Remove the server from the console then connect again, but this time use the 443 port option from the drop-dwon box.
Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7
My Blog: www.vkernel.ro/blog
↧
WSUS not working properly with SSL
↧
WSUS not working properly with SSL
Hi!
I have configured an "Internet facing" WSUS With Windows Server 2012 and WSUS With SSL. The WSUS is set up With an external FQDN and corresponding SSL (internal CA signed) certificate.
I have changed my WSUS GPO and Clients are able to Connect to the WSUS and get their updates (both on the LAN and over the Internet).
My problem is that since I configured the WSUS for SSL, I can no longer Access it from the MMC on my WSUS server. I also get the error 12012 "The API Remoting Web Service is not working" error in the event log on the server.
I am, however, able to Connect to the WSUS MMC from another server (2008R2) and I am able to manage the server from there, but I would like to be able to do it from the WSUS server itself also.
Thanks,
Robert
↧
↧
WSUS not working properly with SSL
No, the WSUS server itself is not registered in the WSUS as a Client.
Then, as a diagnostic measure, if not as an operational requirement -- I would start by getting the WSUS server's WUAgent to properly register with the WSUS server.
If the WSUS server is configured (via policy) as a WSUS client, and it's not registered, then I can almost guarantee you that these two conditions:
- WUAgent does not register with SSL-enabled WSUS server.
- Local MMC cannot establish a connection to SSL-enabled WSUS server.
are caused by exactly the same thing.
If the WSUS server is not configured as a WSUS client, the reason why is yet another conversation to be had, but configuring it as a client, and having it successfully register, detect, and report, will eliminate the client-side of the SSL certificate as a consideration and then we can move on to other more obscure possibilities.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
↧
WSUS not working properly with SSL
Yes, the SSL certificate used by the WSUS IIS (update.organization.com) is installed in the Computer account personal store of the WSUS server.
No, the WSUS server itself is not registered in the WSUS as a Client.
↧
WSUS not working properly with SSL
Yes, I have.
WSUS settings are controlled through Group Policy, and the WSUS server itself also has this policy applied to it. In regards to certificates, I have used an internal (Microsoft) CA, which is used in conjunction with an Automatic certificate request GPO, so that all Clients have the root CA certificate installed on them, so certificate trust should not be an issue. I can confirm that the SSL (webserver) certificate issued to and used by the WSUS IIS has the internal root CA as root. The internal root CA is also installed in Trusted Root Certification Authorities on both the Computer account, and the User account on the WSUS server.
Please forgive my pedantic nature.. but in scenarios like this, I quite often find the fact assumed is the fact bitten by.
- You've used an Enterprise CA to create and distribute a root certificate.
- You created an SSL certificate derived from that root certificate.
- The root CA is installed in the Trusted Root CA store of the Computer account. (As noted in the cited documentation, the root cert in the User store is meaningless.)
But I don't see anywhere that you have confirmed that the *SSL* certificate has been installed in the Computer store of the WSUS server -- in the same manner that it has (apparently) been installed on all of the other systems in your network (as evidenced by their ability to establish an SSL connection to WSUS).
Question: Can the Windows Update Agent of the WSUS server successfully detect/report to the WSUS server?
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
↧
↧
WSUS not working properly with SSL
Yes, I have.
WSUS settings are controlled through Group Policy, and the WSUS server itself also has this policy applied to it. In regards to certificates, I have used an internal (Microsoft) CA, which is used in conjunction with an Automatic certificate request GPO, so that all Clients have the root CA certificate installed on them, so certificate trust should not be an issue. I can confirm that the SSL (webserver) certificate issued to and used by the WSUS IIS has the internal root CA as root. The internal root CA is also installed in Trusted Root Certification Authorities on both the Computer account, and the User account on the WSUS server.
↧
WSUS not working properly with SSL
I am able to Connect to the WSUS from Clients (both internally and externally over the Internet) AND I am able to Connect to the WSUS console from another server, but NOT from the WSUS server itself.
So my problem is why/how can't I Connect to WSUS console on the server?
As asked... but not appearing to be answered.... have you performed the Configure SSL on client computers procedure on the WSUS server so that the WSUS server can be a 'client' of itself.
This procedure is not required just for the WUAgent to be able to talk to an SSL-enabled WSUS server, but also to allow the MMC to be able to talk to the SSL-enabled server. Inasmuch as you can connect from everywhere else, this seems to be the most logical cause.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
↧
WSUS not working properly with SSL
OK..
To recap this issue a bit..
I am able to Connect to the WSUS from Clients (both internally and externally over the Internet) AND I am able to Connect to the WSUS console from another server, but NOT from the WSUS server itself.
So my problem is why/how can't I Connect to WSUS console on the server?
