Click OK to close the Enable client-side targeting policy and return to the Windows Update details pane. I have checked each of the items above and my server is set as such, but I am still seeing the Red X on the WSUS server and it says “computer has not reported status in 90 days.” The computer being the WSUS server itself. For example, if you specify that there should be four synchronizations per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M. After selecting the appropriate synchronization options for your deployment, click Next to continue. Private Memory Limit (KB): the maximum amount of private memory a worker process can consume before causing the application pool to recycle. On the Connect to Upstream Server page, click Start Connecting. Configure computer groups in this topic. When you have the answers for these questions, you can start configuring the following WSUS network settings: Updates: specify the way this server will obtain updates (from Microsoft Update or from another WSUS server). Click OK to close the Configure Automatic Updates policy and return to the Windows Update details pane. For example, if you are using HTTP, you should type http://servername:8530. An IIS Worker Process was using over 2GB of RAM when the problem would occur. These settings are found in IIS Manager > Application Pools > choose WsusPool and then click the Advanced Settings link in the right side pane of IIS Manager. Type the following command: wsusutil configuresslproxy <proxy_server> <proxy_port> -enable, where proxy_server is the name of the proxy server that supports HTTPS and proxy_port is the port number of that proxy server. So, I was planning to have 30,000 clients under that SUP. On the Update Source page, select Synchronize from another Windows Server Update Services server. This is a manual execution only. For more information about IPsec, see Creating and Using IPsec Policies. The WSUS database can be local or a remote SQL Server 2008/2012 instance. You can use any port for SSL.
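As an added example (this is not code from the original page, from Microsoft's documentation, or from the blog it quotes), the wizard settings walked through above, the update source, the proxy, the synchronization schedule, client-side targeting and a test computer group, can be set with the WSUS administration API from PowerShell. The host names, ports and the group name 'Test' are placeholders; it assumes the UpdateServices module that ships with the WSUS role and an elevated session on the WSUS server itself.

```powershell
# Added example, not from the original page: configure update source, proxy,
# synchronization schedule and targeting mode through the WSUS API.
# All host names, ports and group names below are placeholders.
Import-Module UpdateServices

$wsus   = Get-WsusServer          # connects to the local WSUS server
$config = $wsus.GetConfiguration()

# Update source: synchronize from an upstream WSUS server over SSL.
# Clients and downstream servers that use SSL must name the upstream by FQDN.
$config.SyncFromMicrosoftUpdate      = $false
$config.UpstreamWsusServerName       = 'wsus-upstream.corp.example'
$config.UpstreamWsusServerPortNumber = 8531        # custom SSL port; clear HTTP goes to the port one below (8530)
$config.UpstreamWsusServerUseSsl     = $true
$config.IsReplicaServer              = $false      # autonomous: approvals are made on this server

# Proxy for synchronization (only if the server needs one to reach the upstream).
$config.UseProxy        = $true
$config.ProxyName       = 'proxy.corp.example'
$config.ProxyServerPort = 8080

# Client-side targeting: clients name their own group via policy instead of
# being assigned in the console (TargetingMode 'Server').
$config.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
$config.Save()

# Schedule: first synchronization at 03:00, four per day (03:00, 09:00, 15:00, 21:00).
# The API stores the time of day in UTC, so convert from local time if needed.
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]'03:00:00'
$sub.NumberOfSynchronizationsPerDay    = 4
$sub.Save()

function Get-SyncTimes {
    # Returns the daily synchronization times implied by a first time and a count.
    param([TimeSpan]$First, [int]$PerDay)
    $step = [TimeSpan]::FromHours(24 / $PerDay)
    0..($PerDay - 1) | ForEach-Object {
        ($First + [TimeSpan]::FromTicks($step.Ticks * $_)).ToString('hh\:mm')
    }
}
Get-SyncTimes -First $sub.SynchronizeAutomaticallyTimeOfDay -PerDay $sub.NumberOfSynchronizationsPerDay

# A test group so updates can be staged before they reach every client.
if (-not ($wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Test' })) {
    $null = $wsus.CreateComputerTargetGroup('Test')
}
```

Get-SyncTimes only mirrors what the console shows; the Save() calls are what change the server, so run the script once, then confirm the values in the WSUS console under Options before leaving it scheduled.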
We need to open the IIS console and locate the Application Pools branch. After selecting the appropriate language options for your deployment, click Next to continue. In the Proxy port number text box, type the port number of the proxy server. This post will help you get some details about a couple of Best Practices Related to IIS for SCCM SUP WSUS Setup. Review the features checked below. In the right pane, expand the server name. The certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Services Trusted Root CA store. In the Set Computer Group Membership dialog box, select the test group that you created, and then click OK. WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server.
* Make the following Advanced Settings changes for the WSUS application pool in IIS:
- Queue Length: 25000 (from 10000)
- Limit Interval (minutes): 15 (from 5)
- "Service Unavailable" Response Type: TcpLevel (from HttpLevel)
* Edit the web.config (C:\Program Files\Update Services\WebServices\ClientWebService\web.config) for WSUS (stop IIS first):
To add the proxy server that uses the HTTP protocol to the WSUS configuration, use the following procedure: In the left pane, expand the server name, and then click Options. The steps that are required to set up a certification authority, bind the certificate to the WSUS website, and establish a trust between the client computers and the certificate are beyond the scope of this guide. He is a Solution Architect on enterprise client management with more than 17 years of experience (calculated as of 2018) in IT. WSUS Configuration Manager will not be able to configure WSUS Server "CMServerName.domain.local" as the WSUS Server remoting API's of version 3.0 SP2 or greater are not installed on this site server.
Clients and downstream servers that are configured to use Transport Layer Security (TLS) or HTTPS must also be configured to use a fully qualified domain name (FQDN) for their upstream WSUS server. Use Internet Information Services (IIS) throttling to apply limits to one or more web services. If the certificate is imported to the Local User's Trusted Root CA store only, Automatic Updates will fail server authentication. The best way to configure Automatic Updates depends on the network environment. In Start Search, type Command Prompt. Click Next if you want to read more about additional settings, or you can click Finish to conclude this wizard and finish the initial WSUS setup. Set the time for the First synchronization, and then specify the number of Synchronizations per day that you want this server to perform. If you have set up Active Directory in your network, you can configure one or multiple computers simultaneously by including them in a Group Policy Object (GPO), and then configuring that GPO with WSUS settings. Computer groups permit you to test and target updates to specific computers. Or you can create and apply the GPO to a specific OU (containing your computers). Shavlik does not provide support for Microsoft products such as Configuration Manager, WSUS, or IIS. To remove a proxy server from the WSUS configuration, clear the check box for Use a proxy server when synchronizing. Because WSUS initiates all the network traffic to its upstream server, it is not necessary to configure Windows Firewall on the WSUS server for that connection. Certificate Updates/Revocation. I’ve just checked your screenshot and that is correct, though. Then click Next to proceed.
Step 10: On the Web Server Role (IIS) page, click Next.
Step 11: Leave all selections as default on the Role Services page and click Next.
Step 12: Click Next on this screen.
Step 13: On the Role Services page, make sure WID Database and WSUS Services are selected (they should be selected by default).
Configure the WSUS web services to require SSL. In this section, locate the parameter named Private Memory Limit (KB). DESCRIPTION: Comprehensive Windows Server Update Services (WSUS) configuration and optimization script. Go to Start, type cmd, right-click Command Prompt, and then click Run as administrator. A value of 0 means there is no limit. Can this computer connect to the upstream server (such as the server that is designated to download updates from Microsoft Update)? Log on to the computer by using a user account that is a member of the local Administrators group or the WSUS Administrators group. If you choose Synchronize automatically, the WSUS server will synchronize at set intervals. When you have all the site system roles on a single server, you should be very careful with the Private Memory Limit setting of the WSUS application pool, because memory taken by WSUS is no longer available to the other roles. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port. Find the WSUS pool and choose Advanced Settings. The default limit is 1843200 KB (about 1.8 GB). Click Enabled, and then select one of the following options under the Configure automatic updating setting: Notify for download and notify for install. Select product categories, such as Windows, or specific products, such as Windows Server 2012. I'll see if I can locate any related event logs, but not real sure what I would be looking for if would be WSUS side or IIS side IIS crashing so thinking IIS … On the Choose Classifications page, select the update classifications that you want to obtain. The steps below show how to configure IIS on the WSUS server to use SSL.
Windows Server Update Services wizard: Select Role Services to Install WSUS. You must re-initialize ClientServicingProxy if the server name, SSL configuration, or port number has changed. Expand Web Sites, right-click the website for the WSUS server, and then click Properties. This is the same way that Microsoft Update distributes updates. If you use any port other than 443 for SSL, you must include that port in the URL also. If you want to update Group Policy sooner, you can open a Command Prompt window on the client computer and type gpupdate /force. Use computer groups to control the rollout. Queue Length: the maximum number of requests that HTTP.sys will queue for the application pool. Use the following options to modify the existing proxy server configuration: Select the check box for Use a proxy server when synchronizing. When the queue is full, new requests receive a 503 “Service Unavailable” response. Microsoft has already released a fix for the issue explained in KB 4039396. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server. If you want to participate in the program. In this case, one proxy server is configured to use HTTP, and the other proxy server is configured to use HTTPS. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. The support engineer was helpful, and she helped to set up the best practices for IIS settings required for a remote WSUS/SUP. These procedures also assume that you are familiar with Group Policy and you use it to manage the network. A client computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. WSUS has the ability to publish custom update packages to update Microsoft and non-Microsoft products.
The private key must be installed on the WSUS server, and the public key must be explicitly installed in the trusted certificate store on all client PCs and servers which are to receive custom-signed updates.
Modify IIS WSUS Application Pool Settings:
- Launch Server Manager, then launch IIS Manager.
- In the IIS console, click Application Pools.
- Right-click ‘WsusPool’ and select ‘Advanced Settings’.
- Change the value of ‘Queue Length’ under the General section to 30,000.
- Change the ‘Service Unavailable’ Response Type from the default HttpLevel to TcpLevel.
To set up two proxy servers, each of which will handle one protocol for WSUS, use the following procedure: Log on to the computer that is to be the WSUS server by using an account that is a member of the local Administrators group. Secure WSUS with the Secure Sockets Layer Protocol; Enabling Anonymous Authentication (IIS 6.0). If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates. If this has occurred, you must re-enable the anonymous read access before you can successfully install and operate WSUS. If you begin detection manually, you do not have to wait 20 minutes for the client computer to contact WSUS. The HTTP port setting is displayed in TCP port, and the HTTPS port setting is displayed in SSL port. Now our next step is to change the bindings and assign a different port number to the HTTP connection for WSUS, so that the clients are unable to scan against it, thereby freeing up the memory for us. Firewall: If you identified that WSUS is behind a corporate firewall, there are some additional steps that must be done at the edge device to properly allow WSUS traffic. Expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS. Best Practice – IIS – WSUS App Pool – Queue Length for SCCM CB SUP?
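The WsusPool changes listed above (Queue Length, Limit Interval, the "Service Unavailable" response type, and the Private Memory Limit discussed elsewhere on this page) can be applied and verified from PowerShell instead of clicking through Advanced Settings. The following is an added example and not code from the original page or from the blog it quotes; it assumes the WebAdministration module that comes with IIS, an elevated session on the WSUS server, and uses the values quoted on this page as placeholders to adjust for your own client count.

```powershell
# Added example, not from the original page: set the WsusPool values discussed
# above with the WebAdministration module, keeping the old values for rollback.
# Run in an elevated PowerShell session on the WSUS server.
Import-Module WebAdministration

$poolPath = 'IIS:\AppPools\WsusPool'

# Private Memory Limit is in KB; 0 disables the memory-based recycle. Keep a
# limit when other site system roles share this server, because memory WSUS
# takes is no longer available to them.
$QueueLength     = 25000
$PrivateMemoryKB = 0
$LimitInterval   = [TimeSpan]::FromMinutes(15)
$Unavailable     = 'TcpLevel'     # HttpLevel returns a 503 page; TcpLevel resets the connection

function Get-WsusPoolSettings {
    # Reads the four settings discussed on this page from the application pool.
    param([string]$Path = 'IIS:\AppPools\WsusPool')
    $p = Get-Item $Path
    [pscustomobject]@{
        QueueLength         = $p.queueLength
        PrivateMemoryKB     = $p.recycling.periodicRestart.privateMemory
        LimitInterval       = $p.cpu.resetInterval
        UnavailableResponse = $p.failure.loadBalancerCapabilities
    }
}

$before = Get-WsusPoolSettings $poolPath
"Before: $($before | Out-String)"

$pool = Get-Item $poolPath
$pool.queueLength                             = $QueueLength
$pool.recycling.periodicRestart.privateMemory = $PrivateMemoryKB
$pool.cpu.resetInterval                       = $LimitInterval
$pool.failure.loadBalancerCapabilities        = $Unavailable
$pool | Set-Item

# Recycle so the running worker process picks up the new limits, then verify.
Restart-WebAppPool -Name 'WsusPool'
$after = Get-WsusPoolSettings $poolPath
"After: $($after | Out-String)"

# Sanity check from the thread above: a limit that is neither 0 nor at least
# the IIS default (1843200 KB) is probably a typo with a missing zero.
if ($after.PrivateMemoryKB -ne 0 -and $after.PrivateMemoryKB -lt 1843200) {
    Write-Warning "Private Memory Limit $($after.PrivateMemoryKB) KB is below the IIS default; missing a zero?"
}
```

Keep the "Before" output: if scan errors or 503s get worse after the change, the same assignments with the recorded values put the pool back.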
Before realizing what the issue was, I attempted to re-install WSUS and IIS from scratch numerous times … If you use WSUS with a remote SQL Server database, the connection between the WSUS server and the database server is not secured by SSL. WSUS upstream and downstream servers will synchronize on the port configured by the WSUS administrator. Otherwise, you should be careful about these settings. If the IIS website or application pool is not working properly, client devices may have scan errors or report an unknown scan status. Link this WSUS GPO to an Active Directory container that is appropriate for your environment. Selecting a subset of languages will save disk space, but it is IMPORTANT to choose all of the languages that are needed by all the clients of this WSUS server. If a computer attempts to retrieve update files on the HTTPS port, the transfer will fail. Proxy: If you identified that WSUS needs to use a proxy server to have Internet access, you need to configure proxy settings on the WSUS server. Think your Private Memory Limit is missing a zero. To obtain updates from Microsoft Update, the WSUS server uses port 443 for the HTTPS protocol. By default, when each client computer first contacts the WSUS server, the server adds that client computer to both of these groups. The Group Policy settings will be used to obtain automatic updates from Windows Server Update Services (WSUS). If your server requires a proxy server to connect to the Internet, check Use a proxy server when synchronizing. Then enter the details of the proxy server and click Next. Removal of device drivers from the WSUS repository (greatly improves speed and reliability, and reduces the storage space needed). In the Add Computer Group dialog box, in Name, specify the name of the new group, and then click Add. When an update is downloaded, WSUS checks the digital signature and hash. IIS configuration validation and optimization.
For a local database it will use Windows Internal Database (WID), which is a limited version of SQL Server Express that doesn’t have a GUI or management interface. If the database connection must be secured, consider the following recommendations: Move the WSUS database to the WSUS server. Private Memory Limit is set in KB. Then click Next. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. Enter a local or remote path to store updates. There are several considerations associated with custom update signing. If you face trouble in setting up these prerequisites to installing the Shavlik Patch plugin, it would be best to work directly with Microsoft support. So weird. Open IIS Manager; expand the server name; click Application Pools; click WsusPool. This is primarily for Server 2012 WSUS, and is a manual execution only. Anoop is a Microsoft MVP and Veeam Vanguard! If the corporate network uses proxy servers, the proxy servers must support HTTP and SSL protocols and use basic authentication or Windows authentication. WSUS is a local Windows Updates repository. After selecting the proper options for your deployment, click Next to proceed. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount, including 0 for unlimited. Note the information in the Windows Server Update Services page. Log on to the WSUS server by using an account that is a member of the WSUS Administrators group or the local Administrators group. Best Practices Related to IIS for SCCM SUP WSUS Setup. Open a command prompt (Cmd.exe) as an administrator. You can create the Group Policy and apply it at domain level.
Click Options, and then click Update Source and Proxy Server. You must create the group on the WSUS server, and add domain-member computers to that group. On the Before You Begin page, review the information, and then click Next. Select your server from the server pool. In the Windows Update details pane, double-click Specify intranet Microsoft update service location. To enable custom update signing, you must install a package signing certificate on your WSUS server. If you use any port other than 443 for HTTPS traffic, WSUS will send clear HTTP traffic over the port that numerically comes before the port for HTTPS (for example, HTTPS on 8531 and HTTP on 8530). This option notifies a logged-on administrative user before you download and install the updates. If you do not select this option, you need to use the WSUS Management Console to perform the initial synchronization. The default ports are the same as those specified in the preceding section, Connection between WSUS servers, and the firewall on the WSUS server must also be configured to allow inbound traffic on these ports. Retain the default selection, or clear the check box, and then click Next. The following instructions configure a downstream server to synchronize to an upstream server that uses SSL. You must consider the following limitations when you use SSL to secure a WSUS deployment: Using SSL increases the server workload. after discovering that it expired), WSUS offered no functionality to enable this. I have seen some things saying IIS settings need adjustment, but not seeing much if these settings also need to be changed in Server 2019 also. Accomplishing this turned into a manual task that was very hard to either do by hand or automate successfully. Expiration. The following is a summary of recommended changes, and a related screenshot.
The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. Choose all the classifications or a subset of them, and then click Next. We recommend that you create a new GPO that contains only WSUS settings. On the WSUS server, open Internet Information Services (IIS) Manager. Enable client-side targeting enables client computers to add themselves to target computer groups on the WSUS server when Automatic Updates is redirected to a WSUS server. Is that showing 400MB? To determine the WSUS port settings in IIS 6.0: Correct config is likely not both but WSUS pool only. In an environment without Active Directory, use the Local Group Policy Editor to configure Automatic Updates, and then point the client computers to the WSUS server. Some applications, notably Windows SharePoint Services, may remove anonymous access. WSUS uses SSL for metadata only, not for update files. WSUS requires two ports for SSL: one port that uses HTTPS to send encrypted metadata, and one port that uses HTTP to send updates. WSUS also uses SSL to encrypt update metadata. When you configure SSL on client computers, you should consider the following issues: You must include a URL for a secure port on the WSUS server. All the servers referred to in this post are running Server 2012 R2. You can create as many custom computer groups as you need to manage updates in your organization. You can find the detailed information in this post. In the Proxy server name text box, type the name of the proxy server. Before you start the configuration process, be sure that you know the answers to the following questions: Is the server's firewall configured to allow clients to access the server? After installing the WSUS server role on your server, you need to properly configure it. WSUS encrypts update metadata only.
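For the no-Active-Directory case above, the Local Group Policy settings (Specify intranet Microsoft update service location, Enable client-side targeting, Configure Automatic Updates) end up as values under the WindowsUpdate policy registry key, so a script can write them directly and then start detection rather than waiting for the client's next contact. The following is an added example, not code from the original page or from Microsoft; the server URL, port and group name are placeholders, and the URL checks encode the rules stated on this page (HTTPS needs the FQDN; a port other than 443 must be in the URL).

```powershell
# Added example, not from the original page: point a client at a WSUS server
# and enable client-side targeting by writing the same policy registry values
# the Local Group Policy editor writes, then trigger detection immediately.
# Server name, port and group name are placeholders. Run elevated on the client.
param(
    [string]$WsusUrl     = 'https://wsus.corp.example:8531',
    [string]$TargetGroup = 'Test'
)

function Test-WsusUrl {
    # Applies the rules from the text: https needs an FQDN so the certificate
    # name matches, and any port other than the scheme default must be in the URL.
    param([string]$Url)
    $uri = [Uri]$Url
    if ($uri.Scheme -notin 'http', 'https') { throw "Scheme must be http or https: $Url" }
    if ($uri.Scheme -eq 'https' -and $uri.Host -notmatch '\.') {
        throw "HTTPS requires the server's fully qualified domain name, not '$($uri.Host)'"
    }
    if ($uri.IsDefaultPort) {
        Write-Warning "No port in '$Url'; WSUS listens on 8530/8531 unless it was installed on 80/443."
    }
    return $uri.AbsoluteUri.TrimEnd('/')
}

$server = Test-WsusUrl $WsusUrl

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
$null = New-Item -Path $auKey -Force

# "Specify intranet Microsoft update service location"
Set-ItemProperty $wuKey -Name WUServer       -Value $server -Type String
Set-ItemProperty $wuKey -Name WUStatusServer -Value $server -Type String
# "Enable client-side targeting": the client reports its own group name
Set-ItemProperty $wuKey -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty $wuKey -Name TargetGroup        -Value $TargetGroup -Type String
# "Configure Automatic Updates": 2 = notify for download and notify for install
Set-ItemProperty $auKey -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty $auKey -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty $auKey -Name AUOptions    -Value 2 -Type DWord

# Refresh policy, make the agent re-read it, and begin detection now instead
# of waiting for the normal contact interval.
gpupdate /force | Out-Null
Restart-Service wuauserv
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

# Confirm which server the client will scan against and report status to.
Get-ItemProperty $wuKey | Select-Object WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
```

The group named in TargetGroup must already exist on the WSUS server with client-side targeting enabled there, otherwise the client lands only in Unassigned Computers.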
When you configure WSUS to use SSL, consider the following: You cannot configure the whole WSUS website to require SSL, because then all traffic to the WSUS site, including the update files, would have to be encrypted; WSUS encrypts update metadata only. In this case, set one channel to use HTTP and the other channel to use HTTPS. This setting indicates to the WSUS server which group the client computer will use. If you use the Local Publishing feature from a remote WSUS console, after you apply the update to your WSUS server, the remote WSUS consoles must also be updated so that the API versions match. You can set up one proxy server that handles both protocols for WSUS during the WSUS server software installation.
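Because the whole site cannot require SSL, the practical configuration is per virtual directory: require SSL on the web services that carry metadata and authentication, leave Content on HTTP, and then tell WSUS its SSL name with wsusutil. The following is an added example, not code from the original page or from Microsoft; the virtual directory names are the ones Microsoft's WSUS SSL guidance lists (they are not on this page), the FQDN and proxy are placeholders, and it assumes the server certificate is already bound to the site's HTTPS port and that the WebAdministration module is available.

```powershell
# Added example, not from the original page: require SSL only on the WSUS web
# services that carry metadata and authentication, leave Content on HTTP, then
# register the FQDN with wsusutil. Assumes the server certificate is already
# bound to the site's HTTPS port; the FQDN below is a placeholder.
Import-Module WebAdministration

$site = 'WSUS Administration'
$fqdn = 'wsus.corp.example'

# Virtual directories that Microsoft's WSUS SSL guidance sets to require SSL.
$sslDirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
           'ServerSyncWebService', 'SimpleAuthWebService'
# 'Content' (the update files) stays on plain HTTP: a client that fetches
# files over the HTTPS port fails, and integrity comes from the signature
# and hash check on each update rather than from the channel.

function Get-SslFlags {
    # Returns the sslFlags setting of one virtual directory as a string.
    param([string]$Site, [string]$Dir)
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$Dir" `
            -Filter 'system.webServer/security/access' -Name sslFlags
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v = $v.Value }
    return [string]$v
}

# Refuse to proceed without an HTTPS binding: requiring SSL would otherwise
# lock every client out of the metadata services.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    throw "No HTTPS binding on '$site'. Bind the server certificate (e.g. port 8531) first."
}

foreach ($dir in $sslDirs) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$dir" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# Verify: the five services should show 'Ssl'; Content should still show 'None'.
foreach ($dir in $sslDirs + 'Content') {
    '{0,-22} {1}' -f $dir, (Get-SslFlags -Site $site -Dir $dir)
}

# Tell WSUS to use SSL and its FQDN for the API and for downstream servers.
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil configuressl $fqdn

# If synchronization goes out through an HTTPS-capable proxy, register it too
# (placeholder proxy name and port):
# & $wsusutil configuresslproxy proxy.corp.example 8080 -enable
```

After this, clients, downstream servers and remote consoles must use the FQDN and the HTTPS port in their URLs, and the certificate chain has to be in the Local Computer Trusted Root store on each of them, not the current user's store, or server authentication fails as described above.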