Installing WSUS, Configuring Firewall Exceptions, Opening Ports for SQL Replication – SCCM 2012 SP1


So far in this SCCM 2012 SP1 deployment series, the first post covered the steps to install and configure Active Directory Domain Services, the second post covered the steps to install the SCCM 2012 SP1 prerequisites, and the third post covered the steps to install SQL Server for SCCM 2012 SP1. In this post we will see the steps for installing WSUS, configuring firewall exceptions, and opening ports for SQL replication.

WSUS is Microsoft’s separate, stand-alone server-based product for distributing updates to Windows systems. WSUS also uses the Windows Update Agent (WUA) to scan for patch applicability and subsequently install updates delivered by WSUS. WSUS 3.0 Service Pack 2 is required for System Center 2012 Configuration Manager. Because SCCM 2012 SP1 supports only 64-bit site systems, you must use the 64-bit version of WSUS on one of the supported 64-bit editions of Windows Server.

You can install WSUS by opening Server Manager, going to Roles, and adding the WSUS role. I prefer to install WSUS by downloading the setup file from Microsoft. WSUS 3.0 SP2 is available here: http://www.microsoft.com/en-us/download/details.aspx?id=5216. We will be installing the WSUS role on the SCCM.PRAJWAL.LOCAL machine with the user account “sccmadmin”.

Installing WSUS 3.0 SP2

Download WSUS 3.0 SP2 from the link above. Double click the setup file to begin the installation. On the welcome page click on Next.

On the Installation Mode Selection, Choose Full server installation including Administrator Console. Click on Next.


ConfigMgr looks for applicable license terms in the content folder. If it cannot find the license terms, it will not synchronize the update. Accept the license agreement and click on Next.

It is recommended to store the updates on a different drive instead of on the C: drive. In our example we will be storing the updates locally in the E:\WSUS path. Click on Next.

For Database Options we will not be using the internal database; instead we will use the SQL database instance. Choose Use an existing database server on this computer and click on Next.

SQL Server is installed on the same server, so the setup connects to the SQL Server instance quickly. If SQL Server is running on another server, select “Using an existing database server on remote machine”. You will have to provide the machine name\instance to connect.

If you are planning to create a dedicated IIS site, choose Create a Windows Server Update Services 3.0 SP2 Web Site. A dedicated site uses port 8530, and port 8531 for Secure Sockets Layer (SSL) connections. If you are planning to use the IIS default website, select “Use the existing IIS Default Web site” and click on Next.

Click on Next.


We have successfully completed the WSUS 3.0 SP2 installation. Click on Finish.

Once the WSUS 3.0 SP2 installation completes, the WSUS configuration wizard comes up. Do not configure it, as we will be using SCCM to deploy the updates. Click Cancel to close the wizard.

After cancelling the WSUS configuration wizard, as a prerequisite you must install 2 updates for WSUS 3.0 SP2. Downloads are available for 32 bit and 64 bit systems.

Update for Windows Server Update Services 3.0 SP2 (KB2720211)

Update for Windows Server Update Services 3.0 SP2 (KB2734608)

 

Configuring Firewall for SCCM 2012 SP1 Client installation

For the list of ports used in Configuration Manager 2012 SP1, see http://technet.microsoft.com/en-us/library/hh427328.aspx. To successfully use client push to install the Configuration Manager 2012 SP1 client, you must add the following as exceptions to the Windows Firewall:

  • File and Printer Sharing
  • Windows Management Instrumentation (WMI)

We will create an inbound rule and an outbound rule to add the File and Printer Sharing service as an exception to the firewall, and an inbound rule to allow WMI. We will perform this activity on the domain controller.

Click on All Programs, Administrative Tools, and open the Group Policy Management console. Right click on the domain and create a GPO. Provide a name for the GPO and click on OK.

Right click on the policy that you created and click on Edit.

Expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security. Right click on Inbound Rules and click on New Rule.

Click on Predefined and select File and Printer Sharing. Click on Next.


Click on Next.


Click on Allow the connection. Click Finish.

We have created an inbound rule to allow File and Printer Sharing. Similarly, right click on Outbound Rules and click on New Rule. Select File and Printer Sharing. Click on Next.

Click on Next.


Click on Allow the connection and click on Finish.

 


We need to create an Inbound Rule to allow the WMI service on our Firewall. So right click on Inbound Rule and click on New Rule. Click on Predefined and select Windows Management Instrumentation (WMI). Click on Next.


Click on Next.


Click on Allow the connection. Click on Finish.

 

Opening Ports for SQL Replication

Why ports 1433 and 4022?

Port 1433 – SQL Server listens for incoming connections on a particular port. The default port for SQL Server is 1433. It applies to routine connections to the default installation of the Database Engine, or a named instance that is the only instance running on the computer.

Port 4022 – This port is used for SQL Server Service Broker. There is no default port for SQL Server Service Broker, but this is the port that we allow inbound on our firewall.

Script to Open the ports for SQL Replication

If you are looking for a script to open the ports for SQL replication, here it is. Copy this script into Notepad and save it as opensqlports.bat. Right click on the batch file and run it as administrator.

@echo off
rem Opens inbound TCP 1433 and 4022 for SQL replication.
rem Both rules are limited to the Domain profile and the local subnet.
echo =========  SQL Server Ports for SCCM  ===================
echo.
echo.
echo         **Right click on the batch file and Run As Administrator**
echo.
echo.
echo Adding SQL Firewall Exceptions for SCCM
echo.
echo Adding TCP 1433
netsh advfirewall firewall add rule name="SCCM SQL (TCP 1433)" dir=in protocol=tcp action=allow localport=1433 remoteip=localsubnet profile=DOMAIN
echo.
echo Adding TCP 4022
netsh advfirewall firewall add rule name="SCCM SQL (TCP 4022)" dir=in protocol=tcp action=allow localport=4022 remoteip=localsubnet profile=DOMAIN
echo.
echo Done adding firewall exceptions
echo.

By default, Microsoft Windows enables the Windows Firewall, which closes port 1433 to prevent Internet computers from connecting to a default instance of SQL Server on your computer. Connections to the default instance using TCP/IP are not possible unless you reopen port 1433. We will now create a group policy to open TCP ports 1433 and 4022.

If you choose to create the rules manually in the firewall, open the Group Policy Management console. Create a new policy and name it “SQL Ports”. Right click the policy “SQL Ports” and edit it. In the Group Policy Management console, expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security.

Right click on Inbound Rules, create a new inbound rule and select Port. Click on Next.

Select TCP, and specify port 1433 in specific local ports.

Click on Allow the connection and click on Next.

The firewall rule will be applied for all the 3 profiles. Click on Next.


Name the rule as TCP Inbound 1433. Click on Finish.

Similarly, create an inbound rule to allow port 4022: choose TCP and specify the port number as 4022. Click on Next.

Click on Allow the connection. Click on Next.

Select Domain, Private and Public and click on Next.

Provide the name as TCP Inbound 4022 to identify the rule. Click on Finish.


We have allowed TCP inbound ports 1433 and 4022 on our firewall.


On the client machine, launch the command prompt, type the command gpupdate /force and press Enter. In the same command prompt, type the command rsop.msc. This shows the Resultant Set of Policy, that is, the group policies that are applied to this client. Expand Administrative Templates and click on Extra Registry Settings. In the right-hand pane you will find the two ports, 1433 and 4022, which are allowed in the firewall. This step is just to check whether the policy has been pushed to the client machine.
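
The batch script above limits both rules to the Domain profile and the local subnet, while the rules created through the wizard apply to all three profiles. As an added check (not part of the original post), the following PowerShell lists the enabled inbound TCP allow rules on the local machine that cover port 1433 or 4022, with the profiles and remote addresses each one applies to. It reads the rules through the Windows Firewall COM object HNetCfg.FwPolicy2; the helper name Test-PortCovered is made up for this example.

```powershell
# Added example: audit inbound allow rules covering the SQL ports opened on this page.
$sqlPorts     = 1433, 4022                                  # ports from the post
$profileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }

# Hypothetical helper: does a rule's LocalPorts string cover the given port?
function Test-PortCovered([string]$localPorts, [int]$port) {
    # LocalPorts is a comma list such as "1433", "1433,4022" or "1000-2000"; "*" means any port
    foreach ($token in $localPorts -split ',') {
        $t = $token.Trim()
        if ($t -eq '*') { return $true }
        if ($t -match '^(\d+)-(\d+)$') {
            if ($port -ge [int]$Matches[1] -and $port -le [int]$Matches[2]) { return $true }
        } elseif ($t -match '^\d+$' -and [int]$t -eq $port) { return $true }
    }
    return $false
}

$policy   = New-Object -ComObject HNetCfg.FwPolicy2
$findings = foreach ($rule in $policy.Rules) {
    # Keep only enabled rules with Direction 1 (inbound), Action 1 (allow), Protocol 6 (TCP)
    if (-not $rule.Enabled -or $rule.Direction -ne 1 -or
        $rule.Action -ne 1 -or $rule.Protocol -ne 6) { continue }

    $hit = $sqlPorts | Where-Object { Test-PortCovered $rule.LocalPorts $_ }
    if (-not $hit) { continue }

    # Profiles is a bitmask: 1 = Domain, 2 = Private, 4 = Public
    $profiles = $profileNames.Keys | Sort-Object |
        Where-Object { $rule.Profiles -band $_ } |
        ForEach-Object { $profileNames[$_] }

    $notes = @()
    if ($rule.Profiles -band 6)        { $notes += 'applies outside the Domain profile' }
    if ($rule.RemoteAddresses -eq '*') { $notes += 'any remote address' }

    New-Object PSObject -Property @{
        Rule            = $rule.Name
        Ports           = ($hit -join ',')
        Profiles        = ($profiles -join ',')
        RemoteAddresses = $rule.RemoteAddresses
        Review          = ($notes -join '; ')
    }
}
$findings | Sort-Object Rule |
    Format-Table Rule, Ports, Profiles, RemoteAddresses, Review -AutoSize
```

An empty Review column means the rule is confined to the Domain profile and a restricted set of remote addresses, which is the scope the batch script sets.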


  • Bar

    Hi,

    I have a server that has SCCM 2012 SP1 installed, and the operating system used is the Windows Server 2012 platform.
    I am unable to install WSUS 3.0 SP2 on my SCCM server. When I install WSUS, it shows the following error message:

    “This program has compatibility issues”
    “Windows Server Update Services Microsoft”

    Why the problem? And how can I install WSUS on Windows 2012 Server?

    Thanks,
    Bar Welah

    • The WSUS 3.0 SP2 is not compatible with server 2012. Go to Server Manager -> Manage -> Add Roles and Features and install WSUS.

  • Bar

    I have installed WSUS from Server Manager -> Manage -> Add Roles and Features.
    So, what next step must I do to configure WSUS?

    Thanks

    • Bar

      on the Windows 2012 Server?

    • If you installed WSUS, then do not configure it; the deployment of software updates is taken care of by SCCM. SCCM just needs WSUS to be installed.

  • arshad hussain

    Hi Prajwal,

    Event id 1020 & Task Category: SMS_EXCHANGE_CONNECTOR

    My system: OS Windows 2008 R2, SCCM 2012 SP1, MS Exchange 2010 SP1, WSUS 3.0 with SP1 & with updated patches

    Please find the details below.

    On 01/26/14 13:57:44, component SMS_SITE_COMPONENT_MANAGER on computer xxxxxxxxxxxxxx reported: Site Component Manager failed to reinstall this component on this site system.

    Solution: Review the previous status messages to determine the exact reason for the failure. Site Component Manager will automatically retry the reinstallation in minutes. To force Site Component Manager to immediately retry the reinstallation, stop and restart Site Component Manager using the Configuration Manager Service Manager.

    Task Category: SMS_EXCHANGE_CONNECTOR

    Event id 1020

    Please give me feedback, as mobile devices are not working. Any role to be uninstalled?