  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6417

WSUS client won't update when behind firewall.

I have a couple of servers that are behind a firewall.  The firewall is configured to allow the servers to talk to the DNS servers, Domain Controllers, etc.  WSUS is not working correctly on those servers, however.  I have ports 80 and 443 open in the firewall, but Wireshark suggests that there is a dynamically allocated port that the servers and WSUS attempt to talk on.  Those ports, in the 55500+ range, are not open in the firewall.  Is there a way to make the servers and WSUS talk on a static port instead of a dynamically allocated port?
0
Asked by CousinDupree
2 Solutions
 
Glen Knight commented:
8530 & 8531 need to be opened on the firewall.
See here for further details: http://technet.microsoft.com/en-us/library/bb693717.aspx
0
 
maxxmyer commented:
Here is another one and many Enterprise Environments have a group policy adjusted to reflect it.

http://technet.microsoft.com/en-us/library/bb632477.aspx
0
 
Mattrw commented:
WSUS also communicates over HTTP 8530 and HTTPS 8531.  

Open the registry on the problematic servers and navigate to:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

In the Windows Update hive you should be able to see the details of your WSUS such as:

  TargetGroup: MyDMZServers
  TargetGroupEnabled: 000001
  WUServer: MYMSWSUS
  WUStatusServer: MYMSWSUS

If not, then it will not be able to communicate with the WSUS. My advice would be to manually configure the key, export it and then re-import it on the other DMZ servers, either by GP or by just copying, pasting and double-clicking it to import.

It's also worth checking:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate

Here you can see the auto update options. Have these details been received?

0
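As an added example (not code from the thread or from Microsoft), here is a PowerShell script that reads the WSUS client policy values Mattrw lists above and then tests plain TCP reachability from the DMZ server to the WSUS host on the ports discussed in this thread. It assumes the WUServer value is either a URL (for example http://MYMSWSUS:8530) or a bare hostname; the AU\UseWUServer value is a standard policy value, not one mentioned on this page.

```powershell
# Added example: check the WSUS client policy keys and test TCP reachability
# to the WSUS server on ports 80, 443, 8530 and 8531 (the ports named in the thread).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'  # assumption: standard AU subkey

function Get-WsusClientConfig {
    # Returns the WSUS-related policy values, or $null if the policy key is absent.
    if (-not (Test-Path $policyKey)) {
        Write-Warning "Policy key $policyKey is missing; this client is not pointed at a WSUS server."
        return $null
    }
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        WUServer           = $p.WUServer
        WUStatusServer     = $p.WUStatusServer
        TargetGroup        = $p.TargetGroup
        TargetGroupEnabled = $p.TargetGroupEnabled
        UseWUServer        = if (Test-Path $auKey) { (Get-ItemProperty -Path $auKey).UseWUServer } else { $null }
    }
}

function Test-WsusPorts {
    param(
        [Parameter(Mandatory)] [string] $WsusHost,
        [int[]] $Ports = @(80, 443, 8530, 8531)
    )
    foreach ($port in $Ports) {
        # Plain TCP connect with a 3 second timeout; works without Test-NetConnection.
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($WsusHost, $port, $null, $null)
            $ok = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
        } catch { $ok = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Host = $WsusHost; Port = $port; Reachable = $ok }
    }
}

$cfg = Get-WsusClientConfig
if ($cfg) {
    $cfg | Format-List
    # WUServer is usually a URL; fall back to treating it as a hostname.
    $uri = $null
    if ([uri]::TryCreate($cfg.WUServer, [System.UriKind]::Absolute, [ref]$uri)) { $wsusHost = $uri.Host }
    else { $wsusHost = $cfg.WUServer }
    Test-WsusPorts -WsusHost $wsusHost | Format-Table -AutoSize
}
```

A port that shows Reachable = False while the same port works from inside the network points at the firewall rule rather than the WSUS configuration; if UseWUServer is 0 the client will ignore WUServer entirely.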
 
CousinDupree (Author) commented:
It appears that port 80 is the only port my WSUS server is trying to use.  That port is open.  I've been troubleshooting this by issuing the command 'wuauclt /detectnow' from a command prompt and capturing the network activity in Wireshark.  Wireshark shows that there is communication on port 80 to the WSUS server and then communication is attempted on port 56344 to the WSUS server.  I tried again a little later and the port changed to 56362.  It appears that the server and WSUS try to set up communication on a dynamically allocated port after the initial handshaking.
0
 
Glen Knight commented:
Can you try opening ports 8530 and 8531 on the firewall see if this makes any difference?
0
 
Donald Stewart (Network Administrator) commented:
How to Configure a Firewall for Software Updates

http://technet.microsoft.com/en-us/library/bb693717.aspx
0
 
Glen Knight commented:
That's the exact same link I posted! Why did you feel the need to repeat it?
0
 
Anthony Maw commented:
Some firewalls, especially "enterprise-class" products, don't automatically perform stateful inspection, so the server replies never get back to the client and you see time-out errors in the logs (for example c:\windows\windowsupdate.log). I came across this issue with SonicWall (now Dell) products in the past. Most home routers are stateful-inspection type, so it's easy for admins to forget about this issue. Normally in TCP/IP traffic, when a client connects to a server it also includes in the IP header the reply port that the client listens on for the server to connect back to. This is part of the RFC specification that was adopted since Windows Server 2008 and Vista. Administrators might create a rule that allows clients to connect to the WSUS server on TCP 80, 443, 8530, 8531, but the server is unable to connect back to the client because the firewall product didn't automatically read that information from the initial client-to-server contact. WSUS normally uses 3 of these ephemeral ports to connect back to the client computer. I recall that the RFC specifies that the WSUS needs to have TCP 49152 through 65535 open to be able to connect back to the client. Regards, Anthony Maw, Vancouver, Canada
0