Nathan
asked on
WSUS 6.3 Clients not connecting
I just installed WSUS on Windows server 2012 R2 . I have GPOs set to point the Servers and desktops to the WSUS Server, but so far only the Servers have connected. I reinstalled WSUS and IIS hoping that there was a gliche in the install, but that didn't work either.
Here is the SolarWinds Diagnostic tool results for my PC:
# Solarwinds® Diagnostic Tool for the WSUS Agent
# 8/21/2015
Machine state
User rights: User does not have administrative rights (Administrator rights are not available)
Update service status: Running
Background Intelligent Transfer service status: Running
OS Version: Windows 7 Enterprise Service Pack 1
Windows update agent version: 7.6.7601.18847 (WU Agent is OK)
Windows Update Agent configuration settings
Automatic Update: Enabled
Options: Scheduled (Every day at 4:00 AM)
Use WSUS Server: Enabled
Windows Update Server: http://WSUS_Server:8530
Windows Update Status Server: http://WSUS_Server:8530
WSUS URLs are identical: Identical
WSUS URL is valid: Valid URL
WSUS Server Connectivity -- Unable to connect to the remote server
clientwebservice/client.as
simpleauthwebservice/simpl
content: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
selfupdate/iuident.cab: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
iuident.cab: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
Here is the SolarWinds Diagnostic tool results for a Server that was able to connect to WSUS:
# Solarwinds® Diagnostic Tool for the WSUS Agent
# 8/21/2015
Machine state
User rights: User does not have administrative rights (Administrator rights are not available)
Update service status: Running
Background Intelligent Transfer service status: Running
OS Version: Windows Server 2008 R2 Enterprise Service Pack 1
Windows update agent version: 7.5.7601.17514 (WU Agent is OK)
Windows Update Agent configuration settings
Automatic Update: Disabled
Options: Not found (There is no such key)
Use WSUS Server: Enabled
Windows Update Server: http://WSUS_Server:8530
Windows Update Status Server: http://WSUS_Server:8530
WSUS URLs are identical: Identical
WSUS URL is valid: Valid URL
WSUS Server Connectivity
clientwebservice/client.as
simpleauthwebservice/simpl
content: Error: Forbidden (Incorrect proxy client configuration - use settings tab to test proxy configuration settings; may also be caused by misconfigured SSL implementation or access rights on WSUS server)
selfupdate/iuident.cab: OK
iuident.cab: Error: NotFound (Omitting required port suffix on URL to access WSUS installed to port 8530 or resource is unreachable)
Has anyone run into this before?
Here is the SolarWinds Diagnostic tool results for my PC:
# Solarwinds® Diagnostic Tool for the WSUS Agent
# 8/21/2015
Machine state
User rights: User does not have administrative rights (Administrator rights are not available)
Update service status: Running
Background Intelligent Transfer service status: Running
OS Version: Windows 7 Enterprise Service Pack 1
Windows update agent version: 7.6.7601.18847 (WU Agent is OK)
Windows Update Agent configuration settings
Automatic Update: Enabled
Options: Scheduled (Every day at 4:00 AM)
Use WSUS Server: Enabled
Windows Update Server: http://WSUS_Server:8530
Windows Update Status Server: http://WSUS_Server:8530
WSUS URLs are identical: Identical
WSUS URL is valid: Valid URL
WSUS Server Connectivity -- Unable to connect to the remote server
clientwebservice/client.as
simpleauthwebservice/simpl
content: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
selfupdate/iuident.cab: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
iuident.cab: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
Here is the SolarWinds Diagnostic tool results for a Server that was able to connect to WSUS:
# Solarwinds® Diagnostic Tool for the WSUS Agent
# 8/21/2015
Machine state
User rights: User does not have administrative rights (Administrator rights are not available)
Update service status: Running
Background Intelligent Transfer service status: Running
OS Version: Windows Server 2008 R2 Enterprise Service Pack 1
Windows update agent version: 7.5.7601.17514 (WU Agent is OK)
Windows Update Agent configuration settings
Automatic Update: Disabled
Options: Not found (There is no such key)
Use WSUS Server: Enabled
Windows Update Server: http://WSUS_Server:8530
Windows Update Status Server: http://WSUS_Server:8530
WSUS URLs are identical: Identical
WSUS URL is valid: Valid URL
WSUS Server Connectivity
clientwebservice/client.as
simpleauthwebservice/simpl
content: Error: Forbidden (Incorrect proxy client configuration - use settings tab to test proxy configuration settings; may also be caused by misconfigured SSL implementation or access rights on WSUS server)
selfupdate/iuident.cab: OK
iuident.cab: Error: NotFound (Omitting required port suffix on URL to access WSUS installed to port 8530 or resource is unreachable)
Has anyone run into this before?
