Channel: Shavlik User Community : Document List - All Communities

How To Configure IIS To Use SSL Connections On Your WSUS Server

Purpose

 

If you created your code signing certificate using an internal CA, the Shavlik Patch plugin lets you import this certificate via the Shavlik Patch Settings on the WSUS Server tab. However, the import function requires an SSL connection to the WSUS server. As part of the SSL configuration, another type of server certificate, an SSL server certificate, is required for secure communication between the SCCM and WSUS servers. This document describes how to create a self-signed SSL certificate and configure IIS to use SSL on your WSUS server for use with Shavlik Patch for Microsoft System Center.

 

Shavlik does not provide support for Microsoft products such as Configuration Manager, WSUS, or IIS. If you have trouble setting up these prerequisites for installing the Shavlik Patch plugin, it is best to work directly with Microsoft support.

 

Description

 

The steps below show how to configure IIS on the WSUS Server to use SSL. You will need to have the IIS role and functionality working prior to performing these steps. This documentation was created using a Windows Server 2012 R2 environment.

 

1) Ensure that Server Manager is opened (run as administrator), and click Tools > Internet Information Services (IIS) Manager.

2)  Click the server node in the Connections tree. Double-click "Server Certificates".

3)  Click "Create Self-Signed Certificate...".

4)  Fill in the edit field “Specify a friendly name for the certificate”.  Select the “Web Hosting” certificate store.  Click OK.

5)  Click “WSUS Administration” in the Connections tree.

6)  Click “Bindings…” in the Actions column.

7)  Click “https 8531”.  Click “Edit…”.

8)  Select the SSL certificate you just created in the dropdown box.  Click “View…”.

9)  Note the FQDN of the “Issued to” server.  Click OK.

10)  Enter the FQDN host name you noted in the Certificate window.  Click OK.

11)  Click Close.

12)  Expand “WSUS Administration” in the Connections tree.  Click on ClientWebService.  Double-click “SSL Settings”.

13)  Click the checkbox “Require SSL”.  Click Apply.

14)  Repeat the last two steps for “DssAuthWebService”, “ServerSyncWebService”, and “SimpleAuthWebService”.  Close Internet Information Services (IIS) Manager.

15)  Start a command prompt in Administrator mode.  Change directory to C:\Program Files\Update Services\Tools.  Run WsusUtil.exe configuressl <FQDN>.  Make sure you get a similar URL response as shown.  Close the command prompt.

16)  Now you need to export the certificate. Run MMC in Administrator mode.  Click File > Add/Remove Snap-in…

17)  Click Certificates.  Click Add.

18)  Click the radio button “Computer account”.  Click Next.

19)  Click Finish.

20)  Click OK.

21)  Expand the Certificates (Local Computer) \ Trusted Root Certification Authorities and click on Certificates.  Right-click on the certificate that matches the FQDN of this server.  Click All Tasks > Export…

22)  Once you have exported the certificate, copy it to each SCCM system that will need to connect to the WSUS server, and ensure that the certificate is imported into Trusted Root Certification Authorities > Certificates on each of those systems.

 

23) Once this is configured you should then be able to connect using SSL via the Shavlik Patch plugin settings. If you have the Shavlik Patch plugin installed in SCCM, go to Software Library > Software Updates > right click on 'Shavlik Patch', then choose Settings.

 

24) Go to the WSUS Server tab. You can now choose Port 8531 and check the box for 'Use Secure Sockets Layer (SSL) to connect to this server'. Test the connection, and then click the 'Import' button to import your code-signing certificate.
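
A connection test can fail for two different certificate reasons: the FQDN entered in steps 9 and 10 does not match the certificate, or the exported certificate from step 22 is not in the trusted root store of the connecting system. The following PowerShell check, run on the SCCM system, tells the two apart. It is an added example, not part of the original article or of Shavlik's tooling; the function name Test-WsusTls and the host name in the usage comment are hypothetical.

```powershell
# Added example; Test-WsusTls and the host name in the usage line are hypothetical.
function Test-WsusTls {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [int]$Port = 8531
    )
    $state = @{ Errors = $null; Cert = $null }

    # Record the validation result instead of aborting the handshake, so the
    # report can tell a host name mismatch apart from an untrusted root.
    # Nothing is sent over the stream; it is disposed right after the handshake.
    $handler = {
        param($source, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        $true
    }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$handler.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try { $ssl.AuthenticateAsClient($Fqdn) } finally { $ssl.Dispose() }
    }
    finally { $client.Close() }

    $flag = [System.Net.Security.SslPolicyErrors]
    New-Object psobject -Property @{
        Subject      = $state.Cert.Subject
        Thumbprint   = $state.Cert.Thumbprint
        NotAfter     = $state.Cert.NotAfter
        # False: the name passed in -Fqdn is not the one the certificate was issued to.
        NameMatches  = -not $state.Errors.HasFlag($flag::RemoteCertificateNameMismatch)
        # False: the certificate does not chain to a root this system trusts.
        ChainTrusted = -not $state.Errors.HasFlag($flag::RemoteCertificateChainErrors)
    }
}

# Usage (placeholder host name): Test-WsusTls -Fqdn 'wsus01.example.local'
```

Both NameMatches and ChainTrusted should be True before you test the connection in the plugin settings.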


Additional Information

 

For more information refer to the following resources:

Technet - Secure the WSUS 3.0 SP2 Deployment

Microsoft's documentation on System Center 2012 at http://technet.microsoft.com/en-us/library/hh546785.aspx

Shavlik Patch for Microsoft System Center Documentation

 

Affected Product(s)

 

Shavlik Patch for Microsoft System Center

(Formerly Shavlik SCUPdates)

