Step 3: Configure the network connections

 

Applies To: Windows Server Update Services, Windows Small Business Server 2011 Standard, Windows Server 2008 R2, Windows Server 2003 with SP2, Windows Server 2008 R2 with SP1

After you install WSUS 3.0 SP2 in Step 2: Install WSUS Server or Administration Console, the configuration wizard launches automatically. You can also run the wizard later through the Options page of the WSUS Administration Console.

Before you start the configuration process, be sure that you know the answers to the following questions:

  1. Is the server's firewall configured to allow clients to access the server?

  2. Can this computer connect to the upstream server (such as Microsoft Update)?

  3. Do you have the name of the proxy server and the user credentials for the proxy server, if you need them?

By default, WSUS 3.0 SP2 is configured to use Microsoft Update as the location from which to obtain updates. If you have a proxy server on the network, you can configure WSUS to use the proxy server. If there is a corporate firewall between WSUS and the Internet, you might have to configure the firewall to ensure that WSUS can obtain updates.

Note

Although Internet connectivity is required to download updates from Microsoft Update, WSUS offers you the ability to import updates onto networks that are not connected to the Internet.

Step 3 contains the following procedures:

  • Configure your firewall.

  • Specify the way this server will obtain updates (either from Microsoft Update or from another WSUS server).

  • Configure proxy server settings, so that WSUS can obtain updates.

To configure your firewall

  • If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure that WSUS can obtain updates. To obtain updates from Microsoft Update, the WSUS server uses port 80 for HTTP and port 443 for HTTPS. This is not configurable.

  • Some firewalls on the market still require access rules to be configured by using IP addresses rather than DNS names. For technical and security reasons, we do not release the IP address range; our official recommendation is therefore to create an exclusion list by using the names that are specified in KB 896226. If your firewall does not support an exception list with DNS names, the other option is to use two WSUS servers. Place one server inside the corporate firewall and place the other server in the perimeter network. Configure the firewall to allow the server located in the perimeter network to communicate with the internal WSUS server. The perimeter WSUS server can then receive updates from the Windows Update domains, the internal WSUS server can receive updates from the perimeter WSUS server, and the client computers (and any other WSUS servers) can receive updates from the internal server.

  • If your organization does not allow the required ports and protocols to be open to all Internet addresses, you can restrict access to specific domains. For more information, see the following Microsoft Support articles:

Note

These instructions about how to configure the firewall are meant for a corporate firewall positioned between WSUS and the Internet. Because WSUS initiates all of its network traffic, you do not have to configure Windows Firewall on the WSUS server.

Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port.

The next two procedures assume that you are using the Configuration Wizard. In a later section in this step, you will learn how to start the WSUS Administration snap-in and configure the server through the Options page.

To specify the way this server will obtain updates

  1. From the configuration wizard, after joining the Microsoft Improvement Program, click Next to select the upstream server.

  2. If you choose to synchronize from Microsoft Update, you are finished with the Options page. Click Next, or select Specify Proxy Server from the navigation pane.

  3. If you choose to synchronize from another WSUS server, specify the server name and the port on which this server will communicate with the upstream server.

  4. To use SSL, select the Use SSL when synchronizing update information check box. In that case the servers will use port 443 for synchronization. (Make sure that both this server and the upstream server support SSL.)

  5. If this is a replica server, select the This is a replica of the upstream server check box.

  6. At this point, you are finished with upstream server configuration. Click Next, or select Specify proxy server from the left navigation pane.

To configure proxy server settings

  1. On the Specify Proxy Server page of the configuration wizard, select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes.

  2. If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. If you want to enable basic authentication for the user connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box.

  3. At this point, you are finished with proxy server configuration. Click Next to go to the next page, where you can start to set up the synchronization process.

The following two procedures assume that you are using the WSUS Administration snap-in for configuration. These two procedures show how to start the WSUS Administration snap-in and configure the server from the Options page.

To start the WSUS Administration Console

  • To start the WSUS Administration Console, click Start, point to All Programs, point to Administrative Tools, and then click Windows Server Update Services 3.0.

Note

In order to use all the features of the console, log on as a member of either the WSUS Administrators or the Local Administrators security groups on the server on which WSUS is installed. Members of the WSUS Reporters security group have read-only access to the console.

To specify an update source and proxy server

  1. On the WSUS console, click Options in the left pane under the name of this server, and then click Update Source and Proxy Server in the middle pane.

    A dialog box will be displayed with Update Source and Proxy Server tabs.

  2. In the Update Source tab, select the location from which this server will obtain updates. If you choose to synchronize from Microsoft Update (the default), you are finished with this wizard page.

  3. If you choose to synchronize from another WSUS server, you have to specify the port on which the servers will communicate (the default is port 80). If you select a different port, you should ensure that both servers can use that port.

  4. You may also specify whether to use SSL when synchronizing from the upstream WSUS server. In that case, the servers will use port 443 to synchronize from the upstream server.

  5. If this server is a replica of the second WSUS server, select the This is a replica of the upstream server check box. In this case all updates must be approved on the upstream WSUS server only.

  6. In the Proxy server tab, select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes.

  7. If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. If you want to enable basic authentication for the user connecting to the proxy server, select the Allow basic authentication (password in cleartext) check box.

  8. Click OK to save these settings.
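
The update source and proxy choices made in the procedures above can be reviewed from PowerShell, which makes it easy to spot synchronization without SSL or a proxy password that can travel in cleartext. This is an added example, not part of the original page or of WSUS itself: the function name Get-WsusSyncFinding, the host names and the account are constructed, and the property names come from the WSUS administration API (Microsoft.UpdateServices.Administration) rather than from this page.

```powershell
# Added example (not from the original page). Read-only audit of the WSUS
# update source and proxy settings. Written for PowerShell 2.0 and later.
function Get-WsusSyncFinding {
    param([Parameter(Mandatory = $true)] $Config)

    $findings = @()
    if (-not $Config.SyncFromMicrosoftUpdate) {
        # Upstream is another WSUS server: check the SSL and replica choices.
        $upstream = '{0}:{1}' -f $Config.UpstreamWsusServerName,
                                 $Config.UpstreamWsusServerPortNumber
        if (-not $Config.UpstreamWsusServerUseSsl) {
            $findings += "WARN  Synchronization with $upstream does not use SSL."
        }
        if ($Config.IsReplicaServer) {
            $findings += "INFO  Replica server: updates are approved on $upstream only."
        }
    }
    if ($Config.UseProxy) {
        $proxy = '{0}:{1}' -f $Config.ProxyName, $Config.ProxyServerPort
        if ($Config.AnonymousProxyAccess) {
            $findings += "INFO  Proxy $proxy is used without user credentials."
        }
        elseif ($Config.AllowProxyCredentialsOverNonSsl) {
            # Corresponds to the "Allow basic authentication" check box.
            $findings += "WARN  Basic authentication allowed: the password for " +
                "$($Config.ProxyUserDomain)\$($Config.ProxyUserName) can be sent to $proxy in cleartext."
        }
    }
    ,$findings   # always return an array, even when it is empty
}

# Constructed sample that mirrors the Update Source and Proxy Server tabs.
$sample = New-Object PSObject -Property @{
    SyncFromMicrosoftUpdate = $false; UpstreamWsusServerName = 'wsus-upstream.example.test'
    UpstreamWsusServerPortNumber = 80; UpstreamWsusServerUseSsl = $false
    IsReplicaServer = $true
    UseProxy = $true; ProxyName = 'proxy.example.test'; ProxyServerPort = 80
    AnonymousProxyAccess = $false; AllowProxyCredentialsOverNonSsl = $true
    ProxyUserDomain = 'EXAMPLE'; ProxyUserName = 'svc-wsus'
}
Get-WsusSyncFinding -Config $sample

# On a WSUS server, audit the live configuration instead:
# [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
# $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
# Get-WsusSyncFinding -Config $wsus.GetConfiguration()
```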

Next step

Step 4: Configure updates and synchronization