How to Configure the WSUS Web Site to Use SSL

3 out of 10 rated this helpful

Updated: May 1, 2011
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System
Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
When a Configuration Manager 2007 site server is in native mode, or when the active software update point is configured to use Secure Sockets Layer (SSL), there
are five virtual roots that must be configured to use a secured channel on the active software update point server and active Internet-based software update point
server, if it is configured. The virtual roots are located under the Web site used by the Windows Server Update Services (WSUS) server, and they are modified by
using the Internet Information Services(IIS) Manager. After the virtual roots have been configured, you must run the WSUSUtil tool to configure the health
monitoring feature of WSUS to use SSL.
Use one of the following procedures to configure SSL on the WSUS server.
To configure SSL on the WSUS server by using IIS 6.0
1. On the WSUS server, open Internet Information Services (IIS) Manager.
2. Expand Web Sites, and then expand the Web site for the WSUS server. We recommend that you use the WSUS Administration custom Web site, but the
default Web site might have been chosen when WSUS was being installed.
3. Perform the following steps on the APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual
directories that reside under the WSUS Web site.
a. Right-click the Web site or virtual directory, and then click Properties.
b. Click the Directory Security tab, and then click Edit in the Secure Communications section.
c. Select the Require secure channel (SSL) checkbox. Ensure that Ignore client certificates is selected, and then click OK.
d. Click OK to close the properties for the virtual root.
4. Close Internet Information Services (IIS).
5. Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet fully qualified domain name (FQDN) of the
software update point site system)>.
Important
The native mode certificate for an Internet-based software update point requires that the Internet FQDN and intranet FQDN are both specified in the Web
server certificate, even when clients on the intranet do not connect to it. If you specify the intranet FQDN with the WSUSUtil command, and the same
FQDN is not included in the Web server certificate, the Internet-based software update point cannot connect to the active software update point on the
intranet, and software updates synchronization will fail. For more information, see Certificate Requirements for Native Mode.
To configure SSL on the WSUS server by using IIS 7.0
1. On the WSUS server, open Internet Information Services (IIS) Manager.
2. Expand Sites, and then expand the Web site for the WSUS server. We recommend that you use the WSUS Administration custom Web site, but the default
Web site might have been chosen when WSUS was being installed.
3. Perform the following steps on the APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual
directories that reside under the WSUS Web site.
a. In Features View, double-click SSL Settings.
b. On the SSL Settings page, select the Require SSL checkbox. Ensure that Client certificates is set to Ignore.
c. In the Actions pane, click Apply.
4. Close Internet Information Services (IIS) Manager.
5. Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system>.
See Also
Pgina 1 de 2 How to Configure the WSUS Web Site to Use SSL
26/09/2014 http://technet.microsoft.com/en-us/library/bb633246.aspx
Tasks
How to Install Windows Server Update Services 3.0
Concepts
About the Software Update Point
Administrator Checklist: Configuring Software Updates
Administrator Checklist: Planning and Preparing Software Updates
Benefits of Using Native Mode
Planning for the Software Update Point Installation
Planning for the Software Update Point Settings
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
Pgina 2 de 2 How to Configure the WSUS Web Site to Use SSL
26/09/2014 http://technet.microsoft.com/en-us/library/bb633246.aspx