David Johnson, CD
check your proxy gpo's
Are you sure your WSUS is configured/setup on the 8530 port or might it be on the 80?
Do you have other clients that have no issues? check the windowsupdate.log file for those systems.
Check IIS site/bindings to see where it is looking for the connection.
make sure you've set the window firewall settings to allow incoming port 8530 TCP connection if that is where you installed the WSUS web server interface.
Do you have other clients that have no issues? check the windowsupdate.log file for those systems.
Check IIS site/bindings to see where it is looking for the connection.
make sure you've set the window firewall settings to allow incoming port 8530 TCP connection if that is where you installed the WSUS web server interface.
ASKER
I've looked at the firewall settings and port 8530 and 8531 are both open. For some reason all of the desktops are unable to connect to the WSUS server. I'll look into it a bit more and report back.
Also, I took a look at the bindings and they are set to the default 8530 and 8531.
Still receiving the errors when using SolarWinds Diagnostic tool for WSUS.
WSUS Server Connectivity -- Unable to connect to the remote server
clientwebservice/client.as
simpleauthwebservice/simpl
content: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
selfupdate/iuident.cab: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
iuident.cab: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
Also, I took a look at the bindings and they are set to the default 8530 and 8531.
Still receiving the errors when using SolarWinds Diagnostic tool for WSUS.
WSUS Server Connectivity -- Unable to connect to the remote server
clientwebservice/client.as
simpleauthwebservice/simpl
content: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
selfupdate/iuident.cab: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
iuident.cab: Error: ConnectFailure (Cannot Connect – caused by a network infrastructure fault making the Windows Update unavailable to the client system)
ASKER
SO I tried a couple things. I changed the pointer from http://WSUS_Server:8530 to http://IP_Address:8530 with no luck.
I also noticed that when I set the GPO in group policy to 8530:TCP:*:enable:WSUS or 8530:TCP:WSUS_Server:enabl
I ran the wuauclt.exe /resetauthorization /reportnow command and my windowsupdate.log shows below.
2015-08-26 11:53:48:639 516 748 Misc FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2
2015-08-26 11:53:48:639 516 748 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2015-08-26 11:53:48:639 516 748 PT + Caller provided credentials = No
2015-08-26 11:53:48:639 516 748 PT + Impersonate flags = 0
2015-08-26 11:53:48:639 516 748 PT + Possible authorization schemes used =
2015-08-26 11:53:48:639 516 748 PT WARNING: GetConfig failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2015-08-26 11:53:48:639 516 748 PT WARNING: PTError: 0x80072ee2
2015-08-26 11:53:48:639 516 748 PT WARNING: GetConfig_WithRecovery failed: 0x80072ee2
2015-08-26 11:53:48:639 516 748 PT WARNING: RefreshConfig failed: 0x80072ee2
2015-08-26 11:53:48:639 516 748 PT WARNING: RefreshPTState failed: 0x80072ee2
2015-08-26 11:53:48:639 516 748 PT WARNING: PTError: 0x80072ee2
2015-08-26 11:53:48:639 516 748 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
2015-08-26 11:55:14:088 516 748 Misc WARNING: Send failed with hr = 80072ee2.
2015-08-26 11:55:14:088 516 748 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-08-26 11:55:14:088 516 748 Misc FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2
2015-08-26 11:55:14:088 516 748 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2015-08-26 11:55:14:088 516 748 PT + Caller provided credentials = No
2015-08-26 11:55:14:088 516 748 PT + Impersonate flags = 0
2015-08-26 11:55:14:088 516 748 PT + Possible authorization schemes used =
2015-08-26 11:55:14:088 516 748 PT WARNING: GetConfig failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2015-08-26 11:55:14:088 516 748 PT WARNING: PTError: 0x80072ee2
2015-08-26 11:55:14:088 516 748 PT WARNING: GetConfig_WithRecovery failed: 0x80072ee2
2015-08-26 11:55:14:088 516 748 PT WARNING: RefreshConfig failed: 0x80072ee2
2015-08-26 11:55:14:088 516 748 PT WARNING: RefreshPTState failed: 0x80072ee2
2015-08-26 11:55:14:088 516 748 PT WARNING: PTError: 0x80072ee2
2015-08-26 11:55:14:088 516 748 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
Any ideas as to what else I can try. I'm puzzled because the servers have connected, but not the desktops. Also, out of the 10 servers, all are failing to report except 1.
