WSUS 6.3 Clients not connecting

I just installed WSUS on Windows server 2012 R2 . I have GPOs set to point the Servers and desktops to the WSUS Server, but so far only the Servers have connected. I reinstalled WSUS and IIS hoping that there was a gliche in the install, but that didn't work either.


Here is the SolarWinds Diagnostic tool results for my PC:

# Solarwinds® Diagnostic Tool for the WSUS Agent
# 8/21/2015
Machine state
  User rights:                                       User does not have administrative rights (Administrator rights are not available)
  Update service status:                             Running
  Background Intelligent Transfer service status:    Running
  OS Version:                                        Windows 7 Enterprise  Service Pack 1
  Windows update agent version:                      7.6.7601.18847 (WU Agent is OK)
Windows Update Agent configuration settings
  Automatic Update:                                  Enabled
  Options:                                           Scheduled (Every day at  4:00 AM)
  Use WSUS Server:                                   Enabled
  Windows Update Server:                             http://WSUS_Server:8530 
  Windows Update Status Server:                      http://WSUS_Server:8530
  WSUS URLs are identical:                           Identical
  WSUS URL is valid:                                 Valid URL
WSUS Server Connectivity -- Unable to connect to the remote server
  clientwebservice/client.asmx:                      Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)

  simpleauthwebservice/simpleauth.asmx:              Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)

  content:                                           Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)

  selfupdate/iuident.cab:                            Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)

  iuident.cab:                                       Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)


Here is the SolarWinds Diagnostic tool results for a Server that was able to connect to WSUS:

# Solarwinds® Diagnostic Tool for the WSUS Agent
# 8/21/2015
Machine state
  User rights:                                       User does not have administrative rights (Administrator rights are not available)
  Update service status:                             Running
  Background Intelligent Transfer service status:    Running
  OS Version:                                        Windows Server 2008 R2 Enterprise  Service Pack 1
  Windows update agent version:                      7.5.7601.17514 (WU Agent is OK)
Windows Update Agent configuration settings
  Automatic Update:                                  Disabled
  Options:                                           Not found (There is no such key)
  Use WSUS Server:                                   Enabled
  Windows Update Server:                             http://WSUS_Server:8530 
  Windows Update Status Server:                      http://WSUS_Server:8530
  WSUS URLs are identical:                           Identical
  WSUS URL is valid:                                 Valid URL
WSUS Server Connectivity
  clientwebservice/client.asmx:                      OK

  simpleauthwebservice/simpleauth.asmx:              OK

  content:                                           Error: Forbidden (Incorrect proxy client configuration - use settings tab to test proxy configuration settings; may also be caused by misconfigured SSL implementation or access rights on WSUS server)

  selfupdate/iuident.cab:                            OK

  iuident.cab:                                       Error: NotFound (Omitting required port suffix on URL to access WSUS installed to port 8530 or resource is unreachable)




Has anyone run into this before?
NathanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
check your proxy gpo's
0
arnoldCommented:
Are you sure your WSUS is configured/setup on the 8530 port or might it be on the 80?

Do you have other clients that have no issues? check the windowsupdate.log file for those systems.

Check IIS site/bindings to see where it is looking for the connection.
make sure you've set the window firewall settings to allow incoming port 8530 TCP connection if that is where you installed the WSUS web server interface.
0
NathanAuthor Commented:
I've looked at the firewall settings and port 8530 and 8531 are both open. For some reason all of the desktops are unable to connect to the WSUS server. I'll look into it a bit more and report back.

Also, I took a look at the bindings and they are set to the default 8530 and 8531.

Still receiving the errors when using SolarWinds Diagnostic tool for WSUS.


WSUS Server Connectivity -- Unable to connect to the remote server
   clientwebservice/client.asmx:                      Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)

   simpleauthwebservice/simpleauth.asmx:              Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)

   content:                                           Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)

   selfupdate/iuident.cab:                            Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)

   iuident.cab:                                       Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

NathanAuthor Commented:
SO I tried a couple things. I changed the pointer from http://WSUS_Server:8530 to http://IP_Address:8530 with no luck.

I also noticed that when I set the GPO in group policy to 8530:TCP:*:enable:WSUS or 8530:TCP:WSUS_Server:enable:WSUS the rule in the firewall showed up as blocked. I disabled the GPO and set the port manually on the server and on a test machine, but still no luck. The desktop doesn't show up in the WSUS console.

I ran the wuauclt.exe /resetauthorization /reportnow command and my windowsupdate.log shows below.

