locked
WSUS Clients - 0x80244019 RRS feed

  • Question

  • Hi,

    We have a brand new WSUS Server on 2016 Standard. We use SSL so added the cert, changed the port to https default (443) and set the host header (we use update.domain.com as our URL in the GPO (we have split-DNS) so external clients still communicate), followed the guidance of which virtual directories required SSL and did the wsusutil command. This went ok and clients are communicating with WSUS. However when a client did an update it would get to 0% and fail with 0x80244019:

    WU_E_PT_HTTP_STATUS_NOT_FOUND
    HTTP 404 - the server cannot find the requested Uniform Resource Identifier (URI).

    The only way that seemed to fixed this was by putting the default website at a custom port for http, set the WSUS website to 80 and add the same host header. Now they get past 0% and onto 'preparing to install updates'. We have no other web services running on the WSUS server.

    I don't know if this is by design because of our exact implementation of SSL and URL, but hopefully someone can confirm what's what.

    Thanks

    Friday, October 19, 2018 9:06 AM

Answers

  • WSUS uses 2 ports, much like FTP with 20/21 for the data and command port. HTTPS is the 'command' port and HTTP is like the data port where the actual updates get pulled from.

    BTW, when you modified the ports - did you do it in IIS or did you run wsusutil?

    if you modified the ports in IIS directly, modify them back to 8530/8531 and then:

    From an Admin Command Prompt on the WSUS Server

    "C:\Program Files\Update Services\Tools\wsusutil.exe" usecustomwebsite off

    This will properly do the necessary changes to switch WSUS to using port 80/443.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    • Marked as answer by Lanky Doodle Tuesday, October 23, 2018 2:44 PM
    Saturday, October 20, 2018 4:11 AM

All replies

  • WSUS uses 2 ports, much like FTP with 20/21 for the data and command port. HTTPS is the 'command' port and HTTP is like the data port where the actual updates get pulled from.

    BTW, when you modified the ports - did you do it in IIS or did you run wsusutil?

    if you modified the ports in IIS directly, modify them back to 8530/8531 and then:

    From an Admin Command Prompt on the WSUS Server

    "C:\Program Files\Update Services\Tools\wsusutil.exe" usecustomwebsite off

    This will properly do the necessary changes to switch WSUS to using port 80/443.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    • Marked as answer by Lanky Doodle Tuesday, October 23, 2018 2:44 PM
    Saturday, October 20, 2018 4:11 AM
  • I did them in IIS. I did the wsusutil configuresll update.domain.com:443 command though.

    I've just done that command now though. Slight correction: [on|off] are not valid parameters. Needs to be [true|false]

    Can I delete the WSUS website now?

    Monday, October 22, 2018 9:36 AM
  • I'm not sure what WSUS Website you're referring to. Screenshots? Everything should have been taken care of with the wsusutil command (sorry about the on/off instead of true/false- I did that from memory)

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, October 22, 2018 4:47 PM
  • Hello,
     
    By default, when installing WSUS, it would set a WSUS Administration in IIS, and use port 8530 for http. So if SSL is enabled, WSUS would use 8531 for https.
     
    So i am confused why you use port 443 for https. Please double check your setting for SSL. Maybe some screenshots would be helpful as Adam mentioned.
     
    Best Regards,
    Ray

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 23, 2018 2:30 AM
  • AJTek: You know the default for WSUS is not the Default Web Site, it's WSUS Administration. Now I have done the usecustomwebsite false command it moves everything out of that and puts it all in Default Web Site. But it leaves WSUS Administration website, although empty. So may as well delete it.

    Ray: 443 is obviously the standard port for https. It saves me having to configure https://update.domain.com:8531 everywhere (especially for inbound requests for external clients on the firewall). I can just use https://update.domain.com now.

    I don't have and never will have other websites on this server so I have no reason to use the custom ports or even custom website. I don't know why this is the default - it should be selectable during install.



    Tuesday, October 23, 2018 2:42 PM