Solved

WSUS client won't update when behind firewall.

Posted on 2011-02-24
8
4,779 Views
Last Modified: 2016-06-28
I have a couple of servers that are behind a firewall.  The firewall is configured to allow the servers to talk to the DNS servers, Domain Controllers, etc.  WSUS is not working correctly on those servers, however.  I have ports 80 and 443 open in the firewall, but Wireshark suggests that there is a dynamically allocated port that the servers and WSUS attempt to talk on.  Those ports, in the 55500+ range, are not open in the firewall.  Is there a way to make the servers and WSUS talk on a static port instead of a dynamically allocated port?
Question by:CousinDupree
8 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 400 total points
ID: 34972739
8530 & 8531 need to be opened on the firewall.
See here for further details: http://technet.microsoft.com/en-us/library/bb693717.aspx
LVL 2

Assisted Solution

by:maxxmyer
maxxmyer earned 100 total points
ID: 34972796
Here is another one and many Enterprise Environments have a group policy adjusted to reflect it.

http://technet.microsoft.com/en-us/library/bb632477.aspx
LVL 2

Expert Comment

by:Mattrw
ID: 34972813
WSUS also communicates over HTTP 8530 and HTTPS 8531.  

Open the registry on the problematic servers and navigate to:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

In the Windows Update hive you should be able to see the details of your WSUS such as:

Target group:  MyDMZServers
TargetGroupEnabled: 000001
WUServer: MYMSWSUS
WUStatusServer:  MYMSWSUS

If not then it will not be able to communicate with the WSUS.  My advice would be to manually configure the key, export it and then re-import to the other DMZ servers either by GP or just copy, paste and then double click it to import.

It's also worth checking:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

Here you can see the auto update options, have these details been received?


Author Comment

by:CousinDupree
ID: 34975212
It appears that port 80 is the only port my WSUS server is trying to use.  That port is open.  I've been troubleshooting this by issuing the command 'wuauclt /detectnow' from a command prompt and capturing the network activity in Wireshark.  Wireshark shows that there is communication on port 80 to the WSUS server and then communication is attempted on port 56344 to the WSUS server.  I tried again a little later and the port changed to 56362.  It appears that the server and WSUS try to set up communication on a dynamically allocated port after the initial handshaking.
LVL 74

Expert Comment

by:Glen Knight
ID: 34975235
Can you try opening ports 8530 and 8531 on the firewall see if this makes any difference?
LVL 47

Expert Comment

by:Donald Stewart
ID: 34976428

How to Configure a Firewall for Software Updates

http://technet.microsoft.com/en-us/library/bb693717.aspx
LVL 74

Expert Comment

by:Glen Knight
ID: 34977244
That's the exact same link I posted! Why did you feel the need to repeat it?

Expert Comment

by:Anthony Maw
ID: 41679745
Some firewalls, especially "enterprise-class" products don't automatically perform stateful-inspection so the server replies never get back to the client and you see time-out errors in the logs (for example c:\windows\windowsupdate.log).  I came across this issue with SonicWall (now Dell) products in the past.  Most home routers are stateful-inspection type so it's easy for admins to forget about this issue. Normally in TCP/IP traffic when a client connects to a server it also includes in the IP header the reply port that the client listens for the server to connect back to.  This is part of the RFC specification that was adopted since Windows Server 2008 and Vista. Administrators might create a rule that allows clients to connect to the WSUS server on TCP 80, 443, 8530, 8531 but the server is unable to connect back to the client because the firewall product didn't automatically read that information from the initial client to server contact.  WSUS normally uses 3 of these ephemeral ports to connect back to the client computer.  I recall that the RFC specifies that the WSUS needs to have TCP 49152 through 65535 open to be able to connect back to the client.  Regards, Anthony Maw, Vancouver, Canada
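An added diagnostic script (not from any of the experts above) that ties together Mattrw's registry check and the port discussion in this thread: it reads the WSUS policy values the client is actually using, tests TCP reachability to the configured WSUS host on its policy port plus 8530/8531, and prints the dynamic (ephemeral) TCP port range the client draws its source ports from. It assumes Windows 8.1 / Server 2012 R2 or later for Test-NetConnection, an elevated prompt, and that the WSUS policy keys exist.

```powershell
# Added example, not code from the thread. Assumes PowerShell 4+ with Test-NetConnection
# and that the machine is pointed at WSUS via policy (GPO or the imported .reg from above).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

# 1. Is this client pointed at a WSUS server at all? (the check Mattrw describes)
$wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue
if (-not $wu -or -not $wu.WUServer) {
    Write-Warning "No WUServer value under $policyKey; the client will talk to Microsoft Update instead."
    return
}
"WUServer       : $($wu.WUServer)"
"WUStatusServer : $($wu.WUStatusServer)"
"TargetGroup    : $($wu.TargetGroup) (TargetGroupEnabled=$($wu.TargetGroupEnabled))"
"UseWUServer    : $($au.UseWUServer)"   # must be 1, otherwise WUServer is ignored

# 2. Which host and port does that URL imply, and can we reach them through the firewall?
#    [System.Uri] fills in 80/443 when the URL carries no explicit port.
$uri = [System.Uri]$wu.WUServer
foreach ($p in @($uri.Port, 8530, 8531) | Select-Object -Unique) {
    $r = Test-NetConnection -ComputerName $uri.Host -Port $p -WarningAction SilentlyContinue
    "{0}:{1,-5} TcpTestSucceeded={2}" -f $uri.Host, $p, $r.TcpTestSucceeded
}

# 3. The dynamic port range this host uses as the source side of outbound TCP connections
#    (49152-65535 by default since Vista/2008). A firewall that does not track connection
#    state needs an explicit rule allowing return traffic from WSUS to this range.
netsh int ipv4 show dynamicport tcp
```

Run it on one of the DMZ servers after `wuauclt /detectnow`; a failed TcpTestSucceeded on the policy port, or an empty policy hive, narrows the problem to the firewall or to the missing registry values respectively.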