Configure IIS

Before installing WSUS, make sure you have Internet Information Services (IIS) installed. By default, WSUS uses the default Web site in IIS. WSUS Setup also gives you the option of creating a Web site on a custom port.

If the IIS service (W3SVC) is stopped during WSUS installation, WSUS Setup starts the service. Likewise, if you install WSUS to the default Web site and the site is stopped, WSUS Setup starts it.

To install IIS 6.0 on Windows Server 2003

  1. Click Start, point to Control Panel, and then click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. In the Components list, select Application Server. Click Details and make sure that ASP.NET is selected

  4. Click OK, click Next, and then follow the instructions on the screen.

noteNote
If this machine has been upgraded from Windows 2000, it may have the IIS 5.0 Isolation mode turned on. This must be turned off before installing WSUS 3.0.
To install IIS 7.0 on Windows Server 2008

  1. Start the Server Manager (click Start, click Run, and then type CompMgmtLauncher).

  2. In the tree view, select Roles, then in the Roles pane click Add Roles.

  3. In the Add Roles Wizard, click Select Server Roles, select the Web Service (IIS) check box, click Next, and then click Next again.

    At this time you may see a message box Add features required for Web Server (IIS)? Click Add Required Features.

  4. In the Select Role Services window, make sure that the following services are selected:

    • Common HTTP Features (including Static Content)
    • ASP.NET, ISAPI Extensions, and ISAPI Features (under Application Development)
    • Windows Authentication (under Security)
    • IIS Metabase Compatibility (under Management Tools, expand IIS 6 Management Compatibility)

  5. Click Next, and then review your selections.

  6. Click Install.

Configuring IIS 7.0

After installing IIS 7.0 on Windows Server 2008, you will need to update the IIS configuration file.

1. Open the IIS configuration file: %WINDIR%\system32\inetsrv\applicationhost.config

2. In the <system.webServer><modules> tag, remove <add name="CustomErrorModule">, if it is present.

3. In the <system.webServer><modules> tag, add <remove name="CustomErrorModule">.

The resulting tag should look like this:

      <system.webServer>
<modules>
<remove name="CustomErrorModule">
</modules>
</system.webServer>

Client self-update

WSUS uses IIS to update most client computers automatically to WSUS-compatible Automatic Updates software. To accomplish this, WSUS Setup creates a virtual directory named Selfupdate under the Web site running on port 80 of the WSUS server. This virtual directory, called the self-update tree, contains the WSUS-compatible Automatic Updates software.

Using the WSUS custom Web site

If you configure WSUS on a custom port, you must have a Web site running on port 80. The Web site on port 80 does not have to be dedicated to WSUS. In fact, WSUS uses the site on port 80 only to host the self-update tree.

Malicious programs can target port 80 for HTTP traffic. If WSUS is using a custom port, you can temporarily shut down port 80 throughout your network, but still be able to distribute updates to combat malicious programs.

If you already have a Web site on the computer where you intend to install WSUS, you should use the setup option for creating a custom Web site. This option puts the WSUS Web site on port 8530. This port is not configurable.

noteNote
If you change the WSUS port number after WSUS installation, you must manually restart the IIS service.

Accessing WSUS on a custom port

If WSUS is using a custom port to communicate with clients, you must use a custom URL to access the WSUS Web service. Use the following instructions to configure WSUS when it is running on port 8530.

  • Include a custom port number in the URL directing the client computer to the WSUS server (for example, http://WSUSServerName:portnumber).
  • For more information about pointing client computers to the WSUS server, see Determine a Method to Configure Clients later in this guide.
  • If you set up any WSUS servers downstream from a server that uses a custom port number, you must enter the custom port number when configuring the source server settings on the downstream WSUS server.
  • You can find instructions for connecting a downstream WSUS server to an upstream WSUS server in Set Up a Hierarchy of WSUS Servers.

Using host headers

If you decide to use host headers, you should run the configuressl command after configuring WSUS. If you do not do so, WSUS Reporters may not be able to access the WSUS server.

noteNote
If you assign host header values to the default Web site, you might interfere with Windows® SharePoint® Services and Exchange functionality.
To run the configuress1 command

  1. Open a command window.

  2. Navigate to the WSUS Tools directory:

    cdWSUSInstallDir\Tools

    where WSUSInstallDir is the directory in which WSUS is installed.