↧
WSUS not working properly with SSL
Remove WSUS then reinstall using these guides:
Install WSUS 3.0 on Windows Server 2008 R2
http://www.vkernel.ro/blog/install-wsus-3-0-on-windows-server-2008-r2
Configure WSUS to use SSL
It really is preferred, that when posting in Microsoft forums, that you use links to theMicrosoft official documentation.
http://technet.microsoft.com/en-us/library/dd939849(v=ws.10).aspx
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
↧
↧
WSUS not working properly with SSL
I did the following steps to try and get it working (without any luck of course):
This is only part of what needs to be done. I'm not sure where this copy-and-paste came from, but the complete procedure can be found in the current WSUS Deployment Guide (July 2011) in the sectionSecure the WSUS 3.0 SP2 Deployment, which contains this (edited for relevancy) follow-up section:
Configure SSL on client computers
When you configure SSL on client computers, you should consider the following issues:
- You must include a URL for a secure port on the WSUS server. Because you cannot require SSL on the server, the only way to make sure that client computers can use a security channel is by using a URL that specifies HTTPS. If you use any port other than 443 for SSL, you must include that port in the URL also. For example, https://<ssl-servername>specifies a WSUS server that uses port 443 for HTTPS. https://<ssl-servername>:8531 specifies a WSUS server that uses a custom SSL port of 8531. </ssl-servername></ssl-servername>
- The certificate on a client computer must be imported into the Local Computer Trusted Root CA store or Automatic Update Service Trusted Root CA store. If the certificate is imported to the Local User's Trusted Root CA store only, Automatic Updates will
fail server authentication.
- <ssl-servername><ssl-servername>The client computers must trust the certificate that you bind to the WSUS server. Depending on the type of certificate that is used, you might have to set up a service to enable the client computers to trust the certificate that is bound to the WSUS server. For more information about certificates, see Additional SSL resources.</ssl-servername></ssl-servername>
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
↧
WSUS not working properly with SSL
Reinstall WSUS using default site witch is running on port 80.
Something I recently learned.. which I'm still in shock over...
The default installation port for WSUS on Windows Server 2012 is 8530. :-//
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
↧
WSUS not working properly with SSL
Did you install the SSL certificate on the WSUS server (as a client)?My problem is that since I configured the WSUS for SSL, I can no longer Access it from the MMC on my WSUS server.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
SolarWinds Head Geek
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
↧
WSUS not working properly with SSL
Remove WSUS then reinstall using these guides:
Install WSUS 3.0 on Windows Server 2008 R2
http://www.vkernel.ro/blog/install-wsus-3-0-on-windows-server-2008-r2
Configure WSUS to use SSL
http://www.vkernel.ro/blog/configure-wsus-to-use-ssl
Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7
My Blog: www.vkernel.ro/blog
↧
↧
WSUS not working properly with SSL
I am not able to connect w/o SSL, as I have already done the bindings you are asking about, and also required SSL on some of the directories in IIS (as per the deployment guide).
↧
WSUS not working properly with SSL
I have removed the server and tried to re-add it with it's Public name. I have also checked the SSL Box (using port 8531), but getting the error:
Cannot Connect to 'UPDATE.DOMAIN.COM'. Please make sure the Post-Installation task is completed successfully in that server. If it was, please verify if the server is using another port og different Secure Sockets Layer (SSL) setting.
If you can connect w/o SSL using port 8530, then think you need to add ssl binding in IIS on port 8531
c:\windows\system32\inetsrv\appcmd set site "Default Web Site" /+bindings.[protocol='https',bindingInformation='*:8531:']
↧
WSUS not working properly with SSL
I have removed the server and tried to re-add it with it's Public name. I have also checked the SSL Box (using port 8531), but getting the error:
Cannot Connect to 'UPDATE.DOMAIN.COM'. Please make sure the Post-Installation task is completed successfully in that server. If it was, please verify if the server is using another port og different Secure Sockets Layer (SSL) setting.
I am having the same problem. Have tried EVERYTHING. I can get SSL working with WSUS on 2008R2 no problem, so I know that to get it to work on server 2012 must require some level of tweaking. Also, once I enable SSL, even after rolling back changes, I cannot access the server anymore via the MMC (gives the error above)
I did the following steps to try and get it working (without any luck of course):
To configure SSL on the WSUS server by using IIS 7.0
On the WSUS server, open Internet Information Services (IIS) Manager.
Expand Sites, and then expand the Web site for the WSUS server. We recommend that you use the WSUS Administration custom Web site, but the default Web site might have been chosen when WSUS was being installed.
Perform the following steps on the APIRemoting30, ClientWebService,DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories that reside under the WSUS Web site.
- In Features View, double-click SSL Settings.
- On the SSL Settings page, select the Require SSL checkbox. Ensure thatClient certificates is set to Ignore.
- In the Actions pane, click Apply.
Close Internet Information Services (IIS) Manager.
Run the following command from <WSUS Installation Folder>\Tools:WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system>.
↧
WSUS not working properly with SSL
Hello,
The error I get in the WSUS server Application log is: Event ID 12012, The API Remoting Web Service is not working.
↧
↧
WSUS not working properly with SSL
Hi,
What is your current situation?My suggestion would be log onto this machine using the account which you start installation.After the installation and reboot,maybe you don't log onto the WSUS server to finish the post-Installation task?Are there any errors
in the eventlog?
If there are nothing else to provide,i suggest you try a reinstallation with the remaining DB,LOG files and update files to see whether you can connect locally.
Regards,
Clarence
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedbackhere.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
↧
WSUS not working properly with SSL
Reinstall WSUS using default site witch is running on port 80.
Adrian Costea - MCP, MCTS, MCSA 2003, MCITP: Windows 7
My Blog: www.vkernel.ro/blog
↧
WSUS not working properly with SSL
I am having the exact same problem! I also can't figure out how to for sure change it back to port 80/443 (which I would very much prefer).
↧