Solved

Primary child active SUP trying to download EULA files from central site over port 8530 in Native Mode

Posted on 2010-09-15
Last Modified: 2013-11-21
Hi guys,

We have a primary child site in one forest with an active SUP installed.
It's meant to synchronise with the central site SUP in another forest.
We're running in Native Mode (each forest has its own PKI) so we're expecting the primary child SUP to use port 8531,
but from the logs, it's trying to grab the files on port 8530 -- which is closed via our firewall!

       - - - - - - - - - - - - - - - -    
E.g.,: SoftwareDistribution.log on the primary child site:

2010-09-13 04:57:52.427 UTC Error WsusService.21 ContentSyncAgent.JobError Download error: http://central.fqdn:8530/Content/FD/37DE761B8616436D10208B6F9D9C18D64C8BFEFD.txt failed in download: (-2147012867) A connection with the server could not be established

      - - - - - - - - - - - - - - - - -

As a result, there are no EULA files in D:\WSUS\WsusContent on the primary child site.
All the folders are there (e.g., FD, FB, F6, F2, ... but there are absolutely no files inside any of them).
Therefore, when our clients sync up with the SUP, they fail because they can't download the EULA files
as per their local WindowsUpdate.log file.

Our primary child SUP has a Server Authentication certificate installed in IIS on port 8351.
We've already run "wsusutil.exe configuressl" and passed it the fqdn.
That appears correctly if you run "wsusutil.exe configuressl" again (i.e., https://primary-child.fqdn:8531).

In the ConfigMgr Console, the Software Update Point Component Properties already shows the correct non-HTTP port of 8530
(I guess this is not used) and HTTPS port of 8531 in the General tab.

The "Enable SSL for this WSUS server" is ticked and greyed out.
In the Sync Settings tab, "Synchronize from an upstream update server" is also ticked and greyed out.
We do not need nor specify a proxy server.
We've also tried a "wsus reset" command and the usual IIS resets/server restarts with no luck.

Any ideas?

 
Question by:AGoodwin42

Expert Comment

by:TarekIsmail
The default port numbers are port 8530 for the HTTP protocol and port 8531 for the HTTPS protocol (SSL). These port settings will need to be specified when creating the active software update point for the site.

You must configure the WSUS Web Site to use SSL; use the link below:
http://technet.microsoft.com/en-us/library/bb633246.aspx

Also, it seems your primary child SUP server needs to trust your primary SUP server CA.

Good Luck!
Tarek Ismail

Author Comment

by:AGoodwin42
Hi, thanks for your feedback, unfortunately we have already covered these items off.

Port settings and SSL settings are correct, and as stated above we have already run the "wsusutil.exe configuressl" and passed it the FQDN with no errors. We need to know how to force the EULA downloads to use port 8531 instead of 8530. The regular WSUS downloads are working fine and using port 8531 but the EULA downloads are using port 8530 which is causing the problem.

Accepted Solution

by:
TarekIsmail earned 500 total points
Hi,

I have checked my WSUS and found the below; only the following directories are configured to use SSL:
SimpleAuthWebService
DSSAuthWebService
ServerSyncWebService
ApiRemoting30
ClientWebService
 
But the EULA is located in and downloaded from the Content directory of the WSUS web site, which means it will not go through SSL and will use the non-secure port 8530.

You can use the Secure Sockets Layer (SSL) protocol to secure your WSUS deployment. WSUS uses SSL to allow client computers and downstream WSUS servers to authenticate the WSUS server.

 WSUS also uses SSL to encrypt the metadata (the information about the updates) passed between clients and downstream WSUS servers. Note that WSUS uses SSL only for metadata, not for content (the update files themselves). This is also the way Microsoft Update distributes updates.

Sorry to say, the EULA is part of the update content, not metadata.

Good Luck!
Tarek Ismail
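
The split described in the accepted answer (SSL for the web-service directories, plain HTTP for the Content directory) can be confirmed from the downstream server's own SoftwareDistribution.log. The following is an added example, not part of the original thread: it classifies each logged URL as content or metadata and reports which upstream endpoint the failed content downloads need. Only the first sample line comes from the question; the other two, including the F2 file name and the .asmx path, are constructed.

```python
import re
from urllib.parse import urlsplit

# IIS virtual directories the accepted answer lists as SSL-enabled.
SSL_VDIRS = {"SimpleAuthWebService", "DSSAuthWebService",
             "ServerSyncWebService", "ApiRemoting30", "ClientWebService"}

# Line 1 is the error quoted in the question; lines 2-3 are constructed.
SAMPLE_LOG = """\
2010-09-13 04:57:52.427 UTC Error WsusService.21 ContentSyncAgent.JobError Download error: http://central.fqdn:8530/Content/FD/37DE761B8616436D10208B6F9D9C18D64C8BFEFD.txt failed in download: (-2147012867) A connection with the server could not be established
2010-09-13 04:57:53.101 UTC Error WsusService.21 ContentSyncAgent.JobError Download error: http://central.fqdn:8530/Content/F2/EXAMPLE00000000000000000000000000000000F2.txt failed in download: (-2147012867) A connection with the server could not be established
2010-09-13 04:58:10.000 UTC Info WsusService.21 Constructed.Entry Sync request sent to https://central.fqdn:8531/ServerSyncWebService/ServerSyncWebService.asmx
"""

URL_RE = re.compile(r"https?://\S+")
CODE_RE = re.compile(r"\((-?\d+)\)")

def classify(url):
    """Return (scheme, host, port, channel) for a WSUS URL."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    top = parts.path.strip("/").split("/")[0]
    channel = ("content" if top.lower() == "content"
               else "metadata" if top in SSL_VDIRS else "other")
    return parts.scheme, parts.hostname, port, channel

def hresult(signed_code):
    """Render the signed decimal from the log as a 0x8xxxxxxx HRESULT."""
    return "0x%08X" % (signed_code & 0xFFFFFFFF)

def failed_content_endpoints(log_text):
    """Map (scheme, host, port) -> failure count and HRESULTs for content downloads."""
    found = {}
    for line in log_text.splitlines():
        url = URL_RE.search(line)
        if "ContentSyncAgent.JobError" not in line or not url:
            continue
        scheme, host, port, channel = classify(url.group(0))
        if channel != "content":
            continue
        entry = found.setdefault((scheme, host, port), {"failures": 0, "hresults": set()})
        entry["failures"] += 1
        code = CODE_RE.search(line)
        if code:
            entry["hresults"].add(hresult(int(code.group(1))))
    return found

if __name__ == "__main__":
    for endpoint, info in failed_content_endpoints(SAMPLE_LOG).items():
        print(endpoint, info["failures"], sorted(info["hresults"]))
```

The result names the exact scheme, host and port the content channel needs, so a firewall request can be scoped to that one upstream endpoint.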

Author Comment

by:AGoodwin42
Hi Ismail

Thanks for that! Will use it to get security team to open this port on firewall.

Cheers

Anne

Author Closing Comment

by:AGoodwin42
We have tried other sites for an answer and whilst this answer doesn't tell us how to get the EULA downloads to happen on port 8531, it does give us sufficient info to pass to the security team to open the port 8530 in the firewall (hopefully).