Internet Based Software Update Point and WSUS on Port 443

  • Question

  • Scenario.

    Intranet based Primary site with SUP/WSUS installed with default ports 8530/8531. Works great for intranet clients. Configured with http/https.

    Clients on the network get policy fine and the WSUS metadata catalogue. If the client then goes into "Internet" mode by being on a home user internet connection after a catalogue update, it will obtain the updates quite happily from the Internet Based DP as it has the new catalogue from the Intranet WSUS/SUP. This is OK for clients that do connect to VPN; however, we have a lot of clients that do not connect to VPN due to security restrictions/end user habits. I can also deploy software to the "Internet" clients no problem using the IBCM as described below.

    We also have an IBCM server with DP/MP roles installed in the DMZ using standard ports, and these roles are working.

    There is a Firewall between Intranet and DMZ IBCM server as you would expect.

    Is it possible to install another Windows 2012r2 server in the DMZ and only install the SUP/WSUS role using port 80/443, with WSUS sharing the upstream WSUS server for the catalogue, or should I use the default database and synchronise between the Intranet/Internet servers? As 443 is the only port we can use on the IBCM server, is this possible?

    I have read that 8531 still needs to be open for WSUS to sync correctly with its upstream WSUS server; is this true?

    Can I install an SUP/WSUS role on 443 and communicate/sync with my intranet which is using 8530/8531?

    Any help greatly appreciated. I have asked a similar question which didn't quite answer this fully.

    thanks in advance


    many thanks

    Wednesday, August 19, 2015 9:12 AM

Answers

  • I would start by looking at the log files. Related to the installation look at SUPSetup.log, and related to the configuration look at WCM.log.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    • Proposed as answer by Joyce L Wednesday, September 9, 2015 3:07 AM
    • Marked as answer by Joyce L Thursday, September 10, 2015 3:16 AM
    Saturday, September 5, 2015 6:58 AM
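    As an added example (not code from the thread or from the blog linked above), the following PowerShell reads the CMTrace-format entries that WCM.log and SUPSetup.log are written in, lists only warnings and errors, and probes a WSUS port to show whether the SSL binding answers. The log folder, the host name dmz-wsus01.example.com and the sample log lines are assumptions constructed for the example.

```powershell
# Added example, not from the thread. Filters CMTrace-format ConfigMgr log entries
# (WCM.log / SUPSetup.log) down to warnings and errors, then probes a WSUS endpoint.
# Assumptions: default ConfigMgr log folder; constructed sample lines; Windows 2012 R2+ cmdlets.

function Get-CMTraceIssue {
    param([string[]]$Lines)
    # CMTrace line shape: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    # type 1 = info, 2 = warning, 3 = error; only 2 and 3 are returned.
    $re = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)".*?\stype="(?<type>\d)"'
    foreach ($line in $Lines) {
        if ($line -match $re -and [int]$Matches.type -ge 2) {
            $severity = if ($Matches.type -eq '3') { 'Error' } else { 'Warning' }
            [pscustomobject]@{
                Date = $Matches.date; Time = $Matches.time; Component = $Matches.comp
                Severity = $severity; Message = $Matches.msg
            }
        }
    }
}

function Test-WsusEndpoint {
    # TCP check on the WSUS port, then a GET against the WSUS client web service so that
    # certificate / SSL-binding problems surface as an exception message rather than a timeout.
    param([string]$ComputerName, [int]$Port = 8531, [switch]$UseSsl)
    $scheme = if ($UseSsl) { 'https' } else { 'http' }
    $url    = "${scheme}://${ComputerName}:${Port}/ClientWebService/client.asmx"
    $tcp    = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    $status = 'not tested (TCP port closed)'
    if ($tcp.TcpTestSucceeded) {
        try   { $status = (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15).StatusCode }
        catch { $status = $_.Exception.Message }
    }
    [pscustomobject]@{ Url = $url; TcpOpen = $tcp.TcpTestSucceeded; Http = $status }
}

# Constructed sample entries (not copied from a real server); the second one is an error.
$sample = @(
    '<![LOG[Checking for supported version of WSUS]LOG]!><time="13:00:01.000+000" date="09-04-2015" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="1" thread="4212" file="wsusconfiguration.cpp:100">',
    '<![LOG[Failed to connect to WSUS server dmz-wsus01.example.com on port 443 over SSL]LOG]!><time="13:00:03.000+000" date="09-04-2015" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="3" thread="4212" file="wsusconfiguration.cpp:120">'
)
Get-CMTraceIssue -Lines $sample | Format-Table -AutoSize

# On a site server, run the same filter over the tail of the real logs (assumed default path).
$logDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'
foreach ($log in 'WCM.log', 'SUPSetup.log') {
    $path = Join-Path $logDir $log
    if (Test-Path $path) { Get-CMTraceIssue -Lines (Get-Content $path -Tail 500) | Format-Table -AutoSize }
}
# Probe the DMZ WSUS on 443 with SSL (assumed host name):
# Test-WsusEndpoint -ComputerName 'dmz-wsus01.example.com' -Port 443 -UseSsl
```

    Run it on the site server as an account that can read the ConfigMgr log folder; the endpoint probe only needs outbound access to the WSUS port being tested.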

All replies

  • I don't think I completely follow your story. Clients connected via VPN don't use your Internet-facing site servers, but your intranet site servers. That being said, about your question, WSUS can also be installed on port 443, but the best practice is to use the default of 8531. Installing it on port 443 might cause it to interfere with other applications running on that port. Also, the software update point will synchronize with the software update point that was installed first in your site.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Wednesday, August 19, 2015 10:25 AM
  • Hi Peter,

    Apologies for any confusion,

    This solution is for "internet" based clients contacting a WSUS/SUP in the DMZ that is using 80/443, which is the only role installed. These clients do not use VPN to connect to the internal network very often, and we are not using Direct Access or any other method for the clients to obtain group policies (the other SCCM roles will be on 2012r2 servers) when the main site is configured with 8530/8531, so clients can go from Intranet to Internet quite often.

    regards


    many thanks

    Wednesday, August 19, 2015 3:38 PM
  • Well, you can still install WSUS on port 443 and configure the software update point to use port 443 for connecting to that WSUS. Just keep in mind, like I mentioned before, that the best practice is to use port 8531. Especially when that server already uses port 443 for other applications (like ConfigMgr).

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    • Proposed as answer by Joyce L Friday, September 4, 2015 5:52 AM
    • Unproposed as answer by Joyce L Wednesday, September 9, 2015 3:07 AM
    Wednesday, August 19, 2015 5:38 PM
  • Thanks for the advice. The simple reason for 443 is that the firewall threat management software only allows 443 through, and the server will only have 1 role installed, so 443 should not interfere.

    many thanks

    Simon


    many thanks

    Thursday, August 20, 2015 7:30 AM
  • Thanks Peter,

    I still can't get the WSUS/SUP installed on a separate server with SSL running. I can get it installed without SSL and using port 443, so I need to do some more investigation on why it is failing.

    Are there any specific guides on installing SUP/WSUS on a separate server using SSL/Port 443, as I am finding it difficult to work? Although I think it is a perms and cert issue, I need to read some logs, but if anyone has some info that would be great.

    Currently the WSUS console cannot connect to the database....


    many thanks

    Friday, September 4, 2015 1:00 PM