All desktops are windows 7 and all of the servers are windows 2008 R2, except the WSUS server which is Windows 2012 R2.
I also noticed that when I set the GPO in group policy to 8530:TCP:*:enable:WSUS or 8530:TCP:WSUS_Server:enabl
I ran the wuauclt.exe /resetauthorization /reportnow command and my windowsupdate.log shows below.
2015-08-26 11:53:48:639 516 748 Misc FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2
2015-08-26 11:53:48:639 516 748 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2015-08-26 11:53:48:639 516 748 PT + Caller provided credentials = No
2015-08-26 11:53:48:639 516 748 PT + Impersonate flags = 0
2015-08-26 11:53:48:639 516 748 PT + Possible authorization schemes used =
2015-08-26 11:53:48:639 516 748 PT WARNING: GetConfig failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2015-08-26 11:53:48:639 516 748 PT WARNING: PTError: 0x80072ee2
2015-08-26 11:53:48:639 516 748 PT WARNING: GetConfig_WithRecovery failed: 0x80072ee2
2015-08-26 11:53:48:639 516 748 PT WARNING: RefreshConfig failed: 0x80072ee2
2015-08-26 11:53:48:639 516 748 PT WARNING: RefreshPTState failed: 0x80072ee2
2015-08-26 11:53:48:639 516 748 PT WARNING: PTError: 0x80072ee2
2015-08-26 11:53:48:639 516 748 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
2015-08-26 11:55:14:088 516 748 Misc WARNING: Send failed with hr = 80072ee2.
2015-08-26 11:55:14:088 516 748 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2015-08-26 11:55:14:088 516 748 Misc FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2
2015-08-26 11:55:14:088 516 748 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2015-08-26 11:55:14:088 516 748 PT + Caller provided credentials = No
2015-08-26 11:55:14:088 516 748 PT + Impersonate flags = 0
2015-08-26 11:55:14:088 516 748 PT + Possible authorization schemes used =
2015-08-26 11:55:14:088 516 748 PT WARNING: GetConfig failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2015-08-26 11:55:14:088 516 748 PT WARNING: PTError: 0x80072ee2
2015-08-26 11:55:14:088 516 748 PT WARNING: GetConfig_WithRecovery failed: 0x80072ee2
2015-08-26 11:55:14:088 516 748 PT WARNING: RefreshConfig failed: 0x80072ee2
2015-08-26 11:55:14:088 516 748 PT WARNING: RefreshPTState failed: 0x80072ee2
2015-08-26 11:55:14:088 516 748 PT WARNING: PTError: 0x80072ee2
2015-08-26 11:55:14:088 516 748 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
Any ideas as to what else I can try. I'm puzzled because the servers have connected, but not the desktops. Also, out of the 10 servers, all are failing to report except 1.
All desktops are windows 7 and all of the servers are windows 2008 R2, except the WSUS server which is Windows 2012 R2.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I have two test PCs. One I placed in the same OU that the servers are in to see if it uses the same GPO's that they have and connects. So far it hasn't and the only thing I can thing of is that the servers are on different network. All of our servers have ip addresses of xxx.xxx.27.xxx.
The other machine I placed in a test OU with no GPO's except the WSUS settings and then I manually opened the TCP and UDP ports 8530 and 8531.
So far neither machine has contacted the WSUS server and are still receiving the 0x80072EE2 error in the windowsupdate.logs
The other machine I placed in a test OU with no GPO's except the WSUS settings and then I manually opened the TCP and UDP ports 8530 and 8531.
So far neither machine has contacted the WSUS server and are still receiving the 0x80072EE2 error in the windowsupdate.logs
Double check that using a browser you can connect to the wsus server on port 8530. Configure IIS site for wsus to be browsable after you confirm the bindings are for port 8530 on the ipv4 ip; if it works, you should see folders there, if it does, it means either it
ASKER
When WSUS installs, it installs IIS by default. Are there other changes that have to be made in order for it to work? I didn't see any reference to that in the install articles I've read.
