Configure SSL connection for WSUS Upstream and Downstream Servers

Posted on IT Expert By IT Expert No Comments on Configure SSL connection for WSUS Upstream and Downstream Servers
Secure communication

In this article, we will learn how to Configure SSL connection for WSUS Upstream and Downstream Servers. SSL stands for Secure Sockets Layer, a vital security technology. See the following guides for some related articles I have written. Configuring WSUS Email Notification to Work With Office365, How to setup and configure Windows server update services (WSUS), important Areas to Master on WSUS (Installed and not applicable, Install 1/4, and Installed / Not applicable 100).

SSL and its successor, Transport Layer Security (TLS) are protocols that establish authenticated and encrypted links between networked computers.

Before we proceed with these steps, please take a look at the articles below. – Targeting WSUS Client with the Registry keys: How to configure WSUS Clients to get Updates from the WSUS server using Registry settings and how to apply Windows Updates from WSUS to the server using AWS RunCommand and some very handy WSUS Commands “Windows Server Update Services Commands, WAUACLT, PowerShell and USOClient “.

Configure Server Certificate

From the Server Manager, click Tools and open IIS. Click on the IIS Server Node, and double click on the Server Certificate

SSL setup

Click on Import (and import the SSL certificate in .pfx format and enter the password)

WSUS servers

Note: Nonetheless, to ensure secure communication, it’s crucial to learn how to configure SSL. Import the CA certificate into the Trusted Root CA store on downstream WSUS servers or the local computer.

If the certificate is only imported to the Local User Trusted Root CA store, the downstream WSUS server will not be authenticated on the upstream server.

Note: Moreover, You must import the certificate to all computers that will communicate with the WSUS server. Therefore, this includes all client computers, downstream servers, and computers that run the WSUS Administration Console.

The certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Service Trusted Root CA store. See how to configure WSUS.

Bind the SSL certificate

We have to bind the SSL certificate. Expand your server, expand Sites, and select WSUS Administration

Under Actions, click on Bindings

The binding windows opens, click on Edit and enter the host names (Select the cert for HTTPS)

SSL configuration

Enforce SSL Encryption

Now enforce the SSL encryption on the following virtual roots listed below. Ensure to repeat all steps for each directory listed below

  • ApiRemoting30
  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService
Secure communication

Select the directory (virtual root) e.g  ClientWebService and double click on SSL Settings

Check the require SSL  and under Actions click on Apply

Let’s instruct WSUS to make use of SSL, and this can be done via the command line.

Navigate to the WSUS installation path C:Program FilesUpdate ServicesTools as shown below on your Server

Run the WsusUtil.exe as shown above followed by configuressl and the FQDN as shown below

The result would be this

Finally, restart the WSUS server to make sure all changes take effect.  This should enable access to the  WSUS management console if everything is okay.

See the following guide for some related WSUS contents “how to Start, Stop and Restart Windows Server Update Services (WSUS) via PowerShell and CMD, Windows Server Update Services: Windows 2016 Servers does not show up on the WSUS console, and WSUS clients appear and disappear from the WSUS Update Services console“.

Note: However, You can witness some weird issues after configuring SSL, simply use these link

  • wsusutil usecustomwebsite false
  • wsusutil usecustomwebsite true
C:Program FilesUpdate ServicesToolsWSUSutil usecustomwebsite false

And rerun

C:Program FilesUpdate ServicesToolsWSUSutil usecustomwebsite True

To establish secure communication for downstream servers connecting to the upstream server via port 8531. Ensure proper rules are in place for this setup. And you can additionally reconfigure using the configure SSL from this path. 

C:Program FilesUpdate ServicesToolsWSUSutil

Note: However, You can set up your own CA: (Enterprise root CA). I hope you found this article useful on how to Configure SSL connection for WSUS Upstream and Downstream Servers. Please feel free to leave a comment below.

Rate this post
Windows Server Tags:, ,

Related Posts

More Related Articles

0318 4 Active Directory Authentication methods: How do Kerberos and NTLM work Windows Server
fix windows activation 0x87E10BC6 error Fix Error 0x87E10BC6 on a PC running Windows non-core Edition Windows
WinRM set up for specific IP Configure WinRM to accept connection from a specific IP Address Windows
Windows Server 2016 1 1 Merits and demerits of Local System Account and Service Logon Account Windows Server
App Locker Harden your Veeam Backup Server with Microsoft AppLocker Windows
PSD1 Azure 2 How to install PSD Hydration Kit for remote bare-metal deployment or via PXE boot Windows Server

Leave a Reply