Windows Clients not connecting to WSUS server.

Philsh
I have a fresh install of WSUS on a fresh install of Windows Server 2012R2.  I have edited group policy to have our desktops use our internal WSUS server for updates.  The only client showing in the WSUS console is the WSUS server itself.  I tried reinstalling WSUS on Windows Server 2016 and I get identical behavior.  I ran the Solarwinds Diagnostic Tool for the WSUS and the first two sections are fine. The last section, WSUS Server Connectivity, fails with "Cannot Connect - caused by a network infrastructure fault making the Windows Update unavailable ..."

Any assistance would be appreciated.
Check that port 8530 is not firewalled on your WSUS server, and make sure you can telnet to it from a workstation on your LAN. It is quite possibly a Windows Firewall issue. In addition to this, you can see what port you are utilizing from your Windows Server Update Services MMC panel: click on your WSUS server container under Update Services and look at Connection settings.


If you are still having issues, make sure that the port is listening on your server: run netstat -ano from your command line.
In addition to the information above, if you are not familiar with WSUS and the optimizations, you will soon need the following:

A WSUS base install will be extremely unreliable without the proper optimizations:

https://mivilisnet.wordpress.com/2017/09/28/increase-memory-for-a-stable-wsus-work/

Author

Commented:
I disabled the Firewall, same problem.  I get no response if I telnet to WSUS port 8530.

This is what I see with netstat:

Netstat

Author

Commented:
I also see the following with netstat.
Netstat2.PNG

Author

Commented:
If I try to navigate to http://wsus:8530/Selfupdate/iuident.cab, I do not get any response. So, I am assuming that the problem is with the WSUS server?
Seth Simmons, Sr. Systems Administrator

Commented:
Is there a hardware firewall in between?
Can you access that URL on the WSUS server itself?
Anything in the application log?

Author

Commented:
There is no hardware firewall.  The URL does work on the WSUS server.  I don't see anything obvious in the application log.

Author

Commented:
Update:  It looks like I can get to port 8530 on the WSUS server from itself and from the HYPER-V host on which WSUS is running. No other clients/servers can access this port.  I cannot see what is blocking this port.
@philsh,

Sounds like you need to create a firewall rule to allow access to that port for your LAN workstations.
Try running this on your WSUS server in an admin PowerShell window:  
New-NetFirewallRule -DisplayName "Allow Wsus Traffic Port 8530 Out" -Direction Outbound -LocalPort 8530 -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "Allow Wsus Traffic Port 8530 IN" -Direction Inbound -LocalPort 8530 -Protocol TCP -Action Allow

After you create those rules attempt to telnet to port 8530 from one of your clients to the WSUS server.

Author

Commented:
I had already created those rules and it did not work. Thanks.
Commented:
It looks like the issue is Symantec Endpoint Protection. It was installed on the Hyper-V host machine.   Even when you disable it, it blocks that traffic.  When I removed it, I could get to port 8530.
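
The checks used in this thread (configured policy, telnet to port 8530, fetching iuident.cab) combined into one client-side script that reports the first layer that fails. This is an added example, not code posted by anyone in the thread; the function name Test-WsusPath is hypothetical, and the server name "wsus" and port 8530 are taken from the URL quoted above.

```powershell
# Added example: layered WSUS reachability check, run on a client (PowerShell 4+).
# Assumptions: server "wsus" and port 8530 come from the thread's URL;
# Test-WsusPath is a hypothetical helper name.
function Test-WsusPath {
    param(
        [string]$Server = 'wsus',
        [int]$Port = 8530
    )
    $r = [ordered]@{ Server = $Server; Port = $Port; FailedAt = 'None' }

    # 1. What group policy actually configured on this client (empty if the GPO did not apply).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $r.PolicyWUServer = if ($policy) { $policy.WUServer } else { $null }

    # 2. Name resolution for the WSUS host.
    try {
        $r.Addresses = [System.Net.Dns]::GetHostAddresses($Server).IPAddressToString -join ','
    } catch {
        $r.FailedAt = 'DNS'
        return [pscustomobject]$r
    }

    # 3. TCP connect to the WSUS port (the equivalent of the telnet test).
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    $r.TcpOpen = $tcp.TcpTestSucceeded
    if (-not $tcp.TcpTestSucceeded) {
        $r.FailedAt = 'TCP'
        return [pscustomobject]$r
    }

    # 4. HTTP fetch of the self-update file the client agent requests.
    try {
        $uri = "http://${Server}:$Port/Selfupdate/iuident.cab"
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
        $r.HttpStatus = [int]$resp.StatusCode
    } catch {
        $r.HttpError = $_.Exception.Message
        $r.FailedAt = 'HTTP'
    }
    [pscustomobject]$r
}

Test-WsusPath | Format-List
```

FailedAt = TCP on clients while the same script reports None on the WSUS server itself matches the situation described in this thread, where something on the path (here, endpoint protection on the Hyper-V host) was filtering the port.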
