Microsoft Windows Vista Community Forums - Vistaheads
Patch download to downstream server over port 443

microsoft.public.windowsupdate






  #1 (permalink)  
Old 04-29-2009
Andrew
 

Posts: n/a
Patch download to downstream server over port 443
Is there a way to force a WSUS 3.0 downstream to pull its patches from the
upstream server over TCP port 443 and not port 80? From what I have gathered,
the metadata comes over 443 with no issue but the patches fail to download.
Our firewall only allows 443 communication between the two servers.
Thanks in advance.
  #2 (permalink)  
Old 04-30-2009
PA Bear [MS MVP]
 

Posts: n/a
Re: Patch download to downstream server over port 443
[[ Right pew, wrong church. Forwarded to WSUS newsgroup
(microsoft.public.windows.server.update_services) via crosspost as a
convenience to OP.

On the web:
http://www.microsoft.com/communities... date_services

In your newsreader:
news://msnews.microsoft.com/microsof...pdate_services
]]

Andrew wrote:
> Is there a way to force a WSUS 3.0 downstream to pull its patches from the
> upstream server over TCP port 443 and not port 80? From what I have
> gathered, the metadata comes over 443 with no issue but the patches fail to
> download.
> Our firewall only allows 443 communication between the two servers.
> Thanks in advance.


  #3 (permalink)  
Old 04-30-2009
Lawrence Garvin [MVP]
 

Posts: n/a
Re: Patch download to downstream server over port 443

> Andrew wrote:
>> Is there a way to force a WSUS 3.0 downstream to pull its patches from
>> the upstream server over TCP port 443 and not port 80? From what I have
>> gathered, the metadata comes over 443 with no issue but the patches fail
>> to download.


Well, to that point, the metadata will always come over an unsecured channel
because it's already digitally signed. File transfers occur via HTTP, and it
would be counterproductive to encrypt digitally signed file content using
SSL (or IPSec).

>> Our firewall only allows 443 communication between the two servers.


Then you have an unreconcilable deployment issue. Upstream/downstream server
communications *require* access on both HTTP (port 80) and HTTPS (port 443).




--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

  #4 (permalink)  
Old 04-30-2009
Andrew
 

Posts: n/a
Re: Patch download to downstream server over port 443
If server performance and bandwidth was not an issue, I will take your
answers as a NO. Thanks.

"Lawrence Garvin [MVP]" wrote:

>
> > Andrew wrote:
> >> Is there a way to force a WSUS 3.0 downstream to pull its patches from
> >> the upstream server over TCP port 443 and not port 80? From what I have
> >> gathered, the metadata comes over 443 with no issue but the patches fail
> >> to download.

>
> Well, to that point, the metadata will always come over an unsecured channel
> because it's already digitally signed. File transfers occur via HTTP, and it
> would be counterproductive to encrypt digitally signed file content using
> SSL (or IPSec).
>
> >> Our firewall only allows 443 communication between the two servers.

>
> Then you have an unreconcilable deployment issue. Upstream/downstream server
> communications *require* access on both HTTP (port 80) and HTTPS (port 443).

  #5 (permalink)  
Old 05-01-2009
Harry Johnston [MVP]
 

Posts: n/a
Re: Patch download to downstream server over port 443
> Andrew wrote:

>> Is there a way to force a WSUS 3.0 downstream to pull its patches from
>> the upstream server over TCP port 443 and not port 80?


Not directly, but if you were to run SSL tunnelling software on the downstream
computer you could redirect traffic from a port of your choice (let's say 81) to
the SSL port on the upstream server. That is, you could set it up so that any
program on the downstream server connecting to localhost:81 would have the
connection translated into SSL and forwarded to upstream-server:443.

Then, if you configured WSUS on the downstream server to use localhost:81 as the
proxy server, the BITS connection would be redirected to the upstream server and
it should work. (I think.)

Obviously this isn't a supported configuration, but if you really can't open
port 80 or use a VPN connection this may provide you with a workable, albeit
less than ideal, solution.

The other option would be to set up the downstream server as a disconnected
server, as documented by Microsoft in the WSUS guides. This is at least
supported, though it would be more labour-intensive.

Harry.



Reply With Quote
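The tunnel described in post #5, as an added example that is not from the thread or from any WSUS tooling: a forwarder that accepts plaintext only on the loopback address, port 81, and relays it to upstream-server:443 over TLS with certificate and host name verification. The host name and port 81 are the post's own placeholders; the function names and the optional `cafile` parameter are assumptions of this example.

```python
import contextlib
import socket
import ssl
import threading

LISTEN = ("127.0.0.1", 81)           # loopback only; port 81 as in the post
UPSTREAM = ("upstream-server", 443)  # placeholder host name from the post

def make_tls_context(cafile=None):
    """TLS client context that verifies the upstream certificate and name."""
    return ssl.create_default_context(cafile=cafile)

def pump(src, dst):
    """Copy src -> dst until EOF or error, then shut both sockets down."""
    with contextlib.suppress(OSError):      # ssl.SSLError is an OSError
        while (data := src.recv(65536)):
            dst.sendall(data)
    for s in (src, dst):
        with contextlib.suppress(OSError):
            s.shutdown(socket.SHUT_RDWR)    # also wakes the opposite pump

def handle(client, ctx, upstream=UPSTREAM):
    """Relay one plaintext local connection over a verified TLS session."""
    try:
        raw = socket.create_connection(upstream, timeout=15)
        tls = ctx.wrap_socket(raw, server_hostname=upstream[0])
        tls.settimeout(None)         # timeout covers connect + handshake only
    except OSError:                  # unreachable, or certificate check failed
        client.close()
        return
    back = threading.Thread(target=pump, args=(tls, client), daemon=True)
    back.start()
    pump(client, tls)                # local -> upstream, in this thread
    back.join()
    client.close()
    tls.close()

def serve(listen=LISTEN, cafile=None):
    """Accept local connections and give each one its own relay thread."""
    ctx = make_tls_context(cafile)
    with socket.create_server(listen) as srv:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client, ctx),
                             daemon=True).start()

if __name__ == "__main__":
    serve()
```

Whether WSUS and BITS accept such a listener as their proxy is not verified here, just as the post itself leaves it open.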
  #6 (permalink)  
Old 05-01-2009
Lawrence Garvin [MVP]
 

Posts: n/a
Re: Patch download to downstream server over port 443
"Harry Johnston [MVP]" <harry@scms.waikato.ac.nz> wrote in message
news:erdvq9gyJHA.480@TK2MSFTNGP06.phx.gbl...
>> Andrew wrote:

>
>>> Is there a way to force a WSUS 3.0 downstream to pull its patches from
>>> the upstream server over TCP port 443 and not port 80.


> Not directly, but if you were to run SSL tunnelling software on the
> downstream computer you could redirect traffic from a port of your choice
> (let's say 81) to the SSL port on the upstream server. That is, you could
> set it up so that any program on the downstream server connecting to
> localhost:81 would have the connection translated into SSL and forwarded
> to upstream-server:443.
>
> Then, if you configured WSUS on the downstream server to use localhost:81
> as the proxy server, the BITS connection would be redirected to the
> upstream server and it should work. (I think.)
>
> Obviously this isn't a supported configuration, but if you really can't
> open port 80 or use a VPN connection this may provide you with a workable,
> albeit less than ideal, solution.
>
> The other option would be to set up the downstream server as a
> disconnected server, as documented by Microsoft in the WSUS guides. This
> is at least supported, though it would be more labour-intensive.


Also... something that didn't occur to me in my previous reply...

If the issue is with =PORT 80= (specifically), and not with the idea of HTTP
(unsecured) or a second port in general,
then the *supported* configuration is to install WSUS on port 8530 and use
port 8531 for SSL.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
