Information, tips and techniques.

WSUS, Default Web Site and custom ports in IIS

Recently, I moved my WSUS server onto an existing server that already has McAfee ePolicy Orchestrator 4 installed. I also took the time to put the 2 applications on SQL Server 2005. I will post the entire process of this move later.

Because EPO uses Apache on port 80, I tested WSUS on a new TCP port in IIS (8530, and 8531 for SSL). I discovered that WSUS does not seem very comfortable with at least 2 things:

  • If WSUS installs itself in IIS using a custom port, it puts itself in the ‘WSUS Administration’ web site on port 8530.
  • When running the WSUS client diagnostic on some clients, every client complains with some errors (VerifyWUServerURL() failed with hr=0x80072efd). I finally discovered that this is mainly due to the fact that the ‘SelfUpdate’ service in IIS is not in the Default Web Site.
  • I also discovered that even if everything seems to work nicely, I still have some errors in the event viewer like ‘The DSS Authentication Web Service is not working’.

Here are the steps that I have taken to solve my issues:

  • Move EPO Apache to a port other than 86
    • See https://knowledge.mcafee.com/article/579/614037_f.SAL_Public.html for more information about this. Just remember that you will also have to reinstall your client on each computer that connects to your EPO server.
    • At the end of the procedure, remember to delete the file following the procedure found here:
      • Recompile the ePO agent: 
        In Windows Explorer, navigate to: …\Program Files\Network Associates\ePO\3.x.x\DB\Software\Current\EPOAGENT3000\Install409
      • Move the FramePkg.exe and Framework.z files out of this folder to the root of the c: drive.
        NOTE: Once the ePO services are restarted in the next step, the FramePkg.exe and Framework.z files will be recompiled back into this folder.
      • Click Start, Run, type: services.msc, then right-click on the following services and click Start:
        McAfee ePolicy Orchestrator 3.x.x Server
        McAfee ePolicy Orchestrator 3.x.x Event Parser
        NOTE: This will create a new FramePkg.exe and Framework.z file.
    • Generate a new Framework package using the EPO console
    • On each client, update the Framework EPO agent using: FramePkg.exe /Install=agent /ForceInstall /silent
      On some computers, you will have to uninstall the agent before updating it, using “C:\Program Files\Network Associates\Common Framework\FrmInst.exe” /forceuninstall
  • OK, now port 80 is free for IIS.
    • Make sure the value for PortNumber under the “HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup” key is set to the correct port (the one your WSUS site is on).
    • Make sure that the IIS web site where WSUS is installed is called ‘Default Web Site’
    • Go to your wsus installation (C:\Program Files\Update Services\Tools) and use:
      wsusutil configure ssl : if you use ssl
      wsusutil usecustomwebsite false : this will move your WSUS to the ‘Default Web Site’ site in IIS and use port 80; if you use the ‘true’ option instead, this will move WSUS to the ‘WSUS Administration’ IIS web site on port 8530.
  • Reconfigure your SSL in IIS
    – On the root ‘Default Web Site’ site in IIS, go to the ‘Directory Security’ tab and tell IIS to reuse a certificate that you have already created.
    – Reconfigure SSL for some folders in IIS, according to my previous post.
  • Of course, you will have to configure your GPO or registry to reflect the changes.

And finally no more errors!
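
The following PowerShell check is an added example, not part of the original post: it reads the Windows Update policy URLs, compares them with the PortNumber value mentioned above when run on the WSUS server, and probes the SelfUpdate tree on both the configured port and port 80. The policy key, the probe path /selfupdate/wuident.cab and PowerShell 3.0 or later are assumptions of this example.

```powershell
# Added example (not from the original post). Run on a WSUS client, or on the
# WSUS server itself. Assumes PowerShell 3.0 or later.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$setupKey  = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'

function Test-WsusUrl {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $Url; Ok = $true; Detail = "HTTP $($r.StatusCode)" }
    } catch {
        # A closed or unreachable port ends up here. 0x80072efd, the code seen
        # in the client diagnostic, is the WinINet "cannot connect" error.
        [pscustomobject]@{ Url = $Url; Ok = $false; Detail = $_.Exception.Message }
    }
}

$policy = Get-ItemProperty -Path $policyKey -ErrorAction Stop
if (-not $policy.WUServer) { throw 'No WUServer policy value found' }
if ($policy.WUServer -ne $policy.WUStatusServer) {
    Write-Warning "WUServer ($($policy.WUServer)) and WUStatusServer ($($policy.WUStatusServer)) differ"
}
$server = [uri]$policy.WUServer

# On the WSUS server only: compare the policy URL with the PortNumber value.
# PortNumber is the plain HTTP port, so the comparison is skipped for https URLs.
if ((Test-Path $setupKey) -and $server.Scheme -eq 'http') {
    $port = (Get-ItemProperty -Path $setupKey).PortNumber
    if ($port -ne $server.Port) {
        Write-Warning "PortNumber is $port but the policy URL uses port $($server.Port)"
    }
}

# Assumed probe path: /selfupdate/wuident.cab in the SelfUpdate virtual directory.
$urls = @(
    "$($server.Scheme)://$($server.Authority)/selfupdate/wuident.cab"  # configured port
    "http://$($server.Host)/selfupdate/wuident.cab"                    # port 80, Default Web Site
) | Select-Object -Unique

$urls | ForEach-Object { Test-WsusUrl -Url $_ } | Format-Table -AutoSize
```

A failed row for the port 80 URL while the configured-port URL succeeds matches the situation described above, where SelfUpdate is not in the Default Web Site.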

