Sunday, January 20, 2013 4:41 PM
We have WSUS running on Windows Server 2k8R2 as part of SCE2010. Recently synchronisations with update.microsoft.com have been failing (i.e., WSUS isn't downloading new updates - this is nothing to do with clients updating themselves from WSUS).
A little investigation showed that we couldn't reach update.microsoft.com in IE until we enabled TLS versions greater than 1.0 (it worked fine in other browsers). A packet capture shows that WSUS tries https://update.microsoft.com via TLS 1.0 - after seeing this TLS version in the SSL client hello, the server sends a TCP RST and closes the connection.
It would seem that, from these observations, https://update.microsoft.com requires TLS versions > 1.0, and WSUS isn't meeting this requirement.
Is this correct? How can I force WSUS to use TLS 1.1 or 1.2?
Sunday, January 20, 2013 10:17 PM
The error reported by WSUS ties up nicely with the observations from the packet capture:
WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object parameters)
at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
How can I force the TLS version used by WSUS to be > 1.0?
Tuesday, January 22, 2013 1:28 AMModerator
How can I force WSUS to use TLS 1.1 or 1.2?
I am not aware of any such changes, and given that WSUS v3 SP2 is still supported on Windows Server 2003 (which does not have access to the newer versions of TLS), making that change would immediately break every WSUS server installed on Windows Server 2003. So, I suspect this is not a TLS issue, but may be manifesting as a failing SSL connection in the process:
- Have you applied all of the recent patches to the WSUS server? to Windows Server 2008 R2? to SCE2010?
- If you install a fresh WSUS3SP2 on Win2008R2, with all of the OS and WSUS patches, can you reproduce the issue?
- Have you investigated all of the intervening devices between the WSUS server and the Internet. Are you sure the TCP RST is coming from update.microsoft.com, and not from something in between?
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
- Marked As Answer by Clarence ZhangModerator Thursday, January 31, 2013 2:49 AM