Before creating the active software update point site system role in Configuration Manager 2007, there are several requirements that must be considered depending on your Configuration Manager infrastructure. When the Configuration Manager 2007 active software update point will be configured to communicate using Secure Sockets Layer (SSL), or when the site server is in native mode, this section is especially important to review because additional steps must be taken before the software update points in the hierarchy will work properly. This section provides information about each step that is required to successfully plan and prepare for the software update point installation. The software update point infrastructure should be determined before installing the software update points in the hierarchy. For more information, see Determine the Software Update Point Infrastructure.
Important |
---|
When the site server is in native mode, make sure all native mode requirements have been met before implementing the steps described in this section. For more information, see How to Configure Native Mode. |
Software Update Point System Requirements
The software update point site system role must be installed on a computer that meets the Windows Server Update Services (WSUS) 3.0 minimum requirements. For more information about the minimum requirements, see the WSUS 3.0 installation requirements on TechNet (http://go.microsoft.com/fwlink/?LinkId=99233).
Note |
---|
Configuration Manager 2007 Service Pack 1 (SP1) requires WSUS 3.0 SP1 or WSUS 3.0 Service Pack 2 (SP2). WSUS 3.0 SP2 is required to support Configuration Manager 2007 SP2 software update management for the Windows 7 and Windows Server 2008 R2 operating systems. |
Install WSUS on Servers
The software updates feature requires that WSUS 3.0 is installed on the all site system servers that are configured for the software update point site system role. Additionally, when the active software update point is remote from the site server, the WSUS 3.0 Administration Console is required on the site server computer when WSUS 3.0 is not already installed.
WSUS 3.0 Administration Console
The WSUS 3.0 Administration Console must be installed on the site server if the software update point is going to be installed on a remote site system server. This allows the site server to communicate with the WSUS components on the active software update point site system computer. For the step-by-step procedures for installing the WSUS 3.0 Administration Console, see How to Install the Windows Server Update Services 3.0 Administration Console.
WSUS 3.0 Full Installation
Before the software update point site system role can be successfully added to a site system server, WSUS 3.0 must be installed. When a Network Load Balancing (NLB) cluster is used as the active software update point or active Internet-based software update point, the full installation of WSUS 3.0 is required on all site system servers defined in the cluster. For more information about the software update point, where in the hierarchy to install this site system role, and whether to use an NLB cluster for an active software update point, see Determine the Software Update Point Infrastructure. For the step-by-step procedures for installing WSUS 3.0 for software updates, see How to Install Windows Server Update Services 3.0.
Use a WSUS 3.0 Web Site
During the WSUS 3.0 installation, you can choose to use the default Web site used by Internet Information Services (IIS) or create a WSUS 3.0 Web site. It is recommended that a WSUS 3.0 Web site is created so that IIS hosts the WSUS 3.0 services in a dedicated Web site instead of sharing the same Web site used by the other Configuration Manager 2007 site systems or other applications. This is especially true when installing the software update point on the site server. When using a custom Web site for WSUS 3.0, the default port numbers are port 8530 for HTTP protocol and port 8531 for HTTPS protocol (SSL). These port settings will need to be specified when creating the active software update point for the site.
Store Software Updates Locally on the WSUS Server
During the WSUS 3.0 installation, you should select Store updates locally so that any license terms associated with software updates are downloaded and stored on the local hard drive for the WSUS server during the synchronization process. When this setting is not selected, client computers might fail to scan for software updates compliance for updates that have a license terms. When the active software update point is installed, the Store updates locally setting in WSUS is automatically configured, and WSUS Synchronization Manager will verify that the setting is enabled every 60 minutes by default.
Using an Existing WSUS Server for a Software Update Point
You can use a WSUS server that was active in your environment before installing Configuration Manager 2007, but client computers connecting to the WSUS server will scan for all software updates in the WSUS database. This might result in client computers returning compliance state information for software updates outside of the configured classifications, categories, and languages. Before using an existing WSUS server as an active software update point site system, it is recommended that the software updates metadata is deleted from the WSUS database if possible. The WSUS server will be synchronized with new software updates metadata based on the settings configured for the active software update point.
