AGoodwin42

Primary child active SUP trying to download EULA files from central site over port 8530 in Native Mode

Hi guys,

We have a primary child site in one forest with an active SUP installed.
It's meant to synchronise with the central site SUP in another forest.
We're running in Native Mode (each forest has its own PKI) so we're expecting the primary child SUP to use port 8531,
but from the logs, it's trying to grab the files on port 8530 -- which is closed via our firewall!

       - - - - - - - - - - - - - - - -    
E.g.,: SoftwareDistribution.log on the primary child site:

2010-09-13 04:57:52.427 UTC Error WsusService.21 ContentSyncAgent.JobError Download error: http://central.fqdn:8530/Content/FD/37DE761B8616436D10208B6F9D9C18D64C8BFEFD.txt failed in download: (-2147012867) A connection with the server could not be established

      - - - - - - - - - - - - - - - - -

As a result, there are no EULA files in D:\WSUS\WsusContent on the primary child site.
All the folders are there (e.g., FD, FB, F6, F2, ... but there are absolutely no files inside any of them).
Therefore, when our clients sync up with the SUP, they fail because they can't download the EULA files
as per their local WindowsUpdate.log file.

Our primary child SUP has a Server Authentication certificate installed in IIS on port 8351.
We've already run "wsusutil.exe configuressl" and passed it the fqdn.
That appears correctly if you run "wsusutil.exe configuressl" again (i.e., https://primary-child.fqdn:8531).

In the ConfigMgr Console, the Software Update Point Component Properties already shows the correct non-HTTP port of 8530
(I guess this is not used) and HTTPS port of 8531 in the General tab.

The "Enable SSL for this WSUS server" is ticked and greyed out.
In the Sync Settings tab, "Synchronize from an upstream update server" is also ticked and greyed out.
We do not need nor specify a proxy server.
We've also tried a "wsus reset" command and the usual IIS resets/server restarts with no luck.

Any ideas?
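
As an added example (not part of the original post), a small Python parser for the SoftwareDistribution.log error quoted above: it extracts the scheme, host and port each failed content download actually used and renders the error code as an unsigned HRESULT, which is the evidence a firewall request needs. The function names and the second sample line are constructed, and the line format is assumed from the single error quoted in the question.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the first line is the error quoted in the question,
# the second is a made-up non-matching line to show that it is skipped.
SAMPLE_LOG = """\
2010-09-13 04:57:52.427 UTC Error WsusService.21 ContentSyncAgent.JobError Download error: http://central.fqdn:8530/Content/FD/37DE761B8616436D10208B6F9D9C18D64C8BFEFD.txt failed in download: (-2147012867) A connection with the server could not be established
2010-09-13 04:58:01.000 UTC Info WsusService.21 Constructed.Sample unrelated informational line
"""

# Layout assumed from the quoted line: timestamp, UTC, level, source, event, text.
JOB_ERROR = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) UTC\s+Error\s+\S+\s+"
    r"ContentSyncAgent\.JobError\s+Download error: (?P<url>\S+) failed in download: "
    r"\((?P<code>-?\d+)\)\s*(?P<msg>.*)$"
)

def hresult_hex(code: int) -> str:
    """Render the signed 32-bit error code from the log as an unsigned HRESULT."""
    return f"0x{code & 0xFFFFFFFF:08X}"

def parse_job_errors(text):
    """Yield one dict per ContentSyncAgent.JobError line in the log text."""
    for line in text.splitlines():
        m = JOB_ERROR.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        default_port = 443 if url.scheme == "https" else 80
        yield {
            "timestamp": m["ts"],
            "scheme": url.scheme,
            "host": url.hostname,
            "port": url.port or default_port,
            "path": url.path,
            "hresult": hresult_hex(int(m["code"])),
            "message": m["msg"],
        }

def failures_by_endpoint(text):
    """Count failed content downloads per (scheme, host, port)."""
    return Counter((e["scheme"], e["host"], e["port"]) for e in parse_job_errors(text))

if __name__ == "__main__":
    for (scheme, host, port), n in failures_by_endpoint(SAMPLE_LOG).items():
        print(f"{n} failed download(s) via {scheme}://{host}:{port}")
```

For the quoted line it reports one failure via http://central.fqdn:8530 with HRESULT 0x80072EFD.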

 
TarekIsmail

The default port numbers are port 8530 for HTTP protocol and port 8531 for HTTPS protocol (SSL). These port settings will need to be specified when creating the active software update point for the site.

You must Configure the WSUS Web Site to Use SSL; use the link below:
http://technet.microsoft.com/en-us/library/bb633246.aspx

Also, it seems your primary child SUP server needs to trust your primary SUP server's CA.

Good Luck!
Tarek Ismail
AGoodwin42

ASKER

Hi, thanks for your feedback; unfortunately we have already covered these items off.

Port settings and SSL settings are correct, and as stated above we have already run the "wsusutil.exe configuressl" and passed it the FQDN with no errors. We need to know how to force the EULA downloads to use port 8531 instead of 8530. The regular WSUS downloads are working fine and using port 8531 but the EULA downloads are using port 8530 which is causing the problem.
ASKER CERTIFIED SOLUTION
TarekIsmail

This solution is only available to members.

Hi Ismail

Thanks for that! Will use it to get security team to open this port on firewall.

Cheers

Anne
We have tried other sites for an answer and whilst this answer doesn't tell us how to get the EULA downloads to happen on port 8531, it does give us sufficient info to pass to the security team to open the port 8530 in the firewall (hopefully).