How to configure a Software Update Point to use SSL for communicating with WSUS

This blog post is about configuring a Software Update Point (SUP) to use SSL for communicating with Windows Server Update Services (WSUS). I know there are many guides on the web detailing the standard installation of WSUS and a SUP, but not many of them explain (or even touch) the HTTPS/SSL configuration. Also, I've been getting some questions about this subject lately, so I thought it was time to dedicate a blog post to it.

At a very high level, this post goes through the configuration of WSUS to require SSL communication and the configuration of a SUP to use SSL communication. So, strictly speaking, the title doesn't cover the complete blog post.

Prerequisites

Before we go through the configuration steps of WSUS and a SUP, I want to point out the following important prerequisites that are not part of this post:

  • Server authentication certificate – This how-to assumes that the server authentication certificate, that is required to configure the HTTPS binding of the WSUS Administration website, is available. For a step-by-step procedure for creating such a certificate, see: http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_webserver2008_cm2012
    • Note: The server authentication certificate for an Internet-facing software update point must contain both the Internet FQDN and the intranet FQDN of the server. I will show the reason why in a following blog post.
  • WSUS – This how-to assumes that a standard WSUS installation is performed. For a step-by-step guide for installing WSUS, see: http://technet.microsoft.com/en-us/library/hh852338.aspx
  • SUP – This how-to assumes that a standard SUP installation is performed.

Step 1: Add certificate to WSUS Administration website

Now let’s start with the first step, which is adding the server authentication certificate to the WSUS Administration website. This can be the same certificate that has been used on the Default website. To add this certificate to the WSUS Administration website, by using Internet Information Services (IIS) 7.0 or higher, perform the following steps:

  • On the site system server, open IIS Manager.
  • Navigate to Sites, right-click the WSUS Administration website, and click Edit Bindings.
  • In the Site Binding dialog box, select the https binding, and click Edit.
  • In the Edit Site Binding dialog box, select the server authentication certificate in the SSL certificate box, and click OK.
  • Click Close to exit the Site Bindings dialog box.

Step 2: Require SSL on WSUS Administration website

Let's continue with the second step, which is configuring five virtual directories of the WSUS Administration website to require SSL. After the virtual directories have been configured, the health monitoring feature of WSUS must also be configured to use SSL. To configure these virtual directories to require SSL, by using IIS 7.0 or higher, perform the following steps:

  • On the site system server, open IIS Manager.
  • Navigate to Sites, and expand the WSUS Administration website.
  • Select the virtual directory APIRemoting30:
    • In Features View, double-click SSL Settings.
    • On the SSL Settings page, select Require SSL and click Apply in the Actions pane.
  • Repeat the previous step for the following virtual directories:
    • ClientWebService;
    • DSSAuthWebService;
    • ServerSyncWebService;
    • SimpleAuthWebService;
  • Close IIS Manager.

The last part of this step is to also configure the health monitoring feature of WSUS to use SSL. This can be done by using the WSUSUtil tool. To configure the health monitoring feature of WSUS to use SSL, run the following command from an elevated command prompt in the location <WSUS Installation Folder>\Tools (by default WSUS listens for HTTPS on port 8531):

WSUSUtil.exe configuressl <Intranet FQDN of the site system server>
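The two steps above can also be scripted, which is useful when more than one WSUS server has to be configured identically and when you want a repeatable record of what was changed. The following PowerShell script is an added example and not part of the original post; it assumes the server authentication certificate is already in the local machine Personal store and is identified by its thumbprint, that the WSUS Administration website uses the default HTTPS port 8531, and that it is run in an elevated session on the WSUS server. It only touches the five virtual directories listed above and leaves the other virtual directories of the site as they are.

```powershell
# Added example (not from the original post): scripts Step 1 and Step 2.
# Assumptions (adjust to your environment):
#   - $Thumbprint   : thumbprint of the server authentication certificate,
#                     already present in Cert:\LocalMachine\My (Personal store).
#   - $IntranetFqdn : intranet FQDN of the site system server.
#   - The "WSUS Administration" site uses the default HTTPS port 8531.
# Run in an elevated PowerShell session on the WSUS / site system server.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [Parameter(Mandatory)][string]$IntranetFqdn
)

Import-Module WebAdministration

$siteName  = 'WSUS Administration'
$httpsPort = 8531
$sslVdirs  = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
             'ServerSyncWebService', 'SimpleAuthWebService'

# --- Step 1: put the server authentication certificate on the https binding ---
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
# Server Authentication EKU (1.3.6.1.5.5.7.3.1) and a usable private key are
# the two things that most often go wrong with a hand-picked certificate.
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw "Certificate $Thumbprint lacks the Server Authentication EKU."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in this store."
}

if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $httpsPort)) {
    New-WebBinding -Name $siteName -Protocol https -Port $httpsPort -IPAddress '*'
}
# IIS keeps the certificate-to-binding mapping under IIS:\SslBindings
$sslBindingPath = "IIS:\SslBindings\0.0.0.0!$httpsPort"
if (Test-Path $sslBindingPath) { Remove-Item $sslBindingPath }
New-Item $sslBindingPath -Value $cert | Out-Null

# --- Step 2: require SSL on the five WSUS web services ---
foreach ($vdir in $sslVdirs) {
    $psPath = "IIS:\Sites\$siteName\$vdir"
    if (-not (Test-Path $psPath)) {
        throw "Virtual directory '$vdir' not found under '$siteName'."
    }
    # sslFlags = Ssl is what "Require SSL" in IIS Manager sets
    Set-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# --- Step 2, last part: configure WSUS health monitoring for SSL ---
$wsusSetup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$wsusUtil  = Join-Path $wsusSetup.TargetDir 'Tools\WsusUtil.exe'
& $wsusUtil configuressl $IntranetFqdn
if ($LASTEXITCODE -ne 0) {
    throw "wsusutil configuressl failed with exit code $LASTEXITCODE"
}

# Report what was configured so the operator can eyeball it
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation
foreach ($vdir in $sslVdirs) {
    $flags = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName\$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
    '{0,-22} sslFlags={1}' -f $vdir, $flags
}
```

The script refuses to bind a certificate that lacks the Server Authentication EKU or a private key, because IIS will happily accept the binding and the failure then only shows up later as a TLS handshake error in the SUP logs. Run it as `.\Configure-WsusSsl.ps1 -Thumbprint <thumbprint> -IntranetFqdn wsus.corp.example.com` (file and parameter names are this example's own).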

Step 3: Use SSL on Software Update Point

The third and last step is to configure a SUP to use SSL for communicating with WSUS. Without this, the SUP won't be able to communicate with WSUS, as it will keep trying to communicate over HTTP on port 8530, which the virtual directories now refuse. To configure the SUP to use SSL, perform the following steps:

  • Open the Configuration Manager console;
  • Navigate to Administration > Site Configuration > Servers and Site System Roles and select the site system server;
  • In the Site System Roles pane, double-click Software update point;
  • In the Software update point Properties select Require SSL communication to the WSUS server and click OK.

Results

There are a couple of methods to check whether the configuration was successful. The two methods that I like the most are the log files and the registry. I won't show the registry here, but two important values to look at are PortNumber, which should be set to 8531, and UsingSSL, which should be set to 1. These values are located in the key HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup. What I do want to show are the results in the following two log files:

  • The first log file is WSUSCtrl.log. This log file should show a successful connection to the local WSUS server and it should show no unhealthy WSUS server components.
  • The second one is WCM.log. This log file should show a successful connection to the WSUS server on port 8531.
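Besides the registry and the log files, it is worth checking the result from the wire, because that is what the SUP and the clients actually see. The following PowerShell script is an added example and not part of the original post. It reads the two registry values mentioned above, performs a TLS handshake against port 8531 and reports the certificate the server presents (including its Subject Alternative Names, which for an Internet-facing SUP must list both FQDNs, as noted under Prerequisites), and confirms that the five virtual directories now refuse plain HTTP on port 8530. It assumes the default ports and that $WsusFqdn is the name the SUP uses to reach the server.

```powershell
# Added example (not from the original post): verifies the SSL configuration
# from the registry, from a TLS handshake and from an HTTP probe.
# Assumptions: $WsusFqdn is the FQDN the SUP/clients use to reach WSUS;
# the default ports 8530 (HTTP) and 8531 (HTTPS) are in use.
param(
    [Parameter(Mandatory)][string]$WsusFqdn,
    [int]$HttpPort  = 8530,
    [int]$HttpsPort = 8531
)

# 1. Registry values the post checks under Results (only when run on the WSUS server)
$setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' `
    -ErrorAction SilentlyContinue
if ($setup) {
    '{0,-20} {1}' -f 'PortNumber:', $setup.PortNumber   # expected: 8531
    '{0,-20} {1}' -f 'UsingSSL:',   $setup.UsingSSL     # expected: 1
}

# 2. TLS handshake on 8531: capture the certificate the server really presents.
#    The callback accepts everything so that we can report instead of abort;
#    the chain/name errors it saw are printed below and should be "None".
$script:remoteCert  = $null
$script:chainErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:remoteCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    $script:chainErrors = $errors
    $true
}
$client = New-Object System.Net.Sockets.TcpClient($WsusFqdn, $HttpsPort)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($WsusFqdn)
'{0,-20} {1}' -f 'Protocol:',          $ssl.SslProtocol
'{0,-20} {1}' -f 'Subject:',           $remoteCert.Subject
'{0,-20} {1}' -f 'Issuer:',            $remoteCert.Issuer
'{0,-20} {1}' -f 'Chain/name errors:', $chainErrors    # expected: None
$ssl.Dispose(); $client.Dispose()

# Subject Alternative Name extension (OID 2.5.29.17), parsed from its text form
$sanExt   = $remoteCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = if ($sanExt) {
    [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
} else { @() }
'{0,-20} {1}' -f 'SAN DNS names:', ($dnsNames -join ', ')
if ($dnsNames -notcontains $WsusFqdn) {
    Write-Warning "Certificate does not list $WsusFqdn; the SUP will fail name validation."
}

# 3. The five SSL-required web services must refuse plain HTTP (IIS answers 403.4)
$sslVdirs = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($vdir in $sslVdirs) {
    $url = "http://${WsusFqdn}:${HttpPort}/$vdir/"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        Write-Warning "$vdir still answers over HTTP (status $($r.StatusCode)); Require SSL is not set."
    } catch {
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -eq 403) { "$vdir : plain HTTP refused (403), as required" }
        else { Write-Warning "$vdir : unexpected HTTP status $status" }
    }
}
```

The HTTP probe is the check that tells you whether the "Require SSL" setting actually took effect: a virtual directory that still answers with 200 over port 8530 is still reachable in clear text regardless of what the SUP is configured to use. Run it as `.\Test-WsusSsl.ps1 -WsusFqdn wsus.corp.example.com` (file and parameter names are this example's own).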

Further reading

For more information about PKI certificate requirements for ConfigMgr, see: http://technet.microsoft.com/en-us/library/gg699362.aspx

For more information about configuring software updates in ConfigMgr, see: http://technet.microsoft.com/en-us/library/gg712312.aspx

Comments

  1. What would the configuressl command be if you have a SUP role running on a site system other than your CAS and PS? Shall I point it to the PS?

    We've got an upstream WSUS, and the CAS talks to it and the PS talks to the CAS for sync, and I've got another site system that has a SUP role (I wasn't sure what the configuressl command should be; however, I just pointed configuressl to the PS and I see the sync happening perfectly as per the wcm.log). However, now the SOE guys came back saying the TS is failing with error code 0x80244018 and can't patch the machines during the build. I am yet to evaluate the logs, but any early thoughts?

  2. If the server is Internet-facing, should I use the intranet or the Internet FQDN in the WSUSUtil command line?