WSUS Configured as a Replica Server
When creating the active software update point site system role on a primary site server, you cannot use a WSUS server that is configured as a replica of the upstream server. When the WSUS server is configured as a replica, Configuration Manager will fail to configure the WSUS server and WSUS synchronization will fail. When an active software update point is created on a secondary site, the WSUS server is configured to be a replica server for WSUS running on the active software update point at the parent primary site. For troubleshooting information, see Troubleshooting Software Update Point Configuration Issues.
Add the Web Server Certificate to the Custom Web Site
When the Configuration Manager 2007 site server is in native mode or when the active software update point is configured to use SSL, a Web server signing certificate must be assigned to the Web site used by WSUS. When the WSUS server uses a custom Web site, which is the recommended configuration, the WSUS Web site must be assigned a Web server certificate where the Subject Name or Subject Alternate Name contains the Internet fully qualified domain name (FQDN). The upstream WSUS server must be provisioned with the same certificate or SSL communication will fail between the servers. The certificate must also reside in Trusted Root Certification Authorities in the Computer certificate store on each client computer before they will able to access the WSUS Web site.
When the site server is in native mode, the Web server certificate that is used for Configuration Manager site systems can be assigned to the WSUS Web site. Alternatively, when WSUS uses the same Web site as the Configuration Manager 2007 site server, and the site server is configured for native mode, the default Web site might already be assigned an appropriate Web server certificate. The certificate would still need to be provisioned on the upstream WSUS server, but it should already reside in the local store on client computers.
For the step-by-step procedure to add the Web server certificate to the WSUS Web site, see How to Add the Web Server Certificate to the Custom WSUS Web Site. For more information about adding the Web server certificate to Configuration Manager 2007 site systems, see Deploying the Web Server Certificates to Site System Servers.
Configure SSL on the WSUS Server
When the site server is in native mode, or when the active software update point is configured to use SSL, the IIS settings must be configured on the WSUS server for the active software update point and the active Internet-based software update point, if configured. You must configure each of the following virtual directories to use SSL:
- APIRemoting30
- ClientWebService
- DSSAuthWebService
- ServerSyncWebService
- SimpleAuthWebService
Software Updates requires that the following virtual directories not be configured to use SSL:
- Content
- Inventory
- ReportingWebService
- SelfUpdate
After the virtual directories have been configured, you must run the WSUSUtil tool to let the health monitoring component of WSUS know that it should use SSL. The command that must be run on the WSUS server is: WSUSUtil.exe configuressl <Name in Web server signing certificate>. For the step-by-step procedures for configuring the virtual roots to use a secured channel, see How to Configure the WSUS Web Site to Use SSL.
Certificates on Client Computers
When the site is in native mode, or when the active software update point is configured to use SSL, client computers must have the certificate that was configured for the WSUS Web site in the local Trusted Root Certification Authorities store. If the certificate is not located in the Trusted Root Certification Authorities store, client computers will fail to scan for software update compliance. For more information, see Deploying a Trusted Root Certification Authority to Configuration Manager Computers.
Configure Firewalls
Software updates on a Configuration Manager 2007 central site communicate with WSUS running on the active software update point site system, which in turn communicates with Microsoft Update to synchronize software updates metadata. The child sites communicate with the active software update point configured for the parent site. When there is an active Internet-based software update point on a site, the site server must communicate with the active Internet-based software update point, and the Internet-based software update point must communicate with the site's active software update point for synchronization to be successful.
When there is a firewall between the Configuration Manager 2007 active software update point and the Internet, an active software update point and its upstream server, or an active Internet-based software update point and the active software update point for the site, the firewall might need to be configured to accept the HTTP or HTTPS ports used by the WSUS Web site. The Internet-based software update point connects to the active software update point by using HTTPS during the synchronization process. When your security policy does not allow an HTTPS connection from the Internet-based software update point to the active software update point on the intranet, you must use the export and import synchronization method. For more information, see How to Synchronize Updates Using Export and Import. By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS. By default, the WSUS server uses port 8530 for HTTP and port 8531 for HTTPS if it is using the WSUS custom Web site. For more information, see How to Determine the Port Settings Used by WSUS.
