WSUS 3.0 SSL help!

subl1m1nal Member Posts: 176
Hello all!

I'm having an issue setting up SSL on WSUS 3.0. I get the required virtual directories set for SSL.

However, I get an error message when running wsusutil.exe configuressl myserver.mydomain.local. The error states "Fatal Error: Object reference not set to an instance of an object."

Any ideas? I should mention I didn't use a SQL instance. I just used the built in database. Is this a problem?

I did some Google searching, but am not finding much. I'm hoping the smart people of TechExams can point me in the right direction.

Thanks to anybody who can help,
Subl1m1nal
Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure

Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list

www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan

Comments

  • earweed Member Posts: 5,192 ■■■■■■■■■□
    I found a couple of things. Hope it helps. WSUS uses Windows Internal Database, which is actually SQL 2005 embedded, and the first article talks about it. The second article just talks about using Management Studio to manage the database.
    sql solace: Management Studio Error : "Object reference not set to an instance of an object. (SQLEditors)"
    Administering your Windows Internal Database (MICROSOFT##SSEE) instance
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • anujsharma85 Registered Users Posts: 3 ■□□□□□□□□□
    Hey, thanks for the link. I am also facing the same problem.


    Anuj
    MCSE,CCNAE,NETWORK+
    Web:-http://www.systechblog.com
  • subl1m1nal Member Posts: 176
    Anybody have any more ideas? I'm trying to install SQL 2005 SP3 to see if that fixes it per earweed's first article. Also checking out the Management Studio. Will keep this posted as Google has let me down.
  • subl1m1nal Member Posts: 176
    No go on SQL 2005 SP3. This is frustrating. I'd like to use SSL if at all possible. If not, I'll just leave it unencrypted. I can't believe nobody has run into this before.
  • Pash Member Posts: 1,600 ■■■■■□□□□□
    Which version of IIS are you using?

    Explain your steps prior to running configuressl as well please.

    Cheers,

    Pash
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • Claymoore Member Posts: 1,637
    Try running the command from the WSUS server without the server name in the command line.
    %installdir%\wsusutil configuressl
  • subl1m1nal Member Posts: 176
    Thanks for helping out, Pash! Using IIS 6 on Server 2003 SP2.

    Following the instructions from TechNet

    To configure SSL on the WSUS server by using IIS 6.0

    On the WSUS server, open Internet Information Services (IIS) Manager.

    Expand Web Sites, and then expand the Web site for the WSUS server. It is recommended that the WSUS Administration custom Web site be used, but the default Web site might have been chosen when WSUS was being installed.

    Perform the following steps on the APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories that reside under the WSUS Web site:

    Right-click the Web site or virtual directory, and then click Properties.

    Click the Directory Security tab, and then click Edit in the Secure Communications section.

    Select Require secure channel (SSL), and then click OK.

    Click OK to close the properties for the virtual root.

    Close Internet Information Services (IIS).

    Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet fully qualified domain name (FQDN) of the software update point site system>.
  • Claymoore Member Posts: 1,637
    Those are the instructions for integrating WSUS with SCCM in native mode. Are you setting up a SUP in SCCM or are you configuring a standard WSUS implementation?
  • subl1m1nal Member Posts: 176
    Just standard WSUS.
  • subl1m1nal Member Posts: 176
    No FQDN in the command is the same result. However, if I uncheck the "Require SSL" box in IIS from the directories, the command returns http://servername:80.
  • Claymoore Member Posts: 1,637
    Start with these two links:
    Secure WSUS 3.0 SP2 Deployment
    Managing WSUS 3.0 SP2 from the Command Line

    Does the server certificate you installed use the FQDN or just the single NetBIOS name?
  • subl1m1nal Member Posts: 176
    Thanks for the help guys. I knew I could count on the guys (and gals) of TE to point me in the right direction!

    Yeah, I knew it was going to be something stupid on my part. The problem is I needed a certificate assigned to my default website in IIS.

    Followed the instructions here to create a self-signed certificate and the command started working.

    Hopefully Google will index this thread so it will be useful to somebody else out there.
  • Claymoore Member Posts: 1,637
    Your clients won't trust that self-signed certificate and will be unable to connect to the server to download metadata. You will need to either:
    1. Import and install that certificate to the computer store on every PC
    2. Add the WSUS server as a trusted root through group policy so that clients will trust certificates signed by the server
    3. Use a different certificate from a provider that clients already trust, such as something from your enterprise PKI or an external provider like GoDaddy.
    You are only encrypting the metadata and not the transmission of the updates. This is really a lot of work for a negligible benefit, which is one of the reasons I have never set up WSUS to require SSL.
  • subl1m1nal Member Posts: 176
    Claymoore wrote: »
    Your clients won't trust that self-signed certificate and will be unable to connect to the server to download metadata. You will need to either:
    1. Import and install that certificate to the computer store on every PC
    2. Add the WSUS server as a trusted root through group policy so that clients will trust certificates signed by the server
    3. Use a different certificate from a provider that clients already trust, such as something from your enterprise PKI or an external provider like GoDaddy.
    You are only encrypting the metadata and not the transmission of the updates. This is really a lot of work for a negligible benefit, which is one of the reasons I have never set up WSUS to require SSL.

    Good point. I was going to either push it out through GP or install the cert manually (only about 40 PCs). You're absolutely correct about the encryption of only the metadata. I may switch it back to standard http. It was good practice with IIS for 70-643 though.
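
The trust and name questions raised in the thread (self-signed certificate, FQDN versus NetBIOS name) can be checked from a client PC before SSL is required on the virtual directories. The script below is an added example, not code from the thread or from Microsoft; the host name is the placeholder from the original command line and port 443 is an assumption, so substitute the name and port your WSUS site actually uses.

```powershell
# Added example: read-only check, run on a client PC. Host and port are assumptions.
param(
    [string]$WsusHost = 'myserver.mydomain.local',  # placeholder FQDN used in the thread
    [int]$Port = 443                                # assumed: WSUS on the default web site
)

$script:policyErrors = $null
# Record what Windows thinks of the certificate, but let the handshake finish
# so the certificate can still be inspected when it is untrusted.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($source, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($WsusHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($WsusHost)   # $WsusHost is the name matched against the certificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# Is this exact certificate already in the computer's trusted root store?
$inRootStore = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0

$nameFlag  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
$chainFlag = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

New-Object PSObject -Property @{
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer
    SelfSigned         = ($cert.Subject -eq $cert.Issuer)
    NotAfter           = $cert.NotAfter
    NameMismatch       = (([int]$script:policyErrors -band $nameFlag) -ne 0)
    ChainUntrusted     = (([int]$script:policyErrors -band $chainFlag) -ne 0)
    InLocalMachineRoot = $inRootStore
}
```

SelfSigned and ChainUntrusted both true with InLocalMachineRoot false is the state that importing the certificate on each PC or distributing it through Group Policy would fix. NameMismatch true means the certificate was issued for a different name than the one clients use to reach the server.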