
Jan 13 2012

Configure WSUS to use SSL

You have WSUS in your infrastructure, and now you need to implement SSL because you want to be sure that your clients are connecting to the right WSUS server and that the metadata is encrypted, or you are just curious to see how it’s done. Configuring WSUS to use SSL is a straightforward process; all you need is a certificate and some IIS configuration. For this guide I have a single WSUS server deployment in a single forest/domain environment running on Windows Server 2008 R2 SP1. The certificate is issued by an internal Enterprise CA. Information on how to install an Enterprise Certification Authority can be found here.

To get started, first we need to request a certificate for the WSUS web site, so open IIS, click the server name, then open Server Certificates.

On the Actions pane click Create Domain Certificate.

In the Common Name box we need to type the name we want to appear in the certificate. I recommend using either the name of the WSUS server or the FQDN of the server. If you have external clients that use this WSUS server you need to type the FQDN (the internet public address) in this box. This is where things get a little complicated, because you then either need to create a split-brain DNS or a SAN certificate that includes both the FQDN and the WSUS server name. For more info you can read this post. Complete the rest of the boxes and click Next.

Select your internal CA by clicking the Select button, give the certificate a friendly name and click Finish.

Now that we have our certificate in place we need to add it to the web site. Expand Sites and click the Default Web Site. On the Actions pane click Bindings. Click Add, select https in the Type drop-down box, and select your WSUS certificate in the SSL Certificate drop-down box.

The next step is to enforce SSL encryption on the following virtual roots:

• SimpleAuthWebService
• DSSAuthWebService
• ServerSyncWebService
• ApiRemoting30
• ClientWebService

Select SimpleAuthWebService and open the SSL Settings.

Check the box Require SSL, and make sure Ignore is selected under Client certificates. Click Apply on the Actions pane to save the changes.



Repeat this operation for the rest of the virtual roots mentioned before. By now the connection to the service should be lost, and a connection error message appears in the WSUS console. This is because the console is still trying to connect using the default port 80.

To fix this, open a command prompt and issue the following command from <WSUS Installation Folder>\Tools:

WSUSUtil.exe configuressl <FQDN of the software update point site system> (the name in your certificate)

In my case this is:

WSUSUtil.exe configuressl Server-WSUS

I managed to get access to the console only after a system restart, but after the restart I was connected using SSL.
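The IIS part of the procedure above (https binding, Require SSL on the five virtual roots, wsusutil configuressl) can also be done from an elevated PowerShell prompt on the WSUS server. The script below is an added example, not code from the original post; it assumes the default WSUS install folder (%ProgramFiles%\Update Services), the WebAdministration module that ships with IIS 7.x, a certificate already requested into the computer's Personal store as described above, and the WSUS site being the Default Web Site on port 80 as in this guide (change the parameters for a custom site on 8530/8531). The optional firewall rule addresses the point raised in the comments that the inbound rule for the SSL port is disabled by default.

```powershell
<#
  Added example (not the author's script): configure WSUS for SSL on the server.
  Assumptions: default WSUS install path, WebAdministration module available,
  certificate with CN=<WsusName> and a private key in Cert:\LocalMachine\My.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$WsusName,                 # name in the certificate (server name or FQDN)
    [string]$SiteName  = 'Default Web Site',
    [int]   $HttpsPort = 443,
    [switch]$OpenFirewallPort
)

Import-Module WebAdministration -ErrorAction Stop

# 1. Locate the certificate by subject. Refuse to continue on zero or several matches
#    so the wrong certificate never gets bound by accident.
$pattern = "CN=$([regex]::Escape($WsusName))(,|$)"
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -match $pattern -and $_.HasPrivateKey })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate with CN=$WsusName in LocalMachine\My, found $($certs.Count)."
}
$cert = $certs[0]

# 2. Add the https binding (Bindings -> Add in the GUI) and attach the certificate.
#    Note: 0.0.0.0!<port> is the machine-wide SSL binding for that port; an existing
#    binding on the same port is replaced.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
}
$sslBindingPath = "IIS:\SslBindings\0.0.0.0!$HttpsPort"
if (Test-Path $sslBindingPath) { Remove-Item $sslBindingPath }
New-Item $sslBindingPath -Value $cert | Out-Null

# 3. Require SSL on the five virtual roots named in the post. sslFlags='Ssl' means
#    "Require SSL" with client certificates set to Ignore (no SslNegotiateCert).
$virtualRoots = 'SimpleAuthWebService', 'DSSAuthWebService', 'ServerSyncWebService',
                'ApiRemoting30', 'ClientWebService'
foreach ($root in $virtualRoots) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$root" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# 4. Tell WSUS itself to use SSL (the command the post runs by hand).
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WsusUtil.exe'
if (-not (Test-Path $wsusUtil)) { throw "WsusUtil.exe not found at $wsusUtil (non-default install folder?)" }
& $wsusUtil configuressl $WsusName

# 5. Optional: open the SSL port in Windows Firewall (disabled by default, see comments).
if ($OpenFirewallPort) {
    netsh advfirewall firewall add rule name="WSUS HTTPS-In" dir=in action=allow protocol=TCP localport=$HttpsPort
}

# 6. Read the setting back so the result can be checked before clients are repointed.
foreach ($root in $virtualRoots) {
    $flags = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$root" `
        -Filter 'system.webServer/security/access' -Name sslFlags
    if ($flags.Value) { $flags = $flags.Value }   # unwrap ConfigurationAttribute if returned
    '{0,-22} sslFlags={1}' -f $root, $flags
}
```

Usage: `.\Set-WsusSsl.ps1 -WsusName Server-WSUS -OpenFirewallPort` (file name is an assumption). The read-back at the end should show `sslFlags=Ssl` for all five roots; the console still needs to be reopened, or the server restarted as the author experienced, before it reconnects over SSL.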

The next step is to point your clients to the correct URL by modifying the existing GPO or creating a new one. Open the policy Specify intranet Microsoft update service location and type the new URL in the form https://YourWSUSserver.

To see if all this is working correctly, go to one of your clients and force the new policy to apply using gpupdate /force.

The gpupdate /force command will just download all the GPOs and re-apply them to the client; it won’t force the client to check for updates. For that you need to use wuauclt /detectnow.

First let’s see the client update log

Wireshark is showing me that an encrypted connection is made between the client (192.168.50.11) and the WSUS server (192.168.50.10),

and updates are downloaded by the client.
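Besides the update log and a packet capture, the client side can be checked directly: did the policy arrive as an https URL, is the port reachable, and does the certificate the server presents chain to a root this client trusts and carry the name used in the URL (the two conditions that make SSL here actually protect against a substituted WSUS server). The script below is an added example, not part of the original post; it reads the standard WindowsUpdate policy registry values the GPO above writes and performs a TLS handshake with the .NET SslStream class. It is written for PowerShell 2.0 so it also runs on 2008 R2 / Windows 7 era clients.

```powershell
<#
  Added example (not from the original post): verify the WSUS client configuration.
  Assumption: the GPO writes WUServer/WUStatusServer to the standard policy key below.
#>
function Get-WsusPolicyUrl {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    New-Object PSObject -Property @{
        WUServer       = $props.WUServer
        WUStatusServer = $props.WUStatusServer
    }
}

function Test-WsusTls {
    param([Parameter(Mandatory = $true)][string]$Url)

    $uri = [uri]$Url
    if ($uri.Scheme -ne 'https') {
        return New-Object PSObject -Property @{ Url = $Url; Ok = $false
            Reason = 'URL is not https; update metadata would travel in clear text' }
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($uri.Host, $uri.Port)
    } catch {
        return New-Object PSObject -Property @{ Url = $Url; Ok = $false
            Reason = "TCP $($uri.Host):$($uri.Port) unreachable (firewall rule on the server?)" }
    }

    # Record the chain/name validation result instead of letting it throw, so the
    # report can say *why* the certificate would be rejected. RemoteCertificateNameMismatch
    # covers the "name in the URL must be in the certificate" requirement from the post.
    $script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $policyErrors)
        $script:sslErrors = $policyErrors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Url        = $Url
            Ok         = ($script:sslErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            Reason     = $script:sslErrors.ToString()
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# Run after gpupdate /force: show what the policy delivered, then test the server it names.
$policy = Get-WsusPolicyUrl
$policy | Format-List
Test-WsusTls -Url $policy.WUServer | Format-List
```

`Ok = True` with `Reason = None` means the client trusts the issuer (the internal Enterprise CA root must be in its Trusted Root store, which is automatic for domain members) and the certificate name matches the URL. `RemoteCertificateChainErrors` points at a missing or untrusted root on the client, `RemoteCertificateNameMismatch` at a URL that does not match the name put in the Common Name box; the Thumbprint can be compared against the one shown in IIS Server Certificates on the WSUS server.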



10 comments


  1. Tommy

    Is it possible to use SSL on WSUS Server but keeping the clients point to a url on port 80?

    1. Adrian Costea

      Hmm, I don’t know about this because I never tried it, but if you are willing to test this, please put a comment in here with your findings.

  2. shing

    Great guide. I have done this using port 443 and clients are contacting and updating fine, I can access WSUS admin console from the server itself with no issues. My only issue is I get these periodic errors in the event logs. 13042, 12002, 12012, 12032, 12022, 12042, 12052. All saying that DSS Authentication Web service or whatever other random service is not working.
    Any idea how to get rid of these infernal errors? Again, everything seems to be working.

    1. Adrian Costea

      Post the error here if it is not too long so I can take a look at it.

  3. Adi

    More than 2 years after this article was published, security researchers have discovered that Windows updates can be intercepted to inject malware if SSL certificates are not used.

    http://thehackernews.com/2015/08/windows-update-malware.html

    Direct link to the PDF article : WSUSpect: Compromising the Windows Enterprise via Windows Update -> here : http://bit.ly/1L3Bxnd

    Adrian, keep up the good work!

    Regards,
    Adrian

    1. Adrian Costea

      Hi,
      Thanks for the tip, much appreciated.

  4. Taylor Knoblock

    Adrian,

    I need some help getting my WSUS off the ground. I’ve used your guide to try and configure WSUS using SSL and one issue I’m somewhat confused about is how to setup the certificate. At our organization, we want to be able to connect to our WSUS server from home w/o having to fire up our VPN. We have the split brain DNS entries setup and I can connect to the update console using the local machine name.

    1. Adrian Costea

      Hi,
      First of all you will need a public commercial certificate; or if you want a FREE thing, import the root certificate from your internal CA to your home clients. The second thing is to open the ports 443 and 80/8530; it depends which one you configured during the WSUS wizard. The third thing is to configure the home clients; follow this article. Have fun.

  5. Wojciech Sciesinski

    Hi!

    Please add information that the port for SSL connections to WSUS, 443 or 8531, must be opened on the WSUS server also. By default the rule in Windows Firewall that opens this port is disabled.

    1. Adrian Costea

      Hi,
      Indeed, I did not say that because I thought it was obvious. Thanks anyway.
