WSUS and HTTPS

Hi all

As usual, what I think is a pretty non-standard question (sorry). This comes from a customer with some pretty specific security requirements, so please bear with this, and only respond to it rather than question the rationale behind it.

So the ideal design from the security authority is 

Windows Server 2012 R2 , SCCM 2012 R2

MS Updates -HTTPS-> WSUS workgroup Server in DMZ -HTTPS-> WSUS on SCCM primary site server (not DMZ) -HTTP-> Clients

We really don't want to use certificates for clients, so is the above actually possible?

They may accept this as an alternative 

MS Updates -HTTPS-> WSUS workgroup Server in DMZ -HTTP-> WSUS on SCCM primary site server -HTTP-> Clients

Would that work? My obvious gut feel is that once you use HTTPS on one WSUS, it can only communicate with another WSUS server over HTTPS?

HUGE thanks for your time 

Nick B

May 20th, 2015 12:45pm

If you require HTTPS on the top-level WSUS, you basically require HTTPS on all the lower-level WSUS. Once HTTPS is required, everything needs to connect via HTTPS. Clients and servers.

Using HTTPS, means using certificates.

May 20th, 2015 2:21pm

Why? Who cares if the publicly available update catalog is downloaded securely or not?
May 20th, 2015 3:31pm

point of clarification..............

HTTP/HTTPS- is catalogue metadata download only ?

May 21st, 2015 3:58am

WSUS is only used for its catalogue metadata.
May 21st, 2015 5:03am

sorry - folks - got it now -  HTTPS is only metadata, not used for file downloads............ of course!

thanks - sorry to waste your time


May 21st, 2015 5:29am

Even if it were file downloads though, who cares? The update binaries are also publicly available. They are signed by Microsoft (just like the catalog is) to prevent tampering.
May 21st, 2015 10:11am
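
The two things this thread turns on, the scheme a client uses to reach WSUS and the signatures on the update binaries, can both be checked from PowerShell. This is an added example, not part of the original thread; the content path `D:\WSUS\WsusContent` and the function name `Test-UpdateSignature` are assumptions to adjust for your own server.

```powershell
# Added example. $ContentPath is an assumed location; pass the WsusContent
# folder your WSUS server actually uses.
param(
    [string]$ContentPath = 'D:\WSUS\WsusContent'
)

# 1. Report whether this machine is pointed at WSUS over HTTP or HTTPS.
#    WUServer is the policy value set by the "Specify intranet Microsoft
#    update service location" group policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.WUServer) {
    $scheme = ([uri]$policy.WUServer).Scheme
    Write-Output "WUServer: $($policy.WUServer) (scheme: $scheme)"
} else {
    Write-Output 'No WUServer policy value found on this machine.'
}

# 2. Check the Authenticode signature on each downloaded update file and
#    record whether it is valid and issued to Microsoft Corporation.
function Test-UpdateSignature {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include *.cab, *.exe, *.msu, *.msi, *.msp |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            [pscustomobject]@{
                File            = $_.FullName
                Status          = $sig.Status
                Signer          = $signer
                MicrosoftSigned = ($sig.Status -eq 'Valid' -and
                                   $signer -match 'O=Microsoft Corporation')
            }
        }
}

if (Test-Path -Path $ContentPath) {
    $results = @(Test-UpdateSignature -Path $ContentPath)
    # Summary by signature status, then every file that did not verify
    # as validly signed by Microsoft.
    $results | Group-Object -Property Status | Select-Object Name, Count
    $results | Where-Object { -not $_.MicrosoftSigned } |
        Select-Object File, Status, Signer
} else {
    Write-Output "Content path not found: $ContentPath"
}
```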

This topic is archived. No further replies will be accepted.
