When a Configuration Manager 2007 site server is in native mode, or when the active software update point is configured to use Secure Sockets Layer (SSL), five virtual roots must be configured to use a secured channel on the active software update point server and, if configured, on the active Internet-based software update point server. The virtual roots are located under the Web site used by the Windows Server Update Services (WSUS) server, and they are modified by using Internet Information Services (IIS) Manager. After the virtual roots have been configured, you must run the WSUSUtil tool to let the health monitoring component of WSUS know that it should use SSL.

Use one of the following procedures to configure SSL on the WSUS server.

To configure SSL on the WSUS server by using IIS 6.0

  1. On the WSUS server, open Internet Information Services (IIS) Manager.

  2. Expand Web Sites, and then expand the Web site for the WSUS server. It is recommended that the WSUS Administration custom Web site be used, but the default Web site might have been chosen when WSUS was being installed.

  3. Perform the following steps on the APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories that reside under the WSUS Web site:

    1. Right-click the Web site or virtual directory, and then click Properties.

    2. Click the Directory Security tab, and then click Edit in the Secure Communications section.

    3. Select Require secure channel (SSL), and then click OK.

    4. Click OK to close the properties for the virtual root.

  4. Close Internet Information Services (IIS).

  5. Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet fully qualified domain name (FQDN) of the software update point site system>.

    Important
    The native mode certificate requirement for an Internet-based software update point is that the Internet FQDN and intranet FQDN are both specified in the Web server certificate, even when clients on the intranet will not connect to it. If you specify the intranet FQDN with the WSUSUtil command and the same FQDN is not included in the Web server certificate, the Internet-based software update point will not be able to connect with the active software update point on the intranet, and software updates synchronization will fail. For more information, see Certificate Requirements for Native Mode.

To configure SSL on the WSUS server by using IIS 7.0

  1. On the WSUS server, open Internet Information Services (IIS) Manager.

  2. Expand Sites, and then expand the Web site for the WSUS server. It is recommended that the WSUS Administration custom Web site be used, but the default Web site might have been chosen when WSUS was being installed.

  3. Perform the following steps on the APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories that reside under the WSUS Web site:

    1. In Features View, double-click SSL Settings.

    2. On the SSL Settings page, select Require SSL.

    3. In the Actions pane, click Apply.

  4. Close Internet Information Services (IIS) Manager.

  5. Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system>.
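
The IIS 7.0 steps above can be audited from a script so that a virtual root left without Require SSL is caught. This is an added example, not part of the original procedure: it assumes the WSUS site is named WSUS Administration (the `$SiteName` parameter and `-Fix` switch are names chosen for this example) and calls appcmd.exe, which ships with IIS 7.0.

```powershell
# Added example: audit "Require SSL" on the five WSUS virtual roots (IIS 7.0).
# Run from an elevated PowerShell prompt on the WSUS server.
param(
    # Assumption: name of the IIS site that hosts WSUS; change it if WSUS
    # was installed to the default Web site.
    [string]$SiteName = 'WSUS Administration',
    # When set, add the Ssl flag where it is missing instead of only reporting.
    [switch]$Fix
)

$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$section = 'system.webServer/security/access'
$roots   = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
           'ServerSyncWebService', 'SimpleAuthWebService'

$results = foreach ($root in $roots) {
    $path = "$SiteName/$root"
    # /text:sslFlags prints only the attribute value, for example "None" or "Ssl".
    $raw = & $appcmd list config $path "/section:$section" /text:sslFlags
    $readOk = ($LASTEXITCODE -eq 0)
    if (-not $readOk) { Write-Warning "Cannot read SSL settings for $path" }

    # Keep flags that are already set (such as Ssl128) so -Fix does not drop them.
    $flags = @("$raw".Split(',') | ForEach-Object { $_.Trim() } |
               Where-Object { $_ -and $_ -ne 'None' })
    $requiresSsl = $readOk -and ($flags -contains 'Ssl')

    if ($readOk -and -not $requiresSsl -and $Fix) {
        $new = ($flags + 'Ssl') -join ','
        # The access section is stored in applicationHost.config, hence /commit:apphost.
        & $appcmd set config $path "/section:$section" "/sslFlags:$new" /commit:apphost | Out-Null
        $requiresSsl = ($LASTEXITCODE -eq 0)
    }
    New-Object PSObject -Property @{ VirtualRoot = $path; RequiresSsl = $requiresSsl }
}

$results | Format-Table VirtualRoot, RequiresSsl -AutoSize
# A non-zero exit code lets a scheduled task or monitoring job flag the gap.
if ($results | Where-Object { -not $_.RequiresSsl }) { exit 1 }
```

The script covers step 3 only; WSUSUtil.exe configuressl from step 5 still has to be run afterwards.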
