Solved

Primary child active SUP trying to download EULA files from central site over port 8530 in Native Mode

Posted on 2010-09-15
5
1,587 Views
Last Modified: 2013-11-21
Hi guys,

We have a primary child site in one forest with an active SUP installed.
It's meant to synchronise with the central site SUP in another forest.
We're running in Native Mode (each forest has it's own PKI) so we're expecting the primary child SUP to use port 8531,
but from the logs, it's trying to grab the files on port 8530 -- which is closed via our firewall!

       - - - - - - - - - - - - - - - -    
E.g.,: SoftwareDistribution.log on the primary child site:

2010-09-13 04:57:52.427 UTC Error WsusService.21 ContentSyncAgent.JobError Download error: http://central.fqdn:8530/Content/FD/37DE761B8616436D10208B6F9D9C18D64C8BFEFD.txt failed in download: (-2147012867) A connection with the server could not be established

      - - - - - - - - - - - - - - - - -

As a result, there are no EULA files in D:\WSUS\WsusContent on the primary child site.
All the folders are there (e.g., FD, FB, F6, F2, ... but there are absolutely no files inside any of them).
Therefore, when our clients sync up with the SUP, they fail because they can't download the EULA files
as per their local WindowsUpdate.log file.

Our primary child SUP has a Server Authentication certificate installed in IIS on port 8351.
We've already run "wsusutil.exe configuressl" and passed it the fqdn.
That appears correctly if you run "wsusutil.exe configuressl" again (i.e., https://primary-child.fqdn:8531).

In the ConfigMgr Console, the Software Update Point Component Properties already shows the correct non-HTTP port of 8530
(I guess this is not used) and HTTPS port of 8531 in the General tab.

The "Enable SSL for this WSUS server" is ticked and greyed out.
In the Sync Settings tab, "Synchronize from an upstream update server" is also ticked and greyed out.
We do not need nor specify a proxy server.
We've also tried a "wsus reset" command and the usual IIS resets/server restarts with no luck.

Any ideas?

 
0
Comment
Question by:AGoodwin42
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 6

Expert Comment

by:TarekIsmail
ID: 33691460
the default port numbers are port 8530 for HTTP protocol and port 8531 for HTTPS protocol (SSL). These port settings will need to be specified when creating the active software update point for the site.

you must  Configure the WSUS Web Site to Use SSL, use the link below
http://technet.microsoft.com/en-us/library/bb633246.aspx

also it seems your primary child SUP server need to trust your primary SUP server  CA.

Good Luck!
Tarek Ismail
0
 

Author Comment

by:AGoodwin42
ID: 33697406
Hi, thanks your feedback, unfortunately we have already covered these items off.

Port settings and SSL settings are correct, and as stated above we have already run the "wsusutil.exe configuressl" and passed it the FQDN with no errors. We need to know how to force the EULA downloads to use port 8531 instead of 8530. Ther regular WSUS downloads are working fine and using port 8531 but the EULA downloads are using port 8530 which is causing the problem.
0
 
LVL 6

Accepted Solution

by:
TarekIsmail earned 500 total points
ID: 33697969
HI,

I have checked my WSUS and found the below , only the following directory are configured to use SSL
SimpleAuthWebService
DSSAuthWebService
ServerSyncWebService
ApiRemoting30
ClientWebService
 
but the EULA located and downloaded on content directory of WSUS web site which mean it will not go throuth SSL and will use the non secure port 8530.

You can use the Secure Sockets Layer (SSL) protocol to secure your WSUS deployment. WSUS uses SSL to allow client computers and downstream WSUS servers to authenticate the WSUS server.

 WSUS also uses SSL to encrypt the metadata (the information about the updates) passed between clients and downstream WSUS servers. Note that WSUS uses SSL only for metadata, not for content (the update files themselves). This is also the way Microsoft Update distributes updates.

sorry to say the EULA is a part from the update content not metadata.

Good Luck!
Tarek Ismail
0
 

Author Comment

by:AGoodwin42
ID: 33698686
Hi Ismail

Thanks for that! Will use it to get security team to open this port on firewall.

Cheers

Anne
0
 

Author Closing Comment

by:AGoodwin42
ID: 33698693
We have tried other sites for an answer and whilst this answer doesn't tell us how to get the EULA downloads to happen on port 8531, it does give us sufficient info to pass to the security team to open the port 8530 in the firewall (hopefully).
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Description: Actually I found the below issue with some customers after migration from SMS 2003 to SCCM 2007 and epically if they change site code, some clients may appear in the console with old site code, plus old sites still appearing …
Have you considered what group policies are backwards and forwards compatible? Windows Active Directory servers and clients use group policy templates to deploy sets of policies within your domain. But, there is a catch to deploying policies. The…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question