DMZ Hosts Management via Internal WSUS Server

  • Question

  • Greetings, 

    I have an internal WSUS server that is working just fine in managing and deploying patches to internal servers. I'm looking to see how I can have DMZ servers that aren't part of the domain but in a workgroup environment also be managed by the internal WSUS server. I tried to import the registry keys from an internal server that is managed by the internal WSUS server to the DMZ servers, and I've opened up SSL on port 8531, but it's not communicating with the internal server. I can telnet to the internal WSUS server via that port just fine.

    I'm getting error code 80072F8F. I've checked the date and time and it's correct with the WSUS server. What else should I be looking for?


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001
    "ElevateNonAdmins"=dword:00000000
    "AcceptTrustedPublisherCerts"=dword:00000000
    "WUServer"="https://ATW-CYR-RT:8531"
    "WUStatusServer"="https://ATW-CYR-RT:8531"
    "TargetGroupEnabled"=dword:00000001
    "TargetGroup"="Hou-CriticalApps-Servers"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAUShutdownOption"=dword:00000001
    "AlwaysAutoRebootAtScheduledTime"=dword:00000001
    "AlwaysAutoRebootAtScheduledTimeMinutes"=dword:0000001e
    "DetectionFrequencyEnabled"=dword:00000001
    "DetectionFrequency"=dword:0000000c
    "EnableFeaturedSoftware"=dword:00000000
    "AutoInstallMinorUpdates"=dword:00000001
    "IncludeRecommendedUpdates"=dword:00000001
    "NoAutoRebootWithLoggedOnUsers"=dword:00000001
    "RebootRelaunchTimeoutEnabled"=dword:00000001
    "RebootRelaunchTimeout"=dword:0000000a
    "RebootWarningTimeoutEnabled"=dword:00000001
    "RebootWarningTimeout"=dword:00000005
    "RescheduleWaitTimeEnabled"=dword:00000001
    "RescheduleWaitTime"=dword:0000001e
    "UseWUServer"=dword:00000001
    "NoAutoUpdate"=dword:00000000
    "AUOptions"=dword:00000004
    "AutomaticMaintenanceEnabled"=dword:00000001
    "ScheduledInstallDay"=dword:00000006
    "ScheduledInstallTime"=dword:00000003


    • Edited by VanLy Monday, July 6, 2015 9:29 PM
    Monday, July 6, 2015 9:28 PM

Answers

  • without SSL I can confidently say no, nothing else is required but port 8530 as I am doing that today with a bunch of Workgroup machines reporting back to my WSUS server in an AD domain.

    with SSL...I don't know if importing the cert is enough, maybe you need to add the DMZ server to web.config - if you initially secured WSUS using the official documentation:

    https://technet.microsoft.com/en-us/library/dd939849%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    another question about DNS, can it resolve the WSUS server using the FQDN?  I assume your certificate is expecting FQDN

    you may need to add the domain suffix to your DMZ server's network name


    • Edited by armin19 Tuesday, July 7, 2015 5:18 PM
    • Proposed as answer by Steven_Lee0510 Friday, August 7, 2015 3:11 AM
    • Marked as answer by Steven_Lee0510 Sunday, August 9, 2015 4:08 PM
    Tuesday, July 7, 2015 5:17 PM
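The checks the thread circles around (name resolution, port reachability, certificate trust, certificate name, clock) can be run from the DMZ host in one go. The script below is an added example, not code from the original posts; it assumes the WSUS policy keys shown in the question are already imported, and it runs from an elevated PowerShell prompt on the workgroup host. The function name Test-WsusClientTls is made up for this example. 0x80072F8F is WinINet's ERROR_INTERNET_SECURE_FAILURE, which the update agent returns for any server certificate validation failure: untrusted chain, name mismatch, or a validity period that does not include the client's clock, so the same error covers several of the causes the answers mention.

```powershell
# Added diagnostic example (not from the original thread). Assumes the WSUS client policy
# keys from the question are already in place; run from an elevated PowerShell prompt.
function Test-WsusClientTls {
    param(
        # Default to the exact WUServer value the update agent will use.
        [string]$WUServer = (Get-ItemProperty `
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -Name WUServer).WUServer
    )

    $uri  = [Uri]$WUServer
    $name = $uri.Host
    $port = $uri.Port
    "WUServer = $WUServer (scheme=$($uri.Scheme), host=$name, port=$port)"

    # 1. Name resolution. A hosts-file entry that lets ping work is not enough on its own:
    #    the name used here is also the one that must appear in the server certificate.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object IPAddressToString
        "DNS: $name -> $($addrs -join ', ')"
    } catch {
        "FAIL DNS: $name does not resolve: $($_.Exception.Message)"; return
    }

    # 2. TCP reachability (8531 for SSL, 8530 for plain HTTP). Same as the telnet test.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($name, $port); "TCP: ${name}:$port reachable" }
    catch { "FAIL TCP: ${name}:$port unreachable: $($_.Exception.Message)"; return }

    if ($uri.Scheme -ne 'https') { "Plain HTTP configured; no certificate to check."; return }

    # 3. TLS handshake, capturing what the OS validator thinks of the server certificate.
    #    The agent reports 0x80072F8F (ERROR_INTERNET_SECURE_FAILURE) when this fails.
    $seen = @{}
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $seen.Errors = $errors
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        $true   # accept anything here so the result can be reported; never do this in production code
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try { $ssl.AuthenticateAsClient($name) }
    catch { "FAIL TLS: handshake error: $($_.Exception.Message)" }
    finally { $ssl.Dispose(); $tcp.Close() }
    if (-not $seen.Cert) { return }

    $c = $seen.Cert
    "Validator result : $($seen.Errors)"   # 'None' means the update agent would accept it
    "Cert subject     : $($c.Subject)"
    "Cert SANs        : $($c.DnsNameList.Unicode -join ', ')"
    "Cert validity    : $($c.NotBefore) .. $($c.NotAfter)  (client clock: $(Get-Date))"
    "Issuer           : $($c.Issuer)"

    # 4. Name check: the host part of WUServer must match the CN or a SAN exactly.
    #    A short NetBIOS name in WUServer will not match a certificate issued to the FQDN.
    $names = @($c.DnsNameList.Unicode) + $c.GetNameInfo('DnsName', $false)
    if ($names -notcontains $name) {
        "FAIL NAME: '$name' is not a name on the certificate; put the certificate's FQDN in WUServer and WUStatusServer"
    }

    # 5. Chain check against this machine's stores. The update service runs as LocalSystem,
    #    so the issuing root has to be in Cert:\LocalMachine\Root, not the current user's store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($c)
    foreach ($s in $chain.ChainStatus) { "CHAIN: $($s.Status) - $($s.StatusInformation.Trim())" }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    "Root '$($root.Subject)' present in LocalMachine\Root: $inMachineRoot"
}

Test-WsusClientTls
# Once every check above passes, force a detection cycle and re-check the WSUS console:
# (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

Reading the output: a validator result of RemoteCertificateNameMismatch with the chain otherwise clean points at the short-name-versus-FQDN problem the answer raises, while RemoteCertificateChainErrors with a root not present in LocalMachine\Root means the CA certificate was imported into the wrong store. If both are clean and the agent still logs 80072F8F, compare the certificate validity window against the client clock shown on the same line.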

All replies

  • Hi,

    Does the host trust the certificate of the WSUS server? Please try to install the root certificate into Trusted Root Certification Authorities on the host.

    Best Regards.


    Steven Lee

    Tuesday, July 7, 2015 7:33 AM
  • Yes,

    I imported the enterprise cert to the hosts into the trusted root CA store. Still no luck afterwards. I've searched that error and it points to a date and time issue supposedly with the cert, but since it's trusted I don't see why it's an issue now at all. I can sync to an NTP source just fine also, so I'm at a loss at this point.

    Tuesday, July 7, 2015 1:53 PM
  • you're sure the DNS name of the WSUS server resolves correctly on the DMZ servers?

    if these DMZ servers have gone unpatched for some time, you may need to manually update the windows update agent on them and try again.

    do the DMZ servers appear in the WSUS console or you're not getting that far?

    Tuesday, July 7, 2015 2:38 PM
  • Yes,

    I've added the WSUS server to the DMZ server's hosts file and I can ping the WSUS server via IP or host name just fine. I have one server that is in the DMZ and it can communicate with the internal WSUS server no problem with the same port configuration, etc. The only difference is that this particular server is domain joined; is there some sort of AD communication that needs to happen for this to work?

    Tuesday, July 7, 2015 4:51 PM