If I go to http://WSUS_Server/ from one of the servers I get an IIS screen, http://WSUS_Server:8530/ from a server I get a blank screen.
If I do either of the above from a desktop I get a blank screen.
If I go to http://WSUS_Server/ from one of the servers I get an IIS screen, http://WSUS_Server:8530/ from a server I get a blank screen.
If I do either of the above from a desktop I get a blank screen.
You have to make sure which options are set and whether the web interface is accessible.
relying on what should be by default without checking may lead to thinking what should be rather than what is.
Based on your prior comment, you do not have a single client that is able to connect to the wsus server as your GPO is configured. The first thing to do is to make sure the WSUS setup is as you expect and then work your way back. One thing you can try is make sure the WSUS server itself is using the WSUS server setup to get its updates.
you get a blank screen because by default directory browsing is not enabled. Within the IIS administration tool, enable directory browsing on the wsus site.
And will go from there whether you have the subfolders there that are needed.
make sure within this site the next folder is selfupdate, content, etc. if you have a wsus folder withiin which the others are, that would explain your issue. your GPO will then need to change the intranet site as http://wsus server:8350/wsus and that should resolved that issue.
relying on what should be by default without checking may lead to thinking what should be rather than what is.
Based on your prior comment, you do not have a single client that is able to connect to the wsus server as your GPO is configured. The first thing to do is to make sure the WSUS setup is as you expect and then work your way back. One thing you can try is make sure the WSUS server itself is using the WSUS server setup to get its updates.
you get a blank screen because by default directory browsing is not enabled. Within the IIS administration tool, enable directory browsing on the wsus site.
And will go from there whether you have the subfolders there that are needed.
make sure within this site the next folder is selfupdate, content, etc. if you have a wsus folder withiin which the others are, that would explain your issue. your GPO will then need to change the intranet site as http://wsus server:8350/wsus and that should resolved that issue.
ASKER
After installing and enabling directory browsing; from the WSUS server I now see one directory and one file when I browse to http://WSUS_Server:8530. There is a aspnet_client directory and a web.config file.
Just FYI, I tried the same with 2 other servers and could see the same.
Just FYI, I tried the same with 2 other servers and could see the same.
You are missing several directories, self update, simplewebauth, content, and one or two more.
Check the default dire to see if the above referenced folders exist there.
You might have to use wsusutil tore initialize the web portion where you want it. I suspect firing the install of the role you made different choice.
If the directories exist under the default domain, alter the GPO to point to the default site http://wsus server/ and see if the clients start communicating ......
Check the default dire to see if the above referenced folders exist there.
You might have to use wsusutil tore initialize the web portion where you want it. I suspect firing the install of the role you made different choice.
If the directories exist under the default domain, alter the GPO to point to the default site http://wsus server/ and see if the clients start communicating ......
ASKER
Within IIS I have two sites. Default website that is listening on port 80 and WSUS Administration which is listening under port 8530 and 8531.
I noticed that under the default web site there is only one directory, aspnet_client.
Under WSUS Administration there is all of the wsus directories.
from the WSUS server I can browse to http:\\localhost:8530 and still only see the aspnet_client dir, but I am able to browse to http:\\localhost:8530/Selfupdate/ and view the folders within it.
I noticed that under the default web site there is only one directory, aspnet_client.
Under WSUS Administration there is all of the wsus directories.
from the WSUS server I can browse to http:\\localhost:8530 and still only see the aspnet_client dir, but I am able to browse to http:\\localhost:8530/Selfupdate/ and view the folders within it.
ASKER
Something else I noticed. When I right click on WSUS Administration -> Manage Website -> Browse, it takes me to https://localhost:8531/
that is the secure site configuration presumably you configured your admin console for secure access. you could within the GPO point to this,
if you go with the browser are you getting redirected to the secure site?
double check the wsus site 8530 whether the bindings are only on the 127.0.0.1 or do you have a binding that no matter what IP port 8530 it will be selected as well?
if you go with the browser are you getting redirected to the secure site?
double check the wsus site 8530 whether the bindings are only on the 127.0.0.1 or do you have a binding that no matter what IP port 8530 it will be selected as well?
