients with the https://hostfqdn:8531
>>> that was output to the Command Prompt window by wsusutil.exe.
>>>
>>> The initial HTTPS connection works.  I can open the administrator
>>> console on a server that is not the WSUS host and connect remotely
>>> to the console interface of the WSUS host.
>>>
>>> The WSUS version that loads on my server when the role is enabled
>>> is WSUS 6.3.9600.
>>>
>>> I have seen instructions that say the SSL certificate should
>>> contain a Subject Alternative Name (SAN) that matches the friendly
>>> name of the host (i.e. not FQDN), but that isn't possible
>>> nowadays with InCommon certificates.
>>>
>>> -Stefan
>
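The sequence Stefan describes in his reply at the top of the thread (bind a certificate to the site in IIS, run wsusutil configuressl, scope the firewall rule, then point clients at the https URL), collected into one PowerShell script as an added example. This is not code from the thread or from Microsoft; it assumes WSUS is on the Default Web Site (the effect of `usecustomwebsite false`), that the InCommon certificate is already in the machine store with the FQDN in its SAN list, and it reuses the FQDN, port and remote subnets from Stefan's post as defaults. The last step reproduces the check from his original question: it fetches the ClientWebService WSDL and fails loudly if any advertised endpoint is still http:8530.

```powershell
# Added example, not from the original thread. Run elevated on the WSUS host.
# Assumptions: WSUS sits on the Default Web Site (result of "wsusutil
# usecustomwebsite false"), the certificate is already in Cert:\LocalMachine\My,
# and $Fqdn / $RemoteNets are the values from the post. Adjust as needed.
param(
    [string]   $Fqdn       = 'server.level3.msu.edu',
    [string]   $SiteName   = 'Default Web Site',
    [int]      $Port       = 443,
    [string[]] $RemoteNets = @('LocalSubnet', '192.168.113.0/24',
                               '35.8.0.0/13', '35.20.0.0/17', '35.22.0.0/17')
)

Import-Module WebAdministration
Import-Module NetSecurity
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'

# 1. Pick a certificate whose SAN list contains the FQDN clients will use.
#    Clients validate the SAN, so a subject-only match is not good enough.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $Fqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate in LocalMachine\My has a SAN entry for $Fqdn" }

# 2. Add the https binding and attach the certificate to it. This is the step
#    Dave Graff says is missing from Microsoft's write-up.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL only on the metadata virtual directories. Leave Content on
#    http: WSUS serves update payloads over plain http and clients verify
#    their hashes, so locking the whole site to SSL breaks downloads.
$sslVdirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($vdir in $sslVdirs) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$vdir" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# 4. Tell WSUS its client-facing name, so the URLs it emits use https.
& $wsusUtil configuressl $Fqdn
if ($LASTEXITCODE -ne 0) { throw "wsusutil configuressl failed (exit $LASTEXITCODE)" }

# 5. Replace any earlier rule of the same name with one scoped to the
#    subnets that should reach the server (the equivalent of the netsh rules).
Get-NetFirewallRule -DisplayName 'WSUS HTTPS' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'WSUS HTTPS' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $Port -RemoteAddress $RemoteNets -Profile Domain | Out-Null

# 6. The check from the original question: every soap:address in the client
#    WSDL must now be https. An http:8530 endpoint here means clients will
#    fall back to a port that is locked to SSL and fail.
$wsdlUrl   = "https://${Fqdn}:$Port/ClientWebService/Client.asmx?singleWsdl"
$wsdl      = (Invoke-WebRequest -Uri $wsdlUrl -UseBasicParsing).Content
$endpoints = [regex]::Matches($wsdl, 'location="([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
$plain     = $endpoints | Where-Object { $_ -like 'http://*' }
if ($plain) {
    throw "WSDL still advertises plain-http endpoints:`n$($plain -join "`n")"
}
Write-Host "OK: all $($endpoints.Count) endpoints in the WSDL are https."
Write-Host "Set the GPO 'Specify intranet Microsoft update service location' to https://${Fqdn}:$Port"
```

Run it once after the server is built and again after any WSUS servicing update; the final WSDL check is the quickest way to tell whether a change has reverted the client-facing URLs to http, which is the symptom Stefan hit on 8531.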