| Tags: wsus ssl |
#1
SBS 2003 WSUS SSL configuration

I am trying to set up SBS 2003 with WSUS using an SSL certificate and I am at a loss. I have installed the Certificate Authority, made a request for a certificate in IIS, and used the option to send the request immediately to an online CA (which chooses my server automatically in the next screen). I have also run the 'iisreset' command to restart IIS services but it just won't work with SSL - without SSL, everything works great. But I want security when client computers communicate with the server. I have googled this but there is not a lot of info out there about SSL and WSUS full configuration setup.

#2
Re: SBS 2003 WSUS SSL configuration

Well, I have solved my SSL problems! Here are a few key points that I picked up reading around the net.

You must install 'Certificate Authority' if not already installed. Do all your SSL requests/signings within IIS on the WSUSADMIN site. If you run the client diagnostic (wsus tools - google it) and you get the '0x80072f8f' error, Null, Null, then you have an SSL certificate problem only.

When you're done doing the SSL cert request/install for the wsusadmin site, check your certificate to make sure it's loaded properly. Then enable the SSL requirement under the wsusadmin site, directory security - tick require secure channel.

Then go to the command prompt, go to this directory %program files%\Update Services\Tools and run 'wsusutil configuressl SERVERNAME'. The server name should be in caps; hit enter and it will say https://servername:8531. Make note of the output - if only http then verify your wsusadmin site cert. If it says https://servername:8531 you're golden!

Run the client diagnostic tool to test all connections/config. If all passed, make a GPO to send out the cert so all machines can connect and verify the identity. Hope this info will help others getting familiar with WSUS SSL setup.

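A client-side check for the certificate problem described in the post above, as an added example that is not part of the original thread: it reads the WSUS URL the client has been given, connects to it, and reports whether the certificate name matches and whether the chain ends in a root this client trusts. It assumes PowerShell 2.0 or later on the client and that the WSUS address is set through the `WUServer` Windows Update policy value; the `-WsusUrl` parameter and the `$seen` variable are names chosen for this example.

```powershell
# Added example (not from the thread): does this client trust the WSUS SSL certificate?
# Assumes PowerShell 2.0+ and that Group Policy has set the WUServer value.
param([string]$WsusUrl)

if (-not $WsusUrl) {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $WsusUrl = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).WUServer
}
if (-not $WsusUrl) { throw 'No WUServer policy found; pass -WsusUrl https://SERVERNAME:8531' }

$uri = [Uri]$WsusUrl
if ($uri.Scheme -ne 'https') { throw "Client is configured for $WsusUrl, which is not HTTPS." }

# Record what Windows thinks of the certificate instead of aborting the handshake,
# so the report can say which check failed.
$seen = @{ Errors = $null; Subject = $null; Status = @() }
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $errors)
    $seen.Errors  = $errors
    $seen.Subject = $certificate.Subject
    $seen.Status  = @($chain.ChainStatus |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($uri.Host)
} finally {
    $tcp.Close()
}

"Server certificate: $($seen.Subject)"
if ($seen.Errors -eq [System.Net.Security.SslPolicyErrors]::None) {
    'OK: name matches and the chain ends in a root this client trusts.'
}
if ($seen.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
    "FAIL: certificate name does not match '$($uri.Host)' from the WUServer URL."
}
if ($seen.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
    'FAIL: chain is not trusted on this client; the issuing root has not been deployed here.'
    $seen.Status
}
```

The validation callback accepts every certificate only so that the script can report the result; it sends nothing over the connection after the handshake.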
#3
Re: SBS 2003 WSUS SSL configuration

One last note, you do not want the whole wsusadmin site to use SSL, otherwise performance issues and update deployment problems will occur. I only enabled it on the wsusadmin site to fully install and run the configuressl command. After that I looked up a Microsoft article to only enable SSL on the following - which is only 4 or 5 directories under the wsusadmin site that require SSL to be checked.

#4
Re: SBS 2003 WSUS SSL configuration

So you wanted to purchase a 3rd party cert instead of the built in Self Signed SSL? Have you received the 3rd party cert back yet?

--
Cris Hanna [SBS - MVP]
Co-Author, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-...7269967&sr=8-1
------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.

"david08" <david08.3jyxvc@DoNotSpam.com> wrote in message news:david08.3jyxvc@DoNotSpam.com...
> I am trying to setup SBS 2003 with WSUS using SSL certificate and I am
> at a loss. I have installed the Certificate Authority, made a request
> for certificate in IIS, and used the option to send request immediately
> to an online CA (which chooses my server automatically in the next
> screen). I have also ran the 'iisreset' command to restart IIS services
> but it just won't work with SSL - without SSL, everything works great.
> But I want security when client computers communicate with server. I
> have googled this but not a lot of info out there about SSL and WSUS
> full configuration setup.
>
> --
> david08

#5
Re: SBS 2003 WSUS SSL configuration

No, I was going to use a self signed cert from the SBS 2003 server itself. After a little struggle, everything is working great. Although I do have one question. In an SBS environment, what is the best method to push the cert out to all clients? My understanding is, if the client is joined to the domain via the 'connectcomputer' wizard there is no need to push the cert out to them (the wizard installs the basic 'servername' cert for such things as OWA for local access). Is that a correct assumption? I know you can use a GPO under computer configuration, windows settings, security settings, pki folder (I forget the exact name) and import/attach the cert so that it's pushed for all current and future clients on the network.

#6
Re: SBS 2003 WSUS SSL configuration

Hello David,

SBS 2003 server is not a CA server by default, therefore there is no configured GPO for deploying the certificate to clients (the PKI folder has not been configured). Instead, after SBS server installation, when you finish the CEICW wizard, a Self-assigned root certificate will be created for all domain computers. To prevent the manual installation of the certificate on every client computer, Client Configuration will place the certificate in the Trusted Root Certification Authorities store.

Once the client is joined to the domain by Network Configuration, and all the applications are installed by Application Deployment, the next step is automating the configuration of the applications and operating systems by Client Configuration. The following modifications are performed by the Client Configuration:

- My Network Places
- Client TAPI Information
- Connection Manager
- Fax Printer
- SSL Certificate
- Active Sync
- Active Sync Provisioning Information
- Internet Explorer
- Outlook
- Global Settings

Hope this helps.

Best regards,
Robbin Meng(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security