WSUS 3.0 SP2 Proxy setting automatically switch off

  • Question

  • Hi,

    Here is our environment: we have this Win 2003 Server Std edition with WSUS 3.0 SP2 installed. It acts as an upstream server for our SCCM 2007 server. It is set to "Synchronize from Microsoft Update", and in the Proxy Server setting, we enabled "use a proxy server when synchronizing". Put in all the proxy details, tested with a manual sync. All completed successfully. SCCM got the updates as well. So all was good.

    Checked the next day, the overnight sync failed, with lots of Windows Server Update Services event 10022 entries logged in the event log. I then checked the proxy setting and found it was switched off!!! Turned it back on again, did a manual sync, all good. The very next day the same thing happened again!

    I don't think this is others in my team playing tricks on me. Can't find any scheduled tasks to disable the proxy either...

    With WSUS, is it using HTTP Win service? Or does it use the settings in IE? I checked HTTP Win Service with the ProxyCfg command and it returns "Direct access (no proxy server)". I didn't set up a proxy in IE either. Could this be the cause?

     

    Sunday, June 19, 2011 11:46 PM

Answers

  • OK, the issue is now resolved. It is not caused by GPO. Instead, it was due to missing Proxy settings in SCCM Software Update Point! After I added the proxy details into the SCCM Software Update Point server configuration, the proxy setting no longer disappears.

    So here is my conclusion: Because our WSUS server is set as upstream update server for SCCM 2007, it has to be configured through SCCM Configure Manager Console, instead of WSUS console. Any changes I made in the WSUS console will eventually be overwritten by settings in SCCM.

    Thanks for the help though. Good to know those useful GPO tools.

    Tuesday, June 28, 2011 3:47 AM

All replies

  • Hi,

     

    Thank you for your post.

     

    I think your problem might be caused by your GPO settings. Please run gpresult /r on your WSUS server to get all of the policies that are applied to your WSUS server, and then review every policy to check if there are any policy settings that would change your configuration.

     

    You could also check your WSUS change.log, which is located at Program Files\Update Services\Logfiles. You could check whether someone else changed your settings back.

     

    Best Regards,

    James

    Monday, June 20, 2011 9:06 AM
    Moderator
  • Here is our environment, we have this Win 2003 server Std edition with WSUS 3.0 SP2 installed. It acts as an upstream server for our SCCM 2007 server.

    Do you mean that this system *IS* the Software Update Point for your ConfigMgr installation,

    or that your ConfigMgr Software Update Point is a Downstream Server of an in-house WSUS server?

    If the latter . . . that configuration in itself may be highly problematic. Software Update Point servers should only be downstream servers of other Software Update Point servers associated with parent ConfigMgr sites; otherwise, your primary SUP should be configured to synchronize directly from Microsoft. Failing to do that introduces a strong possibility that what is configured for the SUP configuration in ConfigMgr *cannot* be serviced by an autonomous upstream WSUS server.

    I then checked the proxy setting and found it was switched off!!! Turned it back on again, did a manual sync, all good. The very next day the same thing happened again!

    This is a classic symptom of the Proxy Configuration being applied by GROUP POLICY and thus overriding your manual configurations.

    With WSUS, is it using HTTP Win service?

    Yes.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, June 20, 2011 4:37 PM
    Moderator
  • I found there is a GPO named WSUS_Server which has settings for Windows Update applied to the WU server. But inside the settings I cannot find option to enable or disable Proxy. The options configured are:

    • Configure Automatic Updates -enabled
    • Specify intranet Microsoft update service location - enabled
    • Allow Automatic Updates immediate installation - disabled
    • No auto-restart with logged on users for scheduled automatic updates installation - enabled

    I have since excluded the WU server from this GPO. Will see if the setting flips back again.

    Wednesday, June 22, 2011 12:09 AM
  • I found there is a GPO named WSUS_Server which has settings for Windows Update applied to the WU server. But inside the settings I cannot find option to enable or disable Proxy.

    That's because those settings are not set in the *WSUS* Group Policy.

    Most likely you have a different GPO which may be setting these settings. This is the type of scenario for which Resultant Set of Policy (RSOP) is the correct tool to use.

    Excluding the WSUS server from that GPO will not accomplish anything, as the WUAgent settings will not change unless another GPO (or Local Policy) is explicitly applied to cause those values to change.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Wednesday, June 22, 2011 6:03 PM
    Moderator
  • Thanks for the response. Tried with RSOP. The only thing I can see related to WSUS is under Computer Configuration -> Administrative templates -> Windows Update. The "Specify intranet Microsoft update service location" is enabled, pointing to the server's local address. I've since changed it to not configured. Didn't make any difference.

    I think the key question for me is which part of the GPO could cause the proxy change? In Windows Update? Or some other place? As Lawrence indicated this is a classic example of a GPO issue, will you be able to tell where in a GPO is the most common place that can cause this proxy change?

    Thursday, June 23, 2011 11:36 PM
  • I think the key question for me is which part of the GPO could cause the proxy change?

    Exactly!

    In order to troubleshoot this problem you need to know:

    • Which proxy settings are being set, or are not being set.
    • Which policy object those settings are coming from.

    The first step is to stop focusing on things "related to WSUS". This is not a WSUS issue, although you found it as a result of trying to use WSUS. This is a Configuration Management issue using Group Policy. You need to go back to the RSOP results and look at ALL of the GPOs being applied, and inspect each one of them for any proxy configuration settings. (Note: This is why it is recommended to use one GPO per purpose -- ideally there's a "Proxy Configuration" GPO in that collection somewhere that will allow you to focus your efforts on that one GPO. More likely, as is often the case, the proxy configuration settings have been put in the Default Domain Policy.)

    Once you've found the GPO affecting the settings, then you can determine whether to edit the policy, exclude the computer(s) from the policy, or create an additional GPO to override those settings.

     


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Friday, June 24, 2011 12:48 PM
    Moderator
  • Because our WSUS server is set as upstream update server for SCCM 2007, it has to be configured through SCCM Configure Manager Console, instead of WSUS console. Any changes I made in the WSUS console will eventually be overwritten by settings in SCCM.

    Well.. yes... this is a true statement.

    Rule number one of a Software Update Point: Do Not Use the WSUS CONSOLE for ANYTHING!!!

    Had you answered my questions that I posted on June 20th, we likely could have resolved this question last week, as I would have readily told you not to configure the S.U.P. from the WSUS console, but your post suggested that we were discussing a standalone WSUS Server, so having no other information to the contrary, I wasn't able to be of much help.

     


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Tuesday, June 28, 2011 9:16 PM
    Moderator
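
The thread turned on finding out when the WSUS proxy setting was being switched off and by what. The script below is an added example, not code from any participant in the thread: it polls the WSUS configuration and the WinHTTP proxy and logs a timestamped line whenever either changes, so each change can be matched against whatever else manages the server. It assumes the WSUS administration API is installed locally; the log path and polling interval are placeholder values.

```powershell
# Added example: log every change to the WSUS proxy settings with a timestamp.
# Assumption: run on the WSUS server, where the administration API assembly is installed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$LogPath  = 'C:\Temp\wsus-proxy-drift.log'   # placeholder: any writable path
$Interval = 300                               # placeholder: seconds between checks

function Get-WsusProxyText {
    # Read the same values the WSUS console shows under "Update Source and Proxy Server".
    try {
        $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
        $config = $wsus.GetConfiguration()
        return 'WSUS UseProxy={0} ProxyName={1} ProxyPort={2}' -f `
            $config.UseProxy, $config.ProxyName, $config.ProxyServerPort
    }
    catch {
        # Keep polling if the WSUS service is restarting or unreachable.
        return 'WSUS unavailable: ' + $_.Exception.Message
    }
}

function Get-WinHttpProxyText {
    # proxycfg.exe is the WinHTTP tool named in the thread (Windows Server 2003).
    if (Get-Command proxycfg.exe -ErrorAction SilentlyContinue) {
        return 'WinHTTP ' + ((& proxycfg.exe | Out-String) -replace '\s+', ' ').Trim()
    }
    return 'WinHTTP proxycfg.exe not found'
}

$previous = $null
while ($true) {
    # One combined state string; a change in either layer produces a new log line.
    $current = (Get-WsusProxyText) + ' | ' + (Get-WinHttpProxyText)
    if ($current -ne $previous) {
        $line = '{0}  {1}' -f (Get-Date -Format 's'), $current
        Add-Content -Path $LogPath -Value $line
        $previous = $current
    }
    Start-Sleep -Seconds $Interval
}
```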