From LedHed's Wiki
Latest revision as of 22:13, 10 November 2016

Overview

This article describes how to set up WSUS to use SSL. It is a condensed version of an article on another site, from which all of the content was taken, and is kept here for redundancy and ease of access. All credit goes to Jack Stromberg (the author of the referenced article).


WSUS SSL Down-N-Dirty

1. Install WSUS Role
2. Launch IIS Manager
3. Click the Server, then Server Certificates.
4. Create a Domain Cert (or CSR if you don't have an internal CA, and have a CA sign it.)
5. Bind the newly signed certificate to the WSUS Administration site. (click Bindings -> https -> edit -> Select)
6. Require SSL on the following virtual roots:

  • ApiRemoting30
  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService

This can be done by expanding the WSUS Administration site, selecting one of the above virtual roots, and clicking "SSL Settings" and checking "Require SSL"

7. Run the following command:

"C:\Program Files\Update Services\Tools\WSUSUtil.exe" configuressl YOURSERVER.DOMAIN.TLD

Where YOURSERVER.DOMAIN.TLD is the FQDN of your WSUS server.

8. Reboot
9. Launch the WSUS MMC.
10. Delete the old reference to your WSUS server. (Odds are it's throwing a Node error anyway.)
11. Right click "Update Services", click "Connect to Server", type in your server's FQDN and check the SSL checkbox.

With any luck your server will show up in the MMC.
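Steps 6 and 7 can also be scripted. The following PowerShell is an added example, not part of the referenced article: it sets "Require SSL" on the five virtual roots, reads the setting back to confirm it, and only then runs the configuressl command. It assumes the WebAdministration module is available, the default site name "WSUS Administration", and that the certificate from steps 4 and 5 is already bound; the parameter name WsusFqdn is hypothetical.

```powershell
#Requires -RunAsAdministrator
param(
    # FQDN of the WSUS server, i.e. YOURSERVER.DOMAIN.TLD (hypothetical parameter name)
    [Parameter(Mandatory)]
    [string]$WsusFqdn
)

Import-Module WebAdministration

$site     = 'WSUS Administration'   # assumed default WSUS site name
$roots    = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$filter   = 'system.webServer/security/access'
$wsusUtil = 'C:\Program Files\Update Services\Tools\WSUSUtil.exe'

# Step 6: equivalent of ticking "Require SSL" under SSL Settings.
# Note: this replaces any other sslFlags already set on the virtual root.
foreach ($root in $roots) {
    Set-WebConfigurationProperty -PSPath $apphost -Location "$site/$root" `
        -Filter $filter -Name sslFlags -Value 'Ssl'
}

# Read the setting back so a virtual root that still accepts plain HTTP is caught here.
$notEnforced = foreach ($root in $roots) {
    $value = Get-WebConfigurationProperty -PSPath $apphost -Location "$site/$root" `
        -Filter $filter -Name sslFlags
    # Depending on the attribute type the cmdlet returns a string or an object with .Value
    if ($value -isnot [string]) { $value = [string]$value.Value }
    $flags = $value -split ',' | ForEach-Object { $_.Trim() }
    if ($flags -notcontains 'Ssl') { $root }
}
if ($notEnforced) {
    throw "Require SSL is not set on: $($notEnforced -join ', ')"
}

# Step 7: tell WSUS to use SSL with the server's FQDN.
& $wsusUtil configuressl $WsusFqdn
if ($LASTEXITCODE -ne 0) {
    throw "WSUSUtil configuressl failed with exit code $LASTEXITCODE"
}
```

Continue with step 8 (reboot) after the script completes without errors.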


Next Steps

Create/Update the GPO that tells client workstations which WSUS server to connect to. Set it to:

https://YOURSERVER.DOMAIN.TLD:8531

The setting is located at:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location

Detailed steps can be found in the reference article below.


Reference

http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/