WSUS not working properly with SSL

    Question

  • Hi!

    I have configured an "Internet facing" WSUS With Windows Server 2012 and WSUS With SSL. The WSUS is set up With an external FQDN and corresponding SSL (internal CA signed) certificate.

    I have changed my WSUS GPO and Clients are able to Connect to the WSUS and get their updates (both on the LAN and over the Internet).

    My problem is that since I configured the WSUS for SSL, I can no longer Access it from the MMC on my WSUS server. I also get the error 12012 "The API Remoting Web Service is not working" error in the event log on the server.

    I am, however, able to Connect to the WSUS MMC from another server (2008R2) and I am able to manage the server from there, but I would like to be able to do it from the WSUS server itself also.

    Thanks,

    Robert

    Friday, October 5, 2012 8:25 AM

All replies

  • Remove the server from the console then connect again, but this time use the 443 port option from the drop-down box.


    Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7

    My Blog: www.vkernel.ro/blog

    Friday, October 5, 2012 12:03 PM
  • I have removed the server and tried to re-add it with its public name. I have also checked the SSL box (using port 8531), but am getting the error:

    Cannot Connect to 'UPDATE.DOMAIN.COM'. Please make sure the Post-Installation task is completed successfully in that server. If it was, please verify if the server is using another port or different Secure Sockets Layer (SSL) setting.


    • Edited by Syntetisk Friday, October 5, 2012 12:34 PM
    Friday, October 5, 2012 12:33 PM
  • I am having the exact same problem! I also can't figure out how to for sure change it back to port 80/443 (which I would very much prefer).
    Thursday, October 11, 2012 10:08 AM
  • Reinstall WSUS using the default site, which is running on port 80.

    Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7

    My Blog: www.vkernel.ro/blog

    Thursday, October 11, 2012 10:39 AM
  • Hi,

    What is your current situation? My suggestion would be to log onto this machine using the account with which you started the installation. After the installation and reboot, maybe you didn't log onto the WSUS server to finish the post-installation task? Are there any errors in the event log?

    If there is nothing else to provide, I suggest you try a reinstallation with the remaining DB, LOG files and update files to see whether you can connect locally.

    Regards,

    Clarence

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, October 12, 2012 5:08 AM
    Moderator
  • Hello,

    The error I get in the WSUS server Application log is: Event ID 12012, The API Remoting Web Service is not working.

    Monday, October 22, 2012 6:02 AM
  • I have removed the server and tried to re-add it with its public name. I have also checked the SSL box (using port 8531), but am getting the error:

    Cannot Connect to 'UPDATE.DOMAIN.COM'. Please make sure the Post-Installation task is completed successfully in that server. If it was, please verify if the server is using another port or different Secure Sockets Layer (SSL) setting.


    I am having the same problem. Have tried EVERYTHING. I can get SSL working with WSUS on 2008R2 no problem, so I know that to get it to work on server 2012 must require some level of tweaking. Also, once I enable SSL, even after rolling back changes, I cannot access the server anymore via the MMC (gives the error above)

    I did the following steps to try and get it working (without any luck of course):

    To configure SSL on the WSUS server by using IIS 7.0

    1. On the WSUS server, open Internet Information Services (IIS) Manager.

    2. Expand Sites, and then expand the Web site for the WSUS server. We recommend that you use the WSUS Administration custom Web site, but the default Web site  might have been chosen when WSUS was being installed.

    3. Perform the following steps on the APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories that reside under the WSUS Web site.

      1. In Features View, double-click SSL Settings.
      2. On the SSL Settings page, select the Require SSL checkbox. Ensure that Client certificates is set to Ignore.
      3. In the Actions pane, click Apply.
    4. Close Internet Information Services (IIS) Manager.

    5. Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system>.


    • Edited by hewyii Wednesday, October 24, 2012 1:25 AM
    Wednesday, October 24, 2012 12:18 AM
  • I have removed the server and tried to re-add it with its public name. I have also checked the SSL box (using port 8531), but am getting the error:

    Cannot Connect to 'UPDATE.DOMAIN.COM'. Please make sure the Post-Installation task is completed successfully in that server. If it was, please verify if the server is using another port or different Secure Sockets Layer (SSL) setting.


    If you can connect without SSL using port 8530, then I think you need to add an SSL binding in IIS on port 8531:

    c:\windows\system32\inetsrv\appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:8531:']

    Monday, November 12, 2012 8:46 AM
  • I am not able to connect  w/o SSL, as I have already done the bindings you are asking about, and also required SSL on some of the directories in IIS (as per the deployment guide).


    • Edited by Syntetisk Monday, November 12, 2012 8:49 AM
    Monday, November 12, 2012 8:49 AM
  • Remove WSUS then reinstall using these guides:

    Install WSUS 3.0 on Windows Server 2008 R2

    http://www.vkernel.ro/blog/install-wsus-3-0-on-windows-server-2008-r2

    Configure WSUS to use SSL

    http://www.vkernel.ro/blog/configure-wsus-to-use-ssl


    Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7

    My Blog: www.vkernel.ro/blog

    Monday, November 12, 2012 8:58 AM
  • My problem is that since I configured the WSUS for SSL, I can no longer Access it from the MMC on my WSUS server. 

    Did you install the SSL certificate on the WSUS server (as a client)?

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Monday, November 12, 2012 10:54 PM
    Moderator
  • Reinstall WSUS using the default site, which is running on port 80.

    Something I recently learned.. which I'm still in shock over...

    The default installation port for WSUS on Windows Server 2012 is 8530. :-//


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Monday, November 12, 2012 10:57 PM
    Moderator
  • I did the following steps to try and get it working (without any luck of course):

    This is only part of what needs to be done. I'm not sure where this copy-and-paste came from, but the complete procedure can be found in the current WSUS Deployment Guide (July 2011) in the section Secure the WSUS 3.0 SP2 Deployment, which contains this (edited for relevancy) follow-up section:

    Configure SSL on client computers

    When you configure SSL on client computers, you should consider the following issues:

    • You must include a URL for a secure port on the WSUS server. Because you cannot require SSL on the server, the only way to make sure that client computers can use a security channel is by using a URL that specifies HTTPS. If you use any port other than 443 for SSL, you must include that port in the URL also. For example, https://<ssl-servername> specifies a WSUS server that uses port 443 for HTTPS. https://<ssl-servername>:8531 specifies a WSUS server that uses a custom SSL port of 8531.
    • The certificate on a client computer must be imported into the Local Computer Trusted Root CA store or Automatic Update Service Trusted Root CA store. If the certificate is imported to the Local User's Trusted Root CA store only, Automatic Updates will fail server authentication.
    • The client computers must trust the certificate that you bind to the WSUS server. Depending on the type of certificate that is used, you might have to set up a service to enable the client computers to trust the certificate that is bound to the WSUS server. For more information about certificates, see Additional SSL resources.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Monday, November 12, 2012 11:05 PM
    Moderator
  • Remove WSUS then reinstall using these guides:

    Install WSUS 3.0 on Windows Server 2008 R2

    http://www.vkernel.ro/blog/install-wsus-3-0-on-windows-server-2008-r2

    Configure WSUS to use SSL

    http://www.vkernel.ro/blog/configure-wsus-to-use-ssl

    It really is preferred that, when posting in Microsoft forums, you use links to the Microsoft official documentation.

    http://technet.microsoft.com/en-us/library/dd939849(v=ws.10).aspx



    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Monday, November 12, 2012 11:07 PM
    Moderator
  • OK..

    To recap this issue a bit..

    I am able to Connect to the WSUS from Clients (both internally and externally over the Internet) AND I am able to Connect to the WSUS console from another server, but NOT from the WSUS server itself.

    So my problem is why/how can't I Connect to WSUS console on the server?

    Tuesday, November 13, 2012 7:00 AM
  • I am able to Connect to the WSUS from Clients (both internally and externally over the Internet) AND I am able to Connect to the WSUS console from another server, but NOT from the WSUS server itself.

    So my problem is why/how can't I Connect to WSUS console on the server?

    As asked... but not appearing to be answered.... have you performed the Configure SSL on client computers procedure on the WSUS server so that the WSUS server can be a 'client' of itself?

    This procedure is not required just for the WUAgent to be able to talk to an SSL-enabled WSUS server,  but also to allow the MMC to be able to talk to the SSL-enabled server. Inasmuch as you can connect from everywhere else, this seems to be the most logical cause.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Tuesday, November 13, 2012 11:10 PM
    Moderator
  • Yes, I have.

    WSUS settings are controlled through Group Policy, and the WSUS server itself also has this policy applied to it. In regards to certificates, I have used an internal (Microsoft) CA, which is used in conjunction with an Automatic certificate request GPO, so that all Clients have the root CA certificate installed on them, so certificate trust should not be an issue. I can confirm that the SSL (webserver) certificate issued to and used by the WSUS IIS has the internal root CA as root. The internal root CA is also installed in Trusted Root Certification Authorities on both the Computer account, and the User account on the WSUS server.


    • Edited by Syntetisk Wednesday, November 14, 2012 7:12 AM
    Wednesday, November 14, 2012 7:10 AM
  • Yes, I have.

    WSUS settings are controlled through Group Policy, and the WSUS server itself also has this policy applied to it. In regards to certificates, I have used an internal (Microsoft) CA, which is used in conjunction with an Automatic certificate request GPO, so that all Clients have the root CA certificate installed on them, so certificate trust should not be an issue. I can confirm that the SSL (webserver) certificate issued to and used by the WSUS IIS has the internal root CA as root. The internal root CA is also installed in Trusted Root Certification Authorities on both the Computer account, and the User account on the WSUS server.


    Please forgive my pedantic nature.. but in scenarios like this, I quite often find the fact assumed is the fact bitten by.

    • You've used an Enterprise CA to create and distribute a root certificate.
    • You created an SSL certificate derived from that root certificate.
    • The root CA is installed in the Trusted Root CA store of the Computer account. (As noted in the cited documentation, the root cert in the User store is meaningless.)

    But I don't see anywhere that you have confirmed that the  *SSL* certificate has been installed in the Computer store of the WSUS server -- in the same manner that it has (apparently) been installed on all of the other systems in your network (as evidenced by their ability to establish an SSL connection to WSUS).

    Question: Can the Windows Update Agent of the WSUS server successfully detect/report to the WSUS server?


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Thursday, November 15, 2012 11:37 PM
    Moderator
  • Yes, the SSL certificate used by the WSUS IIS (update.organization.com) is installed in the Computer account personal store of the WSUS server.

    No, the WSUS server itself is not registered in the WSUS as a Client.

    Friday, November 16, 2012 7:26 AM
  • No, the WSUS server itself is not registered in the WSUS as a Client.

    Then, as a diagnostic measure, if not as an operational requirement -- I would start by getting the WSUS server's WUAgent to properly register with the WSUS server.

    If the WSUS server is configured (via policy) as a WSUS client, and it's not registered, then I can almost guarantee you that these two conditions:

    • WUAgent does not register with SSL-enabled WSUS server.
    • Local MMC cannot establish a connection to SSL-enabled WSUS server.

    are caused by exactly the same thing.

    If the WSUS server is not configured as a WSUS client, the reason why is yet another conversation to be had, but configuring it as a client, and having it successfully register, detect, and report, will eliminate the client-side of the SSL certificate as a consideration and then we can move on to other more obscure possibilities.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Monday, November 19, 2012 3:40 PM
    Moderator
  • I have the same issue on Windows 2012 as soon as you setup SSL the MMC fails when on the server.  Connecting remotely works fine.

    David Jenkins

    Wednesday, December 4, 2013 3:26 PM
  • Has anyone found a solution for this issue?

    I am experiencing the exact same thing on a newly installed Server 2012 R2 server.

    Friday, December 20, 2013 9:08 AM
  • Biggest thing is make sure you don't already have something using port 80 and 443 or just go with the other port assignment.

    David Jenkins

    Friday, December 20, 2013 11:32 AM
  • Has anyone found a solution for this issue?

    I am experiencing the exact same thing on a newly installed Server 2012 R2 server.

    Then, like above, I would say that the WSUS Server has not been properly configured as a *SSL CLIENT*.

    Did you install the SSL certificate (and root certs) in the proper cert store of the WSUS server?


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, December 20, 2013 6:26 PM
    Moderator
  • Biggest thing is make sure you don't already have something using port 80 and 443 or just go with the other port assignment.

    WSUS v6.2 (on Server 2012 R2) doesn't use ports 80 and 443, so this would not likely be relevant. (Unless the configuration had been reverted using WSUSUTIL.)

    SSL on WSUS v6.2 would be accessed via port 8531.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, December 20, 2013 6:27 PM
    Moderator
  • I have changed it to use 80 and 443 instead of 8530 and 8531 using wsusutil.

    I imported the certificate and root certs before i installed the WSUS.

    Then I used this guide to setup SSL: 

    http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/

    And then I can't connect to the server in the console. 

    Monday, December 23, 2013 10:29 AM
  • I have changed it to use 80 and 443 instead of 8530 and 8531 using wsusutil.

    Did you confirm that it was working on port 80 without SSL after running 'usecustomwebsite'?

    Perhaps this is not an SSL issue but a simple site migration / console connection issue?

    And then I can't connect to the server in the console.

    Assuming the site was working on port 80 prior to enabling SSL, the logical conclusion here is that something you did (or did not do) while implementing the SSL configuration is the cause. Either way, I'd say the best approach here is to completely rollback the SSL implementation, confirm that the environment works without SSL, and then re-implement the SSL configuration.

    And, once more, to my original points.. nothing in the procedure cited discusses configuring the WSUS Server as an SSL CLIENT so you also need to perform those steps.

    From the WSUS Deployment Guide - Configure WSUS:

    Configure SSL on client computers

    When you configure SSL on client computers, you should consider the following issues:

    • You must include a URL for a secure port on the WSUS server. Because you cannot require SSL on the server, the only way to make sure that client computers can use a security channel is by using a URL that specifies HTTPS. If you use any port other than 443 for SSL, you must include that port in the URL also.
    • The certificate on a client computer must be imported into the Local Computer Trusted Root CA store or Automatic Update Service Trusted Root CA store. If the certificate is imported to the Local User's Trusted Root CA store only, Automatic Updates will fail server authentication.
    • The client computers must trust the certificate that you bind to the WSUS server. Depending on the type of certificate that is used, you might have to set up a service to enable the client computers to trust the certificate that is bound to the WSUS server.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Tuesday, December 24, 2013 7:28 PM
    Moderator
  • Yes, I checked that it worked on port 80 without SSL. And it worked just fine.

    And when I rollback to not using SSL then it works again. 

    I have also tried rolling back to using port 8530 and then enabling SSL on port 8531 - same issue.

    So it is an SSL issue.

    First I used our wildcard SSL from RapidSSL, but I have read something about WSUS not being too happy about wildcard certificates. So I have also tried creating a certificate from our internal CA - same issue.

    I am not sure what I need to do on the WSUS server with the link you mention. Yes - I have installed the certificate in order to choose it in the IIS bindings. And also the intermediate certificate from the CA.

    Am I misunderstanding what you mean?

    Friday, December 27, 2013 8:41 AM
  • First I used our wildcard SSL from RapidSSL, but I have read something about WSUS not being too happy about wildcard certificates.

    Correct. The SSL certificate must be issued in the canonical name of the WSUS server. In the case where you have an Internet-published server for clients, that may require you to [a] implement multiple certificates or, [b] configure multiple identities on a single SSL certificate.
    Yes - I have installed the certificate in order to choose it in the IIS bindings. And also the intermediate certificate from the CA.
    And the ROOT certificate?

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Tuesday, December 31, 2013 12:59 AM
    Moderator
  • Just ran into this issue standing up WSUS on a 2012 R2 server today.  Fixed it by using the BackConnectionHostNames registry entry, as described in KB 896861 (http://support.microsoft.com/kb/896861):

    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    3. Right-click MSV1_0, point to New, and then click Multi-String Value.
    4. Type BackConnectionHostNames, and then press ENTER.
    5. Right-click BackConnectionHostNames, and then click Modify.
    6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
    7. Quit Registry Editor, and then restart the IISAdmin service.


    • Edited by ChrisRode Thursday, May 1, 2014 7:39 PM
    • Proposed as answer by JoshG76 Thursday, July 10, 2014 11:40 AM
    Thursday, May 1, 2014 7:38 PM
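The same BackConnectionHostNames change from KB 896861, done idempotently in PowerShell; this is an added example, not code from the post or from the KB. The host names are placeholders, and the IIS Admin Service is restarted only if it is present on the server (the KB names it; newer IIS installs may not have it).

```powershell
# Added example: apply the BackConnectionHostNames fix from KB 896861 without
# clobbering names that are already in the multi-string value.
#Requires -RunAsAdministrator
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Names = @('update.domain.com', 'wsusserver.domain.local')   # placeholders: the names the local console connects to

# Read what is already there (may be absent on a fresh server) and merge, case-insensitively.
$current = (Get-ItemProperty -Path $Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
$merged  = @(@($current) + $Names | Where-Object { $_ } | Sort-Object -Unique)

if ($null -ne $current) {
    Set-ItemProperty -Path $Key -Name BackConnectionHostNames -Value $merged
} else {
    New-ItemProperty -Path $Key -Name BackConnectionHostNames -PropertyType MultiString -Value $merged | Out-Null
}

# Only the names listed above are exempted from the loopback check. KB 896861 also documents
# DisableLoopbackCheck, which switches the check off for every name; flag it if someone set it.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set; BackConnectionHostNames is the narrower fix and makes it unnecessary'
}

# Step 7 of the post: restart the IIS Admin service (skipped if the service is not installed).
Get-Service IISAdmin -ErrorAction SilentlyContinue | Restart-Service -Force

# Show the resulting value so the change can be confirmed.
(Get-ItemProperty -Path $Key -Name BackConnectionHostNames).BackConnectionHostNames
```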
  • I've just encountered this and after banging my head against the desk for a few hours realised there's a step missing from the documentation.

    In addition to the steps outlined you need to go into IIS Manager and to your WSUS site. Choose Edit Bindings and go to the HTTPS protocol (8531 if you're using the WSUS defaults, 443 if you're using the Default Web Site, doesn't matter). On here you need to choose which server certificate to associate with this port binding. Without choosing the server certificate SSL will simply not work, which is probably why you're able to connect to and administer the server over HTTP but not HTTPS.

    It's one of those ones that someone who uses IIS all the time will do by second nature, but sysadmins who just use it for WSUS won't have considered.

    Monday, September 29, 2014 1:59 PM
  • Just ran into this issue standing up WSUS on a 2012 R2 server today.  Fixed it by using the BackConnectionHostNames registry entry, as described in KB 896861 (http://support.microsoft.com/kb/896861):

    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    3. Right-click MSV1_0, point to New, and then click Multi-String Value.
    4. Type BackConnectionHostNames, and then press ENTER.
    5. Right-click BackConnectionHostNames, and then click Modify.
    6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
    7. Quit Registry Editor, and then restart the IISAdmin service.


    This was exactly my problem.

    WSUS couldn't be managed using a "public" hostname. Kept saying "Please make sure the post installation task is completed".

    Thanks.

    Monday, March 2, 2015 3:53 AM
  • I just want to provide a clear answer to this thread based on my observation. 


    In a nutshell:


    On Windows Server 2012/2012 R2, the WSUS SSL configuration command WSUSUtil.exe configuressl must be set to the WSUS host server's local host name (FQDN), and the WSUS admin console when executed locally, must also connect to the local host name, in order to work properly. This may require the IIS to be configured with both public domain name and local host name SSL bindings.


    Detailed Explanation:


    A company contoso.com wishes to secure their WSUS server with SSL running on Windows Server 2012/2012 R2 and also make sure that people from outside of the company network (with laptops etc) can still connect to the SSL WSUS server for updates over the internet.

    To achieve this goal, the company set up the public domain name wsus.contoso.com that points to the public IP of their WSUS server, and issued or purchased a trusted certificate for wsus.contoso.com. All firewalls/NAT/port forwarding if applicable are set up. The WSUS IIS site has been configured with the correct binding and certificate for wsus.contoso.com, and selected applications have been configured with "Require SSL" per Microsoft's documentation. Each client computer has been pointed to https://wsus.contoso.com:8531 via group policy for Windows update, and configured to trust wsus.contoso.com's certificate (either an automatically trusted public CA issued certificate or a manually self-signed certificate).

    However, the company's WSUS server itself has its own host name, oreo.ad.contoso.com, which is apparently different from wsus.contoso.com. Nonetheless, the company used the command 

    WSUSUtil.exe configuressl wsus.contoso.com 

    to setup the WSUS SSL because naturally wsus.contoso.com is what they intended to use. However, errors occur when the WSUS Admin Console is launched from the local WSUS server to connect to wsus.contoso.com at port 8531 for management. Windows Event Log also shows several "... services not running" errors when WSUS service starts.


    Solution:

    Use the command

    WSUSUtil.exe configuressl oreo.ad.contoso.com

    instead to configure the server. In the IIS WSUS site, add a binding for oreo.ad.contoso.com at port 8531, listening on ALL IPs or at least the local IPv6 IP (this is because by default the local FQDN resolves to IPv6 in Windows), with an appropriate certificate trusted by the server. Please note that the certificate does *not* necessarily have to list oreo.ad.contoso.com as the main "issued to" name. It can be listed as a Subject Alternative Name (SAN) (verified using GoDaddy's SAN SSL). I have not personally tried a wildcard SSL so I am not sure if that also works. This means if the same certificate used for wsus.contoso.com also covers oreo.ad.contoso.com via SAN, then the same certificate can be used. Otherwise, a separate certificate for oreo.ad.contoso.com needs to be issued or purchased, and must be correctly installed/trusted on the server for use with IIS.

    If configured correctly, the IIS site should have three bindings: the default non-SSL http binding (do not remove this as it is required for WSUS to function correctly), a SSL binding for wsus.contoso.com on port 8531, and a SSL binding for oreo.ad.contoso.com on port 8531 (all IP). The local WSUS Admin Console should launch correctly (if no server is listed, add server oreo.ad.contoso.com, check use SSL and port 8531).

    So overall, the http://wsus.contoso.com:8531 address will be used for Windows clients seeking to obtain updates from the server, and the oreo.ad.contoso.com entry is used exclusively for the WSUS server itself and its local admin console.

    Hope this will help someone who got stuck in a similar situation.



    • Edited by startover909 Wednesday, May 27, 2015 6:58 PM
    • Proposed as answer by gavinb Thursday, March 17, 2016 10:22 AM
    Wednesday, May 27, 2015 6:56 PM
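The dual-binding setup from the post above, scripted and then verified from the server acting as its own SSL client; this is an added example, not code from the post or from Microsoft. It assumes the WSUS site is named "WSUS Administration" on port 8531, the host names wsus.contoso.com and oreo.ad.contoso.com from the post, and WsusUtil.exe under the default "Update Services\Tools" folder; the certificate lookup relies on the PowerShell DnsNameList property, so a SAN-only match works.

```powershell
# Added example: two SNI host-named https bindings on 8531 (public name for clients,
# local FQDN for the server's own console), then a TLS check of each as a client would see it.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName   = 'WSUS Administration'       # assumed: default WSUS site name on Server 2012/R2
$SslPort    = 8531
$PublicName = 'wsus.contoso.com'          # what clients are pointed at via GPO
$LocalName  = 'oreo.ad.contoso.com'       # the server's own FQDN, used by the local console
$WsusUtil   = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'   # assumed default path

# Pick a certificate in the machine Personal store that covers the name (subject or SAN),
# has a private key, and chains to a root the *computer* trusts (not just the user).
function Get-ServerCert([string]$DnsName) {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $DnsName) } |
        Where-Object { $_.Verify() } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

# Create (or reuse) an https binding with a host header and attach the certificate.
# SslFlags 1 = SNI, which is what lets two host-named bindings share one port and IP.
function Set-WsusSslBinding([string]$HostName) {
    $cert = Get-ServerCert $HostName
    if (-not $cert) { throw "No trusted machine certificate with a private key covers $HostName" }
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $SslPort -HostHeader $HostName
    if (-not $binding) {
        New-WebBinding -Name $SiteName -Protocol https -Port $SslPort -IPAddress '*' `
                       -HostHeader $HostName -SslFlags 1
        $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $SslPort -HostHeader $HostName
    }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    "$HostName -> $($cert.Thumbprint) (expires $($cert.NotAfter.ToShortDateString()))"
}

Set-WsusSslBinding $PublicName    # used by the WUAgent on clients
Set-WsusSslBinding $LocalName     # used by the local console and the server's own WUAgent

# The post says the plain http binding must stay; warn rather than silently continue.
if (-not (Get-WebBinding -Name $SiteName -Protocol http -Port 8530)) {
    Write-Warning "No http:8530 binding on '$SiteName'; WSUS needs it even with SSL enabled"
}

# Point WSUS at the local FQDN, as the post's solution does.
& $WsusUtil configuressl $LocalName

# Verification from the server as its own client: a TLS handshake with SNI for each name.
# The default SslStream validation uses the machine chain, so an untrusted cert fails here
# exactly as it would for the console or the WUAgent.
function Test-WsusTls([string]$HostName) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $SslPort)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        [PSCustomObject]@{ Host = $HostName; Ok = $true; Protocol = $ssl.SslProtocol
                           Subject = $ssl.RemoteCertificate.Subject }
    } catch {
        [PSCustomObject]@{ Host = $HostName; Ok = $false; Protocol = $null
                           Subject = $_.Exception.Message }
    } finally { $tcp.Close() }
}

Test-WsusTls $PublicName
Test-WsusTls $LocalName
```

If the public and local names are served by different certificates, SNI is what keeps them apart; a non-SNI client connecting to the bare IP receives whichever binding IIS treats as the default, so test both names rather than only the one the console uses.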
  • startover99's post is the exact issue I have just run into with a client. The use of an SSL cert with an internet FQDN causes the WSUS admin console to error out.

    I can confirm having the dual bindings in IIS for the WSUS https site has enabled me to connect to the WSUS admin console using server.domain.local (need a self-signed cert with server.domain.local as subject name bound to https port 8531 with hostname specified)

    and

    I can also still use the SSL cert wsus.domain.net.au bound to https port 8531 (no hostname specified) for the servers\clients to connect to the WSUS server & get updates.

    Many thanks startover99!!!

    Thursday, March 17, 2016 10:22 AM
  • Hello,

    I know it's a pretty old topic but I found a solution to this. Maybe someone will find it in the future ;)

    If you are using an internal CA, it's pretty simple to add the FQDN to a SAN certificate (i.e. wsus.domain.com & wsus-server.domain.local). After that it works like a charm remotely and locally.

    Only with an external one I didn't find a solution, but I won't spend much time on it.

    PS: Windows 2012r2 with Windows 10 support in freshly installed WSUS

    Cheers

    Jan

    Tuesday, January 31, 2017 7:06 PM