Information, tips and techniques.

WSUS, Default Web Site and custom ports in IIS

Recently, I moved my WSUS server onto an existing server that already had McAfee ePolicy Orchestrator 4 installed. I also took the time to put both applications on SQL Server 2005. I will post the entire process of this move later.

Because ePO uses Apache on port 80, I tested WSUS on a new TCP port in IIS (8530, and 8531 for SSL). I discovered that WSUS does not seem very comfortable with at least two things:

  • If WSUS installs itself in IIS using a custom port, it puts itself in the ‘WSUS Administration’ web site on port 8530
  • When running the WSUS client diagnostic on some clients, every client complains with errors (VerifyWUServerURL() failed with hr=0x80072efd). I finally discovered that this is mainly due to the fact that the ‘SelfUpdate’ service in IIS is not in the Default Web Site.
  • I also discovered that even when everything seems to work fine, I still had some errors in the event viewer like ‘The DSS Authentication Web Service is not working’

Here are the steps that I have taken to solve my issues:

  • Move the ePO Apache server to a port other than 80
    • See https://knowledge.mcafee.com/article/579/614037_f.SAL_Public.html for more information about this. Just remember that you will also have to reinstall the agent on each computer that connects to your ePO server.
    • At the end of that procedure, remember to delete the file following the procedure found here:
      • Recompile the ePO agent:
        In Windows Explorer, navigate to: …\Program Files\Network Associates\ePO\3.x.x\DB\Software\Current\EPOAGENT3000\Install409
      • Move the FramePkg.exe and Framework.z files out of this folder to the root of the C: drive.
        NOTE: Once the ePO services are restarted in the next step, the FramePkg.exe and Framework.z files will be recompiled back into this folder.
      • Click Start, Run, type services.msc, then right-click each of the following services and click Start:
        NOTE: This will create new FramePkg.exe and Framework.z files.
        McAfee ePolicy Orchestrator 3.x.x Server
        McAfee ePolicy Orchestrator 3.x.x Event Parser
    • Generate a new Framework package using the ePO console
    • On each client, update the ePO Framework agent using: FramePkg.exe /Install=agent /ForceInstall /silent
      Note:
      On some computers, you will have to uninstall the agent before updating it, using "C:\Program Files\Network Associates\Common Framework\FrmInst.exe" /forceuninstall
  • OK, now port 80 is free for IIS.
    • Make sure the PortNumber value under the “HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup” key is set to the correct port (the one your WSUS site is on).
    • Make sure that the IIS web site where WSUS is installed is called ‘Default Web Site’
    • Go to your WSUS installation (C:\Program Files\Update Services\Tools) and use:
      wsusutil configuressl : if you use SSL
      wsusutil usecustomwebsite false : this moves WSUS to the ‘Default Web Site’ site in IIS on port 80; with the ‘true’ option instead, it moves WSUS to the ‘WSUS Administration’ IIS web site on port 8530.
  • Reconfigure your SSL in IIS
    – On the root ‘Default Web Site’ site in IIS, go to the ‘Directory Security’ tab and tell IIS to reuse a certificate that you have already created.
    – Reconfigure SSL for some folders in IIS, according to my previous post.
  • Of course, you will have to configure your GPO or registry to reflect the changes.

And finally no more errors!


WSUS Installation with SSL

I would like to share with you some things that could help you with a new installation of WSUS (Windows Server Update Services 3).

In fact the setup itself is quite straightforward; the only things you have to care about are:

  • If possible, put the WSUS server in an Active Directory domain, because that way it will be simpler to administer the computers, the groups and the certificate if you use SSL
  • Put the WSUS database and the downloaded files on a big disk and, if possible, on a different drive than the one where the OS and SQL Server are installed
  • If you have SQL Server 2005 you can use it instead of the embedded version shipped with this tool, but in any case do not use the SQL Server 2005 Express edition, simply because that version has some limitations that the embedded version (Windows Internal Database, as Windows reports it) does not have: the amount of memory you can give to the server, the number of CPUs that SQL Server can use and the database size. (ref: http://blogs.codes-sources.com/christian/archive/2007/04/19/sql-server-2005-sql-server-embedded-edition-windows-internal-database.aspx)
  • Well, maybe this embedded version is cool, but what if you want to manage it a little more? You have the option to install and use SQL Server Management Studio Express and, as the server name of the connection, use:
    \\.\pipe\mssql$microsoft##ssee\sql\query
  • Now for the backup. In my case I use a simple script that:
    • Creates the backup of the WSUS database using NTBACKUP from the command line
    • Then uses 7-Zip to compress the resulting file (NTBackup does not …)
      Here is the listing:
      REM Date1 now holds the date in yyyymmdd format
      for /f "tokens=1-3 delims=/ " %%a in ('date /t') do set Date1=%%c%%a%%b
      REM delete the old .bkf files; the "echo y|" part auto-confirms the prompt
      echo y|del D:\*.bkf
      REM full backup of the WSUS database files, with verification and a full log
      ntbackup backup D:\Databases\WSUS\UpdateServicesDbFiles\ /J "WSUS Databases backup" /FU /V:yes /HC:on /L:f /F "D:\WSUS_DB_BCK_%Date1%.bkf"
      REM compress the .bkf with 7-Zip, then delete the uncompressed copy
      cd "C:\Program Files\7-Zip"
      7z.exe a -tzip d:\WSUS_DB_BCK_%Date1%.bkf.zip "d:\WSUS_DB_BCK_%Date1%.bkf"
      echo y|del D:\WSUS_DB_BCK_%Date1%.bkf

That's the basics. I will not go into configuring the entire system because you are big boys, and some configuration may differ depending on how your setup is done.

Anyway, on to the SSL part now.

Just remember that when WSUS is configured to use SSL, SSL will in fact not be used to encrypt the transfer of the patches or updates. That part is done by the BITS system (I really don't know if the file transfer is encrypted or not). SSL will be used to secure communications for:

  • The remote console with the server itself (which is accessible through IIS)
  • Communication between clients (computers and servers) and the WSUS server when they ask about new updates or send status reports
  • Communication between an upstream server and a downstream server

That’s all.

Now let's see what the process is to use SSL.

  • Install Certificate Service for Windows (this is good when you don't want to pay for a certificate and when you only want to update internal systems)
  • Generate the certificate for the web server
  • Configure IIS to use SSL
  • Configure the console to connect using SSL
  • Deploy the certificate on the client machines and on any other remote WSUS administration console

You want details now? Here they are:

Install ‘Certificate Service’

  • Control Panel / Add or Remove Programs / Add/Remove Windows Components and select ‘Certificate Service’
  • Confirm (Yes), Next
  • Choose what ‘kind’ of CA you want to install (in my case, a Stand-alone Root CA)
  • Choose a common name (the name of the server): WSUSSRV
  • Distinguished name suffix: dc=yourdomain,dc=com
  • Validity period: 5 years
  • Next. A message may pop up if you have already installed and then uninstalled Certificate Service: ‘The private key “WSUSSRV” already exists. Do you want to overwrite this key with a new one?’ Confirm with ‘Yes’.
    Certificate Service setup will generate a new key
  • Options: Certificate database C:\WINDOWS\system32\CertLog
  • Certificate database log C:\WINDOWS\system32\CertLog
  • Shared folder C:\CAConfig
  • Next. A message will pop up saying that IIS will be restarted; confirm ‘Yes’
    Certificate Service setup will then install and copy some files (the Windows CD may be required)
  • Finish

Certificate request for the WSUS web site

  • In IIS, right-click on the WSUS web site and then Properties / Directory Security / Secured Communications
  • Click on ‘Server Certificate’, Next
  • Create a new certificate
  • Choose ‘Prepare the request now, but send it later’, Next
  • Name: WSUSSRV WSUS SSL
  • Bit length: 1024
  • Do not check the option ‘Select cryptographic service provider (CSP) for this certificate’, Next
  • Organization: your organization
  • Organizational unit: again, you know your company better than me
  • Next
  • Common name: WSUSSRV
  • Next
  • Country/Region: CA (Canada) (at least for me; you know where you live)
  • State/Province: Québec
  • City/Locality: Montréal
  • Next
  • Give the path and the file name for the certificate request file:
    c:\certreq.txt
  • Next, Next, Finish

Installation and approval of the certificate request

  • Programs / Administrative Tools / Certification Authority
  • Right-click on the name of the server, then All Tasks / Submit new request
  • Give the path of the certificate request you created earlier:
    c:\certreq.txt
  • Click on the folder ‘Pending Requests’
  • Select the certificate in the right pane (ex: Request ID 2)
  • Right-click / All Tasks / Issue
  • Go to the folder ‘Issued Certificates’
  • Select in the right pane the certificate that we have just issued
  • Double-click on the certificate (ex: Request ID 2)
  • In the Details tab click on ‘Copy to File’, Next
  • Select the format (Base-64 encoded X.509 (DER)), Next
  • Give the path and the name of the file:
    C:\cert_wsus
  • Save, Next, Finish
  • A message should be displayed: ‘The export was successful’
  • In IIS, right-click on the WSUS web site, then Properties / Directory Security / Secured Communications
  • Click on ‘Server Certificate’, Next
  • Select ‘Process the pending request and install the certificate’, Next
  • Select the certificate file:
    C:\cert_wsus.cer
  • Next
  • Select the SSL port (default: 443)
  • Next, Next, Finish, OK
  • Now, for the folders:
    • ApiRemoting30
    • ClientWebService
    • DssAuthWebService
    • ServerSyncWebService
    • SimpleAuthWebService
  • Right-click on each folder, Properties / Directory Security / Secured Communications and then ‘Edit’
  • Check the option ‘Require secure channel (SSL)’
  • OK, Apply, OK
  • Open a DOS prompt and type iisreset to restart the web service
  • Run the DOS commands:
    cd c:\program files\update services\tools
    wsusutil configuressl WSUSSRV
    (Note: be careful with uppercase and lowercase. In my case, I first used lowercase for the server name, which made the server appear twice in the WSUS console.)
  • Open the WSUS console
  • Check that you can connect and see the server. Or, delete the server and add it again, checking the option to use SSL this time

Configuration

  • Now, in the domain controller, or in the registry for the servers that are not in Active Directory and are managed by script, change the URL of the WSUS server to http://WSUSSERVER. Note that on your domain controller, this setting is managed by a GPO.
  • On the client computer, open a DOS prompt and type
    gpupdate
    to refresh the policy settings
  • Download and install the WSUS client diagnostic tool ‘clientdiag.exe’ and then execute it to check if all is correct (ref: http://technet.microsoft.com/en-us/wsus/bb466192.aspx)

Checking the certificate installation

  • Start / Run / mmc and select the snap-in ‘Certificates’ for Local Machine
  • Check that in the ‘Personal’ folder the 2 certificates (root and WSUS) are present
  • Check that the root certificate is also listed in ‘Trusted Root Certification Authorities’ (you can copy and paste it there if it is not)
  • Open the root certificate by double-clicking on it
  • In the Details tab, click on ‘Copy to File’, Next
  • Select the format (Base-64 encoded X.509 (DER)), Next
  • Select the name and path:
    C:\cert_root_wsussrv.cer
  • Save
  • Next, Finish. The message ‘The export was successful’ should appear
  • Close the console

Certificate installation on the client side

You can use a setting in AD Users and Computers to automatically push a certificate to your client computers, if you have configured your Certificate Service as an Enterprise Root CA (so it is integrated into Active Directory). I will not cover this part now; I will assume that the certificate installation on the client computers will be done by hand. Of course, if you have hundreds of PCs, doing it with AD Users and Computers is more than recommended.

Do the following operations on every computer that will contact the WSUS server and on every server or computer where the WSUS console is installed. I will assume that you have copied the certificates to the C: drive of each computer, but you can also put those files on a share on your network.

  • Start / Run / mmc, select the snap-in ‘Certificates’ for the local machine
  • In the Personal / Certificates folder, right-click / All Tasks / Import
  • Next
  • Select the file
    C:\cert_root_wsussrv.cer
  • Next
  • Select ‘Place all certificates in the following store’ [Personal]
  • Next, Next, Finish, OK
  • Do exactly the same process for the web certificate cert_wsus_wsussrv.cer
  • In the Trusted Root Certification Authorities / Certificates folder, right-click and All Tasks / Import
  • Next
  • Select the file
    C:\cert_root_wsussrv.cer
  • Select ‘Place all certificates in the following store’ [Trusted Root Certification Authorities]
  • Next, Next, Finish, OK
  • Close the console
  • Open the WSUS console to check if you can connect (in the case where this console is on another computer than the one where the WSUS server is installed, like your desktop for example)

To check if your newly configured client can contact the server, remember to run from a DOS prompt:

wuauclt /detectnow

And then locate and open the file C:\Windows\WindowsUpdate.log to see if all is correct.
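As an added example that is not part of the original post, here is a small Python script that does this last check programmatically: it reads a WindowsUpdate.log excerpt, pulls out the WSUS server URL the client is using, reports whether it is HTTPS, and maps the WinHTTP error codes it finds (including the 0x80072efd from the first post) to a plain-language hint. The log lines embedded in it are constructed for the example, and the hints for 0x80072EE2 and 0x80072F8F are the standard WinHTTP meanings of those codes, not something the post states.

```python
import re

# Constructed WindowsUpdate.log excerpt (tab-separated: date, time, PID, TID, component,
# message). These lines are made up for this example, not captured from a real client.
SAMPLE_LOG = """\
2008-05-13\t10:41:02:318\t 996\t6f8\tAgent\t  * WSUS server: https://WSUSSRV
2008-05-13\t10:41:02:334\t 996\t6f8\tAgent\t  * Target group: (Unassigned Computers)
2008-05-13\t10:41:05:100\t 996\t6f8\tMisc\tWARNING: SendRequest failed for <https://WSUSSRV/ClientWebService/client.asmx>. error 0x80072efd
2008-05-13\t10:41:05:100\t 996\t6f8\tMisc\tWARNING: Send failed with hr = 80072efd.
2008-05-13\t10:41:05:101\t 996\t6f8\tSetup\tWARNING: SelfUpdate check failed, err = 0x80072EFD
2008-05-13\t10:41:09:500\t 996\t6f8\tMisc\tWARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072f8f
"""

# Plain-language hints for the WinHTTP codes seen most often in a WSUS/SSL setup.
# 0x80072EFD is the code from the post; the other two are standard WinHTTP errors.
ERROR_HINTS = {
    "80072EFD": "cannot connect: wrong port/URL, SelfUpdate not on port 80, or a firewall",
    "80072EE2": "timeout: the server is reachable but does not answer on that port",
    "80072F8F": "secure failure: the client does not trust the WSUS certificate, or the name does not match",
}

SERVER_RE = re.compile(r"\*\s+WSUS server:\s+(\S+)")
ERROR_RE = re.compile(r"(?:error|err|hr|with)\s*=?\s*(?:0x)?([0-9a-f]{8})\b", re.IGNORECASE)

def parse_line(line):
    """Split one log line into (component, message); None for blank or malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6:
        return None
    return parts[4].strip(), "\t".join(parts[5:]).strip()

def analyze_log(text):
    """Pull the configured WSUS server URL and every WinHTTP error code out of a log excerpt."""
    result = {"server": None, "uses_ssl": False, "errors": []}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        component, message = parsed
        m = SERVER_RE.search(message)
        if m:
            result["server"] = m.group(1)
            result["uses_ssl"] = m.group(1).lower().startswith("https://")
        m = ERROR_RE.search(message)
        if m:
            code = m.group(1).upper()
            result["errors"].append((code, component, ERROR_HINTS.get(code, "unknown code")))
    # "ok" means the client knows its WSUS server and logged no WinHTTP error at all
    result["ok"] = result["server"] is not None and not result["errors"]
    return result
```

Run it against the real file with `analyze_log(open(r"C:\Windows\WindowsUpdate.log").read())`; a result with `uses_ssl` False after the GPO change, or any 0x80072F8F entry, points at the URL or the certificate deployment rather than at WSUS itself.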
