WoodyW Posted May 17, 2016

Hi,

Firstly, thanks Niall and all the contributors for this great website, it's been a really useful resource over the years.

The Primary Site server has a DP, MP and SUP role which are set to Intranet client only using HTTP. I'm looking at setting up a Remote Site System in the DMZ for management of Internet-based clients. Both servers are running Windows Server 2012 R2.

I've duplicated the certificate templates based on the TechNet step-by-step guide and have enrolled them. (I left the Subject blank, and entered both the Intranet and Internet FQDN, despite this server only expecting to manage Internet clients.) The Site System Properties have been configured with both the server's Intranet FQDN and Internet FQDN (which has been registered in public DNS). The Default Web Site has the Web Server certificate bound to port 443. The MP and DP roles have been installed and set to 'Allow Internet-only connections', and although I haven't had a chance to test with a client yet, judging by the logs they appear to be working as expected.

Despite this, I have some questions over configuring WSUS and the SUP for SSL. Would someone be able to clarify the following, as the information I've found in various blogs and on TechNet is useful but seems inconsistent:

- I understand that I can use the same Web Server certificate which is bound to the Default Web Site on the WSUS Administration website (on port 8531), but when requesting the Web Server certificate and entering the "More information is required to enroll for this certificate" details, should Subject have been populated with the internal server FQDN, the Internet FQDN, or left blank?
- If the SUP will only be servicing Internet clients, what needed to go in the Alternative Name? Only the Internet FQDN, or the Internet FQDN and the Intranet FQDN?
- Given that the Internet FQDN and Intranet FQDN are different, when running the WSUSUTIL CONFIGURESSL command, should the internal or external FQDN be entered?

Thanks.
wilbywilson Posted May 19, 2016

Woody, it's been a couple of years since I set up IBCM, but I posted a thread with some links and comments to help others: https://www.windows-noob.com/forums/topic/10630-ibcm-deployment-results/?hl=ibcm

Hopefully this helps you out. I don't have direct access to the SCCM infrastructure that I helped to configure anymore, so I can't answer your questions specifically.
Peter van der Woude Posted May 20, 2016

- You can use the same web server certificate.
- The software update point requires the internal FQDN and the Internet FQDN; they can both be in the alternative name. They are both required: the internal FQDN for configuration and the Internet FQDN for the clients.
- To my knowledge, the Internet FQDN.
WoodyW Posted May 23, 2016

Thanks for the replies, much appreciated. I should get a chance to test during the week and will let you know how I get on.
WoodyW Posted June 1, 2016

Managed to test this. Using the same Web Server certificate I'd bound to the Default Web Site (Subject left blank, entered both the Intranet and Internet FQDN; Internet was first, not sure that this matters), I ran WSUSUTIL CONFIGURESSL specifying the Internet FQDN and then added the SUP role. The following was logged in WCM.log:

Attempting connection to local WSUS server SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)
System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()
   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)
Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)
Attempting connection to local WSUS server SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)
System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()
   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)
Failures reported during periodic health check by the WSUS Server servername.domain.com. Will retry check in 1 minutes SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)

Re-running WSUSUTIL CONFIGURESSL specifying the Intranet FQDN allowed WSUS to be configured by the SUP and for a synchronisation to take place on the Internet-facing SUP.

Confirmed that Internet-based clients could scan successfully against the SUP. Thanks again for your help with this.
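The configuration the thread lands on (one web server certificate carrying both the intranet and the Internet FQDN as SANs, bound to the WSUS SSL port; WSUSUTIL CONFIGURESSL run with the intranet FQDN, which is the name WCM.log connects with; Internet clients reaching the Internet FQDN) can be checked from the DMZ site system with the PowerShell below. This is an added example, not code from the original posts. It assumes the WebAdministration module, the default WSUS SSL port 8531, that the registry key HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup holds the UsingSSL and ServerCertificateName values written by WSUSUTIL CONFIGURESSL, an English-language OS (the SAN extension is parsed from its "DNS Name=" text rendering), and placeholder FQDNs that you replace with your own.

```powershell
# Added example, not from the original thread. Run on the DMZ site system as an
# administrator. The two FQDNs and the registry layout are assumptions; adjust to match.
Import-Module WebAdministration

$IntranetFqdn = 'sccmdmz01.corp.example.com'   # assumed: name the site server / WCM.log uses
$InternetFqdn = 'updates.example.com'          # assumed: public DNS name Internet clients use
$SslPort      = 8531                           # default WSUS SSL port

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the Subject Alternative Name extension. Format($true) renders one
    # "DNS Name=host" entry per line on an English Windows install (assumption).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    # Open a TLS session the way a client would and capture the leaf certificate the
    # server presents. Validation is bypassed on purpose: we only inspect the cert here.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. The certificate bound to 0.0.0.0:8531 must carry BOTH names as SANs and be valid.
$binding = Get-Item "IIS:\SslBindings\0.0.0.0!$SslPort" -ErrorAction Stop
$bound   = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"
$sans    = Get-SanDnsNames -Cert $bound
foreach ($name in @($IntranetFqdn, $InternetFqdn)) {
    Add-Finding "SAN contains $name" ($sans -contains $name) ("SANs: " + ($sans -join ', '))
}
Add-Finding 'Bound cert not expired' ($bound.NotAfter -gt (Get-Date)) "NotAfter=$($bound.NotAfter)"

# 2. WSUSUTIL CONFIGURESSL must have been run with the INTRANET FQDN. WCM connects
#    to WSUS by that name, and a mismatch is what produced the 401 loop in the thread.
#    (Registry value names below are an assumption about where wsusutil stores them.)
$setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
Add-Finding 'WSUS UsingSSL flag' ([int]$setup.UsingSSL -eq 1) "UsingSSL=$($setup.UsingSSL)"
Add-Finding 'configuressl used intranet FQDN' ($setup.ServerCertificateName -eq $IntranetFqdn) `
    "ServerCertificateName=$($setup.ServerCertificateName)"

# 3. Both names must actually be served with the bound certificate over TLS, and the
#    served certificate must list the name that was connected to.
foreach ($name in @($IntranetFqdn, $InternetFqdn)) {
    $check = "TLS to ${name}:$SslPort serves bound cert"
    try {
        $served = Get-ServedCertificate -HostName $name -Port $SslPort
        $ok = ($served.Thumbprint -eq $bound.Thumbprint) -and ((Get-SanDnsNames -Cert $served) -contains $name)
        Add-Finding $check $ok "Thumbprint=$($served.Thumbprint)"
    } catch {
        Add-Finding $check $false $_.Exception.Message
    }
}

$findings | Format-Table -AutoSize
if ($findings.Pass -contains $false) { exit 1 }
```

The third check only passes for the Internet FQDN if that public name resolves and routes to the DMZ server from where the script runs; if it does not (no hairpin NAT, split DNS), run that part from an outside host, or temporarily point the name at the server in the local hosts file. A non-zero exit on any failed row makes the script usable as a post-change gate after re-running WSUSUTIL CONFIGURESSL or renewing the certificate.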