2015-08-26      11:53:48:639       516      748      Misc      FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2
2015-08-26      11:53:48:639       516      748      PT        + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2015-08-26      11:53:48:639       516      748      PT        + Caller provided credentials = No
2015-08-26      11:53:48:639       516      748      PT        + Impersonate flags = 0
2015-08-26      11:53:48:639       516      748      PT        + Possible authorization schemes used =
2015-08-26      11:53:48:639       516      748      PT      WARNING: GetConfig failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2015-08-26      11:53:48:639       516      748      PT      WARNING: PTError: 0x80072ee2
2015-08-26      11:53:48:639       516      748      PT      WARNING: GetConfig_WithRecovery failed: 0x80072ee2
2015-08-26      11:53:48:639       516      748      PT      WARNING: RefreshConfig failed: 0x80072ee2
2015-08-26      11:53:48:639       516      748      PT      WARNING: RefreshPTState failed: 0x80072ee2
2015-08-26      11:53:48:639       516      748      PT      WARNING: PTError: 0x80072ee2
2015-08-26      11:53:48:639       516      748      Report      WARNING: Reporter failed to upload events with hr = 80072ee2.
2015-08-26      11:55:14:088       516      748      Misc      WARNING: Send failed with hr = 80072ee2.
2015-08-26      11:55:14:088       516      748      Misc      WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-08-26      11:55:14:088       516      748      Misc      FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2
2015-08-26      11:55:14:088       516      748      PT        + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2015-08-26      11:55:14:088       516      748      PT        + Caller provided credentials = No
2015-08-26      11:55:14:088       516      748      PT        + Impersonate flags = 0
2015-08-26      11:55:14:088       516      748      PT        + Possible authorization schemes used =
2015-08-26      11:55:14:088       516      748      PT      WARNING: GetConfig failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2015-08-26      11:55:14:088       516      748      PT      WARNING: PTError: 0x80072ee2
2015-08-26      11:55:14:088       516      748      PT      WARNING: GetConfig_WithRecovery failed: 0x80072ee2
2015-08-26      11:55:14:088       516      748      PT      WARNING: RefreshConfig failed: 0x80072ee2
2015-08-26      11:55:14:088       516      748      PT      WARNING: RefreshPTState failed: 0x80072ee2
2015-08-26      11:55:14:088       516      748      PT      WARNING: PTError: 0x80072ee2
2015-08-26      11:55:14:088       516      748      Report      WARNING: Reporter failed to upload events with hr = 80072ee2.



Any ideas as to what else I can try. I'm puzzled because the servers have connected, but not the desktops. Also, out of the 10 servers, all are failing to report except 1.

All desktops are windows 7 and all of the servers are windows 2008 R2, except the WSUS server which is Windows 2012 R2.
0
arnoldCommented:
Are you certain that it is listening on 8350, please the advanced firewall settings to make sure. You gave a rule on the 2012 to allow inbound 8350 TCP connections.

Are other clients connecting, check their settings.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NathanAuthor Commented:
I have two test PCs. One I placed in the same OU that the servers are in to see if it uses the same GPO's that they have and connects. So far it hasn't and the only thing I can thing of is that the servers are on different network. All of our servers have ip addresses of xxx.xxx.27.xxx.

The other machine I placed in a test OU with no GPO's except the WSUS settings and then I manually opened the TCP and UDP ports 8530 and 8531.


So far neither machine has contacted the WSUS server and are still receiving the 0x80072EE2 error in the windowsupdate.logs
0
arnoldCommented:
Double check that using a browser you can connect to the wsus server on port 8530. Configure IIS site for wsus to be browsable after you confirm the bindings are for port 8530 on the ipv4 ip; if it works, you should see folders there, if it does, it means either it
0
NathanAuthor Commented:
When WSUS installs, it installs IIS by default. Are there other changes that have to be made in order for it to work? I didn't see any reference to that in the install articles I've read.


If I go to http://WSUS_Server/ from one of the servers I get an IIS screen, http://WSUS_Server:8530/ from a server I get a blank screen.

If I do either of the above from a desktop I get a blank screen.
0
arnoldCommented:
You have to make sure which options are set and whether the web interface is accessible.
relying on what should be by default without checking may lead to thinking what should be rather than what is.

Based on your prior comment, you do not have a single client that is able to connect to the wsus server as your GPO is configured.  The first thing to do is to make sure the WSUS setup is as you expect and then work your way back.  One thing you can try is make sure the WSUS server itself is using the WSUS server setup to get its updates.


you get a blank screen because by default directory browsing is not enabled.  Within the IIS administration tool, enable directory browsing on the wsus site.
And will go from there whether you have the subfolders there that are needed.
make sure within this site the next folder is selfupdate, content, etc. if you have a wsus folder withiin which the others are, that would explain your issue.  your GPO will then need to change the intranet site as http://wsus server:8350/wsus and that should resolved that issue.
1
NathanAuthor Commented:
After installing and enabling directory browsing; from the WSUS server I now see one directory and one file when I browse to http://WSUS_Server:8530. There is a aspnet_client directory and a web.config file.

