Change Default Web site port - now clients fail to appear in Conso

Discussion in 'Update Services' started by LeaUK, Mar 15, 2010.

  1. LeaUK

    LeaUK Guest

    Using just HTTP currently.

    I wanted to use a non-standard port for clients to connect, so uninstalled
    WSUS (leaving database etc) and reinstalled and changed option such that
    Console created two web sites. I chose port 8530 as it was the only option.

    My understanding is I can now modify the default port 80 for the 'default'
    IIS website to what I require.

    I've done this and ensured that clients have new connection string

    I've confirmed that client connects to the WSUS server over this new port
    number using TCPView (Sysinternals). Clients can also connect to
    http://WSUSServer:1234/ and download the file OK.

    BUT, they are not showing in the console.

    I've even reset the hardware ID:

    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f

    @echo Triggering detection after resetting WSUS client identity
    net stop wuauserv
    net start wuauserv
    wuauclt /resetauthorization /detectnow

    But still nothing!

    What have I done wrong?

    LeaUK, Mar 15, 2010

  2. LeaUK

    LeaUK Guest

    Additional info:

    In IIS I see two sites: Default and WSUS Admin

    WSUS admin runs on 8531 and is used by the MMC snap-in (which needs to know
    this port) - no problem there.

    I changed the default port in IIS to 1234 (example)

    I changed the reg entries of the client to point to http://WSUS_Server:1234

    I can confirm connection from client to WSUS_server using TCPView/Netstat
    using the new port number.

    Yet the client will NOT appear in WSUS :(

    In trying to debug I've changed the client's Hardware Credentials and run
    wuauclt.exe /detectnow (which has always worked well previously).

    Sometimes it's all too difficult!

    Any advice more than welcome.

    LeaUK, Mar 16, 2010

  3. LeaUK

    LeaUK Guest

    For clarity:

    I changed the default site port in IIS to 1234 (example)

    I think I'm either reading the WSUS documentation incorrectly or custom ports
    are just not feasible.

    The IIS log highlights the issue as it is full of 404 errors to pages in the
    WSUS Admin web site.

    I changed the client's registry to use http://WSUS_Server:8530 and voila
    they appear in the console fine.

    So why does the WSUS doc say that it can run with custom can't :(

    The edge firewall needs to allow port 80 and 8530 and presumably 8531 for
    https (haven't even got there yet)

    From the docs, my confusion is this line:

    Include a custom port number in the URL directing the client computer to the
    WSUS server (for example, http://WSUSServerName:portnumber).

    'portnumber' cannot be custom, it has to be 8530!

    LeaUK, Mar 16, 2010
  4. LeaUK

    LeaUK Guest

    Perhaps this has turned into LeaUK's blog for WSUS - sorry..

    Something very interesting...

    Although WSUS requires a default IIS site on port 80, clients do NOT use it
    - I guess it's something internal to WSUS.

    Using TCPView I can see that clients only use the custom port in the
    registry (8530):


    I even removed the ISA port 80 FW policy and everything still works fine :)

    Making good progress now :)
    LeaUK, Mar 16, 2010
  5. Depending on the OS, freshly installed clients may use this port for the initial
    self-update of the Windows Update Agent. Early versions of the agent only
    supported port 80.

    My understanding is that you should be able to change the port from 8530 to
    something else, but you need to change the site that's on 8530 rather than the
    Default Web Site on port 80.

    Harry Johnston [MVP], Mar 16, 2010
  6. LeaUK

    Dave Mills Guest

    Your other thread is titled WSUS 3 SP2 so I presume this is your version. WSUS 3
    has no admin web site.
    I do not think you can do this. The self update site must be on port 80 if older
    XP clients are to self update. I don't see anywhere what client and SP level you
    are using.
    Dave Mills, Mar 16, 2010
  7. Yes it does, it just isn't human-viewable. The admin console uses HTTP(s) to
    talk to WSUS.

    Harry Johnston [MVP], Mar 17, 2010
  8. LeaUK

    LeaUK Guest

    Thanks for the clarification. The documentation is ambiguous, but my
    testing has revealed port 80 is required internally by WSUS (to enumerate
    clients into the console) but isn't used by the actual client connection
    (WUA) when running XP SP2. I cannot confirm for elder OSs or SP levels.

    I'll see if I can change the WSUS Administration IIS site to something other
    than 8530... I suspect I can ;-)

    LeaUK, Mar 17, 2010
  9. LeaUK

    LeaUK Guest

    Hi Dave, yes WSUS v3 SP2 - well spotted!

    IIS shows two distinct sites when WSUS is installed using the non-default
    IIS setting (I forget their terminology).

    Essentially it creates two Virtual web sites beneath the 'Default Web Site'
    which has to run on port 80 and creates a new web site 'WSUS Administration'
    (and by default on port 8530) but there is no web admin console as previous

    I think this port can be changed, but testing will show later..

    LeaUK, Mar 17, 2010
  10. I'm not sure what testing you've performed, but here's the factual summary
    of the use of the Default Web Site:

    The DWS is used by any AU client v5.8.3700.1000 (I vaguely recall that as
    the exact build number), but essentially anything below v5.8.x.x that is not
    capable of connecting with SSL or with a port other than port 80. The older
    AU client could only connect on port 80 using a non-SSL connection. The
    service on the Default Web Site is provided solely for the purpose of
    allowing the AU client to 'selfupdate' to the latest WUAgent (distributed by
    the WSUS server). As a secondary function of the AU client connecting to
    selfupdate, the client machine is registered with the WSUS server and
    reports as "No Status" for all updates until the selfupdate is completed and
    a subsequent detection is performed.

    It is not WSUS that requires port 80, but solely the legacy AU clients that
    shipped with Windows 2000 and Windows XP.

    For Windows Server 2003 SP1 and later systems, nary a single packet of
    traffic passes across port 80 if the WSUS server is configured to use port
    8530 -- except if the Client Diagnostic Tool is used. The CDT *always*
    checks for selfupdate functionality on port 80 and never on port 8530.

    While not impossible, this requires a solid understanding of the internals
    of the operation of the WSUS server, as well as reconfiguration of some
    items not documented; furthermore, while not impossible, operating a WSUS
    server on ports other than 8530 or 80 is not a supported configuration.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)

    Lawrence Garvin [MVP], Mar 17, 2010
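
An added example, not part of any post in this thread: a Python script that reads an IIS W3C log and lists the clients whose WSUS web-service calls returned 404, the symptom reported earlier in the thread and consistent with the explanation above that the Default Web Site only serves selfupdate. The log lines, IP addresses and field selection are constructed; the three path prefixes are the standard WSUS virtual directory names, assumed here to exist only on the port 8530 site.

```python
from collections import Counter

# Virtual directories the Windows Update Agent calls to register and report.
# Assumption: in a two-site install they exist only on the WSUS site (8530).
WSUS_SERVICE_PREFIXES = (
    "/clientwebservice/",
    "/simpleauthwebservice/",
    "/reportingwebservice/",
)

# Constructed sample: IIS W3C extended log after the Default Web Site
# was moved to port 1234 and one client was pointed at it.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status
2010-03-16 09:01:12 HEAD /selfupdate/wuident.cab 1234 10.0.0.21 200
2010-03-16 09:01:13 POST /ClientWebService/client.asmx 1234 10.0.0.21 404
2010-03-16 09:01:13 POST /SimpleAuthWebService/SimpleAuth.asmx 1234 10.0.0.21 404
2010-03-16 09:05:40 POST /ClientWebService/client.asmx 8530 10.0.0.22 200
2010-03-16 09:05:41 POST /ReportingWebService/ReportingWebService.asmx 8530 10.0.0.22 200
2010-03-16 09:07:02 GET /favicon.ico 1234 10.0.0.30 404
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the directive can recur mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated lines
                yield dict(zip(fields, values))

def misrouted_clients(records):
    """Count 404s on WSUS service paths per (client IP, server port)."""
    hits = Counter()
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        if r.get("sc-status") == "404" and stem.startswith(WSUS_SERVICE_PREFIXES):
            hits[(r["c-ip"], r["s-port"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (ip, port), n in misrouted_clients(parse_w3c(SAMPLE_LOG)).items():
        print(f"{ip} -> port {port}: {n} WSUS service call(s) returned 404")
```

A client that shows up here can reach the server and fetch the selfupdate files, yet never registers, because its configured URL points at a site that does not host the web services.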
  11. LeaUK

    Dave Mills Guest

    Thanks for the info. I thought you were referring to the web admin console. My
    own installation is on the default port and I am struggling with W2008 R2 which
    is a good bit different.
    Dave Mills, Mar 18, 2010