ASKER
Been off for a couple days. I will try this and get back to you.
Thanks
Thanks
ASKER
ugggh.
So I got frustrated and wiped the entire thing. Rebuilt the server and reinstalled everything and still having the same issues.
I'm going to start from the top of this ticket and see if there is something I haven't done. I never had this much trouble with WSUS 3.0.
So I got frustrated and wiped the entire thing. Rebuilt the server and reinstalled everything and still having the same issues.
I'm going to start from the top of this ticket and see if there is something I haven't done. I never had this much trouble with WSUS 3.0.
Enable directory browsing on the website that wsus 8350 is on
There is a client test utility for connection.
Or use a browser http://wsusserver:8350
What happens?
There is a client test utility for connection.
Or use a browser http://wsusserver:8350
What happens?
Here is a write up to troubleshoot
https://technet.microsoft.com/en-us/magazine/gg153542.aspx
https://technet.microsoft.com/en-us/magazine/gg153542.aspx
ASKER
I enabled directory browsing, but according to the troubleshooting guide I seem to have an IIS issue I guess.
On the Server:
In IIS, from WSUS Administration site I click browse:8530 (http) and the page says "The Website declined to show this webpage"
I get the same error if I attempt to browse to http://WSUSserver:8530/selfupdate/ from the WSUS server.
On the client test machine:
going to either http://WSUSserver:8530/selfupdate/ or http://WSUSserver:8530/ both return "This page cannot be displayed
On the Server:
In IIS, from WSUS Administration site I click browse:8530 (http) and the page says "The Website declined to show this webpage"
I get the same error if I attempt to browse to http://WSUSserver:8530/selfupdate/ from the WSUS server.
On the client test machine:
going to either http://WSUSserver:8530/selfupdate/ or http://WSUSserver:8530/ both return "This page cannot be displayed
Is the web site started? if you go to http://localhost:8530/selfupdate is the behavior different?
If it is, that means that your IIS binding are limited to local host meaning you have to add in the bindings
wsus_ip port 8530 and that should fix it.
If it is, that means that your IIS binding are limited to local host meaning you have to add in the bindings
wsus_ip port 8530 and that should fix it.
ASKER
I enabled directory browsing.
From the WSUS Server, if I go to:
http://localhost:8530/ I can see the web.config file listed
http://WSUSServername:8530/ I can see the web.config file listed
http://localhost:8530/selfupdate I can see AU, iuident.cab, wsus3, and wuident.cab
http://WSUSServername:8530/selfupdate I can see AU, iuident.cab, wsus3, and wuident.cab
From my PC, only get "Page cannot be displayed"
From the WSUS Server, if I go to:
http://localhost:8530/ I can see the web.config file listed
http://WSUSServername:8530/ I can see the web.config file listed
http://localhost:8530/selfupdate I can see AU, iuident.cab, wsus3, and wuident.cab
http://WSUSServername:8530/selfupdate I can see AU, iuident.cab, wsus3, and wuident.cab
From my PC, only get "Page cannot be displayed"
Go into advanced firewall settings and open port 8350 TCP on the domain. The windows firewall is blocking requests. Presumably your server's network connection in the network an sharing display shows that it is a work/domain connection type not public.
If public, you need to change it to domain, or include public in the firewall rule.
If public, you need to change it to domain, or include public in the firewall rule.
ASKER
8530 and 8531 TCP are both open on the firewall for Domain, Private, and Public.
Do your workstations go through proxy to access the Internet, barracuda, etc? You need to configure proxy settings to not use proxy for intranet sites, exclude local LAN ip/24 from going through the proxy.
Does https://wsusseverip:8531 work as well?
Does the site allow announimous browsing?
Does https://wsusseverip:8531 work as well?
Does the site allow announimous browsing?
ASKER
I feel like such an idiot.
Arnold, your very first suggestion ended up being how I solved this. While I had allowed port 8530 on the firewall in Windows 2012, I didn't take into account our hardware firewalls. Once I requested that port be opened for my server everything started working.
Thank you for all your help and patience.
Arnold, your very first suggestion ended up being how I solved this. While I had allowed port 8530 on the firewall in Windows 2012, I didn't take into account our hardware firewalls. Once I requested that port be opened for my server everything started working.
Thank you for all your help and patience.
ASKER
Arnold was great help! I wish I could give him way more points for patience.