Just FYI, I tried the same with 2 other servers and could see the same.
0
arnoldCommented:
You are missing several directories, self update, simplewebauth, content, and one or two more.

Check the default dire to see if the above referenced folders exist there.

You might have to use wsusutil tore initialize the web portion where you want it.  I suspect firing the install of the role you made different choice.

If the directories exist under the default domain, alter the GPO to point to the default site http://wsus server/ and see if the clients start communicating ......
0
NathanAuthor Commented:
Within IIS I have two sites. Default website that is listening on port 80 and WSUS Administration which is listening under port 8530 and 8531.

I noticed that under the default web site there is only one directory, aspnet_client.

Under WSUS Administration there is all of the wsus directories.

from the WSUS server I can browse to http:\\localhost:8530 and still only see the aspnet_client dir, but I am able to browse to http:\\localhost:8530/Selfupdate/ and view the folders within it.
0
NathanAuthor Commented:
Something else I noticed. When I right click on WSUS Administration -> Manage Website -> Browse, it takes me to https://localhost:8531/
0
arnoldCommented:
that is the secure site configuration presumably you configured your admin console for secure access.  you could within the GPO point to this,

if you go with the browser are you getting redirected to the secure site?

double check the wsus site 8530 whether the bindings are only on the 127.0.0.1 or do you have a binding that no matter what IP port 8530 it will be selected as well?
1
NathanAuthor Commented:
Been off for a couple days. I will try this and get back to you.

Thanks
0
NathanAuthor Commented:
ugggh.

So I got frustrated and wiped the entire thing. Rebuilt the server and reinstalled everything and still having the same issues.

I'm going to start from the top of this ticket and see if there is something I haven't done. I never had this much trouble with WSUS 3.0.
0
arnoldCommented:
Enable directory browsing on the website that wsus 8350 is on
There is a client test utility for connection.
Or use a browser http://wsusserver:8350
What happens?
0
arnoldCommented:
1
NathanAuthor Commented:
I enabled directory browsing, but according to the troubleshooting guide I seem to have an IIS issue I guess.

On the Server:
In IIS, from WSUS Administration site I click browse:8530 (http) and the page says "The Website declined to show this webpage"

I get the same error if I attempt to browse to http://WSUSserver:8530/selfupdate/ from the WSUS server.

On the client test machine:
going to either http://WSUSserver:8530/selfupdate/ or http://WSUSserver:8530/ both return "This page cannot be displayed
0
arnoldCommented:
Is the web site started? if you go to http://localhost:8530/selfupdate is the behavior different?
If it is, that means that your IIS binding are limited to local host meaning you have to add in the bindings
wsus_ip port 8530 and that should fix it.
0
NathanAuthor Commented:
I enabled directory browsing.

From the WSUS Server, if I go to:
          http://localhost:8530/                       I can see the web.config file listed
          http://WSUSServername:8530/       I can see the web.config file listed
         
          http://localhost:8530/selfupdate                        I can see AU, iuident.cab, wsus3, and wuident.cab
          http://WSUSServername:8530/selfupdate        I can see AU, iuident.cab, wsus3, and wuident.cab




From my PC, only get "Page cannot be displayed"
0
arnoldCommented:
Go into advanced firewall settings and open port 8350 TCP on the domain.  The windows firewall is blocking requests.  Presumably your server's network connection in the network an sharing display shows that it is a work/domain connection type not public.
If public, you need to change it to domain, or include public in the firewall rule.
0
NathanAuthor Commented:
8530 and 8531 TCP are both open on the firewall for Domain, Private, and Public.
0
arnoldCommented:
Do your workstations  go through proxy to access the Internet, barracuda, etc?  You need to configure proxy settings to not use proxy for intranet sites, exclude local LAN ip/24 from going through the proxy.

Does https://wsusseverip:8531 work as well?
Does the site allow announimous browsing?
0
NathanAuthor Commented:
I feel like such an idiot.

Arnold, your very first suggestion ended up being how I solved this. While I had allowed port 8530 on the firewall in Windows 2012, I didn't take into account our hardware firewalls. Once I requested that port be opened for my server everything started working.

Thank you for all your help and patience.
0
NathanAuthor Commented:
Arnold was great help! I wish I could give him way more points for patience.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.