none
SUP problem wiht IBCM?

    Question

  • Hi,

    I'm having some problems with IBCM and software updates/WSUS/FEP. SCCM servers (2007 SP2 R3) are setup to service both intranet and internet clients (with ISA 2006 SSL Bridging).

    "SCCM Server 1" is running MP/DP and "SCCM server 2" is running WSUS/SUP.

    In addition FEP 2010 is installed and clients are downloading definition updates from the WSUS server running on "SCCM Server 2".

    FEP signature update is working for intranet clients but not for clients connected through the ISA server.

     

    There are a lot of DMZ Workgroup servers that are setup as "internet allways" in SCCM and have installed the FEP agent but I can't get them to download the signature updates.

     

    When I look at the the logfiles on a machine with this problem the cause seems to be that the WUA agent tries to contact the WSUS server with it's intranet name ("http://intranet.wsus.local") and HTTP, not the internet name ("https://internet.wsus.com"). When I look in the registry of the machine the WSUS server is set correctly, pointing to the Web listner on the ISA ("https://internet.wsus.com")

     

    I have tried to manually create a BITS job to download files from the WSUS server on the machine by using Bitsadmin.exe and the correct https internet address. This is working ok, so I know it's not a connection issue.

     

    Here is what the WindowsUpdate.log file looks like on a client

     

    2011-12-12        14:50:17:340         968        13f0        DnldMgr        ***********  DnldMgr: New download job [UpdateId = {0583ECCE-B7A4-4D2A-81CE-8E26A8269935}.100]  ***********

    2011-12-12        14:50:19:668         968        13f0        DnldMgr          * BITS job initialized, JobId = {86A25CED-55A1-42D5-9161-84F1206B96DC}

    2011-12-12        14:50:19:683         968        13f0        DnldMgr          * Downloading from http://<intranet.wsus.local>/Content/9C/CE52B8F9D47E57DBCCE8AE762E01AA4453A6A79C.exe to C:\WINDOWS\SoftwareDistribution\Download\ccd05aebe8f9a5879e0a07374874d2b7\ce52b8f9d47e57dbcce8ae762e01aa4453a6a79c (full file).

    2011-12-12        14:50:19:683         968        13f0        DnldMgr        ***********  DnldMgr: New download job [UpdateId = {12ECB5B4-3823-4A0F-AC1F-35D657C1F916}.100]  ***********

    2011-12-12        14:50:19:699         968        13f0        DnldMgr          * BITS job initialized, JobId = {C99DB405-E4DA-488D-B513-02FA3E38901B}

    2011-12-12        14:50:19:715         968        13f0        DnldMgr          * Downloading from http://<intranet.wsus.local>/Content/90/E758C40EB64A6364055A884E7463631A26EFCB90.exe to C:\WINDOWS\SoftwareDistribution\Download\ad50c28490aff73eb148fa350d46da02\e758c40eb64a6364055a884e7463631a26efcb90 (full file).

    2011-12-12        14:50:19:715         968        13f0        DnldMgr        ***********  DnldMgr: New download job [UpdateId = {542085BC-BAAC-4679-8868-25D8A9E91BB6}.100]  ***********

    2011-12-12        14:50:19:730         968        13f0        DnldMgr          * BITS job initialized, JobId = {F8351A34-37E6-45DB-A816-00D0BCD20915}

    2011-12-12        14:50:19:730         968        13f0        DnldMgr          * Downloading from http://<intranet.wsus.local>/Content/CF/D97892BE3DA38C9F8AE1E343A1D07BEEAA2D3FCF.exe to C:\WINDOWS\SoftwareDistribution\Download\76d063149668846905f30d5b57ee1ada\d97892be3da38c9f8ae1e343a1d07beeaa2d3fcf (full file).

    2011-12-12        14:50:19:730         968        13f0        DnldMgr        ***********  DnldMgr: New download job [UpdateId = {839323EB-31A6-4E0B-ABB0-ABCAD258C666}.100]  ***********

    2011-12-12        14:50:19:746         968        13f0        DnldMgr          * BITS job initialized, JobId = {F46C4C6C-4C59-458A-ADE5-2CCB904E7BE4}

    2011-12-12        14:50:19:762         968        13f0        DnldMgr          * Downloading from http://<intranet.wsus.local>/Content/45/9E2D5F929B8F3055F29901FA2374DDA059E4EA45.exe to C:\WINDOWS\SoftwareDistribution\Download\ef8a73acce462a89f7375e1f4cf12515\9e2d5f929b8f3055f29901fa2374dda059e4ea45 (full file).

