WSUS SSL Client Configuration

newhouse1390 · 09-09-2006, 11:08 AM

I set the clients to access the https://192.168.10.101 address which is of my WSUS server. I am using the deafult port for SSL (431) so I should not have to include that but my clients still will not check in. I think this is my problem. Can anyone help me.

Quote:

Configuring SSL on client computers
There are two important caveats when configuring client computers:

• You must include a URL for a secure port that the WSUS server is listening on. Because you cannot require SSL on the server, the only way to ensure that client computers use a secure channel is to make sure they use a URL that specifies HTTPS. If you are using any port other than 443 for SSL, you must include that port in the URL, too.

For example, you might use https://ssl-servername:3051 to point clients to a WSUS server that is using a custom SSL port of 3051.

Likewise, you might use https://ssl-servername for a WSUS server that is using port 443 for HTTPS.

For more information about how to point client computers to the WSUS server, see "Specify intranet Microsoft Update service location" in Configure Automatic Updates by Using Group Policy later in this guide.

• The certificate on client computers has to be imported into either the Local Computer's Trusted Root CA store or Automatic Update Service's Trusted Root CA store. If the certificate is only imported to the Local User's Trusted Root CA store Automatic Updates will fail server authentication.

• Your client computers must trust the certificate you bind to the WSUS server in IIS. Depending upon the type of certificate you are using, you may have to set up a service to enable the clients to trust the certificate bound to the WSUS server. For more information, see "Further Reading" later in this section.

whardman · 09-09-2006, 02:44 PM

The default port for https is 443 not 431. You need to change the port to 443 or change the address to https://192.168.10.101:431.

newhouse1390 · 09-10-2006, 08:05 AM

I think I just misspoke. I did not change the default port used, and I am under the understanding that if that doesn't change their is no reason to include the port number in the URL. I will try putting the port number in. I still believe this issue is along the line of certificates not being trusted.

**Cellus** · 09-10-2006, 12:31 PM

Untrusted certificates are a common problem when you create a custom CA and forget to have the new CA trusted.

newhouse1390 · 09-10-2006, 09:07 PM

Can you tell me how I can get my Certificate trusted by my client computers?

crazijoe · 09-11-2006, 06:47 AM

You will need to install the certificate on the users computers.

newhouse1390 · 09-13-2006, 11:01 AM

Will installing the cert that is presented when you access the webpage good enough to install. Or do I need to go to the cert services intranet site? How would you reccommend getting that done?

crazijoe · 09-13-2006, 11:05 AM

Quote:

Originally Posted by newhouse1390

Will installing the cert that is presented when you access the webpage good enough to install.

We tried it that way and it didn't work. I know this sounds crazy but this was the only way we could get it to work. What we did it was we imported it off the server and installed it onto each machine that needed it.

newhouse1390 · 09-21-2006, 03:30 PM

This link has the fix, I have been able to come up with a new error message

. I think I just need to know where to get the cert off of the server and where / how to input it on the clients.

http://www.security-forums.com/viewt...fa88a97da921ed

newhouse1390 · 09-25-2006, 07:09 AM

This issue was resolved. There was a conflict with the SSL configuration on the default page and that change did not take affect on the child websites.

09-10-2006, 08:05 AM	#3 (permalink)
newhouse1390 Member, Networking Team Join Date: Jan 2005 Location: Ohio Posts: 1,040 OS: Windows Server 2003	I think I just misspoke. I did not change the default port used, and I am under the understanding that if that doesn't change their is no reason to include the port number in the URL. I will try putting the port number in. I still believe this issue is along the line of certificates not being trusted. __________________ Because you can read this thank a teacher, because it's English thank a soldier.

09-10-2006, 12:31 PM	#4 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,664 OS: Windows Vista Business SP1, Windows XP Professional SP3 My System	Untrusted certificates are a common problem when you create a custom CA and forget to have the new CA trusted. __________________ TSF Networking Team Virus/Trojan/Spyware Removal Help Donate!

09-10-2006, 09:07 PM	#5 (permalink)
newhouse1390 Member, Networking Team Join Date: Jan 2005 Location: Ohio Posts: 1,040 OS: Windows Server 2003	Can you tell me how I can get my Certificate trusted by my client computers? __________________ Because you can read this thank a teacher, because it's English thank a soldier.

09-11-2006, 06:47 AM	#6 (permalink)
crazijoe Registered User Join Date: Oct 2004 Location: Omaha, The Center of the Universe Posts: 7,632 OS: WinXP, Win2K3 My System	You will need to install the certificate on the users computers. __________________ Microsoft MCSA + Messaging, MVP, A+, Network+ http://i16.photobucket.com/albums/b3...other/Help.jpg Do you want a real Republican? HDD diagnostic tools / HDD data recovery software

09-13-2006, 11:01 AM	#7 (permalink)
newhouse1390 Member, Networking Team Join Date: Jan 2005 Location: Ohio Posts: 1,040 OS: Windows Server 2003	Will installing the cert that is presented when you access the webpage good enough to install. Or do I need to go to the cert services intranet site? How would you reccommend getting that done? __________________ Because you can read this thank a teacher, because it's English thank a soldier.

09-09-2006, 02:44 PM	#2 (permalink)
whardman Registered User Join Date: Jun 2006 Location: Cincinnati, Ohio Posts: 617 OS: Windows XP My System	The default port for https is 443 not 431. You need to change the port to 443 or change the address to https://192.168.10.101:431.

09-21-2006, 03:30 PM	#9 (permalink)
newhouse1390 Member, Networking Team Join Date: Jan 2005 Location: Ohio Posts: 1,040 OS: Windows Server 2003	This link has the fix, I have been able to come up with a new error message . I think I just need to know where to get the cert off of the server and where / how to input it on the clients. http://www.security-forums.com/viewt...fa88a97da921ed __________________ Because you can read this thank a teacher, because it's English thank a soldier.

09-25-2006, 07:09 AM	#10 (permalink)
newhouse1390 Member, Networking Team Join Date: Jan 2005 Location: Ohio Posts: 1,040 OS: Windows Server 2003	This issue was resolved. There was a conflict with the SSL configuration on the default page and that change did not take affect on the child websites. __________________ Because you can read this thank a teacher, because it's English thank a soldier.