How to create an Internet facing WSUS server that uses different internal and external names

Hi everyone, Joao Madureira here.  I’m a Senior Support Escalation Engineer here at Microsoft on the System Center team and I wanted to take a minute and talk about installing WSUS in an Internet facing scenario.  When installing WSUS, you often want your WSUS server reachable from the Internet under a name that differs from its current internal name. For example, the server is wsus.contoso.com internally, but you want to publish the same WSUS server on the Internet under a different name such as wsus.fabrikam.com. This post explains that process and how to configure your SSL certificate.

When configuring WSUS, we will need a public or domain certificate that is trusted by the clients so that they can use SSL/HTTPS.  This certificate requires a Subject containing the internal FQDN of the WSUS server, plus a Subject Alternative Name (SAN) containing the external FQDN that is published outside.  Note that even if clients will only ever use the alternative (external) name, the Subject still needs to carry the internal FQDN; otherwise the WSUS Management console (MMC), which connects using the internal name, will not accept the certificate.

After creating the certificate (domain or public cert), add the certificate to the binding for the website in IIS:


Verify that the certificate is correct.  The Subject field should contain your internal domain information:


The Subject Alternative Name should contain your internal and external domain information:


Once you’re sure that everything looks correct, test the connection in Internet Explorer to make sure you get a secure website:


Then open a command prompt and navigate to C:\program files\update services\tools and run the following command:

wsusutil configuressl <certificate name> <external FQDN>

You should see something like this:


Once you’ve created the certificate with the SAN (subject alternative name) and the Subject properly populated, your WSUS server can face the Internet under a different name than it uses internally.
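The checks described above (Subject carries the internal FQDN, SAN carries both names, the certificate is bound to the WSUS HTTPS site and is trusted) can be verified from an elevated Windows PowerShell prompt on the WSUS server. The following function is an added example, not code from the original post or from the WSUS product; it assumes the WSUS HTTPS site listens on the WSUS default port 8531, that the IIS WebAdministration module is available, and the host names in the usage call are constructed sample values.

```powershell
# Added example (not from the original post): verify that the certificate bound to the
# WSUS HTTPS site has the name layout the post requires:
#   Subject CN = internal FQDN   (the WSUS MMC console connects with this name)
#   SAN        = internal FQDN and external FQDN (clients connect with either)
# Assumptions: run as administrator on the WSUS server; HTTPS binding is on port 8531
# (WSUS default, an assumption here); WebAdministration module is installed with IIS.

function Get-WsusHttpsThumbprint {
    # Returns the thumbprint of the certificate bound to the HTTPS site on $Port.
    param([int]$Port = 8531)
    Import-Module WebAdministration -ErrorAction Stop
    $binding = Get-WebBinding -Protocol https |
        Where-Object { $_.bindingInformation -like "*:${Port}:*" } |
        Select-Object -First 1
    if (-not $binding) { throw "No HTTPS binding found on port $Port" }
    return ($binding.certificateHash -replace '\s', '').ToUpper()
}

function Test-WsusCertificateNames {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$InternalFqdn,
        [Parameter(Mandatory)][string]$ExternalFqdn
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -ieq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

    # Subject CN: the name the MMC console validates against the internal FQDN.
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # SAN (OID 2.5.29.17): Format($false) yields "DNS Name=a, DNS Name=b"; extract each name.
    $sanNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() }
    }

    $checks = [ordered]@{
        SubjectIsInternalFqdn = ($cn -ieq $InternalFqdn)
        SanHasInternalFqdn    = ($sanNames -contains $InternalFqdn.ToLower())
        SanHasExternalFqdn    = ($sanNames -contains $ExternalFqdn.ToLower())
        HasPrivateKey         = [bool]$cert.HasPrivateKey
        NotExpired            = ($cert.NotAfter -gt (Get-Date))
        ChainTrusted          = $cert.Verify()   # builds the chain against the local machine stores
    }

    foreach ($name in $checks.Keys) {
        if (-not $checks[$name]) { Write-Warning "Check failed: $name (Subject CN='$cn'; SAN='$($sanNames -join ',')')" }
    }
    $result = [PSCustomObject]$checks
    $result | Add-Member -NotePropertyName AllPassed -NotePropertyValue (-not ($checks.Values -contains $false))
    return $result
}

# Usage (sample names are constructed; replace with your own):
$thumb = Get-WsusHttpsThumbprint -Port 8531
Test-WsusCertificateNames -Thumbprint $thumb `
    -InternalFqdn 'wsus.contoso.com' -ExternalFqdn 'wsus.fabrikam.com' | Format-List
```

Run this after adding the IIS binding and again after `wsusutil configuressl`; a failed `SubjectIsInternalFqdn` check is the condition that later shows up as the MMC console refusing to connect, and a failed `ChainTrusted` check means clients will reject the HTTPS connection even though the names are right.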

When you connect to the WSUS console, you will see why the certificate needs both names (the internal one and the external one).  The MMC uses the internal name to authenticate to the console, so the certificate must match the internal FQDN of the machine:


Have fun patching your clients on the Internet!

Joao Madureira | Senior Support Escalation Engineer

The App-V Team blog: http://blogs.technet.com/appv/
The WSUS Support Team blog: http://blogs.technet.com/sus/
The SCMDM Support Team blog: http://blogs.technet.com/mdm/
The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/
The SCVMM Team blog: http://blogs.technet.com/scvmm/
The MED-V Team blog: http://blogs.technet.com/medv/
The DPM Team blog: http://blogs.technet.com/dpm/
The OOB Support Team blog: http://blogs.technet.com/oob/
The Opalis Team blog: http://blogs.technet.com/opalis
The Service Manager Team blog: http://blogs.technet.com/b/servicemanager
The AVIcode Team blog: http://blogs.technet.com/b/avicode
The System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
The Server App-V Team blog: http://blogs.technet.com/b/serverappv

  • Do you know if we can do the same thing using * certs instead of SAN certs? Basically, we have an existing *.fabrikam.com certificate that I have loaded on a load balancer. I was hoping to do SSL termination on that, and just pass through HTTP to the WSUS server. This has not worked. If I load the *.fabrikam.com cert on the server (in my case, let's assume fabrikam.com is both the public and private domain name), then issue the configuressl command, will that enable proper functionality?

    Here are additional details:

    Public DNS Name: updates.fabrikam.com

    Internal DNS Name: wsus01.fabrikam.com

    Certificate: *.fabrikam.com