Remote client not connecting with 0x80072efd error

Discussion in 'Update Services' started by Paulb, Oct 6, 2005.

  1. Paulb

    Paulb Guest

    Hi all

    I have an issue where we are attempting to be able to update remote clients'
    servers using an in-house WSUS server. I have allowed access to our WSUS
    server through our firewall. This is on port 8530.

    At a client site the server is attempting to connect to our server but
    cannot. I have tried troubleshooting the issue as follows.

    Using the ClientDiag.exe I receive the following error at checking
    connection to wsus/sus server

    VerifyWUServerURL() failed with hr=0x80072efd
    A connection with the server could not be established.

    I googled the error and got the following link

    http://support.microsoft.com/default.aspx?scid=kb;en-us;555459&sd=rss&spid=3198

    I have followed all troubleshooting suggestions in this link and still
    cannot resolve the issue.

    The "Client" is a Windows 2003 SBS running ISA/Exchange/SQL.
    I have checked the Automatically detect now settings are not checked
    The server is bypassing proxy
    I have run the proxycfg -d command
    I have backed up the registry and removed the data from the specified keys
    I have flushed the DNS cache
    I have used an IP address instead of a FQDN

    and yet I still receive this error.

    With ISA running on this server could it be possible it is that stopping the
    Svchost.exe from getting out?? The default policy on the ISA firewall is set
    to allow all out.

    Any ideas from anyone trying to set up this kind of WSUS service would be
    greatly appreciated.

    Thank you in advance

    Paul
     
    Paulb, Oct 6, 2005
    #1

  2. rcu

    rcu Guest

    Hi,

    I have a similar problem as well. I am running Win2003 Std SP1, ISA 2004
    Std SP1.

    I found to get around the problem (not permanently) was to disable web proxy
    filters for the HTTP protocol. The Auto Updates service can then get through
    to my WSUS server.

    However this didn't present a permanent solution to me as I need the web
    proxy filter for other HTTP rules (ie staff internet etc)

    So I think it must be something to do with ISA filtering/rules etc.....
     
    rcu, Oct 6, 2005
    #2

  3. Paulb

    Paulb Guest

    RCU

    Thanks for your post. Unfortunately we are not running ISA 2004 on this
    server. And as I stated in my previous post ISA is configured to let all
    traffic out. =(. Thanks for your time though, but not much help to me. I have
    actually also tried to open port 8531 (the SSL port) on our firewall to no
    effect. Is the srvhost.exe service trying to connect to certificates?? Or
    does this work on the same port? I seem to remember someone saying something
    about certificates in a paper I read but cannot remember fully, I will
    continue to troubleshoot again.
     
    Paulb, Oct 6, 2005
    #3
  4. The technical requirement for server synchronization is that both HTTP and
    HTTPS protocols must be available. By default, the WSUS server synchronizes
    on HTTPS (443) and transfers content on HTTP (80).

    Therefore you'll need to do one of two things to make this work,
    notwithstanding resolving the licensing question:

    (a) Configure your upstream server to allow connections on the default
    ports 80 and 443.

    (b) Configure the downstream server(s) to initiate connections on HTTP
    (8530) and HTTPS (8531). On the Synchronization Options page, you'll need to
    enable the option "Synchronize from an upstream source" and "Use SSL...";
    and the correct URL and port number. If the port number is not 443, then
    WSUS will automatically initiate HTTP cleartext connections on the port
    number one lower. (e.g. SSL port number is 8531, HTTP clear will initiate on
    8530).

    You'll also need to make sure that outbound access on those ports is
    available from the client(s)' firewall, as well as inbound access on both
    ports is available from your firewall.

    All of the above SSL configuration requirements are quite plainly documented
    in the WSUS Deployment Guide.

    In addition, you'll need some sort of methodology to ensure that you can
    show that only licensed systems are accessing your WSUS server across the
    Internet.

    In all probability, such an arrangement is a violation of the licensing
    requirement of WSUS, inasmuch as your company probably does not own the
    'CALs' assigned to those remote clients' servers.
     
    Lawrence Garvin, Oct 6, 2005
    #4
  5. Paulb

    Paulb Guest

    Hi Lawrence

    Thank you for the information about the SSL connections. I am not sure what
    you are on about with the other information though. As I stated in my first
    post the server is not being set up as a downstream server but is a client
    for WSUS updates. Also why would WSUS need CALs as it is a free product? I
    don't think you quite understood what I was asking, but the information
    regarding the SSL connection is still valid.
     
    Paulb, Oct 7, 2005
    #5
  6. My apologies.. I did assume that since you were trying to update clients'
    SERVERS, that those SERVERS were functioning as a /WSUS/ server within the
    confines of that client's Local Area Network.

    Nevertheless, excepting the information on how to configure a WSUS server,
    the remainder is still valid:
    (a) Everything you need is documented in the WSUS Deployment Guide.

    (b) The "Client" SBS server will need to have ISA2000 (I believe you
    said it was ISA2000 not ISA2004) configured to permit the "Local Host" to
    access your WSUS server, thus an outbound connection on port 8530 will be
    required. This is most likely the cause of the issue you have described. On
    ISA the default 'outbound' policy only permits outbound access for the
    /desktop/ systems connected to the SBS; it does not permit outbound access
    for the server itself. Outbound access for the server is granted by creating
    an access rule for the "Local Host" object.

    (c) Your firewall needs to be open on port 8530.

    As for why does WSUS, a free product, need CALs..... because it does. :)

    The /WSUS/ product is free. The permission to connect a desktop computer to
    your Windows Server is NOT free, and it's irrelevant as to whether WSUS is
    installed or not. Desktop systems require CALs to connect to a Windows
    Server. The CALs possessed by your clients in their SBS environments only
    authorize those desktop systems to connect to resources in the SBS Domain.


    Again, my strongest recommendation is to take this up with a Licensing
    specialist. If they determine I've misunderstood the situation, then please
    let ALL of us know, because I'm getting this information direct from the
    WSUS program managers, and a dozen other independent people, all of whom
    have arrived at the same interpretation.
     
    Lawrence Garvin, Oct 7, 2005
    #6
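
Added example, not part of the original thread or of any Microsoft tool: a small Python check that decodes the HRESULT from ClientDiag (0x80072efd is a Win32-facility code, 12029, "cannot connect", i.e. a transport-level failure) and probes the HTTP/HTTPS port pair using the pairing rule stated in post #4. The function names and the host name `wsus.example.test` are placeholders chosen for this illustration.

```python
import socket

# WinHTTP error values (carried as Win32 codes) that matter for update-client connectivity.
WINHTTP_ERRORS = {
    12002: "ERROR_WINHTTP_TIMEOUT",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
    12175: "ERROR_WINHTTP_SECURE_FAILURE",
}

def decode_hresult(hr):
    """Split an HRESULT into (failed, facility, code, symbolic name)."""
    hr &= 0xFFFFFFFF
    failed = bool(hr >> 31)            # severity bit
    facility = (hr >> 16) & 0x7FF      # 7 == FACILITY_WIN32
    code = hr & 0xFFFF
    name = WINHTTP_ERRORS.get(code, "unknown") if facility == 7 else "unknown"
    return failed, facility, code, name

def wsus_port_pair(ssl_port):
    """(HTTP, HTTPS) pair per post #4: 443 pairs with 80, otherwise SSL port minus one."""
    return (80, 443) if ssl_port == 443 else (ssl_port - 1, ssl_port)

def probe(host, port, timeout=3.0):
    """Attempt a TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"     # RST received: nothing listening, or a rejecting filter
    except socket.timeout:
        return "filtered"    # no answer at all: typical of a dropping firewall rule
    except OSError as exc:
        return f"error: {exc}"

def check_wsus(host, ssl_port=8531):
    """Probe both ports of the pair; run this from the machine that fails to update."""
    return {port: probe(host, port) for port in wsus_port_pair(ssl_port)}

if __name__ == "__main__":
    print(decode_hresult(0x80072EFD))
    print(check_wsus("wsus.example.test"))   # placeholder host name
```

A "filtered" or "refused" result from the SBS machine itself, combined with "open" from a desktop behind it, is consistent with the missing "Local Host" rule described in post #6.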