This is the Windows Server Update Services support team blog. We cover all things relating to WSUS and Windows Update.
Hi everyone, Joao Madureira here. I’m a Senior Support Escalation Engineer here at Microsoft on the System Center team and I wanted to take a minute and talk about installing WSUS in an Internet facing scenario. When installing WSUS, often times you want to have your WSUS server on the Internet but with a different name from the current internal WSUS server name. For example, your domain name is wsus.contoso.com internally but you want to publish the same WSUS to work on the Internet with a different name such as wsus.fabrikan.com. This post will explain that process and how to configure your SSL certificate.
When configuring WSUS, we will need a public or domain certificate that will be trusted by the clients so that they can use SSL/HTTPS. This certificate will require a Subject that will include the internal FQDN for the WSUS server as well as a Subject Alternative Name (SAN) for the external FQDN that will be published outside. Note that even if you have to use only the alternative (external) subject name for the certificate, the subject name still needs to have the internal FQDN to be able to access the Management console (MMC).
After creating the certificate (domain or public cert), add the certificate to the binding for the website in IIS:
Verify if the certificate is correct. The Subject field should contain your internal domain information:
The Subject Alternative Name should contain your internal and external domain information:
Once you’re sure that everything looks correct, test the connection in Internet Explorer to make sure you get a secure website:
Then open a command prompt and navigate to C:\program files\update services\tools and run the following command:
wsusutil configuressl <certificate name> <external FQDN>
You should see something like this:
Once you’ve created the certificate with the SAN (subject alternative name) and the subject name properly populated, you can have your WSUS server facing Internet with a different name than it uses internally.
When trying to connect to the WSUS console, you will see the reason to create a certificate with both names (the internal one and the external one). The MMC uses the internal name to authenticate to the console so the certificate must match the internal FQDN for the machine:
Have fun patching your clients on the Internet!
Joao Madureira | Senior Support Escalation Engineer
The App-V Team blog: http://blogs.technet.com/appv/ The WSUS Support Team blog: http://blogs.technet.com/sus/ The SCMDM Support Team blog: http://blogs.technet.com/mdm/ The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/ The SCVMM Team blog: http://blogs.technet.com/scvmm/ The MED-V Team blog: http://blogs.technet.com/medv/ The DPM Team blog: http://blogs.technet.com/dpm/ The OOB Support Team blog: http://blogs.technet.com/oob/ The Opalis Team blog: http://blogs.technet.com/opalis The Service Manager Team blog: http: http://blogs.technet.com/b/servicemanager The AVIcode Team blog: http: http://blogs.technet.com/b/avicode The System Center Essentials Team blog: http: http://blogs.technet.com/b/systemcenteressentials The Server App-V Team blog: http: http://blogs.technet.com/b/serverappv
Do you know if we can do the same thing using * certs instead of SAN certs? Basically, we have an existing *.fabrikam.com certificate that I have loaded on a load balancer. I was hoping to do SSL termination on that, and just pass through HTTP to the WSUS server. This has not worked. If I load the *.fabrikam.com cert on the server (in my case, let's assume fabrikam.com is both the public and private domain name), then issue the configuressl command, will that enable proper functionality?
Here are additional details:
Public DNS Name: updates.fabrikam.com
Internal DNS Name: wsus01.fabrikam.com