Configuring Software Update synchronization in System Center Configuration Manager

What does this guide do?

This guide explains the System Center Configuration Manager software update synchronization process from start to finish. Each step in the process is explained, including the various settings that control how update retrieval and synchronization are performed, common problems seen with each step in the process, as well as general troubleshooting tips. The information in this guide applies to System Center 2012 Configuration Manager, System Center 2012 R2 Configuration Manager, and all versions of Configuration Manager in the current branch (e.g. Configuration Manager 1511).

Who is it for?

This guide is for IT professionals who need to understand, implement or troubleshoot Software Update synchronization in System Center Configuration Manager or WSUS when deployed in an enterprise environment.

How does it work?

This guide walks through each step of the process, explaining the settings and configurations required for successful synchronization as well as tests to verify that a particular step is functioning. The guide also shows how the synchronization progression can be tracked via the log files and how to troubleshoot common problems that may be encountered.

Estimated time of completion:

20-30 minutes.

Getting started

When configuring Software Update synchronization in Configuration Manager for the first time, or when you’re troubleshooting a Software Update problem and you want to verify your current configuration, there are a few different areas that you will want to take a look at. 

Choose the specific area you are interested in below, or simply start at the beginning to walk through each one.

Configuring the proxy server settings

When there is a proxy server between the WSUS computer and the upstream update source, the proxy settings must be configured for the Site System as well as the Software Update Point role. The proxy server settings are site system specific, which means that all site system roles use the proxy server settings that you specify.

For more information, see Technical Reference for Accounts used in Configuration Manager.

Configuring the proxy settings for the Site System

  1. In the Configuration Manager console, navigate to Administration -> Site Configuration -> Servers and Site System Roles and then click on <SiteSystemName>  in the right-hand pane.
  2. In the bottom pane, right-click Site System and then click Properties.
  3. Go to the Proxy tab and specify the proxy server name, port and credentials (as required).

Configuring the proxy settings for the Software Update Point

  1. In the Configuration Manager console, navigate to Administration -> Site Configuration -> Servers and Site System Roles and click on <SiteSystemName> in the right-hand pane.
  2. In the bottom pane, right-click Software Update Point and then click Properties.
  3. Go to the Proxy and Account Settings tab, and select Use a proxy server when synchronizing software updates.
  4. (Optional) To configure ADRs to use a proxy, go to the Proxy And Account Settings tab, and select Use a proxy server when downloading content by using automatic deployment rules.

How to check the proxy settings in the WSUS console

  1. Open the WSUS console.
  2. Click Options in the tree pane, then click Update Source and Proxy Server in the display pane.
  3. Click the Proxy Server tab. The proxy settings displayed should match the settings configured for the Software Update Point. If the settings do not match, check WCM.log on the Site Server.

For more information, see the Proxy Server Settings section in the following TechNet article:

http://technet.microsoft.com/en-us/library/gg712312.aspx#BKMK_InstallSUP

How to check the proxy configuration via the command line

You can review the proxy configuration for the logged-in user by running the following command:

netsh winhttp show proxy

To review the proxy configuration for the System account, first open a command prompt by running the following command:

psexec -s -i cmd

Then in the Command Prompt window, run the whoami command to confirm that the command window is running under the System account. Run the netsh command again and review the proxy configuration for the System account.

You can also start Internet Explorer from this command window and review the proxy configured in Internet Explorer. In some cases you may have to clear the Automatically Detect Settings check box and set the correct proxy.

To force WinHTTP to use the proxy configuration from Internet Explorer, run the following command:

netsh winhttp import proxy source=ie

For more help with Netsh WinHTTP commands, see the following:

http://technet.microsoft.com/en-us/library/cc731131(v=ws.10).aspx


Configuring the WSUS Server connection account for the Software Update Point

If the Software Update Point is remote to the Site Server, and if the Site Server computer account does not have permissions to connect to the WSUS computer, you must specify a WSUS connection account that Configuration Manager can use to connect to the WSUS computer. This account is used by WCM and WSyncMgr, and it must be a local administrator on the computer where WSUS is installed. Additionally, the account must be part of the local WSUS Administrators group. For more information, see Technical Reference for Accounts Used in Configuration Manager.

How to configure the WSUS Server connection account for the Software Update Point

  1. In the Configuration Manager console, navigate to Administration -> Site Configuration -> Servers and Site System Roles and then click on <SiteSystemName>  in the right-hand pane.
  2. In the bottom pane, right-click Site System and then click Properties.
  3. Go to the Proxy tab and specify the proxy server name, port and credentials (as required).

Determining the port settings used by WSUS

Port settings are configured when the Software Update Point site system role is created. These port settings must be the same as the port settings used by the WSUS website, or else WSUS Synchronization Manager will fail to connect to WSUS running on the Software Update Point to request synchronization. The following procedures provide information about how to verify the port settings used by WSUS and the Software Update Point.

How to determine the WSUS port settings in IIS 6.0

  1. On the WSUS server, open Internet Information Services (IIS) Manager.
  2. Expand Web Sites, right-click the website for the WSUS server, then click Properties.
  3. Click the Web Site tab. The HTTP port setting is displayed in TCP port and the HTTPS port setting is displayed in SSL port.

How to determine the WSUS port settings used in IIS 7.0 and above

  1. On the WSUS server, open Internet Information Services (IIS) Manager.
  2. Expand Sites, right-click the website for the WSUS server, then click Edit Bindings. In the Site Bindings dialog box, the HTTP and HTTPS port values are displayed in the Port column.

How to configure ports for the Software Update Point

  1. In the Configuration Manager console, navigate to Administration -> Site Configuration -> Servers and Site System Roles and then click on <SiteSystemName>  in the right-hand pane.
  2. In the bottom pane, right-click Site System and then click Properties.
  3. Go to the General tab and specify/verify the WSUS configuration port numbers.

Verifying Anonymous Access is enabled on the DssAuthWebService virtual directory

When WSUS Synchronization Manager on child sites receives a synchronization request from the parent site, anonymous access must be enabled on the DssAuthWebService virtual directory for the WSUS website in Internet Information Services (IIS). Use the following procedure to configure anonymous access and verify that it is enabled on the virtual directory.

How to verify anonymous access on the DssAuthWebService virtual directory

  1. On the WSUS computer, open Internet Information Services (IIS) Manager.
  2. Expand Sites, then expand the website for the WSUS server.
  3. Click on the DssAuthWebService virtual directory.
  4. In the Features view, double-click Authentication and verify that Anonymous Authentication is Enabled.

Checking permissions on the ApiRemoting30 virtual directory

When WSUS Synchronization Manager initiates synchronization, the computer and Administrator accounts must have access to the ApiRemoting30 virtual directory under the WSUS website in Internet Information Services (IIS). Use the following procedure to check the permissions for this virtual directory.

How to check permissions on the ApiRemoting30 virtual directory

  1. On the WSUS computer, open Internet Information Services (IIS) Manager.
  2. Expand Sites, expand the website for the WSUS server, right-click the ApiRemoting30 virtual directory and then select Edit Permissions.


Checking the update source settings in WSUS

When you troubleshoot software updates synchronization issues in Configuration Manager, you might have to check the update source settings in the WSUS console on the Software Update Point site system server. These settings are set automatically by WCM. If these settings do not match, review WCM.log.

How to check the update source settings in WSUS

  1. Open the WSUS console on the Software Update Point.
  2. Click Options in the console tree pane.
  3. Click Update Source and Proxy Server in the display pane.
  4. Verify that the settings below are configured appropriately.

Synchronize from Microsoft Update: This setting should generally be selected when you are in the WSUS console on the Software Update Point for the top-level site. Note that starting with Configuration Manager 2012 SP1 you can specify an existing WSUS server as the upstream synchronization source location for the top-level site. If you have specified an existing WSUS computer as the upstream source location then this option should not be selected.

Synchronize from another Windows Server Update Services server: This setting should generally be selected when you are in the WSUS console for:

  • Software Update Points for top-level sites if an upstream source location is specified instead of Microsoft Update
  • Software Update Points for a Primary site
  • Additional Software Update Points installed in the Primary Site
  • Internet-based Software Update Points
  • Software Update Points for a Secondary Site

Server name: The fully qualified domain name (FQDN) of the upstream update source should be displayed.

  • For the first Software Update Point in the Primary site, this should be the Software Update Point for the parent site
  • For additional Software Update Points in the site, this should be the first Software Update Point on the same site
  • For an Internet-based Software Update Point this is the first Software Update Point on the same site

Port number: This should display the port number for the upstream WSUS computer. To determine the port number being used on the upstream WSUS computer, see the section above titled Determining the port settings used by WSUS.

Use SSL when synchronizing update information: When the Software Update Point is in HTTPS mode, this setting must be selected. When using SSL for software updates, several requirements apply. For more information, see the section above titled Configuring Software Updates for Secure Sockets Layer (SSL).

This server is a replica of the upstream server: This setting should never be selected on the Software Update Point for the Top-Level site or the first Software Update Point for the Primary Site. This setting should be selected on:

  • Internet-based Software Update Points
  • Additional Software Update Points for the Primary Site
  • Software Update Points for the Secondary Site

Testing connectivity from a site server to WSUS

If the WSUS computer is remote to the Site Server, the WSUS administration console must be installed on the Site Server. This is because the WSUS Administration Console installs the required APIs that are used by Configuration Manager to connect to the WSUS computer. To test whether Configuration Manager can connect to the WSUS computer, use the locally installed WSUS administration console.

How to connect to the remote WSUS computer using the WSUS administration console

  1. Start the WSUS administration console.
  2. Right-click Update Services in the tree view and select Connect to Server.
  3. Specify the Server Name and Port Number of the remote WSUS computer and then click Connect. 

It is important that you specify the FQDN of the server and the correct port number for the connection. If you do not know the port number, see the section above titled Determining the port settings used by WSUS.
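Once the connection succeeds, the update source settings listed earlier can be read through the same WSUS administration API and checked against this guide's rules. The following is an added example, not part of the original guide: the function name, role names, host names and sample values are assumptions made for illustration.

```powershell
# Added example (not from the original guide). Role names and sample values are constructed.
function Test-WsusUpdateSource {
    param(
        [Parameter(Mandatory)] $Config,    # shaped like the WSUS server configuration object
        [Parameter(Mandatory)]
        [ValidateSet('TopLevel','PrimaryFirst','Additional','InternetBased','Secondary')]
        [string] $Role,
        [string] $UpstreamFqdn,            # expected upstream WSUS; empty means Microsoft Update
        [int]    $UpstreamPort,            # port of the upstream WSUS website
        [bool]   $HttpsMode                # Software Update Point requires SSL
    )
    $findings = @()

    # Only a top-level site with no upstream WSUS specified syncs from Microsoft Update.
    $wantMicrosoftUpdate = ($Role -eq 'TopLevel') -and (-not $UpstreamFqdn)
    if ([bool]$Config.SyncFromMicrosoftUpdate -ne $wantMicrosoftUpdate) {
        $findings += "SyncFromMicrosoftUpdate should be $wantMicrosoftUpdate"
    }
    if (-not $wantMicrosoftUpdate) {
        if ($Config.UpstreamWsusServerName -notmatch '\.') {
            $findings += "Server name '$($Config.UpstreamWsusServerName)' is not an FQDN"
        }
        if ($Config.UpstreamWsusServerName -ne $UpstreamFqdn) {
            $findings += "Server name should be '$UpstreamFqdn'"
        }
        if ($Config.UpstreamWsusServerPortNumber -ne $UpstreamPort) {
            $findings += "Port is $($Config.UpstreamWsusServerPortNumber), upstream uses $UpstreamPort"
        }
        if ($HttpsMode -and -not $Config.UpstreamWsusServerUseSsl) {
            $findings += 'Use SSL must be selected when the Software Update Point is in HTTPS mode'
        }
    }
    # Replica: never on the top-level or first primary SUP; expected on the other three roles.
    $wantReplica = $Role -in 'Additional','InternetBased','Secondary'
    if ([bool]$Config.IsReplicaServer -ne $wantReplica) {
        $findings += "IsReplicaServer should be $wantReplica"
    }
    $findings
}

# Constructed sample: an additional SUP left with a short name, wrong port and no SSL.
$sample = [pscustomobject]@{
    SyncFromMicrosoftUpdate      = $false
    UpstreamWsusServerName       = 'sup01'
    UpstreamWsusServerPortNumber = 8530
    UpstreamWsusServerUseSsl     = $false
    IsReplicaServer              = $false
}
Test-WsusUpdateSource -Config $sample -Role Additional `
    -UpstreamFqdn 'sup01.corp.example' -UpstreamPort 8531 -HttpsMode $true

# Live use on a server with the WSUS console installed (hypothetical host name):
# $cfg = (Get-WsusServer -Name 'wsus02.corp.example' -PortNumber 8530).GetConfiguration()
```

Any finding returned means the WSUS console shows something other than what WCM should have set, so WCM.log on the Site Server is the next place to look.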

Checking the WSUS version

To check the WSUS server version, start the WSUS console and then click on the server name. You will find the server version under Overview -> Connection -> Server Version.

Below is the current list of WSUS versions:

 WSUS version                      Server version
 WSUS 3.0 SP1                      3.1.6001.65
 WSUS 3.0 SP2                      3.2.7600.226
 WSUS 3.0 SP2 + KB2530678          3.2.7600.236
 WSUS 3.0 SP2 + KB2720211          3.2.7600.251
 WSUS 3.0 SP2 + KB2734608          3.2.7600.256
 WSUS 3.0 SP2 + KB2828185          3.2.7600.262
 WSUS on Server 2012               6.2.9200.16384
 WSUS on Server 2012 + KB2838998   6.2.9200.16384 (does not increment)
 WSUS on Server 2012 + KB2819484   6.2.9200.16553
 WSUS on Server 2012 R2            6.3.9600.16384

NOTE If you review the version in the WSUS console via Help -> About Update Services, the version may not reflect the installed updates. See the steps above to determine the actual WSUS version.

Configuring the Software Update Point for Secure Sockets Layer (SSL)

When the site is configured in “HTTPS only” mode, the Software Update Point is automatically configured to use SSL. When the site is in “HTTPS or HTTP” mode, you can choose to configure the Software Update Point to use SSL. When the Software Update Point is configured to use SSL, the WSUS computer must be explicitly configured to use SSL as well. Before you configure SSL, review the certificate requirements and make sure that a Server Authentication certificate is installed on the Software Update Point server.

How to verify that the Software Update Point is configured for SSL

  1. In the Configuration Manager console, navigate to Administration -> Site Configuration -> Servers and Site System Roles and then click on <SiteSystemName>  in the right-hand pane.
  2. In the bottom pane, right-click Site System and then click Properties.
  3. On the General tab, click Require SSL communication to the WSUS Server.

How to verify that the WSUS computer is configured for SSL

  1. Open the WSUS console on the Software Update Point for the site.
  2. Click Options in the console tree pane.
  3. Click Update Source and Proxy Server in the display pane.
  4. Verify that Use SSL when synchronizing update information is selected.

How to add the Server Authentication certificate to the WSUS Administration website

  1. On the WSUS computer, open Internet Information Services (IIS) Manager.
  2. Expand Sites, right-click Default Web Site, or WSUS Administration website if WSUS is configured to use a custom website, then select Edit Bindings.
  3. Click the HTTPS entry and then click Edit.
  4. In the Edit Site Binding dialog box, select the Server Authentication certificate and then click OK.
  5. Click OK in the Edit Site Binding dialog box and then click Close.
  6. Close Internet Information Services (IIS) Manager. 

IMPORTANT Make sure that the FQDN specified in the site system properties matches the FQDN specified in the certificate. If the Software Update Point accepts connections from the Intranet only, the Subject Name or Subject Alternative Name must contain the intranet FQDN. When the Software Update Point accepts client connections from the Internet only, the certificate must still contain both the Internet FQDN and the intranet FQDN because WCM and WSyncMgr still use the intranet FQDN to connect to the Software Update Point. If the Software Update Point accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN must be specified by using the ampersand (&) symbol delimiter between the two names.
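The FQDN rules above can be checked before the certificate is bound in IIS. The following is an added example, not part of the original guide: the function name, host names and sample certificate values are constructed, and it compares names exactly without handling wildcard certificates.

```powershell
# Added example (not from the original guide). Names and sample values are constructed.
function Test-SupCertificateNames {
    param(
        [Parameter(Mandatory)] [string[]] $CertDnsNames,   # DNS names carried by the certificate
        [Parameter(Mandatory)] [string[]] $CertEkuOids,    # Enhanced Key Usage OIDs
        [Parameter(Mandatory)] [string]   $IntranetFqdn,   # FQDN in the site system properties
        [string] $InternetFqdn,
        [ValidateSet('Intranet','Internet','Both')]
        [string] $ClientConnections = 'Intranet'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication

    # WCM and WSyncMgr always connect with the intranet FQDN, so it is required
    # even when clients reach the Software Update Point from the Internet only.
    $required = @($IntranetFqdn)
    if ($ClientConnections -ne 'Intranet') {
        if (-not $InternetFqdn) { throw 'InternetFqdn is required for this connection mode' }
        $required += $InternetFqdn
    }

    # -notcontains compares case-insensitively, which suits DNS names.
    $missing = @($required | Where-Object { $CertDnsNames -notcontains $_ })
    $hasEku  = $CertEkuOids -contains $serverAuthOid

    [pscustomobject]@{
        RequiredNames    = $required
        MissingNames     = $missing
        HasServerAuthEku = $hasEku
        Passed           = ($missing.Count -eq 0) -and $hasEku
    }
}

# Constructed sample: an Internet-only SUP whose certificate lists only the Internet name.
Test-SupCertificateNames -CertDnsNames 'updates.example.com' `
    -CertEkuOids '1.3.6.1.5.5.7.3.1' `
    -IntranetFqdn 'sup01.corp.example' -InternetFqdn 'updates.example.com' `
    -ClientConnections Internet

# Live use on the WSUS computer (replace the placeholder thumbprint):
# $cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
# Test-SupCertificateNames -CertDnsNames $cert.DnsNameList.Unicode `
#     -CertEkuOids $cert.EnhancedKeyUsageList.ObjectId -IntranetFqdn 'sup01.corp.example'
```

In the sample, Passed is False because the intranet FQDN is missing, which is the case that breaks synchronization even though Internet clients can still connect.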

How to configure SSL on the WSUS computer

The following link applies to System Center Configuration Manager 2007; however, the same steps can be used to configure SSL on WSUS in ConfigMgr 2012 or ConfigMgr 2012 R2:

How to Configure the WSUS Web Site to Use SSL

IMPORTANT You cannot configure the whole WSUS website to require SSL because then all traffic to the WSUS site would have to be encrypted. WSUS encrypts update metadata only. If a computer tries to retrieve update files on the HTTPS port, the transfer will fail.

Additional resource

For additional information regarding how to configure software updates in Configuration Manager, please see the following:

You can also post a question in our Configuration Manager 2012 support forum for security, updates and compliance here:

https://social.technet.microsoft.com/Forums/en-US/home?forum=configmanagersecurity

Visit our blog for all the latest news, information and tech tips on Microsoft System Center Configuration Manager:

https://blogs.technet.microsoft.com/configurationmgr

Done with the guide

You have now completed the steps to configure System Center Configuration Manager software update synchronization.


Properties

Article ID: 10329 - Last Review: February 29, 2016 - Revision: 26