Solved

WSUS client won't update when behind firewall.

Posted on 2011-02-24
8
5,114 Views
Last Modified: 2016-06-28
I have a couple of servers that are behind a firewall.  The firewall is configured to allow the servers to talk to the DNS servers, Domain Controllers, etc.  WSUS is not working correctly on those servers, however.  I have ports 80 and 443 open in the firewall, but Wireshark suggests that there is a dynamically allocated port that the servers and WSUS attempt to talk on.  Those ports, in the 55500+ range, are not open in the firewall.  Is there a way to make the servers and WSUS talk on a static port instead of a dynamically allocated port?
0
Comment
Question by:CousinDupree
8 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 400 total points
ID: 34972739
8530 & 8531 need to be opened on the firewall.
See here for further details: http://technet.microsoft.com/en-us/library/bb693717.aspx
0
 
LVL 2

Assisted Solution

by:maxxmyer
maxxmyer earned 100 total points
ID: 34972796
Here is another one and many Enterprise Environments have a group policy adjusted to reflect it.

http://technet.microsoft.com/en-us/library/bb632477.aspx
0
 
LVL 2

Expert Comment

by:Mattrw
ID: 34972813
WSUS also communicates over HTTP 8530 and HTTPS 8531.  

Open the registry on the problematic servers and navigate to:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

In the Windows Update hive you should be able to see the details of your WSUS such as:

Target group:  MyDMZServers
TargetGroupEnabled: 000001
WUServer: MYMSWSUS
WUStatusServer:  MYMSWSUS

If not then it will not be able to communicate with the WSUS.  My advice would be to manually configure the key, export it and then re-import to the other DMZ servers either by GP or just copy, paste and then double click it to import.

It's also worth checking:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

Here you can see the Automatic Updates options. Have these details been received?

0
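The two checks the answers above describe (the policy keys under WindowsUpdate and reachability of the WSUS port, 8530/8531 or 80/443 depending on how the server was installed) can be scripted from the client itself. The following PowerShell is an added example, not code posted in this thread: it reads the policy values, then opens a plain TCP connection to the host and port named in WUServer so you can tell a firewall block apart from a missing or wrong policy. The server name `wsus.example.local` in the comment is a placeholder; the `Results\Detect` values are the ones a standard client writes after a detection cycle.

```powershell
# Added example (not from the thread): show the WSUS client policy keys and
# probe the configured WSUS port from the server behind the firewall.
# Run from an elevated PowerShell prompt on the affected server.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'
$DetectKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect'

function Get-WsusClientConfig {
    # Policy values are normally written by Group Policy or imported from a .reg file.
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No policy key at $PolicyKey - this client is not pointed at a WSUS server."
        return $null
    }
    $p  = Get-ItemProperty -Path $PolicyKey
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer           = $p.WUServer            # e.g. http://wsus.example.local:8530 (placeholder)
        WUStatusServer     = $p.WUStatusServer
        TargetGroup        = $p.TargetGroup
        TargetGroupEnabled = $p.TargetGroupEnabled
        UseWUServer        = $au.UseWUServer        # must be 1, otherwise WUServer is ignored
    }
}

function Test-WsusPort {
    # Plain TCP connect with a timeout; works on older servers without extra modules.
    param([string]$WUServer, [int]$TimeoutMs = 3000)
    if ($WUServer -notmatch '^https?://') { $WUServer = "http://$WUServer" }
    $uri    = [uri]$WUServer                    # no explicit port -> 80 for http, 443 for https
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
        $ok = $ar.AsyncWaitHandle.WaitOne($TimeoutMs)
        if ($ok) { $client.EndConnect($ar) }    # throws if the connection was refused
        [pscustomobject]@{ Host = $uri.Host; Port = $uri.Port; Open = ($ok -and $client.Connected) }
    } catch {
        [pscustomobject]@{ Host = $uri.Host; Port = $uri.Port; Open = $false }
    } finally {
        $client.Close()
    }
}

$cfg = Get-WsusClientConfig
if ($cfg) {
    $cfg | Format-List
    # Probe the port the client is actually told to use; a timeout here with the
    # policy in place points at the firewall rather than the client configuration.
    Test-WsusPort -WUServer $cfg.WUServer | Format-Table -AutoSize
    # Result of the last detection cycle (LastError is 0 after a successful check-in).
    Get-ItemProperty -Path $DetectKey -ErrorAction SilentlyContinue |
        Select-Object LastSuccessTime, LastError
}
```

After fixing the firewall rule or the policy, trigger a new detection with `wuauclt /detectnow` as the asker did and re-read the `Results\Detect` values; the probe connection uses an ephemeral local source port like any TCP client, so the rule needed on the firewall is for the destination port on the WSUS side, with the firewall tracking the return traffic of that connection.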

 

Author Comment

by:CousinDupree
ID: 34975212
It appears that port 80 is the only port my WSUS server is trying to use.  That port is open.  I've been troubleshooting this by issuing the command 'wuauclt /detectnow' from a command prompt and capturing the network activity in Wireshark.  Wireshark shows that there is communication on port 80 to the WSUS server and then communication is attempted on port 56344 to the WSUS server.  I tried again a little later and the port changed to 56362.  It appears that the server and WSUS try to set up communication on a dynamically allocated port after the initial handshaking.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34975235
Can you try opening ports 8530 and 8531 on the firewall see if this makes any difference?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 34976428

How to Configure a Firewall for Software Updates

http://technet.microsoft.com/en-us/library/bb693717.aspx


0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34977244
That's the exact same link I posted! Why did you feel the need to repeat it?
0
 

Expert Comment

by:Anthony Maw
ID: 41679745
Some firewalls, especially "enterprise-class" products, don't automatically perform stateful inspection, so the server replies never get back to the client and you see time-out errors in the logs (for example c:\windows\windowsupdate.log).  I came across this issue with SonicWall (now Dell) products in the past.  Most home routers are stateful-inspection type, so it's easy for admins to forget about this issue. Normally in TCP/IP traffic, when a client connects to a server it also includes in the IP header the reply port that the client listens on for the server to connect back to.  This is part of the RFC specification that was adopted since Windows Server 2008 and Vista. Administrators might create a rule that allows clients to connect to the WSUS server on TCP 80, 443, 8530, 8531, but the server is unable to connect back to the client because the firewall product didn't automatically read that information from the initial client-to-server contact.  WSUS normally uses 3 of these ephemeral ports to connect back to the client computer.  I recall that the RFC specifies that the WSUS needs to have TCP 49152 through 65535 open to be able to connect back to the client.  Regards, Anthony Maw, Vancouver, Canada
0
