You have WSUS in your infrastructure, and now you need to implement SSL because you want to be sure that your clients are connecting to the right WSUS server, the meta data is encrypted, or you are just curious to see how it’s done. Configuring WSUS to use SSL is a straight forward process, and all you need is a certificate, and some IIS configurations. For this guide I have a single WSUS server deployment in a single forest/domain environment running on Windows Server 2008 R2 SP1. The certificate is issued by an internal Enterprise CA. Information on how to install an Enterprise Certification Authority can be found here.
To get started, first we need to request a certificate for the WSUS web site, so open IIS, click the server name, then open Server Certificates.
On the Actions pane click Create Domain Certificate.
On the Common Name box we need to type the name we want appear in the certificate. I recommend to use either the name of the WSUS server, or the FQDN of the server. If you have external clients that use this WSUS server you need to type the FQDN (the internet public address) in this box. But now things are getting a little complicated, because you either need to create a split-brain DNS or create a SAN certificate that includes the FQDN and the WSUS server name. Complete the rest of the boxes and click Next.
Select your internal CA by clicking the Select button, give the certificate a friendly name and click Finish.
Now that we have our certificate in place we need to add this certificate to the web site. Expand Sites and click the Default Web Site. On the Actions pane click Bindings. Now click Add, on the Type drop down box select https, and your WSUS certificate on the SSL Certificate drop down box.
The next step is to enforce SSL encryption on the following virtual roots:
Select SimpleAuthWebService and open the SSL Settings.
Check the box Require SSL, and make sure Ignore is selected under Client certificates. Click Apply on the Actions pane to save the changes.
Repeat this operations for the rest of the virtual roots, mentioned before. By now, the connection to the service should be lost, and a connection error message appears in the WSUS console. This is because the console is trying to connect using the default port 80.
To fix this, open a terminal and issue the following command from <WSUS Installation Folder>\Tools:
WSUSUtil.exe configuressl FQDN of the software update point site system> (the name in your certificate)
in my case is:
WSUSUtil.exe configuressl Server-WSUS
I managed to get access to the console only after a system restart, but after restart I am connected using SSL.
The next step is to point your clients to the correct url, by modifying the existing GPO or creating a new one. Open the policy Specify intranet Microsoft update service location and type the new url in the form https://YourWSUSserver.
To see if all this is working correctly, go to one of your clients and force the new policy to apply using gpupdate /force.
The gpupdate /force command will just download all the GPO’s and re-apply them to the client, it won’t force the client to check for updates. For that you need to use wuauclt /detectnow.
First let’s see the client update log
WireShark is showing me that an encrypted connection is made between the client (192.168.50.11) and the WSUS server (192.168.50.10),
and updates are downloaded by the client.
Want content like this delivered right to your