Overview

This guide provides detailed steps for configuring SSL on a standalone (non-domain-joined) WSUS (Windows Server Update Services) server. 

It covers two scenarios: using a public SSL certificate from a trusted Certificate Authority, and using a self-signed certificate with automated PowerShell configuration.

Assuming Public SSL Certificate

Environment Details

• Full Computer Name (hostname): winserverabc
• Public FQDN: wsus.domain.com
• Public SSL Certificate: Issued by a trusted Certificate Authority (CA)
• Intended Audience: System Administrators

Step 1: Plan SSL Configuration and Certificate Requirements

1. Confirm SSL Certificate Details:
   • Common Name (CN): wsus.domain.com
   • Subject Alternative Names (SANs): Include both the FQDN (wsus.domain.com) and the hostname (winserverabc) if needed.
2. Network Configuration:
   • Ensure a public DNS entry is configured for wsus.domain.com that points to the WSUS server's IP.
   • Verify that firewall rules permit inbound traffic on port 8531 (HTTPS) and port 8530 (optional, for HTTP).

Step 2: Install the SSL Certificate

1. Import the SSL Certificate:
   • Open MMC (Microsoft Management Console).
   • Add the Certificates snap-in for the Local Computer.
   • Navigate to Personal > Certificates and import the SSL certificate file provided by the CA.
     • Ensure the certificate includes the private key and is trusted on the server.
2. Bind the SSL Certificate in IIS:
   • Open IIS Manager and select the WSUS Administration site.
   • Click Bindings in the Actions pane.
   • Select Add and configure as follows:
     • Type: https
     • Port: 8531
     • SSL Certificate: Select the imported certificate (wsus.domain.com)

• Click OK to apply the binding.

Step 3: Enforce SSL in IIS for WSUS Web Services

1. Open IIS Manager and navigate to the WSUS Administration site under the Sites tree.
2. Under WSUS Administration, follow these steps for each web service:
3. Click on the following services in the WSUS Administration tree:
   • ClientWebService
   • DssAuthWebService
   • ServerSyncWebService
   • SimpleAuthWebService
4. For each service, double-click SSL Settings in the center pane.
   • In SSL Settings:
   • Check Require SSL.
   • Optionally, select Require or Accept under Client Certificates (typically Accept for WSUS).
5. Click Apply to save the SSL requirement for each web service.
6. Close IIS Manager once all four services are configured to require SSL.

Step 4: Configure WSUS for SSL Communication

• Enable SSL in WSUS:
• Open a Command Prompt as Administrator.
• Execute the following command to configure WSUS to operate over SSL: 

wsusutil configuressl 

wsus.domain.com 

wsusutil configuressl wsus.domain.com

Step 5: Configure WSUS Console and Client Group Policy for HTTPS Access

1. Update WSUS Console:
   • Open the WSUS Administration Console.
   • Go to Options > Update Source and Proxy Server.
   • Update the server address to https://wsus.domain.com:8531.
   • Confirm and save settings.
2. Configure Group Policy for Client Connections:
   • In Group Policy Management (or directly on client systems if not using Group Policy), navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows Update.
   • Set the Specify intranet Microsoft update service location to:
     • Set the intranet update service for detecting updates: https://wsus.domain.com:8531
     • Set the intranet statistics server: https://wsus.domain.com:8531
3. Apply Group Policy:
   • Run gpupdate /force on client systems to apply the new configuration.

Step 6: DNS and Firewall Configuration

1. DNS Records:
   • Ensure wsus.domain.com points to the WSUS server's IP in both internal and external DNS systems.
2. Firewall Rules:
   • Ensure inbound traffic is permitted on port 8531 for HTTPS.
   • Optionally, allow port 8530 if needed for legacy HTTP connections.

Step 7: Verification and Testing

1. Test SSL Connection:
   1. Open a web browser and navigate to:  https://wsus.domain.com:8531/selfupdate/iuident.cab
      • If SSL is correctly configured, you will see a prompt to download iuident.cab without any certificate errors.
2. Check Client Connectivity:
   • Review the WindowsUpdate.log on client systems and SoftwareDistribution.log on the WSUS server to ensure updates and reporting occur without SSL errors.
3. Verify WSUS Console Access:
   • Ensure that the WSUS Console can be accessed using the public FQDN (wsus.domain.com) over HTTPS.

Assuming Self-Signed Certificate

1. Preparation of Automation Script

• Download the Script:
  • Access the following link to download the automation PowerShell script.
• Script Placement
  • Save the downloaded script on the WSUS server for execution.

2. Executing the PowerShell Script

• Open PowerShell in Admin Mode: On the WSUS server, launch PowerShell with administrative privileges.
• Run the Script: Execute the downloaded PowerShell script. 
• When prompted, input the server's IPv4 address. 
• Ensure that the script runs successfully and verify the output.

The script performs the following steps to secure WSUS with SSL:

1. Creates a self-signed certificate using the Fully Qualified Domain Name (FQDN) of the server and an optional IP address.
2. Exports the certificate's public key to the local user's Documents folder.
3. Imports the public key into the Trusted Root Certificate Authorities store.
4. Configures SSL bindings in IIS for the WSUS website.
5. Requires SSL for specific WSUS virtual roots.
6. Configures WSUS to use SSL by invoking the WsusUtil.exe tool with SSL parameters.

EXAMPLE:

• Execute the script with an optional IP address parameter for Subject Alternative Names (SAN)
• To include IP Address (v4) as a SAN, specify the IP when prompted and press ENTER
• To have Hostname/FQDN as the only SAN, leave blank when prompted for IP and press ENTER

3. Certificate Management

• Locate the Exported Certificate: 
  • Find the exported certificate's public key within the "Documents" folder on the user's system.
• Import the Certificate: 
  • Copy and import the WSUS public key into the client's "Trusted Root Certification Authorities" store/vault.

4. Client Configuration to Connect to WSUS

• WSUS Connection via IP: 
  • Configure client systems to connect to the WSUS server using the IP address through Local Group Policy Object (GPO) or an alternative method of your preference. 
  • Use the following format for the WSUS connection: https://IPAddress:8531.

5. Client Update and Synchronization

To ensure that the client settings are updated and initiate a synchronization with the WSUS server, execute the following commands in sequence on the client system:

1. gpupdate /force /target: computer - Forces an immediate update of group policies.
2. USOClient.exe RefreshSettings - Refreshes the settings for the update client.
3. USOClient.exe StartScan - Initiates a scan for updates.
4. To search for and list available updates, use the following PowerShell command:

Examples of Different Configuration Scenarios (WSUS Management Console is accessible and running on Local/SSL TCP 8531)

1. Clients can connect to the WSUS Server via the web service URL: https://wsus-server:8531
   • Certificate Common Name: wsus-server
   • Certificate Subject Alternative Name (SAN) | DNS Name: wsus-server
2. Clients can connect to the WSUS Server via the following web service URLs: https://wsus-server:8531 & https://10.0.0.123:8531
   • Certificate Subject Alternative Name (SAN) | IP address (v4): 10.0.0.123