  3. Type the following command:

    Wsusutil configuressl

noteNote
The configuressl command sets both the host header name and the server certificate name.
Tags :


Community Content

Thomas Lee
Configuring IIS 7.0...
Topic: Editing the application.config file...<br /><br />Found that at <mtps:InstrumentedLink NavigateUrl="http://www.eggheadcafe.com/software/aspnet/32171676/configuring-iis-7-on-serv.aspx" runat="server" xmlns:mtps="http://msdn2.microsoft.com/mtps">http://www.eggheadcafe.com/software/aspnet/32171676/configuring-iis-7-on-serv.aspx</mtps:InstrumentedLink><mtps:InstrumentedLink NavigateUrl="http://www.eggheadcafe.com" runat="server" xmlns:mtps="http://msdn2.microsoft.com/mtps">,<br />contributed by<br />Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP, Senior Data Architect, APQC, Houston, Texas<br />Microsoft MVP - Software Distribution (2005-2008)<br /><br />......<br />this is not an issue (editing the application.config file - Ann. by C.G.) that affects any normal operation of WSUS. It ensures that the module "CustomErrorModule" is *not* loaded for this application.<br />...<br />=IF= an error is thrown by the WSUS services (which use ASP.NET v2.0), the 'client' would get the "Custom" error messages -- which are pretty useless to a services-based client. Net total effect, the IIS Server sends a bunch of "information" back across the wire that is totally useless to the Windows Update Agent.<br />...<br />The "CustomErrorModule" is designed for interactive applications, where a human would read the error information in the browser, and be able to respond accordingly.<br />...<br />(Simplify file modification - Ann. by C.G.) ...change the word "add" to "remove", and you're done.<br /></mtps:InstrumentedLink>

Thomas Lee
Configuring IIS 7.0, editing application.config file
Topic: Editing the application.config file...<br /><br />Found that at <mtps:InstrumentedLink NavigateUrl="http://www.eggheadcafe.com/software/aspnet/32171676/configuring-iis-7-on-serv.aspx" runat="server" xmlns:mtps="http://msdn2.microsoft.com/mtps">http://www.eggheadcafe.com/software/aspnet/32171676/configuring-iis-7-on-serv.aspx</mtps:InstrumentedLink><mtps:InstrumentedLink NavigateUrl="http://www.eggheadcafe.com/" runat="server" xmlns:mtps="http://msdn2.microsoft.com/mtps">,<br />contributed by<br />Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP, Senior Data Architect, APQC, Houston, Texas<br />Microsoft MVP - Software Distribution (2005-2008)<br /><br />...<br />this is not an issue (editing the application.config file - Ann. by C.G.) that affects any normal operation of WSUS. It ensures that the module "CustomErrorModule" is *not* loaded for this application.<br />...<br />=IF= an error is thrown by the WSUS services (which use ASP.NET v2.0), the 'client' would get the "Custom" error messages -- which are pretty useless to a services-based client. Net total effect, the IIS Server sends a bunch of "information" back across the wire that is totally useless to the Windows Update Agent.<br />...<br />The "CustomErrorModule" is designed for interactive applications, where a human would read the error information in the browser, and be able to respond accordingly.<br />...<br />(Simplify file modification - Ann. by C.G.) ...change the word "add" to "remove", and you're done.<br /></mtps:InstrumentedLink>

Stians
You need to add...
Install IIS 7 with the server manager and this role features:<br /> - Common HTTP Features<br /> - ASP.NET, ISAPI Extensions, ISAPI Filters<br /> - Windows Authentication<br /> - IIS 6 Metabase Compatibility<p> </p><p>You don't need to edit the applicationhost.config file<br /></p>
Tags : contentbug

Thomas Lee
Another Typo....
<li> <b>ASP.NET</b>, <b>ISAPI Extensions</b>, and <b>ISAPI <i>Features</i></b> (under <b>Application Development</b>)<br /></li> <p>should read....</p> <li> <b>ASP.NET</b>, <b>ISAPI Extensions</b>, and <b>ISAPI <i>Filters</i></b>(under <b>Application Development</b>)<br /></li>
Tags : contentbug

Freekv
config file in the config directory
<p>On Windows Server 2008 x64 I found the applicationhost.config file in the following directory: </p> <p>C:\Windows\System32\inetsrv\config</p> <p>Enjoy</p>
Tags :

Thomas Lee
typo
<p>In "Using host headers" section the line "To run the configuress1 command" should be "To run the configuressl command" with lowercase "L", not numeral "1".</p>
Tags : contentbug

Page view tracker