wilbywilson
Posted May 5, 2014

I've been working on installing/configuring an SCCM site server in our DMZ for the past couple weeks. I've now got the necessary certificates installed on the DMZ server (I think), as well as auto-enrolled certs on the client machines.

One of the last steps is to install the SUP role into this DMZ server, but I'm having problems doing that. WSUS is already installed on the DMZ server (which is fully patched). It is configured for SSL according to the TechNet articles.

However, shortly after I attempt to install the role, I see this on the SCCM Primary monitoring console:

"WSUS Control Manager failed to configure proxy settings on the WSUS server" (I don't have any proxy settings configured, nor required.)

I also see "WSUS Control Manager failed to monitor WSUS Server"

On the DMZ server, the WSUSCtrl.log reads:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host~~
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)~~
   --- End of inner exception stack trace ---~~
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)~~
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)~~
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)~~
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)~~
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)~~
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)~~
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)~~
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)~~
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)~~
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)~~
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)~~
   at System.Net.ConnectStream.WriteHeaders(Boolean async)~~
   --- End of inner exception stack trace ---~~
   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~
   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~
   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)

I don't believe it's a firewall issue (we've temporarily opened things up between the Primary and the DMZ server while troubleshooting).

Any ideas on what else could be going wrong?

All servers are Windows 2012 R2, SCCM version is 2012 R2 CU1.

Thanks!
wilbywilson
Posted May 6, 2014

I think I got it figured out.

If you're using/requiring SSL on the Software Update Point (as I am for this DMZ server), you have to bind an SSL certificate to port 8531. I had already bound the SSL cert to port 443 as part of the documentation on configuring the DMZ's IIS site for SSL communications, but I overlooked the SSL binding for port 8531 for the "WSUS Administration Site."

Once I put that binding in and rebooted the DMZ server, I got past this error. The same IIS/SSL certificate is being used for both bindings, which works since all of this authentication is taking place on the same server (identical DNS names).

Hope this info helps someone that is requiring SSL on their Software Update Point.
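
A way to check the fix described in the thread above, as an added example that is not part of the original posts: it attempts a TLS handshake against the two ports the post names (443 and 8531) and reports which certificate each one presents. The function name Test-TlsListener and the host name dmz-sup.example.com are placeholders, and it assumes Windows PowerShell 3.0 or later run from a machine that can reach the DMZ server.

```powershell
# Added example, not from the original thread. The host name is a placeholder.
function Test-TlsListener {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port
    )
    $r = [ordered]@{ Port = $Port; Handshake = $false; PolicyErrors = $null
                     Subject = $null; Thumbprint = $null; NotAfter = $null; Error = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ComputerName, $Port)
        # Accept the certificate but record name/chain errors so they are reported.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $cert, $chain, $errors)
            $r.PolicyErrors = $errors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($ComputerName)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Handshake  = $true
        $r.Subject    = $c.Subject
        $r.Thumbprint = $c.Thumbprint
        $r.NotAfter   = $c.NotAfter
    }
    catch {
        # A listener that cannot complete TLS surfaces here, e.g. the
        # "forcibly closed by the remote host" error in the post's log.
        $r.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$r
}

$sup    = 'dmz-sup.example.com'   # placeholder FQDN of the DMZ server
$probes = 443, 8531 | ForEach-Object { Test-TlsListener -ComputerName $sup -Port $_ }
$probes | Format-Table -AutoSize

# Both ports should complete the handshake with PolicyErrors = None.
$failed = $probes | Where-Object { -not $_.Handshake -or "$($_.PolicyErrors)" -ne 'None' }
if ($failed) { Write-Warning "TLS not usable on port(s): $(($failed.Port) -join ', ')" }
```

When the same certificate is bound to both ports, as in the post, the two Thumbprint values match; a PolicyErrors value other than None points to a name or chain problem rather than a missing binding.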