W2016 WSUS Enterprise Firewall Client Zone Exceptions

  • Question

  • Hello,

    For W2016 WSUS using port 8530, are there Enterprise firewall inbound-to-client-zone exceptions needed that were not needed in previous WSUS versions using port 80?  I'm getting a (0x8024401c) no connection error from clients.

    I tested access to the server via a W10 client with URL http://my.server.com:8530/selfupdate/wuident.cab and I am not prompted to accept the download.  I can initiate the download prompt when calling that URL from the server's browser, and I see Wireshark TCP and TLS1.2 traffic between my test client and the Server but only SYN packets and no SYN/ACK.  Windows firewall is deactivated by a GPO and Symantec Firewall is used instead.  However, I've deactivated it while testing.  I've also uninstalled WSUS and reinstalled it through the server management console (it retained the computer groups and update info).

    I read someone else's Stack Exchange post that "The IANA/RFC specifies ephemeral ports TCP 49152 through 65535 open for WSUS to be able to connect back to clients from a W2016 Server, so open that port range from the WSUS server to the client subnet object".  Is this true?  If this is not the issue, I could use some good troubleshooting tips.

    Thanks


    • Edited by ksdst1 Friday, April 19, 2019 12:36 PM
    Wednesday, April 17, 2019 6:51 PM

All replies

  • Update: it turns out that the tcp/8530 firewall port exception request was not completed on the Enterprise firewall.  Once that was done things worked, so "ephemeral ports TCP 49152 through 65535 open for WSUS to be able to connect back to clients from a W2016 Server" is not needed.

    Tnx

    Friday, April 26, 2019 1:33 PM
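
A client-side check for the situation in this thread, added here as an example and not posted by anyone in the thread: it separates a blocked tcp/8530 path from a WSUS/IIS problem by testing name resolution, the TCP handshake and the `/selfupdate/wuident.cab` request in turn. `my.server.com` is the placeholder host from the question, and the function name `Test-WsusPath` is made up for this example.

```powershell
# Added example: run on a WSUS client to see where the connection fails.
param(
    [string]$WsusHost = 'my.server.com',   # placeholder from the question; replace it
    [int]$Port = 8530                      # WSUS HTTP port discussed in the thread
)

function Test-WsusPath {
    param([string]$WsusHost, [int]$Port)

    $result = [ordered]@{
        Host = $WsusHost; Port = $Port
        DnsResolved = $false; TcpConnected = $false
        HttpStatus = $null; Diagnosis = $null
    }

    # Step 1: name resolution. A failure here has nothing to do with port rules.
    try {
        [void][System.Net.Dns]::GetHostAddresses($WsusHost)
        $result.DnsResolved = $true
    } catch {
        $result.Diagnosis = 'DNS lookup failed; fix name resolution first.'
        return [pscustomobject]$result
    }

    # Step 2: TCP handshake only. This is the step a missing firewall exception breaks.
    $tcp = Test-NetConnection -ComputerName $WsusHost -Port $Port -WarningAction SilentlyContinue
    $result.TcpConnected = [bool]$tcp.TcpTestSucceeded
    if (-not $result.TcpConnected) {
        $result.Diagnosis = "TCP connect to port $Port failed. If a capture shows SYN with no SYN/ACK, a firewall on the path is dropping tcp/$Port."
        return [pscustomobject]$result
    }

    # Step 3: HTTP request for the file used as a test in the question.
    $uri = "http://${WsusHost}:$Port/selfupdate/wuident.cab"
    try {
        $resp = Invoke-WebRequest -Uri $uri -Method Head -UseBasicParsing -TimeoutSec 15
        $result.HttpStatus = [int]$resp.StatusCode
        $result.Diagnosis = 'Port is open and the WSUS site answers.'
    } catch {
        # An HTTP error status still proves the network path is open.
        if ($_.Exception.Response) { $result.HttpStatus = [int]$_.Exception.Response.StatusCode }
        $result.Diagnosis = 'TCP connects but the HTTP request failed; check IIS/WSUS on the server, not the network path.'
    }
    [pscustomobject]$result
}

Test-WsusPath -WsusHost $WsusHost -Port $Port | Format-List
```

All three steps are outbound connections from the client to the server, which is the only direction the fix in this thread required.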