If your organization does not allow those ports and protocols to be open to all addresses on the firewall between the active software update point and the Internet, you can restrict access to the following domains so that WSUS and Automatic Updates can communicate with Microsoft Update:
- http://windowsupdate.microsoft.com
- http://*.windowsupdate.microsoft.com
- https://*.windowsupdate.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://*.windowsupdate.com
- http://download.windowsupdate.com
- http://download.microsoft.com
- http://*.download.windowsupdate.com
- http://test.stats.update.microsoft.com
- http://ntservicepack.microsoft.com
When there is an active Internet-based software update point or when there are child sites with an active software update point, the following addresses might also need to be added to any firewall that is between the servers:
Child site active software update point
- http://<FQDN for active software update
point on child site>
- https://<FQDN for active software
update point on child site>
- http://<FQDN for active software update
point on parent site>
- https://<FQDN for active software
update point on parent site>
Active Internet-based software update point
- http://<FQDN for active software update
point for site>
- https://<FQDN for active software
update point for site>
- http://<FQDN for active Internet-based
software update point>
- https://<FQDN for active Internet-based
software update point>
Verify Connectivity to Remote WSUS Servers
Before installing the software update point site system role, you should verify that connectivity to the remote WSUS server is successful when using SSL. From the site server, you can open the WSUS Administration Console and connect to the remote WSUS server. Alternatively, you can check SSL communication to the remote WSUS server by using a Web browser and typing https://WSUSServerName. If the connection succeeds, a Web page displaying Under Construction appears.
Note |
---|
During software updates operations, connection from the site server to the WSUS server is in the context of the computer account. The tests in this section verify that the connection can be made to the WSUS server in the user context. |
Install Software Update Point Site System
The software update point site system role is required before software updates can be synchronized, assessed for compliance on clients, and deployed. There can be multiple site system servers with the software update point site system role, but only one site system server can be configured as the active software update point. When the site is in native mode, the active software update point can be configured to accept communication from all client computers. Alternatively, an active Internet-based software update point can be assigned to a remote site system server that accepts communication from only Internet-based client computers and the active software update point accepts communication from client computer on the intranet. Additionally, if the active software update point is configured as an NLB cluster, a site system server with the software update point site role should be created for each server in the NLB.
Important |
---|
Each site system server must have WSUS 3.0 installed and configured before the software update point site role is assigned or the software update point component installation will fail. |
For each of the following scenarios, use the link to the associated procedure about how to install the active software update point:
Software Update Point Scenario | Link to Procedure |
---|---|
Create a non-active software update point site role. |
How to Add the Software Update Point Site Role to a Site System |
Create and configure an active software update point. |
|
Create and configure an active Internet-based software update point, if required. |
How to Create and Configure an Active Internet-Based Software Update Point |
Create an active software update point configured as an NLB cluster, if required. |
How to Configure the Active Software Update Point Component to Use an NLB Cluster |
See Also
Tasks
How to Add the Software Update Point Site Role to a Site SystemHow to Add the Web Server Certificate to the Custom WSUS Web Site
How to Configure the Active Software Update Point Component to Use an NLB Cluster
How to Configure the WSUS Web Site to Use SSL
How to Create and Configure an Active Internet-Based Software Update Point
How to Create and Configure an Active Software Update Point
How to Install the Windows Server Update Services 3.0 Administration Console
How to Install Windows Server Update Services 3.0
Troubleshooting Software Update Point Configuration Issues
Concepts
About the Software Update PointAdministrator Checklist: Configuring Software Updates
Administrator Checklist: Planning and Preparing Software Updates
Benefits of Using Native Mode
Deploying a Trusted Root Certification Authority to Configuration Manager Computers
Deploying the Web Server Certificates to Site System Servers
Determine the Software Update Point Infrastructure
Planning for the Software Update Point Settings
Other Resources
Configuring Internet-Based Client ManagementHow to Configure Native Mode
Software Update Point Component Properties