Question
Tuesday, October 9, 2018 10:00 AM
Hi
We have an internal WSUS server working fine; we have external clients that we now need to get updates on WSUS.
I understand we can have an externally facing WSUS server and purchase an SSL certificate for the URL etc.
My question is what is the best practice for this. Do I
* Have a separate WSUS server in my DMZ set up as a replica server (does it have its own update DB or use the other server's?)
* Move my existing WSUS server into my DMZ and make one server for all
Thanks in advance
All replies (24)
Wednesday, October 10, 2018 6:52 AM
Hello,
I suggest that you set a replica server in the DMZ instead of moving the existing WSUS. And then you could restrict and encrypt the communication just between upstream and downstream, not between WSUS and all internal clients.
If there are not many clients in the DMZ, I recommend using WID, but it also depends on system and network performance.
Hope my answer could help you.
Best Regards,
Ray
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, October 10, 2018 8:14 AM
Thanks for the reply
I will set up a replica server in the DMZ then. To encrypt the traffic, is this just a case of using SSL port 8531 for both my internal and external WSUS?
The SSL cert should be applied to the externally facing WSUS server correct?
Thanks
Wednesday, October 10, 2018 8:28 AM
Hello,
The SSL cert should be applied to the externally facing WSUS server correct?
Yes, you must import the certificate to all computers that will communicate with the WSUS server. This includes all client computers, downstream servers, and computers that run the WSUS Administration Console. The certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Service Trusted Root CA store.
Review the following article to get more details on configuring SSL.
/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939849(v=ws.10)#secure-wsus-with-the-secure-sockets-layer-protocol
Best Regards,
Ray
Wednesday, October 10, 2018 8:52 AM
Hi
Thanks for the help and sorry if I'm asking stupid questions.
I have purchased WSUS.mydomain.com from GoDaddy and have the SSL cert. This is the certificate that I put on both internal WSUS and external WSUS for port 8531? Correct?
Thanks
Thursday, October 11, 2018 7:33 AM
Hello,
Sorry for the delay.
Yes, you could use that certificate issued to your server. I found a step-by-step guide for you. You could skip the previous steps and start from "bind the SSL certificate to your network adapter".
http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/
Good luck,
Ray
Thursday, October 11, 2018 7:54 AM
Hi
No worries about the delay, I appreciate your help.
I'm a little confused as to why the same SSL cert I created for wsus.mydomain.com on my external server needs to also be applied to my internal server?
I thought that the SSL cert is bound to port 8531 on my external server so my clients look at https://wsus.mydomain.com:8531
I plan to then have an A record internally that points wsus.mydomain.com to my internal WSUS server.
Is this correct?
Friday, October 12, 2018 4:44 AM
I'm now writing a blog post that will answer this question. Stay tuned. Hopefully I'll get it up before the end of the weekend.
Adam Marshall, MCSE: Security
https://www.ajtek.ca
Microsoft MVP - Windows and Devices for IT
Friday, October 12, 2018 10:51 AM
Thanks. Look forward to that.
One other question. To work both my external and internal WSUS server should be setup to use SSL 8531?
Or can I have my external one using 8531 but internal 8530?
Friday, October 12, 2018 12:51 PM
Hello,
Yes, of course it could. When you import the cert and enable SSL on the external WSUS, the clients assigned to the external WSUS would communicate with it via HTTPS, while the communication between internal and external is still through HTTP. In other words, the clients assigned to the external WSUS would use https://externalWSUS:8531 as their WSUS, while the external WSUS would use http://internalWSUS:8530 as its upstream WSUS.
If you want to encrypt the communication between internal and external, you should import another cert on the internal WSUS server. In my lab, I use a self-signed certificate to encrypt the communication between USS and DSS; you could try it.
Best Regards,
Ray
Monday, October 15, 2018 12:32 AM
Hello,
I am reviewing old cases. Has your issue been solved? Or is there any update? Please feel free to give feedback.
Best Regards,
Ray
Monday, October 15, 2018 7:06 AM
No
Still waiting for an answer
I'm a little confused as to why the same SSL cert I created for wsus.mydomain.com on my external server needs to also be applied to my internal server?
I thought that the SSL cert is bound to port 8531 on my external server so my clients look at https://wsus.mydomain.com:8531
I plan to then have an A record internally that points wsus.mydomain.com to my internal WSUS server.
Is this correct?
Monday, October 15, 2018 10:46 AM
My blog post is almost ready.
The reason why you want SSL is to protect against MitM attacks.
Adam Marshall, MCSE: Security
https://www.ajtek.ca
Microsoft MVP - Windows and Devices for IT
Wednesday, October 17, 2018 10:24 AM
Thanks
I've installed my SSL cert and then set up SSL on my WSUS server.
Set the bindings for 8351 to the cert and set up SSL on
• SimpleAuthWebService
• DSSAuthWebService
• ServerSyncWebService
• ApiRemoting30
• ClientWebService
Ran the command WSUSUtil.exe configuressl wsus.mydomain.com
All ran OK, restarted the server and now cannot connect to the WSUS console. Looking in the event log I see "The API Remoting Web Service is not working" and "The API Remoting Web Service is not working."
From the IIS logs
2018-10-17 08:07:38 172.25.200.59 POST /ApiRemoting30/WebService.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 401 2 5 475
2018-10-17 08:07:38 172.25.200.59 POST /ApiRemoting30/WebService.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 401 1 2148074252 0
2018-10-17 08:07:38 172.25.200.59 POST /ApiRemoting30/WebService.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 401 2 5 1
2018-10-17 08:07:38 172.25.200.59 POST /ApiRemoting30/WebService.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 401 1 2148074252 3
Wednesday, October 17, 2018 4:46 PM
This makes sense - the old connection was using HTTP. Right click and remove the connection and then re-add a new connection using the hostname wsus.domain.com with HTTPS.
It should work then.
My blog post is done in the preliminary content - I have to still polish it up.
Adam Marshall, MCSE: Security
https://www.ajtek.ca
Microsoft MVP - Windows and Devices for IT
Thursday, October 18, 2018 8:34 AM
I thought it made sense but...
When I connect with the host name wvwsus.mydomain.com port 8531 it doesn't work.
As per https://blogs.technet.microsoft.com/sus/2011/05/09/how-to-create-an-internet-facing-wsus-server-that-uses-different-internal-and-external-names/
I do have a different internal name from the external name, e.g. your domain name is wsus.contoso.com internally but you want to publish the same WSUS to work on the Internet with a different name such as wsus.fabrikam.com
Is this my issue and I need to get the SSL cert reissued with "a public or domain certificate that will be trusted by the clients so that they can use SSL/HTTPS. This certificate will require a Subject that will include the internal FQDN for the WSUS server as well as a Subject Alternative Name (SAN) for the external FQDN that will be published outside."?
Thanks
Thursday, October 18, 2018 8:45 AM
IIS Logs attached
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2018-10-18 08:36:50 172.25.200.59 GET /selfupdate/iuident.cab - 8531 - 172.25.200.59 - - 200 0 0 1248
2018-10-18 08:36:55 172.25.200.59 POST /reportingwebservice/reportingwebservice.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 200 0 0 3457
2018-10-18 08:36:56 172.25.200.59 POST /ApiRemoting30/WebService.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 401 2 5 175
2018-10-18 08:36:56 172.25.200.59 POST /ApiRemoting30/WebService.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 401 1 3221225581 0
2018-10-18 08:36:56 172.25.200.59 POST /ApiRemoting30/WebService.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 401 2 5 4
2018-10-18 08:36:56 172.25.200.59 POST /ApiRemoting30/WebService.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 401 1 3221225581 3
2018-10-18 08:37:01 172.25.200.59 POST /ServerSyncWebService/serversyncwebservice.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 200 0 0 4972
2018-10-18 08:37:07 172.25.200.59 POST /ClientWebService/Client.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 200 0 0 5257
2018-10-18 08:37:07 172.25.200.59 POST /SimpleAuthWebService/SimpleAuth.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 200 0 0 267
2018-10-18 08:37:07 172.25.200.59 POST /DssAuthWebService/DssAuthWebService.asmx - 8531 - 172.25.200.59 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 200 0 0 369
2018-10-18 08:37:07 172.25.200.59 GET /Content/anonymousCheckFile.txt - 8531 - 172.25.200.59 - - 200 0 0 4
Thursday, October 18, 2018 9:04 AM
Hello,
I think this is the issue. If you have several websites (different FQDNs) that need to enable SSL, you should associate both of them with the cert. Your cert is from GoDaddy, right? Refer to the following link to add Subject Alternative Names to UCC certificates.
https://sg.godaddy.com/help/adding-or-dropping-subject-alternative-names-from-ucc-certificates-4649
Hope my answer could help you.
Best Regards,
Ray
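An added PowerShell check, not steps from the thread or from either of the linked guides, that puts together what the posts above cover: it reads the certificate bound to 8531, lists the DNS names that certificate covers against the external name and the internal .local FQDN, and confirms "Require SSL" on the five web services. The site name, the port and the two host names are assumptions to replace with your own.

```powershell
# Added example, not code from the thread: check a WSUS server's HTTPS setup
# the way the posts above describe it. Assumes the default "WSUS Administration"
# IIS site on 8531; the two host names are placeholders for your own names.
Import-Module WebAdministration

$SiteName     = 'WSUS Administration'
$SslPort      = 8531
$NamesToCheck = @('wsus.mydomain.com', 'MDCWSUSDMZ.XXX.local')  # external name, internal FQDN
# The five web services the thread switches to "Require SSL"
$SslVDirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'

# 1. Find the https binding on the SSL port and the certificate it uses.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $SslPort
if (-not $binding) { throw "No https binding on port $SslPort for site '$SiteName'." }
$thumb = $binding.certificateHash
$store = "Cert:\LocalMachine\$($binding.certificateStoreName)"
$cert  = Get-ChildItem $store | Where-Object Thumbprint -eq $thumb
if (-not $cert) { throw "Bound certificate $thumb not found in $store." }

# 2. Which DNS names does the certificate cover (CN plus SAN entries)?
#    A name the console or a client connects with must appear here, otherwise the
#    client rejects the certificate no matter which port or DNS record it used.
$certNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
Write-Host "Cert '$($cert.Subject)' (expires $($cert.NotAfter)) covers: $($certNames -join ', ')"
foreach ($name in $NamesToCheck) {
    # -like lets a wildcard entry such as *.mydomain.com match; a plain entry needs an exact match
    $covered = [bool]($certNames | Where-Object { $name -like $_ })
    Write-Host ("{0,-28} {1}" -f $name, $(if ($covered) { 'covered' } else { 'NOT covered by this cert' }))
}

# 3. Confirm "Require SSL" is actually set on each web service. sslFlags comes back
#    either as a flag-name string ("Ssl, SslNegotiateCert") or as an integer (Ssl = 8).
foreach ($vdir in $SslVDirs) {
    $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$vdir" `
               -Filter 'system.webServer/security/access' -Name sslFlags
    $val = if ($null -ne $raw.Value) { $raw.Value } else { $raw }
    $ok  = ("$val" -match 'Ssl') -or (($val -is [int]) -and (($val -band 8) -ne 0))
    Write-Host ("{0,-22} sslFlags={1,-24} {2}" -f $vdir, $val, $(if ($ok) { 'OK' } else { 'SSL NOT required' }))
}
```

Run it in an elevated prompt on the WSUS server itself; a name reported as "NOT covered" is one the console or clients cannot use over HTTPS until the certificate carries it or the name is changed (split-DNS) to one the certificate does carry.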
Monday, October 22, 2018 1:09 PM
Thanks
I'm having trouble adding the server FQDN as a SAN for the cert. The server name is MDCWSUSDMZ and the FQDN is MDCWSUSDMZ.XXX.local
You must use a fully-qualified subject alt name.
You entered an invalid subject alt name.
How can I add both names?
Monday, October 22, 2018 1:35 PM
Hello,
I am afraid you cannot add an intranet name.
https://sg.godaddy.com/help/can-i-request-a-certificate-for-an-intranet-name-or-ip-address-6935
Best Regards,
Ray
Monday, October 22, 2018 2:27 PM
It's not 100% done (probably about 98%), but since you're hitting this part now, I'll publish it publicly so you can see it.
https://www.ajtek.ca/wsus/externally-facing-wsus-servers/
Adam Marshall, MCSE: Security
https://www.ajtek.ca
Microsoft MVP - Windows and Devices for IT
Tuesday, October 23, 2018 6:53 AM
Thanks both of you
This cert issue is my problem. Can I get around this with internal DNS somehow?
Tuesday, October 23, 2018 10:55 AM
Yes with Split-DNS. See my guide for the details of how to get it set up.
Adam Marshall, MCSE: Security
https://www.ajtek.ca
Microsoft MVP - Windows and Devices for IT
Wednesday, October 24, 2018 4:41 PM
I understand that part, but when I enabled SSL I couldn't open the WSUS console on the externally facing DMZ server, which I believe was due to "I think this is the issue. If you have several websites (different FQDNs) that need to enable SSL, you should associate both of them with the cert. Your cert is from GoDaddy, right? Refer to the following link to add Subject Alternative Names to UCC certificates."
I can't have a cert with both as my server name is .local
Thanks again
Monday, October 29, 2018 2:34 PM
Any ideas for the client to connect?
Won't connect with wsus.domain.com or the local server name.