Welcome to ISAserver.org

Publishing Internal WSUS to DMZ & External
Publishing Internal WSUS to DMZ & External - 26.Mar.2008 4:22:14 PM   
BlakeD (Posts: 22 | Joined: 8.Mar.2004 | From: Okmulgee, OK)
I have WSUS 3.0 SP1 installed on an internal server, utilizing the alternate port config (HTTP-8530 and SSL-8531).  It is utilizing an SSL cert with Subject Alternative Names for its internal and external naming identities (Update.Foo.Org and WSUS.Foo.Local). 

I am utilizing ISA 2004 SP3 with a split DNS structure.  The ISA Server itself can update without any issues.  I can connect to / update from WSUS internally using either the external or internal names.

I have two DMZ's (public IP range) off of ISA, in addition to the external "external" range.  I want to publish the WSUS server so that I can have DMZ-segment servers update from it, as well as laptops that are "on the road."  I have followed a whitepaper for the second half of that statement, but it was focused on utilizing a WSUS server published on the standard 80/443 ports.

Can someone help me figure out how to properly publish this?
Post #: 1
RE: Publishing Internal WSUS to DMZ & External - 26.Mar.2008 8:51:19 PM   
Jason Jones (Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom)
How far did you get and what didn't work?
_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to BlakeD)
Post #: 2
RE: Publishing Internal WSUS to DMZ & External - 27.Mar.2008 10:22:32 AM   
BlakeD (Posts: 22 | Joined: 8.Mar.2004 | From: Okmulgee, OK)
I have created a routed network relationship between the Internal (10.x.x.x) and DMZ (1/8 Public Class C) networks.  This did not exist prior to the start of this project.

I have also created two publishing rules using the Secure Web Server publishing wizard per the Microsoft whitepaper.  However, since I used the "Publish a Secure Web Server" wizard, it created the rules with HTTP and HTTPS - 80/443 respectively.  Since I am using the WSUS default alternative ports (HTTP 8530 & SSL 8531), this is obviously not working.  I am forwarding the original host header, and have set the option to proxy requests so they appear to come from the original client.

One rule does not require use of HTTPS, but it is limited to the /Content/* and /SelfUpdate/* internal & external paths.  HTTP requests are redirected to 8530 for this rule also.

The second rule is also forwarding the original host header, and proxying requests to appear to come from the original client.  It is set to notify HTTP users to use HTTPS instead, but does not require 128-bit encryption.  It is utilizing the /* path internally and externally.  Lastly, it is set to redirect SSL to port 8531.

The Web Listener I created is listening on specific IPs in the External and the DMZ network segments and is utilized for both rules.  It has HTTP and HTTPS enabled on ports 8530 and 8531 respectively.  I have exported the certificate from the WSUS server and imported it to ISA's store.  The web listener is using this cert.  I have no authentication methods enabled, as the whitepaper said to only allow anonymous.  I have Cookies set to always expire after 15 minutes.

If there's anything more I can list to help, please let me know.

(in reply to Jason Jones)
Post #: 3
RE: Publishing Internal WSUS to DMZ & External - 27.Mar.2008 10:28:10 AM   
Jason Jones (Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom)
So how is the WSUS client configured? What URL etc? What public names are you using in your publishing rules?


(in reply to BlakeD)
Post #: 4
RE: Publishing Internal WSUS to DMZ & External - 27.Mar.2008 10:30:19 AM   
BlakeD (Posts: 22 | Joined: 8.Mar.2004 | From: Okmulgee, OK)
https://update.foo.org:8531 for the WUServer and WUStatServer reg keys.

(in reply to Jason Jones)
Post #: 5
RE: Publishing Internal WSUS to DMZ & External - 27.Mar.2008 10:31:19 AM   
Jason Jones (Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom)
So what happens when you put this into a browser?

I assume your public names on the publishing rule match this URL?

What do you get in the ISA logs?

How are you determining when it is or isn't working?

(in reply to BlakeD)
Post #: 6
RE: Publishing Internal WSUS to DMZ & External - 27.Mar.2008 11:56:01 AM   
BlakeD (Posts: 22 | Joined: 8.Mar.2004 | From: Okmulgee, OK)
I have an entry in the DMZ test server's HOSTS file defining Update.Foo.Org as the ISA server's DMZ interface (also the def. gateway for the server). 

I've been fiddling and I am now able to browse to the site, although I am getting a warning about the cert being untrusted.  Going to try and fix that, and see if the computer will show up in WSUS's console then.

Thanks for the questions, Jason... It's helped me focus my thoughts for troubleshooting.  I'll let you know if it works after I get the Cert chain installed.

(in reply to Jason Jones)
Post #: 7
RE: Publishing Internal WSUS to DMZ & External - 27.Mar.2008 1:11:58 PM   
Jason Jones (Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom)
No probs, just trying to braindump things I would think about or check.

So I assume you issued the certs from a private/internal CA?

Your publishing rules sound ok, so hopefully this is just a trusted roots problem which is easy to solve!

(in reply to BlakeD)
Post #: 8
RE: Publishing Internal WSUS to DMZ & External - 27.Mar.2008 1:36:27 PM   
BlakeD (Posts: 22 | Joined: 8.Mar.2004 | From: Okmulgee, OK)
LOL - You replied as I was typing this!

Yes, I'm using an internal CA.  Okay, I've published the enrollment site now (=P)  and have installed the cert-chain.  I can browse to the WSUS site (Update.Foo.Org:8531) and the page is displayed properly.  Problem is now that the server isn't appearing in WSUS's console, so I don't think everything is kosher just yet...

The back of my brain says there's a WSUS tool for helping determine client connectivity... I'll look it up and see what I get from it.  When I run a WUAUCLT.EXE /DetectNow - I see a fair bit of traffic on 8531 headed for my WSUS box... I also see some traffic of another form that has me concerned (1029/1030 UDP to subnet broadcast). 

Oh the joys of inheriting systems!!

Going to back up and do some cleaning / checking... Should finish in a few hours.  Pick up then, Jason?

(in reply to Jason Jones)
Post #: 9
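The checks the thread walks through in posts 5 to 9 (the client's WUServer/WUStatServer registry values, the untrusted-certificate warning, and whether the published listener on 8531 actually reaches the WSUS site) as one added PowerShell example. This is not code from the original thread or from the Microsoft whitepaper. It assumes the URL and port given in post 5, the standard WSUS client policy location under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and a file named wuident.cab under /SelfUpdate (that file name is an assumption). Run it on the DMZ test server as an administrator.

```powershell
# Added example (not from the original thread): check a WSUS client's pointer to a
# published WSUS server and probe the published HTTPS endpoint the way the Windows
# Update agent sees it. URL, port and the /SelfUpdate path follow the thread; the
# probe file name wuident.cab under /SelfUpdate is an assumption.
param(
    [string]$ExpectedServer = "https://update.foo.org:8531"
)

# --- 1. Client-side policy: WUServer and WUStatServer must match, UseWUServer must be 1
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue

foreach ($name in "WUServer", "WUStatServer") {
    $value = $null
    if ($wu) { $value = $wu.$name }
    if ($value -ne $ExpectedServer) {
        Write-Warning "$name is '$value', expected '$ExpectedServer'"
    }
}
if (-not $au -or $au.UseWUServer -ne 1) {
    Write-Warning "AU\UseWUServer is not 1; the agent will ignore WUServer and go to Microsoft Update"
}

# --- 2. TLS probe: connect as the agent would and record *why* the certificate fails,
#        instead of just seeing "untrusted" in a browser. An untrusted issuing chain and
#        a host name missing from the Subject Alternative Names are different errors.
$uri = [Uri]$ExpectedServer
$script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:sslErrors = $errors
    return $true   # accept so the probe can continue; the error is reported below, not hidden
}

$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $uri.Host, $uri.Port
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
try {
    $ssl.AuthenticateAsClient($uri.Host)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # id-ce-subjectAltName
    Write-Host "Issuer : $($cert.Issuer)"
    Write-Host "Subject: $($cert.Subject)"
    if ($san) { Write-Host "SANs   : $($san.Format($false))" }

    $chainErr = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    $nameErr  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    if ($script:sslErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
        Write-Host "Chain  : trusted, name matches"
    }
    if ($script:sslErrors -band $chainErr) {
        Write-Warning "Chain  : not trusted - import the issuing CA chain into the machine's Trusted Root / Intermediate stores"
    }
    if ($script:sslErrors -band $nameErr) {
        Write-Warning "Name   : $($uri.Host) is not in the certificate's subject or SANs"
    }

    # --- 3. Path probe over the same connection: the ISA rule publishes /Content/* and
    #        /SelfUpdate/* anonymously, so a file under /SelfUpdate shows whether the
    #        listener on 8531 actually hands the request to the WSUS site.
    $request = "GET /SelfUpdate/wuident.cab HTTP/1.1`r`nHost: $($uri.Host):$($uri.Port)`r`nConnection: close`r`n`r`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
    $ssl.Write($bytes, 0, $bytes.Length)
    $ssl.Flush()
    $reader = New-Object System.IO.StreamReader -ArgumentList $ssl
    $status = $reader.ReadLine()
    Write-Host "HTTP   : $status"
    if ($status -notmatch " 2\d\d ") {
        Write-Warning "/SelfUpdate request did not return 2xx; check the rule's path list, the 8531 bridging and the ISA web proxy log"
    }
}
finally {
    $ssl.Close()
    $tcp.Close()
}
```

The validation callback returns $true only so the probe can keep going and print the exact SslPolicyErrors value; the Windows Update agent itself performs normal chain validation and will simply refuse the connection, so fix the trust chain on the client rather than carrying that callback into anything else. Running the same script from a laptop on the external network checks the External listener IP in the same way.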
RE: Publishing Internal WSUS to DMZ & External - 27.Mar.2008 1:51:37 PM   
Jason Jones (Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom)
Hmmm...so the publishing rules seem to be correctly passing traffic then?

I lab'd the setup described in the whitepaper, but this was using the default 80/443 configuration...however, I envisaged that using the custom ports wouldn't involve a lot of extra work (as you appear to have done too).

Don't forget that the paper was written for WSUS 2.0, but the concepts should be similar I guess...

Cheers

JJ

(in reply to BlakeD)
Post #: 10
RE: Publishing Internal WSUS to DMZ & External - 28.Mar.2008 9:37:11 AM   
BlakeD (Posts: 22 | Joined: 8.Mar.2004 | From: Okmulgee, OK)
Okay, I can browse the WSUS site via HTTP and HTTPS without errors or cert warnings.  I've even gotten the test server to register within the WSUS console.  But when I run the WSUS Client Diagnostic, I'm getting an error.

At this point, I think the issue is more WSUS than it is ISA.  But - If Jason or any of the rest of you have suggestions, I'm all ears!  I've posted a description of the issue over at WSUS.Info -  http://www.wsus.info/forums/index.php?showtopic=11502.

Hopefully these guys are as helpful as you have been!

(in reply to Jason Jones)
Post #: 11
RE: Publishing Internal WSUS to DMZ & External - 28.Mar.2008 9:40:42 AM   
Jason Jones (Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom)
Let us know how you get on...

(in reply to BlakeD)
Post #: 12
RE: Publishing Internal WSUS to DMZ & External - 28.Mar.2008 1:06:16 PM   
BlakeD (Posts: 22 | Joined: 8.Mar.2004 | From: Okmulgee, OK)
Okay, something happened last night that I don't understand.  I'd imported the root CA cert into the Trusted CA store for the test server.  I check today, and that cert is no longer there.

Anyways, I have re-imported it.  I am getting a new error from the WSUS client diagnostic, but the server is patching.  I have since repeated the process for a second DMZ server, and it too is patching from the internal WSUS.  So, WOOT! =)

Now, on to post my next server publishing / access problem.... Post inc shortly!

Thanks Jason!
--Blake

(in reply to Jason Jones)
Post #: 13
RE: Publishing Internal WSUS to DMZ & External - 28.Mar.2008 1:12:41 PM   
Jason Jones (Posts: 4663 | Joined: 30.Jul.2002 | From: United Kingdom)
quote:
ORIGINAL: BlakeD
Okay, something happened last night that I don't understand.  I'd imported the root CA cert into the Trusted CA store for the test server.  I check today, and that cert is no longer there.

Likely story!

Glad things are moving forward...

(in reply to BlakeD)
Post #: 14