Problem with WSUS 3.0 SP2 Synchronization

I recently had to do some updating to my IIS7.5 server that runs WSUS and Exchange 2010 Web Services.  After finally getting autodiscover to work, I can no longer synchronize WSUS to the Microsoft site.  When I try to do so, I get the following message.

The error type is unknown.

TypeInitializationException: The type initializer for 'Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy' threw an exception. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
   at Microsoft.UpdateServices.Internal.ClassFactory.CreateInstance(Type type, Object[] args)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.GetWebServiceProxyInternal(UpdateServerConfiguration serverConfig, WebServiceCommunicationHelper webServiceHelper, Boolean useCompressionProxy)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.GetWebServiceCompressionProxy(UpdateServerConfiguration serverConfig, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.RetrieveSubscriptionData()
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

It appears to be related to SSL/TLS negotiation.  There are also the following errors in the Application Log:

Error Windows Server Update Services, Event ID 13042 Task Category 6, Self-update is not working.
Error Windows Server Update Services, Event ID 10022 Task Category 7, The last catalog synchronization attempt was unsuccessful.
Error Windows Server Update Services, Event ID 12002, Task Category 9, The Reporting Web Service is not working.
Error Windows Server Update Services, Event ID 12012, Task Category 9, The API Remoting Web Service is not working.
Error Windows Server Update Services, Event ID 12022, Task Category 9, The Client Web Service is not working.
Error Windows Server Update Services, Event ID 12042, Task Category 9, The SimpleAuth Web Service is not working.
Error Windows Server Update Services, Event ID 12052, Task Category 9, The DSS Authentication Web Service is not working.

All of the client computers are able to connect to WSUS, and are reporting their status, the only issue is with the server not being able to synchronize.

The history...

Set up Server 2008 R2 and MS Exchange 2010 using domain.local.
Obtained GoDaddy UCC Certificate that listed both and domain.local for mail., autodiscover., etc...
Installed WSUS 2.0 (have since moved to latest version).

Everything worked fine.

When the certificate expired, I had to purchase a new UCC certificate.  GoDaddy took away the ability to have .local as an alt subject.  Still, things were working OK.

I ran into some problems over the past weekend trying to make a configuration change (web redirect for to go to our www site, hosted on another server, for compliance reasons).  Broke a lot of things, but got everything running OK for Exchange (no more certificate errors; autodiscover, which never worked correctly in the past, is now fixed, etc...).  I did this by changing the local server for a number of the services in IIS7.5 to the or instead of domain.local or mail.domain.local.

After all was fixed, tried to open the MMC for WSUS.  It wouldn't connect to the computer, which in the past was connected to simply by entering the computer name MAILSERVER1.   Was able to connect using MAIL.DOMAIN.COM or DOMAIN.COM instead.  However, now I can't get synchronizations to work.  I have checked to make sure the locally generated certificate was in the trusted store, it is.  I have also double, triple and quadruple checked all IIS security and authentication settings.  All appear to be OK.

Does anyone know what would be causing the error above?  I am at my wits end, and about to either move WSUS to a different server (really don't want to screw up Exchange again), or abandon it (which I hate to do because a number of our users don't install updates when prompted, or don't tell me if they have an error installing an update...very nice to be able to monitor from WSUS).

Thanks in advance to the wizard who can help me solve this problem.
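The exception quoted in the question is thrown while the WSUS server itself acts as an HTTPS client to its upstream synchronization endpoint, so the certificate being rejected is the one the upstream side presents, validated against this server's machine trust store. The PowerShell below is an added diagnostic, not code from the original thread: it repeats that outbound handshake, captures the chain actually presented, reports the ChainStatus reason and whether the root is in the machine store, and then lists any CAPI2/crypt32 events of the kind the expert below asks about. `sws.update.microsoft.com` is assumed as the public sync host (substitute the upstream WSUS server's name if this server syncs from one), and the registry key read for the local port/SSL setting is the WSUS 3.x setup key.

```powershell
# Added example (not from the thread): diagnose "Could not establish trust relationship"
# from the WSUS server's side.  Sync is the server acting as an HTTPS *client*, so repeat
# that outbound handshake, capture the chain presented, and validate it locally so the
# real ChainStatus reason is visible.  Assumptions: run on the WSUS server;
# $UpstreamHost is a placeholder for the public Windows Update sync host.
param(
    [string]$UpstreamHost = 'sws.update.microsoft.com',
    [int]$Port = 443
)

function Get-WsusLocalSetup {
    # WSUS 3.x records its own IIS port and SSL setting here (install / wsusutil configuressl).
    $key = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    $s = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($s) { "Local WSUS: PortNumber={0} UsingSSL={1}" -f $s.PortNumber, $s.UsingSSL }
    else    { "Local WSUS setup key not found at $key" }
}

function Get-UpstreamCertificate([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate for the handshake only, so an untrusted chain can still be
    # captured; the stream is closed immediately and nothing is ever sent over it.
    $captureOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $captureOnly)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

function Test-UpstreamTrust([string]$HostName, [int]$Port) {
    try {
        $leaf = Get-UpstreamCertificate $HostName $Port
    } catch {
        return New-Object PSObject -Property @{ Host = $HostName; HandshakeError = $_.Exception.Message }
    }

    # Build the chain from the machine store, which is what .NET does before raising the
    # WebException.  Revocation is skipped to isolate the *trust* question; a blocked
    # CRL/OCSP fetch is a different failure and would only muddy the answer here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)
    $status  = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint })

    # Name check: the leaf must name the host dialled.  A TLS-inspecting proxy or a redirect
    # to the wrong site shows up as a Subject/SAN that is not the upstream host.
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $nameMatches = ($leaf.Subject -match "CN=$([regex]::Escape($HostName))(,|$)") -or
                   ($sanText -match [regex]::Escape($HostName))

    New-Object PSObject -Property @{
        Host                    = $HostName
        Subject                 = $leaf.Subject
        Issuer                  = $leaf.Issuer
        NotAfter                = $leaf.NotAfter
        NameMatches             = $nameMatches
        ChainTrusted            = $trusted
        ChainStatus             = ($status -join '; ')
        RootSubject             = $root.Subject
        RootInLocalMachineStore = $rootInStore
    }
}

Get-WsusLocalSetup
Test-UpstreamTrust $UpstreamHost $Port | Format-List

# CAPI2/crypt32 entries in the Application log record failed automatic root-certificate
# updates, which leave a newer Microsoft root untrusted on this machine.
Get-EventLog -LogName Application -Newest 200 |
    Where-Object { $_.Source -match 'CAPI2|crypt32' } |
    Select-Object -First 10 -Property TimeGenerated, EventID, Source, Message
```

An Issuer that is a local or proxy CA rather than a public one means a device between the server and Microsoft is terminating TLS; `UntrustedRoot` with `RootInLocalMachineStore` false points at the root-update path (the crypt32 events); a `HandshakeError` means negotiation failed before any certificate was seen, for example a protocol mismatch. Any of those is fixed at its source, not by loosening certificate validation in WSUS or .NET.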
CATMAN1966 (Author) commented:
Only ports 80 and 443 are open.  If I bind 8530 and 8531 (as http and https respectively), it causes an issue with autodiscover (documented, but I don't have the link handy).  Both ports redirect to the outside server our web site is hosted on.  Users can access the site at, and all other apps and virtual directories are redirected to the OWA app.

I did set up WSUS to use https.

I am pretty sure I have two options.  

1. Move WSUS to a different site on the web server and bind to 8530 and 8531 then reconfigure WSUS.  I don't have a strong background in IIS7 configuration so this worries me since it is our production E-mail and backup server both of which are working exactly as intended.

2. Install WSUS on the other server.  Opens IIS services up to our LAN, but shouldn't cause a huge security risk.  

I am doing the second.  I will have to reapprove all updates, but it is a lot less time consuming than trying to mess with the e-mail server and potentially causing a mess.  The whole issue started when a client noticed that was redirected to our OWA site.  Times are changing and a lot more users don't type www at the beginning of a URL, so I made changes to DNS and IIS.  In the process I ran into a couple of issues with autodiscover and OOF settings.  It took me two days to get them working again (with certificate errors to users and other issues along the way).  I didn't realize I had created the current issue until the other day when I went to manually check for updates in WSUS.  Given my last encounter with making changes to IIS, I am nervous to do anything else since it is working fine and only has a couple of minor potential security issues that I will resolve in the near future (I regularly scan externally and internally with Nexpose).

At the moment, it is working...failed on the first install.  Uninstalled, reinstalled, installed correctly.  It is synchronizing, but since it is the first time, it is doing so very slowly (about 51% in an hour).  I haven't changed GP to point to the new WSUS server yet, but know how to negotiate the registry very well to resolve client connection errors (have dealt with these for years on various clients).

I'm not going to uninstall WSUS from the mail/backup server, as it will be decommissioned next year when it is near the end of its life cycle.  I'm not having performance issues, so I will just make sure all machines are checking in with the new server and not with the old.

I'll let you know how it goes.  Thanks for the ideas.
Are you getting any crypt32 errors in your event logs? Are the root certificates up to date on your server?

On a side note, you stated your web server hosts both WSUS and Exchange web services.  I hope you have other servers; if not, this is a single point of failure for you.
CATMAN1966 (Author) commented:
No crypt32 errors in any of the logs.

My environment is relatively simple.  2 Win 2008 R2 servers.  Server 1 is file server/SQL server.  Server 2 is Exchange 2010/WSUS server.  About 40 clients.

I am using the Windows Internal Database with WSUS, not SQL.

When I set up originally, I wanted to keep the file server set up without web services for security, so I used the Exchange Server (that does not host our company web site, that is hosted elsewhere) when I set up WSUS.  It has worked pretty well for the most part over the past 4 years.  

I think I can get it to work if I set up bindings for 8530 and 8531, but both Exchange and WSUS are running under the Default Web Site and this causes autodiscover to fail.

I am far from being an IIS 7.5 expert, and am not sure what applications/virtual directories need to be moved or copied (how do you copy, or can you) from the Default Site to a new web site on IIS using the bindings above.  I think that would be one solution.  The other solution that might be easier is to move WSUS to the file/SQL server where there are no other web apps.

Of course, I would prefer to leave as-is and correct the problem, but I have searched everywhere for advice on this issue, and can't find anything that will work.

What course of action would you choose?
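Option 1 above, moving WSUS out of the Default Web Site so that Exchange's 80/443 bindings are left alone, is what WSUS 3.0 SP2's own `wsusutil usecustomwebsite` switch does: it recreates WSUS under a separate "WSUS Administration" site on port 8530 rather than requiring the virtual directories to be copied by hand. The PowerShell below is an added example, not the thread's, that runs that switch, adds the 8531 https binding with the existing certificate, marks the WSUS virtual directories that must require SSL, and records the SSL name with `wsusutil configuressl`. `mail.domain.com` stands in for the redacted certificate name, the WSUS install path is assumed to be the default, and the list of SSL-required virtual directories is the set documented for WSUS 3.0.

```powershell
# Added example (not from the thread): the author's option 1 with the WSUS 3.0 SP2 tooling.
# wsusutil usecustomwebsite moves WSUS from the Default Web Site to its own
# "WSUS Administration" site on 8530; the rest adds 8531 with the existing certificate and
# requires SSL only on the WSUS virtual directories that need it.
# Assumptions: run elevated on the WSUS server; $CertSubjectName is a placeholder for the
# name on the GoDaddy certificate; WSUS is installed under the default path.
param(
    [string]$CertSubjectName = 'mail.domain.com',
    [switch]$WhatIfOnly
)

Import-Module WebAdministration
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
if (-not (Test-Path $wsusutil)) { throw "wsusutil.exe not found at $wsusutil" }

# 1. Select the server certificate by name (survives renewal better than a thumbprint) and
#    refuse to continue if the choice is ambiguous.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
      (($_.Subject -match "CN=$([regex]::Escape($CertSubjectName))(,|$)") -or
       ($san -and $san.Format($false) -match [regex]::Escape($CertSubjectName)))
})
if ($certs.Count -ne 1) { throw "Expected exactly one usable certificate for $CertSubjectName, found $($certs.Count)" }
$cert = $certs[0]

$steps = @(
    # Move WSUS to its own site on 8530.  Clients pointed at http://MAILSERVER1 must then be
    # re-pointed to http://<server>:8530, which is the reconfiguration the author was wary of.
    { & $wsusutil usecustomwebsite true },
    # Add the 8531 https binding on the new site and attach the certificate to that port.
    { New-WebBinding -Name 'WSUS Administration' -Protocol https -Port 8531 -IPAddress '*' },
    { Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item 'IIS:\SslBindings\0.0.0.0!8531' | Out-Null },
    # Require SSL only where WSUS needs it; the content directory stays http by design so
    # clients can download update files without TLS overhead.
    { foreach ($vdir in 'ApiRemoting30','ClientWebService','DSSAuthWebService','ServerSyncWebService','SimpleAuthWebService') {
          Set-WebConfigurationProperty -PSPath "IIS:\Sites\WSUS Administration\$vdir" `
              -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
      } },
    # Record the FQDN clients and the console will use over https.
    { & $wsusutil configuressl $CertSubjectName },
    { Restart-Service WsusService }
)

foreach ($step in $steps) {
    Write-Host ("==> " + $step.ToString().Trim())
    if (-not $WhatIfOnly) { & $step }
}

if (-not $WhatIfOnly) {
    # Verify: the new site should show http on 8530 and https on 8531 with our certificate.
    Get-WebBinding -Name 'WSUS Administration' | Select-Object protocol, bindingInformation
    Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 8531 } | Select-Object IPAddress, Port, Thumbprint
}
```

Run it with `-WhatIfOnly` first to see the steps without applying them. Afterwards the WSUS console connects on 8530/8531 rather than 80/443, and the Group Policy WUServer/WUStatusServer URLs have to carry `:8530` (or `https://...:8531`), so the client-side reconfiguration the author mentions applies to this option too.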

While this is not an ideal setup... it did work before you made changes to autodiscovery.  Is the server itself able to access the Windows Update site? Control Panel => Windows Update?

Is the server a VM by any chance?
CATMAN1966Author Commented:
The server CAN reach the server, as can all of the clients.  It is only a problem with the server trying to reach the external Windows Update Server.  No virtual machines...yet, I am toying with the idea when I upgrade late this year or mid 2016.

Just checked registry...there were a number of values pointing to the local domain relating to WSUS.  Changed to the public domain, rebooted, no difference.  Everything still works the same, still get the error trying to synchronize.

In IIS what ports are in use by your web sites?
If WSUS is going right to MS it would be using port 80 or 443?  Did you set WSUS up to use https?
compdigit44 commented:
Reinstalling WSUS was going to be one of my next suggestions to you.  This is why I asked if the server was a VM, so you could take a snapshot...

Nice work..
CATMAN1966 (Author) commented:
Thanks...the synchronization finished on the new server, and machines are starting to check in, so this ended up being the easiest solution without doing anything that would cause me additional headaches on our Exchange Server.  I imagine I will have to do a wuauclt /detectnow /resetauthorization on a couple, but so far that doesn't seem to be an issue.
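Checking that clients have actually moved to the new server, as an added example that is not part of the original post: the script reads the WUServer/WUStatusServer policy values that Group Policy writes, tests that the configured URL is reachable, and, with `-Fix`, issues the wuauclt reset the author mentions (the documented order is `/resetauthorization` followed by `/detectnow`). The new server URL is a placeholder; the thread gives no name or port for it.

```powershell
# Added example (not from the thread): verify a client is pointed at the new WSUS server
# after the Group Policy change, then force re-registration as the author describes.
# $ExpectedServer is a placeholder; 8530 is the WSUS port when a custom site is used.
param(
    [string]$ExpectedServer = 'http://wsus2.domain.local:8530',
    [switch]$Fix
)

$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $policy 'AU'

function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. What the client is actually configured to use (these keys are written by Group Policy).
$wuServer       = Get-RegValue $policy   'WUServer'
$wuStatusServer = Get-RegValue $policy   'WUStatusServer'
$useWuServer    = Get-RegValue $auPolicy 'UseWUServer'
$targetGroup    = Get-RegValue $policy   'TargetGroup'
$clientId       = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' 'SusClientId'

$report = New-Object PSObject -Property @{
    ComputerName   = $env:COMPUTERNAME
    WUServer       = $wuServer
    WUStatusServer = $wuStatusServer
    UseWUServer    = $useWuServer
    TargetGroup    = $targetGroup
    SusClientId    = $clientId
    PointsAtNew    = ($wuServer -eq $ExpectedServer -and $wuStatusServer -eq $ExpectedServer -and $useWuServer -eq 1)
}

# 2. Can the client open a TCP connection to the WSUS URL it is configured for?
function Test-TcpPort([string]$Url, [int]$TimeoutMs = 3000) {
    $u = [Uri]$Url
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($u.Host, $u.Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}
if ($wuServer) { $report | Add-Member NoteProperty Reachable (Test-TcpPort $wuServer) }
$report | Format-List

# 3. Force re-registration.  /resetauthorization discards the cached target-group
#    authorization cookie so the client registers afresh; /detectnow starts a scan.
if ($Fix) {
    if (-not $report.PointsAtNew) {
        Write-Warning "Policy still points at '$wuServer'; run gpupdate /force (or fix the GPO) before resetting."
    } else {
        & "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
        Write-Host 'Reset issued; the client should appear under the new server in the WSUS console within a few minutes.'
    }
}
```

Run it without `-Fix` across the fleet first: a machine whose `WUServer` still names the old server has not picked up the new policy, and a `Reachable` of false with the right URL is a firewall or DNS problem on the new server, not a client-side one.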
CATMAN1966 (Author) commented:
Expert helped me think through the issue with the above comments, but my idea to move to a different server was the final resolution that worked with the least amount of headaches.