Does WSUS use HTTP or HTTPS?
WSUS in the Real World (Under construction)

I have been managing WSUS for about ten years. It hasn't always been a happy relationship. But I've finally found a setup I'm happy with, and I'd love to share it with you. This article is meant to be a mind-dump on tons of subjects within WSUS. I'm writing it to teach my successor everything I've learned.

This article will detail how to configure an internal WSUS server hosting approved updates, and an external WSUS replica server that syncs approvals with the internal server but tells clients to download update files from Microsoft. The external server then rolls up all client status to the internal server. This is great for a roaming laptop workforce without constant VPN access. This configuration is used at a company with over 60 offices in multiple AD domains, with all machines pointed to the same WSUS infrastructure. WSUS does not use Active Directory or Kerberos and functions solely over HTTP and HTTPS. Normally this would not work totally reliably because of a known issue with WSUS not replicating WSUS ID cookies between master and replica servers. However, with a scheduled task on your clients you can just kick them to refresh the cookie if needed. This will be detailed in the client configuration section.

Annoying voice: You should follow my advice and rebuild WSUS

WSUS is notorious for degrading over time and increasing in storage costs without extreme administrative intervention. Additionally, it is disposable infrastructure, as it contains no business or historical data. For this guide you should prepare to completely wipe out your entire WSUS configuration and data, and I'll help you. I've done this several times in my career and it should not be a big deal. However, this guide can be retrofitted to an existing installation if you see absolutely no need to rebuild.

Strip down WSUS server for reinstallation

This assumes you have a dedicated machine for WSUS that may already have components installed. If the machine has other things installed, some instructions will irrevocably delete applications and websites. Some of these steps seem redundant or pointless, but they each prevent or address a problem I've encountered.

1. Cleanup with features and roles uninstall
2. Server hygiene and orphan configuration cleanup

These steps are to ensure a long, stable life for your server and remove any past orphaned configurations. Uninstalling some roles doesn't uninstall their configuration settings. You have to purge some role configurations manually if they're corrupted, and this fact trips up many administrators trying to fix issues.
Building a blank-slate WSUS server

This will prepare either a master or replica server, whose individual configuration diverges later. The default WSUS install settings are unfortunately not the best way to do it; please follow these instructions very carefully because there are some tricks.

1. Storage folder
2. Roles install
Master internal server - specialization

You need a 2012 R2, preferably 2016, Windows server. You can try 2008 R2/2012 and it will sort of work with hacks you can find on Google. I use 2012 R2, but if you have the choice use Server 2016, because I do not trust Microsoft to backport all future WSUS fixes. For WSUS I use a 60GB OS disk and a 150GB storage disk. Your requirements will vary drastically depending on the breadth of software in your organization. It's best to over-provision storage as much as possible to give yourself slack space, as WSUS naturally expands and contracts by tens of gigabytes during normal use. Regarding RAM, I don't know the realistic minimum, but I'd say 4GB RAM or more. Remember, Windows caches commonly-used files in RAM, so the more RAM you have the better you can serve clients at wire speed. On CPU, I do know how it feels running WSUS on a two-core VM and a 1.8GHz E5-2403 server, and it's painful. But it still works.

1. Windows Server Update Services Configuration Wizard - Master
2. Update Services console configuration - Master
3. Configure IIS - Master

Now we need our Master server to respond to WSUS.EXAMPLE.COM.
Preparation to roam your clients with DNS, DMZ, TLS, and IIS

If you want to enable roaming clients to securely use WSUS, it may appear you only have two options. You could:
You can't win! Or can you? In fact, there is another option. You can combine the particularities of split-brain DNS and WSUS replica servers to provide what your clients need, in the most appropriate way, from anywhere in the world, all rolling up to a single central console. This is possible because clients who request the IP address of WSUS.EXAMPLE.COM inside your network can be given your internal WSUS server, and external clients who request the IP address of WSUS.EXAMPLE.COM will be given your publicly-accessible server in the DMZ. Both servers will have a TLS certificate for WSUS.EXAMPLE.COM; there's no reason a TLS certificate can only be on one server. The replica server will clone all the patch approvals on your master server, then report back to your master server everything it does with external clients. How to configure the servers themselves is covered later in the guide.

1. Internal DNS configuration
2. External DNS configuration
3. DMZ network configuration

For the external server in the DMZ, on the network layer allow inbound ports 80 and 443 from external. Allow the server unlimited outbound access to the Internet, or restrict it to just the addresses in this article.

4. TLS certificate

Communications with your WSUS server over untrusted networks should be protected with HTTPS, so you'll need a TLS (formerly SSL) certificate for WSUS.EXAMPLE.COM. You'll need to acquire that and install it yourself for the internal server, but we can get an automated certificate for the external server.

Replica external server - specialization

There are several fundamental differences in configuring a replica server; please follow the instructions very carefully.

1. Windows Server Update Services Configuration Wizard - Replica
2. Update Services console configuration - Replica
3. Configure IIS for HTTP - Replica

First we need the Replica to respond to WSUS.EXAMPLE.COM on HTTP.
4. Get self-renewing TLS certificate with Let's Encrypt

Configuring IIS

Client configuration

todo

Client configuration - Scheduled tasks

todo

Does Windows Update use HTTPS?

Microsoft Update Catalog gets secure with HTTPS connection
The switch to HTTPS will now apply when you are manually downloading the files for Windows updates, new Windows builds, new drivers, and hotfixes for PC from the Microsoft Update Catalogue.
Does WSUS need SSL?

WSUS uses TLS/SSL to authenticate client computers and downstream WSUS servers to the upstream WSUS server. WSUS also uses TLS/SSL to encrypt update metadata. WSUS doesn't use TLS/SSL for an update's content files. The content files are signed and the hash of the file is included in the update's metadata.
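The split-brain DNS design above and this Q&A both hinge on the client reaching whichever WSUS.EXAMPLE.COM server DNS hands it over a valid TLS session. As an added check (not code from the article), run this from a client to see which address was resolved, whether it is the internal master or the DMZ replica, and whether the endpoint presents a certificate that validates for the name. The hostname and the internal address list are placeholders; the port defaults to 443 per the DMZ firewall rule, with WSUS's usual 8531 available as a parameter.

```powershell
# Added example, not part of the article. Reports which WSUS address
# split-brain DNS returned and whether that endpoint's certificate validates
# for the name. Hostname and InternalAddresses are assumed placeholders.
function Test-WsusEndpoint {
    param(
        [string]$HostName = 'WSUS.EXAMPLE.COM',
        [int]$Port = 443,                                # or 8531
        [string[]]$InternalAddresses = @('10.0.0.10')    # assumed master IP
    )
    $resolved = [System.Net.Dns]::GetHostAddresses($HostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    $role = if ($resolved | Where-Object { $_ -in $InternalAddresses }) {
        'internal master' } else { 'DMZ replica' }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Default validation callback: chain and hostname must both check
        # out, otherwise AuthenticateAsClient throws and we report why.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            ResolvedTo = ($resolved -join ', ')
            Role       = $role
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Protocol   = $ssl.SslProtocol
            Valid      = $true
        }
    } catch {
        [pscustomobject]@{
            ResolvedTo = ($resolved -join ', ')
            Role       = $role
            Valid      = $false
            Error      = $_.Exception.GetBaseException().Message
        }
    } finally {
        $tcp.Close()
    }
}

Test-WsusEndpoint | Format-List
```

Run it once on the LAN and once from outside (or over a mobile hotspot); Role should flip while Subject and Valid stay the same, which confirms both servers carry a working certificate for the shared name.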
How do I enable HTTPS on WSUS?

Enabling SSL on WSUS:

1. Click 'Create Self-Signed Certificate' on the right side. ...
2. Fill in the field "Specify a friendly name for the certificate". ...
3. Open Sites in the connection tree > Click 'WSUS Administration'.
4. Under the Actions column to your right, click on ..
5. Select the 'https 8531' row and click edit.

What services does WSUS use?

WSUS uses seven services. They are the Update Service (wsusservice.exe), the Reporting Web Service, the API Remoting Web Service, the Client Web Service, the Simple Web Authentication Web Service, the Server Synchronization Service, and the DSS Authentication Web Service.
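The article's introduction relies on a scheduled task on each client to refresh its WSUS ID cookie when it roams between the master and the replica, but the client configuration section is still marked todo. The following is an added example of that idea and not the author's script: it assumes the "cookie" in question is the client's SusClientId identity, that WUServer is set by policy to https://WSUS.EXAMPLE.COM (placeholder hostname), and that it is run elevated on a 2012 R2 or older client, where the wuauclt switches are honoured.

```powershell
# Added example, not the author's script. Registers a weekly SYSTEM task that
# drops the client's WSUS identity and re-registers it. Hostname, task name
# and folder are assumptions for illustration.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$WuState  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$TaskDir  = Join-Path $env:ProgramFiles 'WsusClientTask'   # admin-writable only

# Refuse to enable roaming against a plain-HTTP WSUS URL: the design above
# relies on TLS for metadata integrity and client/server authentication.
$wuServer = (Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue).WUServer
if ($wuServer -notlike 'https://*') {
    throw "WUServer is '$wuServer'; set an https:// URL before registering the task."
}

# Task body: stop the update agent, drop the stale identity values, restart
# it, then force re-registration with the server and a detection cycle.
$body = @"
Stop-Service wuauserv -Force
Remove-ItemProperty -Path '$WuState' -Name SusClientId, SusClientIdValidation -ErrorAction SilentlyContinue
Start-Service wuauserv
wuauclt.exe /resetauthorization /detectnow
"@
New-Item -ItemType Directory -Path $TaskDir -Force | Out-Null
$scriptPath = Join-Path $TaskDir 'Reset-WsusClientId.ps1'
Set-Content -Path $scriptPath -Value $body -Encoding ASCII

# The script lives under Program Files so a standard user cannot replace
# content that the task will run as SYSTEM.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 9am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName 'WSUS-RefreshClientId' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null
```

After the first run, the client should show up once under the server it is currently talking to rather than as a stale or duplicate entry in the master console.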