Solved

WSUS client won't update when behind firewall.

Posted on 2011-02-24
4,644 Views
Last Modified: 2016-06-28
I have a couple of servers that are behind a firewall.  The firewall is configured to allow the servers to talk to the DNS servers, Domain Controllers, etc.  WSUS is not working correctly on those servers, however.  I have ports 80 and 443 open in the firewall, but Wireshark suggests that there is a dynamically allocated port that the servers and WSUS attempt to talk on.  Those ports, in the 55500+ range, are not open in the firewall.  Is there a way to make the servers and WSUS talk on a static port instead of a dynamically allocated port?
Question by:CousinDupree
8 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 400 total points
ID: 34972739
8530 & 8531 need to be opened on the firewall.
See here for further details: http://technet.microsoft.com/en-us/library/bb693717.aspx
0
 
LVL 2

Assisted Solution

by:maxxmyer
maxxmyer earned 100 total points
ID: 34972796
Here is another one and many Enterprise Environments have a group policy adjusted to reflect it.

http://technet.microsoft.com/en-us/library/bb632477.aspx
0
 
LVL 2

Expert Comment

by:Mattrw
ID: 34972813
WSUS also communicates over HTTP 8530 and HTTPS 8531.  

Open the registry on the problematic servers and navigate to:

HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE

In the Windows Update hive you should be able to see the details of your WSUS such as:

Target group:  MyDMZServers
TargetGroupEnabled: 000001
WUServer: MYMSWSUS
WUStatusServer:  MYMSWSUS

If not then it will not be able to communicate with the WSUS.  My advice would be to manually configure the key, export it and then re-import to the other DMZ servers either by GP or just copy, paste and then double click it to import.

It's also worth checking:

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINDOWSUPDATE\AUTOUPDATE

Here you can see the auto update options; have these details been received?

0
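As an added example (not code from the thread), the following PowerShell script reads the WindowsUpdate policy values the comment above describes and then tests TCP reachability of the WSUS host on the port its WUServer URL names, plus the ports discussed in this thread (80, 443, 8530, 8531). It assumes Windows 8 / Server 2012 or later for Test-NetConnection and an elevated prompt on the client behind the firewall; treating a bare server name without a scheme as http:// on port 80 is an assumption of this example.

```powershell
# Added example, not from the thread: inspect the WSUS policy keys and test
# the ports the client will use. Assumes Windows 8 / Server 2012 or later
# (Test-NetConnection) and an elevated prompt.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

if (-not (Test-Path $policyKey)) {
    Write-Warning "No WSUS policy key at $policyKey; this client is not pointed at a WSUS server."
    return
}

$wu = Get-ItemProperty -Path $policyKey
$au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

# The values an administrator expects to see on a WSUS-managed client.
[pscustomobject]@{
    WUServer           = $wu.WUServer
    WUStatusServer     = $wu.WUStatusServer
    TargetGroup        = $wu.TargetGroup
    TargetGroupEnabled = $wu.TargetGroupEnabled
    UseWUServer        = $au.UseWUServer   # AU\UseWUServer must be 1, otherwise WUServer is ignored
} | Format-List

# Work out which host and port the client will actually contact. A value with
# no scheme (a bare server name) is treated as http:// on port 80 here; that is
# an assumption of this example, the policy value should normally be a full URL.
$targets = @($wu.WUServer, $wu.WUStatusServer) | Where-Object { $_ } | Select-Object -Unique
foreach ($value in $targets) {
    $text = if ($value -match '^https?://') { $value } else { "http://$value" }
    $uri  = [uri]$text            # [uri]::Port yields 80/443 when the URL has no explicit port
    $ports = @($uri.Port) + @(80, 443, 8530, 8531) | Select-Object -Unique

    foreach ($port in $ports) {
        $r = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $uri.Host
            Port      = $port
            Reachable = $r.TcpTestSucceeded
            Note      = if ($port -eq $uri.Port) { 'port named in WUServer URL' } else { 'port discussed in thread' }
        }
    }
}
```

The port named in the WUServer URL is the one that matters for the client; if that shows Reachable = False while a plain web page on the same host works, the block is between the client and the WSUS site binding rather than in the client policy. A missing UseWUServer = 1 under the AU subkey is the other common reason a correctly populated WUServer value is never used.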
 

Author Comment

by:CousinDupree
ID: 34975212
It appears that port 80 is the only port my WSUS server is trying to use.  That port is open.  I've been troubleshooting this by issuing the command 'wuauclt /detectnow' from a command prompt and capturing the network activity in Wireshark.  Wireshark shows that there is communication on port 80 to the WSUS server and then communication is attempted on port 56344 to the WSUS server.  I tried again a little later and the port changed to 56362.  It appears that the server and WSUS try to set up communication on a dynamically allocated port after the initial handshaking.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34975235
Can you try opening ports 8530 and 8531 on the firewall see if this makes any difference?
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 34976428

How to Configure a Firewall for Software Updates

http://technet.microsoft.com/en-us/library/bb693717.aspx


0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34977244
That's the exact same link I posted! Why did you feel the need to repeat it?
0
 

Expert Comment

by:Anthony Maw
ID: 41679745
Some firewalls, especially "enterprise-class" products, don't automatically perform stateful inspection, so the server replies never get back to the client and you see time-out errors in the logs (for example c:\windows\windowsupdate.log).  I came across this issue with SonicWall (now Dell) products in the past.  Most home routers are stateful-inspection type, so it's easy for admins to forget about this issue. Normally in TCP/IP traffic when a client connects to a server it also includes in the IP header the reply port that the client listens on for the server to connect back to.  This is part of the RFC specification that was adopted since Windows Server 2008 and Vista. Administrators might create a rule that allows clients to connect to the WSUS server on TCP 80, 443, 8530, 8531, but the server is unable to connect back to the client because the firewall product didn't automatically read that information from the initial client-to-server contact.  WSUS normally uses 3 of these ephemeral ports to connect back to the client computer.  I recall that the RFC specifies that the WSUS needs to have TCP 49152 through 65535 open to be able to connect back to the client.  Regards, Anthony Maw, Vancouver, Canada
0
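As an added example (not code from the thread), this PowerShell script records the client's configured TCP dynamic port range, triggers the same detection cycle the asker used (wuauclt /detectnow), and samples the connections the Windows Update service opens while it runs, so the firewall rule can be written from observed traffic. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated prompt, and English netsh output for the range parsing.

```powershell
# Added example, not from the thread: show the dynamic (ephemeral) port range,
# trigger a detection, and list the TCP connections wuauserv opens meanwhile.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.

# 1. Dynamic range as configured on this host (Vista/2008 and later default to
#    start 49152 with 16384 ports, i.e. 49152-65535). English netsh output assumed.
$netsh = netsh interface ipv4 show dynamicport tcp
$start = [int](($netsh | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
$count = [int](($netsh | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)
$end   = $start + $count - 1
"Dynamic TCP port range on this host: $start-$end"

# 2. Start a detection cycle and sample the update service's connections for ~20 s.
Start-Process -FilePath 'wuauclt.exe' -ArgumentList '/detectnow' -NoNewWindow
$seen = @{}
for ($i = 0; $i -lt 20; $i++) {
    Start-Sleep -Seconds 1
    $svc = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
    if (-not $svc -or $svc.ProcessId -eq 0) { continue }   # service not (yet) running
    Get-NetTCPConnection -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::' } |
        ForEach-Object {
            $key = '{0}:{1} -> {2}:{3}' -f $_.LocalAddress, $_.LocalPort, $_.RemoteAddress, $_.RemotePort
            if (-not $seen.ContainsKey($key)) { $seen[$key] = $_ }
        }
}

# 3. Report: the local port of each connection should fall inside the dynamic
#    range above; the remote port is what the outbound firewall rule must allow.
$seen.Values | ForEach-Object {
    [pscustomobject]@{
        LocalPort        = $_.LocalPort
        LocalIsEphemeral = ($_.LocalPort -ge $start -and $_.LocalPort -le $end)
        Remote           = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
        State            = $_.State
    }
} | Sort-Object LocalPort | Format-Table -AutoSize
```

Read the table alongside the Wireshark capture: the high-numbered ports such as 56344 and 56362 mentioned earlier in the thread show up here as LocalPort with LocalIsEphemeral = True, while Remote stays on the WSUS port (80 in the asker's case, or 8530/8531 on a default WSUS install). A firewall rule that permits the client to reach the WSUS port and tracks state for the return packets covers that traffic; if the capture instead shows SYNs arriving at the client from the server, the table above will not list them and the rule set needs a second look.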
