WSUS (Windows Server Update Services) enables enterprise administrators to manage and distribute critical and important updates to Windows computers. A WSUS Server can be configured to pull updates from Microsoft Update Servers or from a root WSUS Server configured in an organization network.
A WSUS Server that is configured in an organization’s network as an update source is always called an Upstream Server. All other WSUS Servers that are configured to talk to an upstream WSUS Server are called downstream WSUS servers.
Generally, downstream WSUS servers are located at branch locations and become the authoritative source for distributing updates to Windows client computers.
Do I need to download WSUS from Microsoft’s Site?
In earlier versions of Windows, you had to download WSUS software directly from Microsoft’s site. But in Windows Server 2012 and later versions, WSUS ships as a server role and can be installed from the Server Manager.
WSUS on Windows Server 2012 R2 includes Windows PowerShell cmdlets that can be used to manage WSUS administrative or repetitive tasks from a command prompt. Before you install WSUS Server on a Windows Server 2012 or later operating system, make sure to first install .NET Framework 4.0. Note also that the account you plan to use to install WSUS Server must be a member of the local Administrators group on the server where the WSUS Server role is installed.
Which Network Ports Are Used by WSUS?
There are two types of WSUS communication occurring: communication between upstream and downstream WSUS Servers and communication from upstream WSUS Servers to Microsoft Update Servers. Microsoft changed the way WSUS Servers used to communicate with each other in WSUS 6.2 on Windows Server 2012.
In earlier versions, such as WSUS 3.2, downstream WSUS Servers connected to upstream WSUS Servers over network ports 80 (HTTP) and 443 (HTTPS). In WSUS 6.2, this has been changed.
Upstream and downstream WSUS Servers now communicate over port 8530 for HTTP and port 8531 for HTTPS. If you have a firewall configured on the WSUS Servers, make sure to allow inbound traffic on the above-mentioned ports so that the WSUS Servers can communicate with each other successfully.
As for communication between upstream WSUS Servers and Microsoft Update Servers, communication takes place over network ports 80 for HTTP and 443 for HTTPS. In case you have a proxy server on the network, you might want to change WSUS to use the proxy server.
And in cases where your corporate policy does not allow HTTP and HTTPS traffic for all sites, make sure to configure your firewall to allow HTTP and HTTPS network traffic for the following Microsoft Update URLs:
- http://windowsupdate.microsoft.com
- http://*.windowsupdate.microsoft.com
- https://*.windowsupdate.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://*.windowsupdate.com
- http://download.windowsupdate.com
- http://download.microsoft.com
- http://*.download.windowsupdate.com
- http://wustat.windows.com
- http://ntservicepack.microsoft.com
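When this list is turned into a proxy or firewall rule set, the scheme and the wildcard boundary both matter: several entries are HTTP-only, and `*.windowsupdate.com` must not match a look-alike such as `evilwindowsupdate.com`. The following matcher is an added example, not part of the original article; the function names are hypothetical, and it assumes that `*.` covers subdomains but not the bare suffix and that only the default ports 80 and 443 are permitted.

```python
from urllib.parse import urlsplit

# Allowlist copied from the article, as (scheme, host pattern) pairs.
ALLOWLIST = [
    ("http", "windowsupdate.microsoft.com"),
    ("http", "*.windowsupdate.microsoft.com"),
    ("https", "*.windowsupdate.microsoft.com"),
    ("http", "*.update.microsoft.com"),
    ("https", "*.update.microsoft.com"),
    ("http", "*.windowsupdate.com"),
    ("http", "download.windowsupdate.com"),
    ("http", "download.microsoft.com"),
    ("http", "*.download.windowsupdate.com"),
    ("http", "wustat.windows.com"),
    ("http", "ntservicepack.microsoft.com"),
]
DEFAULT_PORT = {"http": 80, "https": 443}


def host_matches(host, pattern):
    """Exact match, or for '*.suffix' a match on a DNS label boundary.

    Assumption: '*.' covers one or more subdomain labels but not the bare
    suffix, which is why the article lists some bare hosts separately.
    """
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keeps the leading dot, e.g. ".update.microsoft.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(url):
    """True if the URL's scheme, host and port fit an allowlist entry."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    host = parts.hostname  # userinfo ("user@") is already stripped here
    if scheme not in DEFAULT_PORT or not host:
        return False
    if port not in (None, DEFAULT_PORT[scheme]):
        return False
    return any(s == scheme and host_matches(host, p) for s, p in ALLOWLIST)
```

Running the WSUS server's outbound proxy log through `is_allowed` before tightening the egress policy shows which update requests the rule set would block.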
Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He has specialized in Microsoft Technologies since 1994 and has followed the progression of Microsoft Operating System and software. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Solution IDs for www.Dynamic-SpotAction.com. Nirmal can be reached at nirmal_sharma@mvps.org.