Wednesday, July 25, 2007

Windows Server Update Services (WSUS) 3.0

I know it's been almost two months. No excuses, let's get down to business with WSUS 3, the free tool to manage Microsoft Updates to Windows machines on a network. WSUS 3 requires MS SQL 2005 in one flavor or another and I wanted to use the full version (not Express, which is free here) to simplify backups since I use a dedicated SQL server. As such I had to make the upgrade from SQL 2000 to 2005 on that box, more about that in a later blog entry.

Any System Administrator that has to maintain more than 2 Windows servers or workstations who is not using WSUS, this blog entry is for you -- I'm about to make your life easier. If you're using WSUS 2.0 already, upgrading shouldn't be too hard, but that's not the subject of this blog entry -- take a look here *before* you upgrade. One more warning, it's going to be significantly harder to do this if you don't have an Active Directory infrastructure in place.

The install for this product is pretty easy (those who used WSUS 2.0 know what I mean). Make sure you install the prerequisites on the download page (IIS, .NET) and hold onto the Microsoft Report Viewer installer for your administrative workstation. After that you double-click the WSUS installer executable and almost the entire process is self-explanatory. I'll go through the post-install details that I didn't think were completely obvious rather than giving a step-by-step of "Next>", "Next>" etc. The only two installation details I can think of here are 1) make sure to use the WSUS dedicated site and 2) if you use a standalone SQL server and are using the default instance to host your databases, you only need to put in the name of the SQL server (as opposed to SQL server\instance name).

You *need* to do a few things after running the installer. First you need to either issue or obtain an SSL certificate for the IIS server you are hosting WSUS on. Then you need to attach that SSL certificate to the two Web Sites that WSUS uses. That's right, it uses both the "Default Web Site" and the "WSUS Administration" website. Next, require SSL in the following places (*NOT* at the Web Sites themselves, just the subdirectories):
-Default Website
  -Selfupdate
  -ClientWebService
-WSUS Administration
  -ApiRemoting30
  -ClientWebService
  -DssAuthWebService
  -ServerSyncWebService
  -SimpleAuthWebService
The above settings (which are more or less the SSL directories defined by Microsoft) imply that you need to open ports 8530, 8531 and 443 (all TCP - it's web traffic) on your firewall to any machines that you want to update with WSUS.
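
One way to confirm these settings from a client machine, as an added example that is not part of the original post: the script requests one resource in each listed directory over plain HTTP and over HTTPS and reports any directory that still answers without SSL or whose certificate the client does not trust. Port 80 for the Default Web Site, the file names under each directory (stock WSUS 3.0 names), the host name and the function names are assumptions; adjust them to your server.

```python
import http.client
import ssl

# (site, plain-HTTP port, HTTPS port, resources). Grouping follows the post's list.
# Assumed: port 80 for the Default Web Site and the file names under each
# directory (stock WSUS 3.0 names); adjust both to your server.
CHECKS = [
    ("Default Web Site", 80, 443, [
        "/Selfupdate/wuident.cab",
        "/ClientWebService/client.asmx"]),
    ("WSUS Administration", 8530, 8531, [
        "/ApiRemoting30/WebService.asmx",
        "/ClientWebService/client.asmx",
        "/DssAuthWebService/DssAuthWebService.asmx",
        "/ServerSyncWebService/ServerSyncWebService.asmx",
        "/SimpleAuthWebService/SimpleAuth.asmx"]),
]

def probe(host, port, path, tls, timeout=5):
    """GET path; return the HTTP status, or None if connecting or the TLS handshake fails."""
    try:
        if tls:
            # Default context verifies the chain and host name, as update clients must.
            conn = http.client.HTTPSConnection(
                host, port, timeout=timeout, context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            return conn.getresponse().status
        finally:
            conn.close()
    except (OSError, http.client.HTTPException):
        return None

def audit(host, probe_fn=probe):
    """Return (site, path, problem) tuples; an empty list means every check passed."""
    findings = []
    for site, http_port, https_port, paths in CHECKS:
        for path in paths:
            plain = probe_fn(host, http_port, path, False)
            # With "Require SSL" set, IIS refuses plain HTTP with 403 (403.4).
            if plain is not None and plain != 403:
                findings.append((site, path, "plain HTTP answered %d" % plain))
            if probe_fn(host, https_port, path, True) is None:
                findings.append((site, path, "HTTPS failed (unreachable or untrusted certificate)"))
    return findings

if __name__ == "__main__":
    for finding in audit("wsus.example.internal"):  # hypothetical host name
        print(*finding, sep=" | ")
```

A closed HTTP port is not reported, since nothing is exposed in that case; a 403 can also come from other IIS restrictions, so treat a clean run as a sanity check rather than proof of the exact setting.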
