Configure IIS
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server Update Services
Before installing WSUS, make sure you have Internet Information Services (IIS) installed. By default, WSUS uses the default Web site in IIS. WSUS Setup also gives you the option of creating a Web site on a custom port.
If the IIS service (W3SVC) is stopped during WSUS installation, WSUS Setup starts the service. Likewise, if you install WSUS to the default Web site and the site is stopped, WSUS Setup starts it.
To install IIS 6.0 on Windows Server 2003
Click Start, point to Control Panel, and then click Add or Remove Programs.
Click Add/Remove Windows Components.
In the Components list, select Application Server. Click Details and make sure that ASP.NET is selected
Click OK, click Next, and then follow the instructions on the screen.
Note
If this machine has been upgraded from Windows 2000, it may have the IIS 5.0 Isolation mode turned on. This must be turned off before installing WSUS 3.0.
To install IIS 7.0 on Windows Server 2008
Start the Server Manager (click Start, click Run, and then type CompMgmtLauncher).
In the tree view, select Roles, then in the Roles pane click Add Roles.
In the Add Roles Wizard, click Select Server Roles, select the Web Service (IIS) check box, click Next, and then click Next again.
At this time you may see a message box Add features required for Web Server (IIS)? Click Add Required Features.
In the Select Role Services window, make sure that the following services are selected:
Common HTTP Features (including Static Content)
ASP.NET, ISAPI Extensions, and ISAPI Features (under Application Development)
Windows Authentication (under Security)
IIS Metabase Compatibility (under Management Tools, expand IIS 6 Management Compatibility)
Click Next, and then review your selections.
Click Install.
Configuring IIS 7.0
After installing IIS 7.0 on Windows Server 2008, you will need to update the IIS configuration file.
1. Open the IIS configuration file: %WINDIR%\system32\inetsrv\applicationhost.config
2. In the <system.webServer><modules>
tag, remove <add name="CustomErrorModule">
, if it is present.
3. In the <system.webServer><modules>
tag, add <remove name="CustomErrorModule">
.
The resulting tag should look like this:
<system.webServer>
<modules>
<remove name="CustomErrorModule">
</modules>
</system.webServer>
Client self-update
WSUS uses IIS to update most client computers automatically to WSUS-compatible Automatic Updates software. To accomplish this, WSUS Setup creates a virtual directory named Selfupdate under the Web site running on port 80 of the WSUS server. This virtual directory, called the self-update tree, contains the WSUS-compatible Automatic Updates software.
Using the WSUS custom Web site
If you configure WSUS on a custom port, you must have a Web site running on port 80. The Web site on port 80 does not have to be dedicated to WSUS. In fact, WSUS uses the site on port 80 only to host the self-update tree.
Malicious programs can target port 80 for HTTP traffic. If WSUS is using a custom port, you can temporarily shut down port 80 throughout your network, but still be able to distribute updates to combat malicious programs.
If you already have a Web site on the computer where you intend to install WSUS, you should use the setup option for creating a custom Web site. This option puts the WSUS Web site on port 8530. This port is not configurable.
Note
If you change the WSUS port number after WSUS installation, you must manually restart the IIS service.
Accessing WSUS on a custom port
If WSUS is using a custom port to communicate with clients, you must use a custom URL to access the WSUS Web service. Use the following instructions to configure WSUS when it is running on port 8530.
Include a custom port number in the URL directing the client computer to the WSUS server (for example, https://WSUSServerName:portnumber).
For more information about pointing client computers to the WSUS server, see Determine a Method to Configure Clients later in this guide.
If you set up any WSUS servers downstream from a server that uses a custom port number, you must enter the custom port number when configuring the source server settings on the downstream WSUS server.
You can find instructions for connecting a downstream WSUS server to an upstream WSUS server in Set Up a Hierarchy of WSUS Servers.
Using host headers
If you decide to use host headers, you should run the configuressl command after configuring WSUS. If you do not do so, WSUS Reporters may not be able to access the WSUS server.
Note
If you assign host header values to the default Web site, you might interfere with Windows® SharePoint® Services and Exchange functionality.
To run the configuress1 command
Open a command window.
Navigate to the WSUS Tools directory:
cd WSUSInstallDir \Tools
where WSUSInstallDir is the directory in which WSUS is installed.
Type the following command:
Wsusutil configuressl
Note
The configuressl command sets both the host header name and the server certificate name.