In this post I will show you how to configure WSUS (Windows Server Update Services), or a Configuration Manager Software Update Point (SUP), to use SSL/TLS for client and console communication. If you have an Active Directory Certificate Services certification authority (CA) in your environment, you can create and issue a Web Server certificate template, request a certificate from it on the WSUS server, and then configure IIS to use the newly issued certificate.
If Configuration Manager uses WSUS as its Software Update Point (SUP), one additional change is required in the Configuration Manager console: the option "Require SSL communication to the WSUS server", which I explain at the end.
Securing WSUS / SUP with SSL is a highly recommended step. Without it, clients fetch update metadata and report status over cleartext HTTP on port 8530, so an attacker positioned on the network can read and tamper with that exchange; with TLS on port 8531 the client verifies that it is talking to the genuine WSUS server before trusting what it is served.
Steps to configure SSL certificate
The following steps need to be performed:
- Create Web Server Certificate
- Issue Web Server Certificate
- Request Web Server Certificate (on WSUS Server)
- Configure IIS on WSUS Server
- Configure SSL Communication on SCCM Console
Create Web Server Certificate
You need a PKI infrastructure (an AD CS enterprise CA) in your environment to create the Web Server certificate template. Log on to the CA server and launch the Certification Authority console; it can also be started by running certsrv.msc.
Under Certification Authority, right-click Certificate Templates and select Manage.
This will launch the Certificate Templates Console. Among the templates, look for Web Server. Right-click it and select Duplicate Template.
Under Properties of New Template > Compatibility tab, make sure the Compatibility Settings are set to Windows Server 2003.
Click the General tab and enter the Template display name WSUS Web Server Certificate.
Provide the validity period; the default is 2 years.
Click the Subject Name tab and make sure "Supply in the request" is selected. This lets the requester put the WSUS server's FQDN into the certificate, but it also means that anyone who can enrol for this template can ask for a certificate for any host name, so the Enroll permission must be restricted to the WSUS server alone in the next step.
Click the Security tab and remove the Enroll permission for Domain Admins and Enterprise Admins.
Click Add, change Object Types to include Computers, add the WSUS server's computer account, and grant it Read and Enroll.
Click on OK and exit the Certificate Templates Console.
Issue Web Server Certificate
In the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.
This launches the Enable Certificate Templates dialog box. Scroll down to the previously created template, WSUS Web Server Certificate, whose Intended Purpose is Server Authentication, and click OK.
The Web Server certificate template is now created and issued, and is visible under Certificate Templates.
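The two steps above are done in the GUI; the following PowerShell, added here as an example and not part of the original post, verifies the result from any domain-joined admin workstation. It checks that the template really has "Supply in the request" set, lists every principal that holds Enroll or AutoEnroll on it (the control that matters for a supply-in-request template), and confirms the template is published by the CA. It assumes the template name WSUSWebServerCertificate (the name AD CS derives from the display name "WSUS Web Server Certificate"; check the template's General tab) and the WSUS computer account MANBAN\WSUS01$.

```powershell
# Added example (not from the original post): audit the duplicated template.
# Assumptions: template name WSUSWebServerCertificate, WSUS account MANBAN\WSUS01$.
Import-Module ActiveDirectory

$TemplateName = 'WSUSWebServerCertificate'
$Expected     = @('MANBAN\WSUS01$')                 # principals allowed to enrol
$ConfigNC     = (Get-ADRootDSE).configurationNamingContext
$PkiBase      = "CN=Public Key Services,CN=Services,$ConfigNC"
$EnrollRight  = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment
$AutoEnroll   = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$GenericAll   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# 1. Template attributes: is "Supply in the request" set, and which EKUs does it carry?
$tpl = Get-ADObject -Identity "CN=$TemplateName,CN=Certificate Templates,$PkiBase" `
        -Properties msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage, nTSecurityDescriptor
$supplyInRequest = ($tpl.'msPKI-Certificate-Name-Flag' -band 1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
'{0}: EnrolleeSuppliesSubject={1} EKU={2}' -f $TemplateName, $supplyInRequest, ($tpl.pKIExtendedKeyUsage -join ',')

# 2. Who can enrol? Allow ACEs for the Enroll/AutoEnroll extended rights, or GenericAll.
$enrollers = $tpl.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            (@($EnrollRight, $AutoEnroll) -contains $_.ObjectType) -or
            (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll)
        )
    } |
    Select-Object -ExpandProperty IdentityReference -Unique
"Principals that can enrol: $($enrollers -join ', ')"
$unexpected = $enrollers | Where-Object { $_.Value -notin $Expected }
if ($unexpected) { Write-Warning "Unexpected enrollers on $TemplateName : $($unexpected -join ', ')" }

# 3. Is the template published by an enrollment service (the CA)?
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$PkiBase" `
        -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates, dNSHostName
foreach ($ca in $cas) {
    '{0} ({1}): published={2}' -f $ca.Name, $ca.dNSHostName, ($ca.certificateTemplates -contains $TemplateName)
}
```

If the warning fires, a principal other than the WSUS server can request a Server Authentication certificate for an arbitrary host name from your CA; fix the template ACL before issuing it.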
Request Web Server Certificate
The certificate template is now created on the CA. Next, request a certificate from it on the WSUS server.
Log on to the WSUS server and open the local computer certificate store by running certlm.msc. Alternatively, run mmc and add the Certificates snap-in for the Computer account.
Under the certificate store, right-click Personal > All Tasks > Request New Certificate.
This will launch Certificate Enrollment wizard, click Next.
On Select Certificate Enrollment Policy, click on Next.
On the Request Certificates page you can see the templates available under Active Directory Enrollment Policy. Select WSUS Web Server Certificate; it requires more information before enrolling, so click "More information is required to enroll for this certificate."
This launches Certificate Properties. We are not going to set the Subject name, only the Alternative name.
Under Alternative name > Type, change the type from Directory name to DNS, enter the FQDN of the WSUS server as the Value and click Add. This name must be exactly the host name clients will be told to use in the GPO or the SUP (here WSUS01.manban.com); if clients reach WSUS through an alias, add that name as well, otherwise they will reject the certificate.
It is good practice to specify a friendly name. Click the General tab and enter the Friendly name WSUS SSL Certificate; this helps identify and select the correct certificate when assigning it in IIS later.
Once done, click on Enroll under Request Certificates page.
You will get message with Status “Succeeded”.
We can see the certificate is available under Personal store now.
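The same enrollment can be scripted. The PowerShell below is an added example, not code from the original post: it requests the certificate through the PKIClient module's Get-Certificate cmdlet against Active Directory enrollment policy, sets the friendly name, and then checks the properties a practitioner wants confirmed before binding the certificate in IIS (FQDN present in the SAN, Server Authentication EKU, private key present). It assumes the template name WSUSWebServerCertificate and the FQDN wsus01.manban.com.

```powershell
# Added example (not from the original post): enrol for the WSUS certificate and verify it.
# Assumptions: template name WSUSWebServerCertificate, WSUS FQDN wsus01.manban.com.
$Fqdn         = 'wsus01.manban.com'
$TemplateName = 'WSUSWebServerCertificate'
$FriendlyName = 'WSUS SSL Certificate'

# The template allows the subject to be supplied in the request, so we set both
# the CN and a DNS SAN to the name clients will use.
$result = Get-Certificate -Template $TemplateName `
                          -SubjectName "CN=$Fqdn" `
                          -DnsName $Fqdn `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status '$($result.Status)' (pending requests need CA approval)"
}
$cert = $result.Certificate
$cert.FriendlyName = $FriendlyName      # persisted in the store, used to pick the cert in IIS

# Decode the SAN (2.5.29.17) and EKU (2.5.29.37) extensions into readable text.
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$eku = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).Format($false)

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Subject       = $cert.Subject
    SAN           = $san
    EKU           = $eku
    HasPrivateKey = $cert.HasPrivateKey
    NotAfter      = $cert.NotAfter
    Issuer        = $cert.Issuer
}

# Fail fast on the three things that make an otherwise valid-looking cert useless for WSUS.
if ($san -notmatch [regex]::Escape($Fqdn))   { throw "SAN does not contain $Fqdn" }
if ($eku -notmatch '1\.3\.6\.1\.5\.5\.7\.3\.1') { throw 'Certificate lacks the Server Authentication EKU' }
if (-not $cert.HasPrivateKey)                 { throw 'No private key is associated with the certificate' }
```

Run it in an elevated PowerShell session on the WSUS server, since the request is made with the computer account and the key lands in the machine store.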
Bind the certificate to WSUS website in IIS
Launch Internet Information Services (IIS) Manager (shortcut: run inetmgr).
Expand the server node; under it you will see Sites. We need to bind the certificate to the WSUS Administration site. Select it and, in the right-hand Actions pane, click Bindings.
This launches Site Bindings; you will see two bindings, http on port 8530 and https on port 8531. We need to attach the SSL certificate to the https binding. Select https and click Edit.
Under Edit Site Binding > SSL certificate, select the previously requested Web Server certificate, which shows the friendly name WSUS SSL Certificate.
Once done, click Close on Site Bindings.
Configure WSUS web services to require SSL
We are now going to change the SSL Settings for the following WSUS web services (virtual directories), which Microsoft documents as the ones that must require SSL:
- ApiRemoting30
- ClientWebService
- DSSAuthWebService
- ServerSyncWebService
- SimpleAuthWebService
These web services can be seen under the WSUS Administration site. Do not require SSL on Content, Inventory, ReportingWebService or SelfUpdate: clients fetch the update binaries from Content over plain HTTP and verify their hashes against the metadata they received over SSL, and those directories stop working if SSL is forced.
Select the first one, ApiRemoting30, and double-click SSL Settings. Tick Require SSL; we are not changing Client certificates and keep the "Ignore" setting. Click Apply to save the settings.
Repeat this for all five directories listed above.
Configure WSUS application to use SSL
Our work is not complete yet: WSUS itself is still configured for the http port. Change this by running the following command on the WSUS server, giving the FQDN exactly as it appears in the certificate's SAN:
WsusUtil.exe Configuressl WSUS01.MANBAN.COM
Note: WsusUtil.exe resides in "C:\Program Files\Update Services\Tools"; run the command from that folder or give the full path.
When the command completes successfully, the URL shown has changed to port 8531.
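The IIS binding, the five Require SSL settings and the WsusUtil step above can be done in one script on the WSUS server. The PowerShell below is an added example, not code from the original post, and uses the WebAdministration module. It assumes the default site name "WSUS Administration", the friendly name WSUS SSL Certificate from the enrollment step, and the FQDN wsus01.manban.com; the list of virtual directories is the one Microsoft documents for WSUS.

```powershell
# Added example (not from the original post): bind the certificate, require SSL on the
# WSUS web services, switch WSUS to HTTPS, then verify.
# Assumptions: site "WSUS Administration", friendly name "WSUS SSL Certificate",
# FQDN wsus01.manban.com.
Import-Module WebAdministration

$Fqdn     = 'wsus01.manban.com'
$SiteName = 'WSUS Administration'

# 1. Pick the certificate by friendly name; refuse ambiguous or expired matches.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'WSUS SSL Certificate' -and $_.NotAfter -gt (Get-Date) }
if (@($cert).Count -ne 1) { throw "Expected exactly one valid certificate, found $(@($cert).Count)" }

# 2. Attach it to the https:8531 binding that WSUS setup already created.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 8531
if (-not $binding) { throw "No https:8531 binding on site '$SiteName'" }
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL on the five virtual directories that carry metadata and reporting.
#    Content, Inventory, ReportingWebService and SelfUpdate deliberately stay HTTP.
$RequireSsl = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
              'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($vdir in $RequireSsl) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$SiteName/$vdir" `
        -Filter 'system.webServer/security/access' `
        -Name 'sslFlags' -Value 'Ssl'       # "Require SSL", client certificates ignored
}

# 4. Tell WSUS itself to use HTTPS; this is what moves the console to port 8531.
& 'C:\Program Files\Update Services\Tools\WsusUtil.exe' configuressl $Fqdn

# 5. Verify: every directory in the list must now report sslFlags = Ssl.
foreach ($vdir in $RequireSsl) {
    $flags = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Location "$SiteName/$vdir" `
                -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
    if ("$flags" -notmatch 'Ssl') { throw "$vdir does not require SSL (sslFlags=$flags)" }
    '{0,-22} sslFlags={1}' -f $vdir, $flags
}
```

Run it elevated; the WsusUtil step also needs the WSUS administrator role on the server.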
Verify Connectivity with WSUS
Launch the Windows Server Update Services console. If everything is configured correctly it opens without error. Click the server node and you will see the Connection type as Local/SSL with Port 8531.
Configure SSL Setting in GPO for WSUS
If you run WSUS standalone (not as a Configuration Manager SUP), the clients must be repointed. Log on to a domain controller and edit the existing GPO in which you specified "Specify intranet Microsoft update service location", which directs clients to the WSUS server.
This GPO setting is located under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service.
Change the following settings; both must use https and port 8531, and the host name must match the certificate's SAN:
Set the intranet update service for detecting updates: https://WSUS01.manban.com:8531
Set the intranet statistics server: https://WSUS01.manban.com:8531
Clients must also trust the CA that issued the WSUS certificate. Domain-joined clients receive an enterprise CA's root certificate automatically through Active Directory; workgroup or DMZ clients need it placed in their Trusted Root Certification Authorities store, or they will fail to contact WSUS.
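After the GPO has refreshed, the following PowerShell, an added example rather than code from the original post, checks a client end to end: that the policy now carries the HTTPS URL, that a TLS session to WSUS validates (name match and chain against this client's trusted roots), that the Windows Update Agent's web service answers on 8531, and it then triggers a detection. It assumes the policy URL https://WSUS01.manban.com:8531.

```powershell
# Added example (not from the original post): verify a client after the GPO change.
# Assumption: the WSUS URL in policy is https://WSUS01.manban.com:8531.
$Expected = 'https://WSUS01.manban.com:8531'

# 1. Policy as applied on this machine (run gpupdate /target:computer /force first).
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
foreach ($name in 'WUServer', 'WUStatusServer') {
    if ($wu.$name -ne $Expected) { throw "$name is '$($wu.$name)', expected '$Expected'" }
}
"Policy OK: WUServer and WUStatusServer = $Expected"

# 2. TLS handshake with the same SChannel validation the Windows Update Agent relies on.
#    A failure here means the SAN does not cover the host name or the issuing CA is not
#    trusted on this client.
$uri = [Uri]$Expected
$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($uri.Host)    # throws on name mismatch or untrusted chain
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Protocol = $ssl.SslProtocol
        Subject  = $remote.Subject
        Issuer   = $remote.Issuer
        NotAfter = $remote.NotAfter
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 3. The web service the agent talks to must answer on 8531.
$resp = Invoke-WebRequest -Uri "$Expected/ClientWebService/client.asmx" -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "client.asmx returned HTTP $($resp.StatusCode)" }

# 4. Kick off a detection so the client shows up in WSUS and any error lands in the
#    Windows Update log (Get-WindowsUpdateLog on Windows 10 / Server 2016 and later).
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

If step 2 throws while the same check succeeds from the WSUS server itself, the client is missing the CA's root certificate rather than WSUS being misconfigured.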
Configure SSL setting in SUP for Configuration manager
If you are not using WSUS standalone but as the Software Update Point role under Configuration Manager, launch the Configuration Manager console and navigate to \Administration\Overview\Site Configuration\Servers and Site System Roles.
Select the site system server and, in the lower pane, open the properties of the Software update point role. On the General tab check "Require SSL communication to the WSUS server" and make sure the WSUS ports are set to 8530 and 8531. The site server must trust the CA that issued the WSUS certificate; after the change, confirm in WCM.log and WSUSCtrl.log on the site server that the SUP still connects to WSUS, and in wsyncmgr.log that synchronization succeeds.
WSUS can be secured with an SSL certificate. This is also a prerequisite for deploying third-party updates, such as Dell, Lenovo and Adobe catalogs, through Configuration Manager, which requires the software update point to use SSL. If the SUP is remote from the site server, this configuration is mandatory and is one of the first steps to complete before proceeding with anything else.