SCCM Install WSUS Configure Firewall Exceptions

Deploying SCCM 2012 Part 5 – SCCM Install WSUS Configure Firewall Exceptions – In this post we will install the WSUS server role, configure the firewall to add the exceptions that allow client push, and open the SQL ports 1433 and 4022.

In Part 1 we saw the installation of Active Directory Domain Services. In Part 2 we created the AD container and delegated the permissions on it. In Part 3 we installed pre-requisites for SCCM server. In Part 4 we installed SQL server, updated the service pack and cumulative update patch.

Installing WSUS 3.0 SP2

Software updates require that WSUS 3.0 SP2 is installed on all site system servers that you configure for the software update point site system role. Additionally, when you install the active software update point on a remote site system, you must install the WSUS Administration Console on the site server computer if it is not already installed. This allows the site server to communicate with WSUS running on the active software update point. You can install WSUS by opening Server Manager, going to Roles and adding the WSUS role. I prefer to install WSUS by downloading the setup file from Microsoft. WSUS 3.0 SP2 is available here: http://www.microsoft.com/en-us/download/details.aspx?id=5216. We will be installing the WSUS role on the SCCM.PRAJWAL.LOCAL machine with the user account “sccmadmin”.

Run the WSUS Setup file. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 1

Select Full server installation including the administrator console. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 2

We will be storing the WSUS updates on another drive, named E. You can store the updates on the C drive, but it is not recommended because if the operating system crashes you might lose the WSUS updates folder.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 3

In this case we will not be using the internal database, instead we will use the SQL database instance.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 4

The SQL server is installed on the same server, so it connects to the SQL server instance quickly. If you have a SQL server running on another server, select “Using a existing database server on remote machine”. You will have to provide the machine name\instance name to connect.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 5

Select “Use existing IIS default Web site” and click next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 6

Click finish to complete the WSUS installation.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 7

Note : Once you click finish, the WSUS configuration wizard comes up. Do not configure it as we will be using SCCM to deploy the updates. Click cancel to close the wizard.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 8

Configuring Firewall for Client installation.

For the list of ports used in Configuration Manager 2012, see http://technet.microsoft.com/en-us/library/hh427328.aspx. In order to successfully use client push to install the Configuration Manager 2012 client, you must add the following as exceptions to the Windows Firewall.

  • File and Printer Sharing
  • Windows Management Instrumentation (WMI)

We will create an inbound and an outbound rule that add the File and Printer Sharing service as an exception to the firewall, and an inbound rule to allow WMI. We will perform this activity on the Domain Controller.

Click All Programs, Administrative Tools, and open the Group Policy Management console. Right-click the domain and create a GPO.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 9

We will create a policy named SCCM Client Push Policy. Click OK to create the policy. Now under Default Domain policy you will find the policy that you just created. Right-click the SCCM Client Push Policy and click Edit. The Group Policy Management Editor comes up.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 10

Expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security. Refer to the figure below.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 11

Now right-click Inbound Rules and select New Rule. Select Predefined and select File and Printer Sharing from the list. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 12

Make sure all the options are checked. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 13

Check the radio button “Allow the Connection” and Click Finish.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 14

We have created a rule to allow File and Printer Sharing inbound.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 15

Now we will create an outbound rule for the same.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 16

Make sure all the options are checked. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 17

Select Allow the Connection. Click Finish.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 18

We have created a rule to allow File and Printer Sharing outbound.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 19

Now we will create an inbound rule to allow Windows Management Instrumentation. Create an inbound rule, selecting “Windows Management Instrumentation” from the Predefined list. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 20

Check all the rules and click next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 21

Allow the connection. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 26

Next we will open TCP ports 1433 and 4022 for SQL replication. By default, Microsoft Windows enables the Windows Firewall, which closes port 1433 to prevent Internet computers from connecting to a default instance of SQL Server on your computer. Connections to the default instance using TCP/IP are not possible unless you reopen port 1433. We will now create a group policy to open TCP ports 1433 and 4022.

Open the Group Policy Management console. Create a new policy and name it “SQL Ports for SCCM 2012”. Right-click the policy “SQL Ports for SCCM 2012” and edit it. In the Group Policy Management Editor, expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 23

Create an inbound rule and select Port. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 24

Select TCP, and specify port 1433 under Specific local ports.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 25

Click “Allow connection” and Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 26

The firewall rule will be applied to all 3 profiles.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 32

Provide a name to identify the rule. Click Finish.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 28

We will now open TCP port 4022. Create an inbound rule and select Port. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 29

Specify the port number as 4022. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 30

Choose Allow the connection.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 31

This rule applies to all 3 profiles. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 32

Specify a name to identify the rule and click Finish.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 33

The rules that we created can be seen in the inbound rules section.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 34
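
A check to run on a domain machine once the “SQL Ports for SCCM 2012” policy has applied, as an added example that is not part of the original post: it lists every enabled inbound allow rule that opens TCP 1433 or 4022 and shows which profiles and remote addresses each rule admits. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later); the function names are hypothetical.

```powershell
# Added example (not from the original post). Run elevated on a machine that has
# received the GPO. Needs the NetSecurity module (Windows 8 / Server 2012 or later).
function Test-PortListed {
    # True when $Port is named in a rule's LocalPort value, either exactly or
    # inside a range such as '1400-1500'. A LocalPort of 'Any' is not expanded.
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -eq "$Port") { return $true }
    }
    return $false
}

function Get-SqlPortRuleAudit {
    param([int[]]$Ports = @(1433, 4022))   # the two ports opened in this post
    # ActiveStore is the merged set of local and Group Policy rules in effect.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }
        $opened = @($Ports | Where-Object { Test-PortListed $portFilter.LocalPort $_ })
        if ($opened.Count -eq 0) { continue }
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Ports         = $opened -join ','
            Source        = $rule.PolicyStoreSourceType   # GroupPolicy or Local
            Gpo           = $rule.PolicyStoreSource
            Profile       = "$($rule.Profile)"
            RemoteAddress = $remote -join ','
            # Rule is active on the Public profile (untrusted networks).
            OnPublic      = "$($rule.Profile)" -match 'Any|Public'
            # No source restriction: any host that can route to the machine.
            AnyRemote     = $remote -contains 'Any'
        }
    }
}

Get-SqlPortRuleAudit | Format-Table -AutoSize
```

Rows where OnPublic or AnyRemote is True on machines that do not host SQL Server are the ones to review.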

  • Zak

    Do ports 1433 and 4022 need to be open for the entire domain? Or just for the SCCM/SQL server? I see the need for WMI and File and Print sharing but not the SQL replication ports.

    • I would recommend to open the ports using group policy for entire domain. SQL replication ports TCP 1433 and 4022 must be opened because these are required to access SQL and for SQL to replicate to other SQL servers. WMI and File and Print sharing services must be enabled. Both the steps are shown in the post.

  • raj

    We have a test lab where we have only one primary server and a Windows 8 client. Now my requirement is:
    Requirements
    1. As part of patching, we will not create a package for Windows updates and deploy it to collections.
    2. Also, we don’t want to download the updates and save them locally on our WSUS server. Windows clients will download the updates from Microsoft directly, but we have to keep track/record of updates installed on client machines using the SCCM server.

    • I don’t think you can generate reports of Windows updates installed on client computers through SCCM if the updates have been pushed through WSUS server and not through SCCM server. There is a way to check whether a specific update has been installed on a client computer, and that is through creating a DCM rule (SCCM 2007) or a configuration baseline in SCCM 2012. Let me try this in my lab setup and I will get back to you soon.

  • Art

    I have configured updates with SCCM, here is my problem:

    1) Clients not getting updates
    2) SCCM is not getting updates from Microsoft. Sync failing.

    How can I determine whether the problem is the WSUS server (not configured correctly, writes issue, incorrect ports used, group policy wrong, etc.) or the clients?

    Background: I am a tech (responsible only for PCs in my company). I did not set up the WSUS or SCCM server. I need to prove to our Network Admin that the problem is with the server, not my PCs. I have verified that SCCM is set up for updates correctly. Your help is appreciated.

  • Akram

    Can I make all these firewall rules on the SCCM 2012 server only, or must they be put in group policy? Why?
    And if group policy, in what OU is the SCCM 2012 server hosted, in what OU will the client machines be hosted, and is this group policy also applied to the OU hosting the client machines?
    Thank you

    • The firewall exceptions must be configured through a group policy. It’s done on a domain controller and the policy is created at the domain level so that all the domain computers are enforced with this policy.

  • Akram

    What are the steps for configuring the firewall for client installation on Windows 8.1?
    Thank you

  • Akram

    Please could you tell me the steps for configuring the firewall for client installation on Windows 8.1?
    Thank you