Solved

WSUS client won't update when behind firewall.

Posted on 2011-02-24
Last Modified: 2016-06-28
I have a couple of servers that are behind a firewall.  The firewall is configured to allow the servers to talk to the DNS servers, Domain Controllers, etc.  WSUS is not working correctly on those servers, however.  I have ports 80 and 443 open in the firewall, but Wireshark suggests that there is a dynamically allocated port that the servers and WSUS attempt to talk on.  Those ports, in the 55500+ range, are not open in the firewall.  Is there a way to make the servers and WSUS talk on a static port instead of a dynamically allocated port?
Question by:CousinDupree
8 Comments
 
LVL 74

Accepted Solution

by: Glen Knight earned 1600 total points
ID: 34972739
8530 & 8531 need to be opened on the firewall.
See here for further details: http://technet.microsoft.com/en-us/library/bb693717.aspx
 
LVL 2

Assisted Solution

by: maxxmyer earned 400 total points
ID: 34972796
Here is another one and many Enterprise Environments have a group policy adjusted to reflect it.

http://technet.microsoft.com/en-us/library/bb632477.aspx
 
LVL 2

Expert Comment

by:Mattrw
ID: 34972813
WSUS also communicates over HTTP 8530 and HTTPS 8531.  

Open the registry on the problematic servers and navigate to:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

In the Windows Update hive you should be able to see the details of your WSUS such as:

Target group:  MyDMZServers
TargetGroupEnabled: 000001
WUServer: MYMSWSUS
WUStatusServer:  MYMSWSUS

If not then it will not be able to communicate with the WSUS.  My advice would be to manually configure the key, export it and then re-import to the other DMZ servers either by GP or just copy, paste and then double click it to import.

It's also worth checking:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate

Here you can see the auto update options, have these details been received?

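An added diagnostic script (not from the thread or from any of its posters) that reads the WSUS policy values the comment above lists and then probes TCP reachability of the configured WSUS server on the ports this thread discusses. It assumes Windows 8 / Server 2012 or later for Test-NetConnection, and treats a bare host name in WUServer (as in the comment's example) as plain HTTP.

```powershell
# Added example, not from the thread or from Microsoft: read the WSUS client
# policy values the comment above lists, then probe TCP reachability of the
# configured WSUS server on the ports discussed in this thread.
# Assumes Windows 8 / Server 2012 or later (Test-NetConnection); run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"
$StateKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-WsusClientPolicy {
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No WSUS policy under $PolicyKey; the client will talk to Microsoft Update instead."
        return $null
    }
    $p  = Get-ItemProperty -Path $PolicyKey
    $au = if (Test-Path $AuKey) { Get-ItemProperty -Path $AuKey } else { $null }
    [pscustomobject]@{
        WUServer           = $p.WUServer
        WUStatusServer     = $p.WUStatusServer
        TargetGroup        = $p.TargetGroup
        TargetGroupEnabled = $p.TargetGroupEnabled
        UseWUServer        = $au.UseWUServer   # must be 1 for WUServer to take effect
        AUOptions          = $au.AUOptions
    }
}

function Test-WsusServerPorts {
    param([Parameter(Mandatory)][string]$WUServer)
    # The policy value should be a URL (e.g. http://wsus:8530); a bare host name as
    # in the comment above is accepted here by assuming plain HTTP.
    if ($WUServer -notmatch '^https?://') { $WUServer = "http://$WUServer" }
    $uri = [uri]$WUServer
    # Probe the port from the URL plus the four ports named in the thread.
    $ports = @($uri.Port, 80, 443, 8530, 8531) | Sort-Object -Unique
    foreach ($port in $ports) {
        $r = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $uri.Host; Port = $port; TcpOpen = $r.TcpTestSucceeded }
    }
}

$policy = Get-WsusClientPolicy
if ($policy) {
    $policy | Format-List
    Test-WsusServerPorts -WUServer $policy.WUServer | Format-Table -AutoSize
}
# Values the client has actually applied (the second key the comment mentions):
if (Test-Path $StateKey) { Get-ItemProperty -Path $StateKey | Format-List }
```

A port reported as closed here while the policy values look right points at the firewall rather than the client configuration.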
 

Author Comment

by:CousinDupree
ID: 34975212
It appears that port 80 is the only port my WSUS server is trying to use.  That port is open.  I've been troubleshooting this by issuing the command 'wuauclt /detectnow' from a command prompt and capturing the network activity in Wireshark.  Wireshark shows that there is communication on port 80 to the WSUS server and then communication is attempted on port 56344 to the WSUS server.  I tried again a little later and the port changed to 56362.  It appears that the server and WSUS try to set up communication on a dynamically allocated port after the initial handshaking.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34975235
Can you try opening ports 8530 and 8531 on the firewall see if this makes any difference?
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34976428
How to Configure a Firewall for Software Updates

http://technet.microsoft.com/en-us/library/bb693717.aspx
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34977244
That's the exact same link I posted! Why did you feel the need to repeat it?
 

Expert Comment

by:Anthony Maw
ID: 41679745
Some firewalls, especially "enterprise-class" products, don't automatically perform stateful inspection, so the server replies never get back to the client and you see time-out errors in the logs (for example c:\windows\windowsupdate.log).  I came across this issue with SonicWall (now Dell) products in the past.  Most home routers are stateful-inspection type, so it's easy for admins to forget about this issue. Normally in TCP/IP traffic when a client connects to a server it also includes in the IP header the reply port that the client listens for the server to connect back to.  This is part of the RFC specification that was adopted since Windows Server 2008 and Vista. Administrators might create a rule that allows clients to connect to the WSUS server on TCP 80, 443, 8530, 8531, but the server is unable to connect back to the client because the firewall product didn't automatically read that information from the initial client-to-server contact.  WSUS normally uses 3 of these ephemeral ports to connect back to the client computer.  I recall that the RFC specifies that the WSUS needs to have TCP 49152 through 65535 open to be able to connect back to the client.  Regards, Anthony Maw, Vancouver, Canada
