  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1652

Primary child active SUP trying to download EULA files from central site over port 8530 in Native Mode

Hi guys,

We have a primary child site in one forest with an active SUP installed.
It's meant to synchronise with the central site SUP in another forest.
We're running in Native Mode (each forest has its own PKI) so we're expecting the primary child SUP to use port 8531,
but from the logs, it's trying to grab the files on port 8530 -- which is closed via our firewall!

       - - - - - - - - - - - - - - - -    
E.g., SoftwareDistribution.log on the primary child site:

2010-09-13 04:57:52.427 UTC Error WsusService.21 ContentSyncAgent.JobError Download error: http://central.fqdn:8530/Content/FD/37DE761B8616436D10208B6F9D9C18D64C8BFEFD.txt failed in download: (-2147012867) A connection with the server could not be established

      - - - - - - - - - - - - - - - - -

As a result, there are no EULA files in D:\WSUS\WsusContent on the primary child site.
All the folders are there (e.g., FD, FB, F6, F2, ... but there are absolutely no files inside any of them).
Therefore, when our clients sync up with the SUP, they fail because they can't download the EULA files
as per their local WindowsUpdate.log file.

Our primary child SUP has a Server Authentication certificate installed in IIS on port 8351.
We've already run "wsusutil.exe configuressl" and passed it the fqdn.
That appears correctly if you run "wsusutil.exe configuressl" again (i.e., https://primary-child.fqdn:8531).

In the ConfigMgr Console, the Software Update Point Component Properties already shows the correct non-HTTP port of 8530
(I guess this is not used) and HTTPS port of 8531 in the General tab.

The "Enable SSL for this WSUS server" is ticked and greyed out.
In the Sync Settings tab, "Synchronize from an upstream update server" is also ticked and greyed out.
We do not need nor specify a proxy server.
We've also tried a "wsus reset" command and the usual IIS resets/server restarts with no luck.

Any ideas?

Asked: AGoodwin42

1 Solution
TarekIsmail Commented:
The default port numbers are port 8530 for the HTTP protocol and port 8531 for the HTTPS protocol (SSL). These port settings will need to be specified when creating the active software update point for the site.

You must configure the WSUS web site to use SSL; use the link below:
http://technet.microsoft.com/en-us/library/bb633246.aspx

Also, it seems your primary child SUP server needs to trust your primary SUP server's CA.

Good Luck!
Tarek Ismail
AGoodwin42 (Author) Commented:
Hi, thanks for your feedback; unfortunately we have already covered these items off.

Port settings and SSL settings are correct, and as stated above we have already run "wsusutil.exe configuressl" and passed it the FQDN with no errors. We need to know how to force the EULA downloads to use port 8531 instead of 8530. The regular WSUS downloads are working fine and using port 8531, but the EULA downloads are using port 8530, which is causing the problem.
TarekIsmail Commented:
Hi,

I have checked my WSUS and found the below; only the following directories are configured to use SSL:
SimpleAuthWebService
DSSAuthWebService
ServerSyncWebService
ApiRemoting30
ClientWebService

But the EULA is located in and downloaded from the content directory of the WSUS web site, which means it will not go through SSL and will use the non-secure port 8530.

You can use the Secure Sockets Layer (SSL) protocol to secure your WSUS deployment. WSUS uses SSL to allow client computers and downstream WSUS servers to authenticate the WSUS server.

 WSUS also uses SSL to encrypt the metadata (the information about the updates) passed between clients and downstream WSUS servers. Note that WSUS uses SSL only for metadata, not for content (the update files themselves). This is also the way Microsoft Update distributes updates.

Sorry to say, the EULA is part of the update content, not metadata.

Good Luck!
Tarek Ismail
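A PowerShell check for the two points made above, added here as an example and not code from the thread: it reads which WSUS virtual directories actually require SSL after "wsusutil configuressl" (the five web services should report Ssl, Content should not) and then tests whether the upstream server is reachable on 8530 and 8531 from the child SUP. It assumes the default IIS site name "WSUS Administration", PowerShell 3 or later on Windows Server 2012 or later for Test-NetConnection and Invoke-WebRequest, and uses central.fqdn and the EULA path from the log line quoted in the question as placeholders.

```powershell
# Added diagnostic, not from the thread. Run elevated on the downstream (child) SUP.
Import-Module WebAdministration

$site     = 'WSUS Administration'   # assumed default WSUS site name in IIS
$upstream = 'central.fqdn'          # placeholder for the upstream SUP FQDN
$vdirs    = 'SimpleAuthWebService','DSSAuthWebService','ServerSyncWebService',
            'ApiRemoting30','ClientWebService','Content'

# 1. Which WSUS virtual directories require SSL? Only the web services (metadata)
#    are switched to SSL by configuressl; Content stays on plain HTTP (8530).
foreach ($v in $vdirs) {
    $access = Get-WebConfiguration -PSPath "IIS:\Sites\$site\$v" `
                                   -Filter 'system.webServer/security/access'
    '{0,-22} sslFlags={1}' -f $v, $access.sslFlags
}

# 2. Can this server reach the upstream on both ports? The symptom in the thread is
#    8531 open (metadata sync works) and 8530 blocked (Content/EULA downloads fail).
foreach ($port in 8530, 8531) {
    $r = Test-NetConnection -ComputerName $upstream -Port $port -WarningAction SilentlyContinue
    '{0}:{1} TcpTestSucceeded={2}' -f $upstream, $port, $r.TcpTestSucceeded
}

# 3. Fetch one EULA over the port the content sync agent actually uses. A failure
#    here reproduces the -2147012867 "connection could not be established" log error.
$eula = "http://${upstream}:8530/Content/FD/37DE761B8616436D10208B6F9D9C18D64C8BFEFD.txt"
try   { (Invoke-WebRequest -Uri $eula -UseBasicParsing).StatusCode }
catch { "EULA download over 8530 failed: $($_.Exception.Message)" }
```

If step 1 shows Content without Ssl and step 2 shows 8530 blocked, the firewall rule for 8530 (content only) is the gap, exactly as the comment above describes.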
AGoodwin42 (Author) Commented:
Hi Ismail

Thanks for that! Will use it to get security team to open this port on firewall.

Cheers

Anne
AGoodwin42 (Author) Commented:
We have tried other sites for an answer and whilst this answer doesn't tell us how to get the EULA downloads to happen on port 8531, it does give us sufficient info to pass to the security team to open the port 8530 in the firewall (hopefully).