Patch download to downstream server over port 443

Is there a way to force a WSUS 3.0 downstream to pull its patches from the
upstream server over TCP port 443 and not port 80. From what I have gather
the metatdata comes over 443 with no issue but the patches fail to download.
Our firewall that only allow 443 communication between the two server.
Thanks in advance.

[[ Right pew, wrong church. Forwarded to WSUS newsgroup
(microsoft.public.windows.server.update_services) via crosspost as a
convenience to OP.

On the web:
http://www.microsoft.com/communities... date_services

In your newsreader:
news://msnews.microsoft.com/microsof...pdate_services
]]

Andrew wrote:
> Is there a way to force a WSUS 3.0 downstream to pull its patches from the
> upstream server over TCP port 443 and not port 80. From what I have
> gather
> the metatdata comes over 443 with no issue but the patches fail to
> download.
> Our firewall that only allow 443 communication between the two server.
> Thanks in advance.

> Andrew wrote:
>> Is there a way to force a WSUS 3.0 downstream to pull its patches from
>> the
>> upstream server over TCP port 443 and not port 80. From what I have
>> gather
>> the metatdata comes over 443 with no issue but the patches fail to
>> download.

Well, to that point, the metadata will always come over an unsecured channel
because it's already digitally signed. File transfers occur via HTTP, and it
would be counterproductive to encrypt digitally signed file content using
SSL (or IPSec).

>> Our firewall that only allow 443 communication between the two server.

Then you have an unreconcilable deployment issue. Upstream/downstream server
communications *require* access on both HTTP (port 80) and HTTPS (port 443).




--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

If server performance and bandwidth was not an issue, I will take your
answers as a NO. Thanks.

"Lawrence Garvin [MVP]" wrote:

>
> > Andrew wrote:
> >> Is there a way to force a WSUS 3.0 downstream to pull its patches from
> >> the
> >> upstream server over TCP port 443 and not port 80. From what I have
> >> gather
> >> the metatdata comes over 443 with no issue but the patches fail to
> >> download.
>
> Well, to that point, the metadata will always come over an unsecured channel
> because it's already digitally signed. File transfers occur via HTTP, and it
> would be counterproductive to encrypt digitally signed file content using
> SSL (or IPSec).
>
> >> Our firewall that only allow 443 communication between the two server.
>
> Then you have an unreconcilable deployment issue. Upstream/downstream server
> communications *require* access on both HTTP (port 80) and HTTPS (port 443).
>
>
>
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>
>

> Andrew wrote:

>> Is there a way to force a WSUS 3.0 downstream to pull its patches from
>> the
>> upstream server over TCP port 443 and not port 80.

Not directly, but if you were to run SSL tunnelling software on the downstream
computer you could redirect traffic from a port of your choice (let's say 81) to
the SSL port on the upstream server. That is, you could set it up so that any
program on the downstream server connecting to localhost:81 would have the
connection translated into SSL and forwarded to upstream-server:443.

Then, if you configured WSUS on the downstream server to use localhost:81 as the
proxy server, the BITS connection would be redirected to the upstream server and
it should work. (I think.)

Obviously this isn't a supported configuration, but if you really can't open
port 80 or use a VPN connection this may provide you with a workable, albiet
less than ideal, solution.

The other option would be to set up the downstream server as a disconnected
server, as documented by Microsoft in the WSUS guides. This is at least
supported, though it would be more labour-intensive.

Harry.


From what I have
>> gather
>> the metatdata comes over 443 with no issue but the patches fail to
>> download.
>> Our firewall that only allow 443 communication between the two server.
>> Thanks in advance.

"Harry Johnston [MVP]" <harry@scms.waikato.ac.nz> wrote in message
news:erdvq9gyJHA.480@TK2MSFTNGP06.phx.gbl...
>> Andrew wrote:
>
>>> Is there a way to force a WSUS 3.0 downstream to pull its patches from
>>> the upstream server over TCP port 443 and not port 80.

> Not directly, but if you were to run SSL tunnelling software on the
> downstream computer you could redirect traffic from a port of your choice
> (let's say 81) to the SSL port on the upstream server. That is, you could
> set it up so that any program on the downstream server connecting to
> localhost:81 would have the connection translated into SSL and forwarded
> to upstream-server:443.
>
> Then, if you configured WSUS on the downstream server to use localhost:81
> as the proxy server, the BITS connection would be redirected to the
> upstream server and it should work. (I think.)
>
> Obviously this isn't a supported configuration, but if you really can't
> open port 80 or use a VPN connection this may provide you with a workable,
> albiet less than ideal, solution.
>
> The other option would be to set up the downstream server as a
> disconnected server, as documented by Microsoft in the WSUS guides. This
> is at least supported, though it would be more labour-intensive.

Also... something that didn't occur to me in my previous reply...

If the issue is with =PORT 80= (specifically), and not with the idea of HTTP
(unsecured) or a second port in general,
then the *supported* configuration is to install WSUS on port 8530 and use
port 8531 for SSL.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin