Thank you for posting in Microsoft Q&A forum.
When we using TLS/SSL, all the metadata that is sent over the network are encrypted. Other files in SUP (such as software update data) do not need to be encrypted, we download content from the Internet. Could we know what files we want to be encrypted?
Have a good day!
If the response is helpful, please click "Accept Answer" and up vote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Its not that I want to encrypt additional content, and I am aware that the clients will download the content from the internet.
We are attempting to use SSL bridging for all communication between the IBCM MP/DP/SUP which is described as the preferred method in the documentation from Microsoft.
It just doesn't seem to be possible from our testing. Like I stated in the previous post, we are able to use SSL bridging for all other communications with the server, with the exception of the SUP. When attempting an windows update scan we get an error. But when switching to SSL tunneling everything works as expected.
To us it appears that the SUP is not using SSL for all traffic between the client and the server, and this is causing a communication error when using SSL Bridging.
Thank you for the quickly reply.
When you use SSL tunneling, there are no certificate requirements for the proxy web server (If used).
Assuming you have implemented primary site which accept Internet/intranet clients and all roles are published (MP, DP, SUP). WSUS is also installed inside default web site (subfolders Content and Selfupdate have disabled usage of SSL). WSUSutil configuresssl SCCM local server was used. Based on this, all roles are working except SUP role on internet. Because clients from internet side didn't have possibility to check meta data on WSUS, because they didn't have access to content and Self update folder on WSUS server.
Maybe we could check if a certificate is required to complete client authentication or check the WUAHandler.log on client side to see if the details of update scan process record in it.
Have a good day!
We have a primary site that accepts internet/intranet clients. We have setup a site server that has the MP,DP, and SUP roles that only accepts internet clients.
WSUS is configured to use the default web site and port 443.
The SUP role is configured to use ports 80/443, and to require SSL communication to the WSUS server.
The WSUSUtil configuressl command was run with the local server FQDN.
The virtual directories APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService are configured to require SSL.
The default web site is using the correct certificate for it's binding to port 443.
The client computer has an appropriate client certificate to allow it to communicate with this server.
When using ssl tunneling we do not have any issues, wsus scans complete without errors.
When attempting to use ssl Bridging we receive an error in the WUAHandler log.
OnSearchComplete - failed to end search job. Error = 0x80240437
Scan failed with error = 0x80240437
All other communication required for the other roles works as expected when using SSL Bridging.
Can SSL bridging work if the client needs access to the content and Self update folders if they are not using SSL for communincation with these folders?
Sign in to comment