Possible to use SSL to connect clients of one domain to a WSUS server on a different domain?

Zachary Kalous 0 Reputation points

Hello, we have a WSUS server in a DMZ between our local and corporate networks. The WSUS server is configured to use SSL for gathering updates directly from Microsoft and uses a corporate CA signed SSL certificate to do so.

We're having trouble getting our Windows clients on our local network to connect to the WSUS server and I'm wondering how to go about doing so. The clients also need to use SSL to connect to the WSUS server for policy reasons and are not able to communicate with the DMZ systems except for dedicated internally facing interfaces.

Is it possible to configure the WSUS server to use one SSL certificate for gathering updates from Microsoft on the corporate-facing interface and another certificate for client-server communication on the internal interface, OR is there a better way to do this?

Any advice or documentation is appreciated, thank you!

Zachary K.

Windows Server

2 answers

  1. Thameur-BOURBITA 29,606 Reputation points


    No certificate is required to let WSUS download updates from Microsoft URLs. You just need to open network flows for the HTTP and HTTPS protocols. For more information, please refer to the following link:


    WSUS clients use the HTTP protocol to download updates from the WSUS server, and HTTPS is recommended only for metadata, as mentioned in the link below:


    Please don’t forget to accept the helpful answer.


  2. Adam J. Marshall 8,026 Reputation points MVP

    Yes, you can use SSL with WSUS and use a multi-domain or even a NO DOMAIN strategy.

    The SSL Certificate must be trusted by each of the clients. WSUS itself doesn't care what domain the computer belongs to, or even if it is part of a domain (Workgroup environment).

    As long as the client systems TRUST the SSL Certificate, the computers will be added to WSUS and will work.

    You have 2 choices:

    1. A PUBLIC SSL Certificate, which is trusted by every client and it will 'just work' if you do it this way, but you must use a public SSL certificate either at a cost or free with Let's Encrypt.
    2. A privately generated SSL Certificate - either self-generated or from an Internal CA. In this case you MUST install the ROOT CERTIFICATE (or self-signed certificate) into the client BEFORE the client will be able to communicate with the WSUS Server. Normally this is done through GPO on a domain because it's easier, but can also be done ad-hoc (especially for workgroup systems) by importing the certificate into the trusted root certificate stores.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-7-ssl-setup-for-wsus-and-why-you-should-care/

    https://www.ajtek.ca/wsus/client-machines-not-reporting-to-wsus-properly/

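The ad-hoc root import from option 2 of the answer above, with a trust check before and after, as an added example that is not part of either answer. The host name, the certificate path and the `Test-WsusTls` helper are assumed placeholders; 8531 is the WSUS default HTTPS port.

```powershell
# Added example. Assumed placeholders, none of these values come from the thread:
$WsusHost = 'wsus.example.internal'        # must match a name in the WSUS certificate
$WsusPort = 8531                           # WSUS default HTTPS port
$RootCer  = 'C:\Temp\internal-root-ca.cer' # exported root (or self-signed) certificate

function Test-WsusTls {
    # TLS handshake using the normal Windows chain and host-name validation.
    param([string]$HostName, [int]$Port)
    $tcp = $null
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # throws on untrusted chain or name mismatch
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Trusted = $true; Subject = $cert.Subject; Issuer = $cert.Issuer
                           NotAfter = $cert.NotAfter; Error = $null }
    } catch {
        [pscustomobject]@{ Trusted = $false; Subject = $null; Issuer = $null
                           NotAfter = $null; Error = $_.Exception.GetBaseException().Message }
    } finally {
        if ($tcp) { $tcp.Dispose() }
    }
}

# 1. Before the import: a privately issued certificate should fail validation here.
Test-WsusTls -HostName $WsusHost -Port $WsusPort | Format-List

# 2. Inspect what is about to be trusted, then import into the machine root store (run elevated).
$root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCer)
"Importing $($root.Subject), thumbprint $($root.Thumbprint), expires $($root.NotAfter)"
Import-Certificate -FilePath $RootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. After the import: Trusted should now be True, with the expected issuer.
$result = Test-WsusTls -HostName $WsusHost -Port $WsusPort
$result | Format-List
if (-not $result.Trusted) { Write-Warning "WSUS certificate still not trusted: $($result.Error)" }
```

Compare the printed thumbprint against a value obtained out of band before importing, since anything placed in the machine root store is trusted for every TLS connection the client makes.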