Microsoft 70-411 Exam – Q46

You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Windows Server Update Services server role installed.

You need to configure Windows Server Update Services (WSUS) to support Secure Sockets Layer (SSL).
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

A. From Internet Information Services (IIS) Manager, modify the connection strings of the WSUS website.
B. Install a server certificate.
C. Run the wsusutil.exe command.
D. Run the iisreset.exe command.
E. From Internet Information Services (IIS) Manager, modify the bindings of the WSUS website.

Correct Answer: B, C, E

Explanation:

Configure SSL on the WSUS server
WSUS requires two ports for SSL: one port that uses HTTPS to send encrypted metadata, and one port that uses HTTP to send updates. When you configure WSUS to use SSL, consider the following:

You cannot configure the whole WSUS website to require SSL because all traffic to the WSUS site would have to be encrypted. WSUS encrypts update metadata only. If a computer attempts to retrieve update files on the HTTPS port, the transfer will fail.

The certificate of the certification authority (CA) must be imported into the local computer Trusted Root CA store, or the Windows Server Update Service Trusted Root CA store on downstream WSUS servers. If the certificate is only imported to the Local User Trusted Root CA store, the downstream WSUS server will not be authenticated on the upstream server.

You must import the certificate to all computers that will communicate with the WSUS server. This includes all client computers, downstream servers, and computers that run the WSUS Administration Console. The certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Service Trusted Root CA store.

You can use any port for SSL. However, the port that you set up for SSL also determines the port that WSUS uses to send clear HTTP traffic.

Consider the following examples:
– If you use the industry standard port of 443 for HTTPS traffic, WSUS uses the industry standard port 80 for clear HTTP traffic.
– If you use any port other than 443 for HTTPS traffic, WSUS will send clear HTTP traffic over the port that numerically comes before the port for HTTPS. For example, if you use port 8531 for HTTPS, WSUS will use port 8530 for HTTP.

You must re-initialize ClientServicingProxy if the server name, SSL configuration, or port number are changed.

To configure SSL on the WSUS root server
1. Log on to the WSUS server by using an account that is a member of the WSUS Administrators group or the local Administrators group.
2. Go to Start, type CMD, right-click Command Prompt, and then click Run as administrator.
3. Navigate to the %ProgramFiles%\Update Services\Tools\ folder.
4. In the Command Prompt window, type the following command:
wsusutil configuressl certificateName
(Where certificateName is the DNS name of the WSUS server.)

Associate a server certificate with the SSL port/protocol binding in IIS
In Server 2012 R2 you need to launch IIS Manager and go to the root of the WSUS site. Choose Edit Bindings and edit the HTTPS binding. If you have a valid certificate, you'll be able to select it from the drop-down list.
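
A check to run after the three steps above (install the certificate, edit the HTTPS binding, run wsusutil), as an added example that is not part of the original explanation. The site name 'WSUS Administration', the DNS name, and the helper names Get-WsusHttpPort and Get-BindingPort are assumptions made for illustration.

```powershell
# Added example: run elevated on the WSUS server. Site name and DNS name are assumptions.
Import-Module WebAdministration

$SiteName = 'WSUS Administration'   # assumed name of the WSUS website in IIS
$DnsName  = 'wsus.example.test'     # placeholder for the name given to wsusutil configuressl

# Port rule from the explanation: 443 pairs with 80; any other HTTPS port N pairs with N-1.
function Get-WsusHttpPort([int]$HttpsPort) {
    if ($HttpsPort -eq 443) { 80 } else { $HttpsPort - 1 }
}

# bindingInformation has the form IP:port:hostheader; take the port field.
function Get-BindingPort($Binding) {
    if ($Binding.bindingInformation -match ':(\d+):[^:]*$') { [int]$Matches[1] }
}

$https = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $https) { throw "No HTTPS binding found on site '$SiteName'." }

$httpsPort = Get-BindingPort $https
$httpPort  = Get-WsusHttpPort $httpsPort

# Update files travel over clear HTTP, so the paired HTTP binding must still exist.
$httpPresent = [bool](Get-WebBinding -Name $SiteName -Protocol http |
    Where-Object { (Get-BindingPort $_) -eq $httpPort })

# Resolve the certificate bound to the HTTPS port from the local machine store.
$cert = $null
if ($https.certificateHash) {
    $path = 'Cert:\LocalMachine\{0}\{1}' -f $https.certificateStoreName, $https.certificateHash
    $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
}

# Chain and name check as seen from this server only; clients and downstream
# servers still need the CA certificate in their own Trusted Root CA store.
$certValid = $false
if ($cert) {
    $certValid = Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName `
        -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
}

[pscustomobject]@{
    HttpsPort           = $httpsPort
    ExpectedHttpPort    = $httpPort
    HttpBindingPresent  = $httpPresent
    CertificateFound    = [bool]$cert
    CertValidForDnsName = [bool]$certValid
    CertNotAfter        = $cert.NotAfter
}
```

A result with HttpBindingPresent or CertValidForDnsName set to False points to the binding or certificate step, not to wsusutil.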