WSUS on Server 2003

Discussion in 'Networks' started by GmanUK, Oct 2, 2006.

  1. GmanUK

    GmanUK Byte Poster

    Hi All

    Just wondering if anyone has come up against the following problem before:

    Network setup -

    1) Server1 - SBS 2003 Premium (with ISA Server 2004) as DC, DHCP, DNS etc.
    2) Server2 - Server 2003 Standard as file server

    I have just installed WSUS on the file server, now I have done this on previous networks with the same kind of setup but something strange is going on with this one.

    When I try to sync it comes back with an error:

    Code:
    WebException: The underlying connection was closed: Could not establish secure channel for SSL/TLS. ---> System.IO.IOException: Unable to read data from the transport connection.
    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.UpdateServices.ServerSync.ServerSyncCompressionProxy.GetWebResponse(WebRequest webRequest)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetCookie(AuthorizationCookie[] authCookies, Cookie oldCookie, String protocolVersion)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerCookie(ServerSyncProxy proxy, AuthorizationCookie[] authCookies, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
       at Microsoft.UpdateSer
    One thing I noticed with the above error code was the first part (The underlying connection was closed: Could not establish secure channel for SSL/TLS)...now to me that is saying I have a firewall issue or connection issue, however the server is fully operational in every other way bar WSUS!

    One of the weird things with this issue is that it will fail every time I try to sync (manual & auto) but sometimes it will add some updates to the detected updates list. Not many (about 200 at the moment) but still shows that it is connecting at some points.

    I have added all of the update sites to the Trusted Sites list. I have configured ISA Server for the update site also.

    Has anyone got any ideas on this one? I know it could be a huge amount of things but any ideas would be great due to the onset of hair loss!! :eek:

    G
     
    Certifications: CompTIA N+, Server+, CCSN, ITILv3 (f)
    WIP: MCITP Security
  2. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    I'm no WSUS guru but I'll throw in a few suggestions.

    Firewall: Port 80 and 443 outbound need to be enabled.

    IIS: Does it matter which version of the .net Framework you are using?

    How does the WSUS server connect to the internet? Straight through the gateway or are you running ISA as a proxy?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. GmanUK

    GmanUK Byte Poster

    Cheers for the input Sparky

    Both ports outbound and inbound are enabled as it runs through the main server (server1) which uses OWA (Outlook Web Access).

    When installing WSUS (2.0) it installs .NET 2.0 as a prerequisite so no go there.

    The server connects via a switch through the main server which runs ISA Server 2004....however ISA Server is configured to allow all update services including WSUS.

    It's doing my head in!!

    :twisted: :twisted:
     
    Certifications: CompTIA N+, Server+, CCSN, ITILv3 (f)
    WIP: MCITP Security
  4. zebulebu

    zebulebu Terabyte Poster

    This link might help you out. I'd try the ISA rule allowing all traffic from your WSUS server to the external network for all users and work backwards from there.
     
    Certifications: A few
    WIP: None - f*** 'em
  5. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    I take it these are the sites you have added to the trusted sites list? (outbound on your firewall) Also does the ISA server have any plug-ins to lock down internet traffic? (stop downloading etc.)

    http://*.windowsupdate.microsoft.com
    https://*.windowsupdate.microsoft.com
    http://*.update.microsoft.com
    https://*.update.microsoft.com
    http://*.windowsupdate.com
    http://download.windowsupdate.com
    http://download.microsoft.com
    http://*.download.windowsupdate.com
    http://wustat.windows.com
    http://ntservicepack.microsoft.com

    From the deployment guide it says WSUS needs .NET framework v1.1. In IIS you can change this as it may be running on 2.0

    I had this problem deploying MS CRM and the requirements stated it needed v1.1 but the server had 2.0 on it. Had a few probs running the app but when I downgraded to v1.1 everything worked fine!

    Also, anything in the event logs?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
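
Added example (not part of any post in this thread, and not Microsoft's or ISA Server's own logic): a PowerShell check of which update URLs an allow list like the one in the post above actually covers. It assumes the scheme must match exactly and that a leading `*.` matches one or more subdomain labels but not the bare domain; the sample URLs are constructed.

```powershell
# Allow list copied from the post above.
$AllowList = @(
    'http://*.windowsupdate.microsoft.com'
    'https://*.windowsupdate.microsoft.com'
    'http://*.update.microsoft.com'
    'https://*.update.microsoft.com'
    'http://*.windowsupdate.com'
    'http://download.windowsupdate.com'
    'http://download.microsoft.com'
    'http://*.download.windowsupdate.com'
    'http://wustat.windows.com'
    'http://ntservicepack.microsoft.com'
)

function Test-UpdateUrlAllowed {
    param([Parameter(Mandatory = $true)][string]$Url)
    $uri = [uri]$Url
    foreach ($entry in $AllowList) {
        if ($entry -notmatch '^(https?)://(.+)$') { continue }
        $scheme  = $Matches[1]
        $pattern = $Matches[2]
        # http and https are separate entries, so the scheme has to match.
        if ($uri.Scheme -ne $scheme) { continue }
        if ($pattern.StartsWith('*.')) {
            # Keep the dot in the suffix so matching stops at a label boundary.
            $suffix = $pattern.Substring(1)
            if ($uri.Host.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                return $true
            }
        } elseif ($uri.Host -eq $pattern) {
            return $true
        }
    }
    return $false
}

# Constructed sample URLs, one per case worth checking.
$samples = @(
    'http://download.windowsupdate.com/msdownload/update.cab'  # exact host entry
    'https://www.update.microsoft.com/'                        # wildcard entry over https
    'https://download.windowsupdate.com/'                      # host listed for http only
    'http://windowsupdate.com/'                                # bare domain, no subdomain
    'http://notwindowsupdate.com/'                             # shares a suffix, different domain
)
foreach ($u in $samples) {
    $verdict = if (Test-UpdateUrlAllowed -Url $u) { 'ALLOW' } else { 'BLOCK' }
    '{0,-6} {1}' -f $verdict, $u
}
```
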
  6. GmanUK

    GmanUK Byte Poster

    Yeah Sparky...all sites included...thanks. - The server is defaulted to 1.1 but has 2.0 installed...will check up on that one. No nothing in the event viewer...only the error message as I posted. :(

    Thanks for the link zebulebu, will take a look at opening it all up in the morning and working backwards...will let you know how I get on...thanks again. :)
     
    Certifications: CompTIA N+, Server+, CCSN, ITILv3 (f)
    WIP: MCITP Security
  7. GmanUK

    GmanUK Byte Poster

    Well I have been changing settings left right and centre this morning...with no joy!! I changed the default .NET but no change. I added the WSUS server2 into the ISA Server "let it do anything" list and still not worked! However I now know it must be either the ISA Server or the AD within Server1....this is due to me connecting Server2 directly into the router/modem and it did a full sync!!

    I had noticed a couple other things as well (before hooking it up to the router)....firstly it sometimes still starts to sync but only gets up to 4/5% then fails..so it was letting something out and back in again....the second thing that I have noticed is that when I open IE on the WSUS server it asks for a username/password to see the company intranet....also does the same when trying to open the WSUS admin using IE...now that tells me I have a bigger issue than WSUS and it's got to do with the WSUS server not authenticating with the DC (server1)...What do you think?

    Just to note though...server2 is fully working as a file server, it shows within Servers in comp management and has both firewall client and AV client installed and they connect fine. Shares are also working normally.....I can also manage the server from within comp management on the DC.
     
    Certifications: CompTIA N+, Server+, CCSN, ITILv3 (f)
    WIP: MCITP Security
  8. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Might be worth posting your query on this site to see if anyone there can help you?

    :hhhmmm
     
  9. GmanUK

    GmanUK Byte Poster

    Great site Simon - We like, we like a lot!!

    I have put my question to the forum over there as well.... here's to hoping I get this solved before all my hair goes!!!

    :alc

    Cheers
     
    Certifications: CompTIA N+, Server+, CCSN, ITILv3 (f)
    WIP: MCITP Security
  10. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    That does seem to add to the problem, I take it you are logged onto the WSUS server as domain admin? Also do the IIS virtual directories use integrated Windows authentication?

    What are the IE settings? Do you have ISA as a proxy in there? If so check the ‘Bypass the proxy for local addresses’ option.

    I had a similar problem with not being able to access the ‘companyweb’ address from a file server which I had promoted to being a secondary DC (the main DC is going to fall on its arse one day!). Anyways I just rebooted the file server and then I could access companyweb with no prompts for user authentication.

    Not saying a reboot will solve all your problems but might be worth doing! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  11. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    From Zebs link..

    Firstly Tom Shinder is *the man* when it comes to ISA, so his words should be treated as gems of wisdom. So bearing that in mind I will ask you this..

    Do you have the firewall client installed on the WSUS server?

    If so have you done what he suggested?

    ISA can only authenticate users/groups etc if the Firewall client is installed. The client is an application which gives you an Icon in the system tray.

    If not, have you created an anonymous access rule as he mentioned?
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  12. GmanUK

    GmanUK Byte Poster

    Bluerinse - I had read the comments in the link...The WSUS server does have the firewall client installed but I took it as Direct Access meaning that the server needed to be connected directly to the external router/modem, am I thinking straight with this one? This I can do, and did which worked, but is not really a secure way of running the server! :rolleyes:
     
    Certifications: CompTIA N+, Server+, CCSN, ITILv3 (f)
    WIP: MCITP Security
  13. GmanUK

    GmanUK Byte Poster

    OMG

    I think I have just cracked it!!!!! Thanks to Sparky in part....I was just going through the IE settings for the 'Bypass the proxy for local addresses' and thought I would also check the local sites listing. Now I had already been adding update sites to the trusted sites list like mad over the past couple of days....but this time had a quick peek at the Local Intranet sites....it was empty!!!! So I added the http://server etc and also companyweb and guess what.....it not only sync'ed straight away it now does not ask for a user/pass when trying to access either WSUS admin or company web!! I can't believe this was probably the issue all along!!

    I'm guessing that when the server was added to the domain it did not configure itself properly....looks like I am where I want to be....hopefully....will let you guys know tomorrow when I have a proper look as I'm logging in from home at the moment!

    Thank you to all who have given their comments and helped out!

    Cheers :alc :rocks :rocks
     
    Certifications: CompTIA N+, Server+, CCSN, ITILv3 (f)
    WIP: MCITP Security
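
Added example (not from the thread): the Local Intranet check described in the post above, done by reading the current user's IE zone map from the registry instead of the dialog. It assumes the standard `ZoneMap\Domains` layout, also looks in `ZoneMap\EscDomains` (the store used when IE Enhanced Security Configuration is enabled), and only handles names stored as a single key, such as the `server` and `companyweb` names from the post.

```powershell
$ZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneNames = @{
    0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';    4 = 'Restricted sites'
}

function Get-ExplicitZone {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$Scheme = 'http'
    )
    foreach ($store in 'Domains', 'EscDomains') {
        $keyPath = Join-Path (Join-Path $ZoneMap $store) $HostName
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        # The value name is the scheme (or '*' for every scheme);
        # its DWORD data is the zone number.
        foreach ($valueName in $Scheme, '*') {
            $zone = $key.GetValue($valueName)
            if ($null -ne $zone) {
                return New-Object psobject -Property @{
                    HostName = $HostName
                    Store    = $store
                    Scheme   = $valueName
                    Zone     = $ZoneNames[[int]$zone]
                }
            }
        }
    }
    # Nothing listed for this name in either store.
    return New-Object psobject -Property @{
        HostName = $HostName
        Store    = $null
        Scheme   = $Scheme
        Zone     = '(no explicit mapping)'
    }
}

# Host names taken from the post; run as the account that opens IE.
foreach ($name in 'server', 'companyweb') {
    Get-ExplicitZone -HostName $name
}
```

Zone assignments pushed by Group Policy are stored separately from the per-user keys read here, so an empty result does not rule out a policy-assigned zone.
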
  14. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  15. GmanUK

    GmanUK Byte Poster

    Thanks Bluerinse....seems like a good informative read. I think I will have a good look at that while in work tomorrow! Nothing like being paid for it!

    thanks again for your help with this one! :biggrin
     
    Certifications: CompTIA N+, Server+, CCSN, ITILv3 (f)
    WIP: MCITP Security
  16. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    all working now mate? 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  17. GmanUK

    GmanUK Byte Poster

    :rocks :rocks

    Yeah all working - Cheers Sparky!

    I can't believe it was the bloody Intranet Site settings!! :dry

    But I will know if I get that problem again that's for sure!!! :biggrin

    The funny thing was that today....about 10 minutes after I had sat back feeling smug that it was all now working...a guy from the software dept walked in and said "didn't touch anything...but there is smoke coming from my pc tower".......and life goes on!!! lol :eek:
     
    Certifications: CompTIA N+, Server+, CCSN, ITILv3 (f)
    WIP: MCITP Security
  18. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    LOL :biggrin

    P.S at least it wasn't a Dell laptop 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  19. GmanUK

    GmanUK Byte Poster

    LMAO...it was a Dell tower though!!! haha
     
    Certifications: CompTIA N+, Server+, CCSN, ITILv3 (f)
    WIP: MCITP Security