    2011-12-12        14:50:19:762         968        13f0        Agent        *********

    2011-12-12        14:50:19:762         968        13f0        Agent        **  END  **  Agent: Downloading updates [CallerId = AutomaticUpdates]

    2011-12-12        14:50:19:762         968        13f0        Agent        *************

    2011-12-12        14:50:32:184         968        5c0        AU        Launched new AU client for directive 'Download Progress', session id = 0x1

    2011-12-12        14:50:32:199        4592        f38        Misc        ===========  Logging initialized (build: 7.4.7600.226, tz: +0100)  ===========

    2011-12-12        14:50:32:199        4592        f38        Misc          = Process: C:\WINDOWS\system32\wuauclt.exe

    2011-12-12        14:50:32:199        4592        f38        AUClnt        Launched Client UI process

    2011-12-12        14:50:32:215        4592        f38        Misc        ===========  Logging initialized (build: 7.4.7600.226, tz: +0100)  ===========

    2011-12-12        14:50:32:215        4592        f38        Misc          = Process: C:\WINDOWS\system32\wuauclt.exe

    2011-12-12        14:50:32:215        4592        f38        Misc          = Module: C:\WINDOWS\system32\wucltui.dll

    2011-12-12        14:50:32:215        4592        f38        CltUI        AU client got new directive = 'Download Progress', serviceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0x00000000

    2011-12-12        14:50:32:215        4592        f38        CltUI        AU client creating default WU/WSUS UI plugin

    2011-12-12        14:50:44:934         968        7d0        DnldMgr        Error 0x80072efd occurred while downloading update; notifying dependent calls.

    2011-12-12        14:51:06:934         968        95c        DnldMgr        Error 0x80072efd occurred while downloading update; notifying dependent calls.

    2011-12-12        14:51:28:918         968        14b0        DnldMgr        Error 0x80072efd occurred while downloading update; notifying dependent calls.

    2011-12-12        14:51:50:871         968        7d0        DnldMgr        Error 0x80072efd occurred while downloading update; notifying dependent calls.

    2011-12-12        14:51:50:871         968        e98        AU        AU checked download status and it changed: Downloading is paused

    2011-12-12        14:51:50:871        4592        f38        CltUI        AU client got new directive = 'Shutdown', serviceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0x00000000

    2011-12-12        14:51:50:980         968        5c0        AU        AU received handle event

     

     

    Does anyone have a clue why the WUA agent will try to connect to the HTTP intranet address and not the HTTPS internet address?

    And where does it even get the name of the intranet address from?

     

    The WindowsUpdate logfile also reports the same problem when update scan cycle is triggered on the SCCM agent.

    2011-12-12        14:30:32:870         968        1700        Misc        WARNING: WinHttp: SendRequestUsingProxy failed for <http://<intranet.wsus.local>/Content/87/94ABE7D9A36E38E87EEB49D81699059DF1879A87.txt>. error 0x80072efd

     

    (Guess is that this is EULA text file)

    Apart from this the SCCM agent seems to be working ok.

     

    I know I can setup FEP agents to download definition updates useing the SCCM distribution point, but I would still like to figure out if it's possible to do this using WSUS.

     

     Any help suggestions would be appreciated.

    Best Regards,

    GeirO

     

    • Moved by Carol BaileyMicrosoft employee Friday, January 27, 2012 6:46 AM Although native mode, specific to software updates/FEP (From:Configuration Manager Internet Clients and Native Mode)
    Tuesday, December 13, 2011 8:56 PM

All replies

  • Check to make sure the folder in question exists please.  Sometimes for the internet based content servers the content files are not move and you must move it yourself.  Also many times I ignore the http/https notice because in native mode many times it will say http but it really is running over https.

    Make sure you can telnet to the 443 or 8532 port or whatever you are using for both http and https.  If you get a blank screen then there is a connection and not a firewall issue.

    Also there are many posts on ISA servers and native mode, passing the certificate through it and making sure ISA isn't blocking something.


    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    Monday, January 02, 2012 12:26 AM
  • Make sure you can telnet to the 443 or 8532 port or whatever you are using for both http and https.  If you get a blank screen then there is a connection and not a firewall issue.

     

    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    it should be 8531 not the 8532...
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Click on "vote as Helpful" if you feel this post helpful to you. This can be beneficial to other community members reading the thread.
    Monday, January 02, 2012 8:08 AM
  • WSUSutil.exe is a tool that you can use to manage your WSUS server from the command line. WSUSutil.exe is located in the%drive%\Program Files\Update Services\Tools folder on your WSUS server. 

    run below command 

    wsusutil.exe checkhealth

    and see the envents logs for any errors... you should see only information logs.. if you see any errors you have some problem still and you need to configure correctly...

    follow this to configure correctly http://technet.microsoft.com/en-us/library/bb633246.aspx



    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Click on "vote as Helpful" if you feel this post helpful to you. This can be beneficial to other community members reading the thread.
    Monday, January 02, 2012 8:12 AM
  • Thank you for answering, but as I wrote in the original post I dont think it's a connection issue:

    "I have tried to manually create a BITS job to download files from the WSUS server on the machine by using Bitsadmin.exe and the correct https internet address. This is working ok, so I know it's not a connection issue."

     

    The WSUS server server also apears to be healthy.

     

    I guess the question is if the setup of WSUS download of definition updates useing SSL bridging is even supported/possible...

    I found another post regarding FCS which seems to be the a related issue:

    http://social.technet.microsoft.com/Forums/sr-Latn-CS/configmgrsum/thread/10b46228-50e2-4a7a-9185-b1c09c9116ec

     

     

     

    Monday, January 02, 2012 10:13 AM
  •  

        Does anyone have a clue why the WUA agent will try to connect to the HTTP intranet address and not the HTTPS internet address?

     

    The agent is some times not so fast to recognize, that it has moved location (restart smsagent to force it quickly). If the agent never is on the intranet, then you could install it with the allways internet option

     

     

        And where does it even get the name of the intranet address from?

    It gets the adresse from MP_GetWSUSServerLocations. And that again reflects your configuration/setup in site setting (how is your SQL setup?).

    Wednesday, January 18, 2012 10:53 PM
  • Thanks for replying.

    I have now configured FEP Definition Updates useing SCCM and this is working ok for the DMZ servers.

    But to comment on your reply:

    "The agent is some times not so fast to recognize, that it has moved location (restart smsagent to force it quickly). If the agent never is on the intranet, then you could install it with the allways internet option"

    - As mentioned in the original post the SCCM agent on the servers are installed as "allways internet".

     

    "It gets the adresse from MP_GetWSUSServerLocations. And that again reflects your configuration/setup in site setting (how is your SQL setup?)"

    - My understanding is that the SCCM agent sets a local policy pointing the WUA agent to the WSUS server/SUP. When I check the registry of a "problem"-server I can se that this is pointing to the correct "Internet" address on the ISA ("https://internet.wsus.com"). So I was just wondering how the WUA/FEP agent would even know about the internal WSUS server address, as this is not to be found anywhere in registry.

     

     

     

    Thursday, January 26, 2012 11:39 AM
  •  "- My understanding is that the SCCM agent sets a local policy pointing the WUA agent to the WSUS server/SUP. When I check the registry of a "problem"-server I can se that this is pointing to the correct "Internet" address on the ISA ("https://internet.wsus.com"). So I was just wondering how the WUA/FEP agent would even know about the internal WSUS server address, as this is not to be found anywhere in registry."

    You are right. If you confirm it is not in the installparameter, and there are no GPO's or preconfigured local policies, the parameters should only come from MP via policies.

    Purhaps you need to install policy spy, to be sure (I'm sure you can find some help in this forum. I've not worked much with that tool)

    Thursday, January 26, 2012 11:53 AM
  • I'm going to move this thread into the Software Updates forums, where they might have more experience with this setup.

    Friday, January 27, 2012 6:45 AM