Update files always downloaded via HTTP

  • Question

  • Hi,

    We have enabled SSL on our WSUS server and all clients are now reporting back successfully via the default SSL port 8531. Some clients go through a site firewall so we have enabled 8531 only. These clients are detecting updates but failing to download them; the site firewall is logging lots of denied attempts on port 8530. Is this as expected? In which case I will allow port 8530 as well but I was expecting all traffic to be via SSL 8531.

    Many thanks, Andrew

    Wednesday, January 14, 2015 12:58 PM

Answers

  • This is an expected behavior: WSUS uses SSL for metadata only, not for update files. Update content is secured by signing update files and including the file hash in metadata (which is transferred over HTTPS).


    Gleb.

    • Marked as answer by Andrew Raison Thursday, January 15, 2015 11:55 AM
    Wednesday, January 14, 2015 2:28 PM
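
The integrity model described in the answer above (file fetched over plain HTTP, checked against a hash that arrived over HTTPS, plus a signature on the file), as an added PowerShell example that is not part of the thread and is not WSUS or Windows Update Agent code. `Test-UpdatePayload`, the base64 digest format and the sample file are assumptions constructed for illustration.

```powershell
# Added example; not WSUS / Windows Update Agent code.
function Test-UpdatePayload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Digest received over the trusted (HTTPS) channel; base64 is an assumed format
        [Parameter(Mandatory)] [string] $ExpectedDigestBase64,
        [ValidateSet('SHA1', 'SHA256')] [string] $Algorithm = 'SHA256',
        # Skip the Authenticode check (needed for the unsigned constructed sample below)
        [switch] $SkipSignature
    )

    # Get-FileHash returns hex, so convert the trusted digest from base64 to hex
    $expectedBytes = [System.Convert]::FromBase64String($ExpectedDigestBase64)
    $expectedHex   = [System.BitConverter]::ToString($expectedBytes) -replace '-', ''
    $actualHex     = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    $hashOk        = ($actualHex -eq $expectedHex)   # string -eq is case-insensitive

    $sigStatus = 'Skipped'
    if (-not $SkipSignature) {
        $sigStatus = (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
    }

    [pscustomobject]@{
        Path      = $Path
        HashMatch = $hashOk
        Signature = $sigStatus
        # Accept only if the hash matches and the signature is valid (unless skipped)
        Accept    = $hashOk -and ($SkipSignature -or $sigStatus -eq 'Valid')
    }
}

# Constructed sample: a file standing in for content downloaded over HTTP (port 8530)
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-update.bin'
$bytes  = [System.Text.Encoding]::ASCII.GetBytes('constructed update payload')
[System.IO.File]::WriteAllBytes($sample, $bytes)

# Constructed stand-in for the digest carried in metadata over HTTPS (port 8531)
$sha     = [System.Security.Cryptography.SHA256]::Create()
$trusted = [System.Convert]::ToBase64String($sha.ComputeHash($bytes))

# Unmodified file: the hash check passes
Test-UpdatePayload -Path $sample -ExpectedDigestBase64 $trusted -SkipSignature

# File altered on the HTTP leg: the hash check fails and the file is rejected
[System.IO.File]::AppendAllText($sample, 'X')
Test-UpdatePayload -Path $sample -ExpectedDigestBase64 $trusted -SkipSignature
```

Without `-SkipSignature`, the function also requires `Get-AuthenticodeSignature` to report `Valid` for the file.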
  • In which case I will allow port 8530 as well but I was expecting all traffic to be via SSL 8531.

    If you were expecting all traffic to be via SSL, then you've probably also misconfigured the WSUS server itself. While opening the port will certainly be required, removing SSL requirements from the appropriate v-dirs will also be required.

    The correct configuration for using SSL with WSUS is documented in the WSUS Deployment Guide:

    Secure WSUS with the Secure Sockets Layer Protocol


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by Steven_Lee0510 Thursday, January 29, 2015 3:26 PM
    Wednesday, January 14, 2015 8:34 PM

All replies

  • Thank you both for your responses.

    I had only enforced SSL on the correct v-dirs as per the documentation and will now allow the port 8530 through our firewalls as well.

    Thursday, January 15, 2015 11:59 AM