WSUS 3.0 SP1 introduces a new command line tool to help admins set different upstream proxies (one for HTTP and one for SSL). You could set the same proxy server, but running different proxies for HTTP and SSL on different ports.

Currently there is a problem with either one of the following components:

  • WSUS application does not assume that because you have set multiple proxies that it should use a different proxy for SSL
  • the utility wsusutil does not set an extra value in a table to indicate to WSUS that it should use multiple proxies.

In either case, the result is the same: WSUS will always only use the proxy specified for HTTP.

The work-around is to add the extra value to the SUSDB database. WSUS looks to this value, and if configured, will use the separate SSL proxy.

So here’s the procedure:

  1. Install WSUS
  2. Cancel out of the configuration wizard. Do not open the WSUS GUI yet.
  3. Run this command from C:\Program Files\Update Services:
    1. wsusutil.exe configuresslproxy <ssl_proxy_ip_or_name> <port> –enable
  4. Run this SQL Query against the database server used by WSUS:

      USE SUSDB

      GO

      UPDATE dbo.tbConfigurationA SET UpstreamServerUseSSL = 1

      GO

  5. Open the WSUS GUI, open ‘Options’, click on the proxy settings and set your HTTP proxy and port
  6. Check that your SSL proxy settings are still in the database correctly by running:
    1. wsusutil.exe configuresslproxy –show
    2. If they have become “lost” then rerun the command in step 4.

Remember that Product Support doesn’t like WSUS databases which have been “tweaked” with external commands, so use this sparingly.

There is a fix on the way, but until then I hope this helps anyone else out there who stumbles on this problem.

 

UPDATE:

WSUS 3.0 SP2 has fixed this. You can get this here.