This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I am in the process of setting up IBCM for my org, and am running into an issue where SSL bridging is not working on the SUP. I wanted to verify that this is even possible before I proceed to troubleshoot this. It appears that not all traffic required for the client to communicate to the SUP is encrypted, even though WSUS is configured to use SSL.
When attempting a windows update scan on a client I receive an error "Scan Failed with error = 80240437."
All other communication between the MP and DP on the same server works as expected.
I have verified the SUP is working, as I can switch to SSL tunneling and everything works as expected.
I would prefer to have all traffic bridged as it requires the client cert to communicate to the server.
If anyone can provide some insight on this I would appreciate this.
Thanks
Thank you for posting in Microsoft Q&A forum.
When we using TLS/SSL, all the metadata that is sent over the network are encrypted. Other files in SUP (such as software update data) do not need to be encrypted, we download content from the Internet. Could we know what files we want to be encrypted?
Have a good day!
If the response is helpful, please click "Accept Answer" and up vote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
May we know the current status of the question? If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.
It seems that the issue is more related to the network. Could we result the network engineer to see which request was blocked when we enable the SSL authentication?
Have a good day!
If the response is helpful, please click "Accept Answer" and up vote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
If the issue was related to the network I would expect all traffic to not be passed when using SSL bridging. The only thing that is not working is the SUP scan.
Is this even possible? Can you use SSL bridging with an internet biased client where it can communicate with a SUP and complete a scan cycle.
If the client needs access to the Content and Self Update folders on the server to complete this action, and communication with those folders cannot be configured to require SSL. I don't see how this will work.
I would like to be able to use SSL bridging for all communication between the client and the server, but it doesn't seem possible with how it works.
Either the Microsoft documentation is incomplete or just wrong.
Can anyone confirm that this is possible to do, and if so how.
Thank you for the reply.
Please click the following link to see if we could download from WSUS website when we under SSL environment: https://fqdn/selfupdate/wuident.cab. If we could not reach it, this may related the network issue.
Thank you for your understanding.
Yes I can download that file from the server.
But note that because are using SSL Bridging this requires us to import the client cert into the personal certificate store so the browser can use it.
Thank you for the update.
For troubleshooting the update scan failed under the SSL environment, there are two ways we could have a try:
In the windows update log we can see the following
WS error: There was an error communicating with the endpoint at 'https://redacted-FQDN:443/SimpleAuthWebService/SimpleAuth.asmx'.
WS error: An Error occurred in the secure channel support
FAILED [80240437] Web service call
If we look at packet captures you can see that there is a handshake failure.
If the traffic is not attempting to use the client cert, I would expect there to be a handshake failure like we are seeing in the packet captures.
Thank you for the update.
This seems the problem is more complex, i need some time to research. At such situation, if we are urgent, I suggest you call Professional Support Services so that a dedicate engineer will help you solve this issue in a more efficient way. Thank you for your understanding.
To obtain the phone numbers for specific technology request please take a look at the web site listed below:
https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers
Thank you very much for your kind understanding.
Its not that I want to encrypt additional content, and I am aware that the clients will download the content from the internet.
We are attempting to use SSL bridging for all communication between the IBCM MP/DP/SUP which is described as the preferred method in the documentation from Microsoft.
https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/plan-internet-based-client-management
It just doesn't seem to be possible from our testing. Like I stated in the previous post, we are able to use SSL bridging for all other communications with the server, with the exception of the SUP. When attempting an windows update scan we get an error. But when switching to SSL tunneling everything works as expected.
To us it appears that the SUP is not using SSL for all traffic between the client and the server, and this is causing a communication error when using SSL Bridging.
@David Henderson
Thank you for the quickly reply.
When you use SSL tunneling, there are no certificate requirements for the proxy web server (If used).
Assuming you have implemented primary site which accept Internet/intranet clients and all roles are published (MP, DP, SUP). WSUS is also installed inside default web site (subfolders Content and Selfupdate have disabled usage of SSL). WSUSutil configuresssl SCCM local server was used. Based on this, all roles are working except SUP role on internet. Because clients from internet side didn't have possibility to check meta data on WSUS, because they didn't have access to content and Self update folder on WSUS server.
Maybe we could check if a certificate is required to complete client authentication or check the WUAHandler.log on client side to see if the details of update scan process record in it.
Have a good day!
We have a primary site that accepts internet/intranet clients. We have setup a site server that has the MP,DP, and SUP roles that only accepts internet clients.
WSUS is configured to use the default web site and port 443.
The SUP role is configured to use ports 80/443, and to require SSL communication to the WSUS server.
The WSUSUtil configuressl command was run with the local server FQDN.
The virtual directories APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService are configured to require SSL.
The default web site is using the correct certificate for it's binding to port 443.
The client computer has an appropriate client certificate to allow it to communicate with this server.
When using ssl tunneling we do not have any issues, wsus scans complete without errors.
When attempting to use ssl Bridging we receive an error in the WUAHandler log.
OnSearchComplete - failed to end search job. Error = 0x80240437
Scan failed with error = 0x80240437
All other communication required for the other roles works as expected when using SSL Bridging.
Can SSL bridging work if the client needs access to the content and Self update folders if they are not using SSL for communincation with these folders?
Sign in to comment