SCCM Install WSUS Configure Firewall Exceptions

Deploying SCCM 2012 Part 5 – SCCM Install WSUS Configure Firewall Exceptions – In this post we will install the WSUS server role, configure the firewall to add exceptions that allow Client Push, and open the SQL ports 1433 and 4022.

In Part 1 we saw the installation of Active Directory Domain Services. In Part 2 we created the AD container and delegated the permissions on it. In Part 3 we installed the prerequisites for the SCCM server. In Part 4 we installed SQL Server and applied the service pack and cumulative update patch.

Installing WSUS 3.0 SP2

Software updates require that WSUS 3.0 SP2 is installed on all site system servers that you configure for the software update point site system role. Additionally, when you install the active software update point on a remote site system, you must install the WSUS Administration Console on the site server computer if it is not already installed. This allows the site server to communicate with WSUS running on the active software update point. You can install WSUS by opening Server Manager, going to Roles and adding the WSUS role. I prefer to install WSUS by downloading the setup file from Microsoft. WSUS 3.0 SP2 is available here: http://www.microsoft.com/en-us/download/details.aspx?id=5216. We will be installing the WSUS role on the SCCM.PRAJWAL.LOCAL machine with the user account “sccmadmin”.

Run the WSUS Setup file. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 1

Select Full server installation including the administrator console. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 2

We will be storing the WSUS updates on another drive, E. You can store the updates on the C drive, but it is not recommended because if the operating system crashes you might lose the WSUS updates folder.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 3

In this case we will not be using the internal database, instead we will use the SQL database instance.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 4

The SQL server is installed on the same server, so it connects to the SQL server instance quickly. If you have a SQL server running on another server, select “Using a existing database server on remote machine”. You will have to provide the machine name\instance name to connect.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 5

Select “Use existing IIS default Web site” and click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 6

Click Finish to complete the WSUS installation.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 7

Note: Once you click Finish, the WSUS configuration wizard comes up. Do not configure it, as we will be using SCCM to deploy the updates. Click Cancel to close the wizard.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 8

Configuring Firewall for Client installation.

To know what are the ports used in Configuration Manager 2012, please go through this link :-

We will create a policy named SCCM Client Push Policy. Click OK to create the policy. Now under Default Domain policy you will find the policy that you just created. Right-click the SCCM Client Push policy and click Edit. The GP management editor comes up.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 10

Expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security. Refer to the figure below.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 11

Now right-click Inbound Rules and select New Rule. Select Predefined and choose File and Printer Sharing from the list. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 12

Make sure all the options are checked. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 13

Select the radio button “Allow the Connection” and click Finish.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 14

We have now created a rule to allow File and Printer Sharing inbound.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 15

Now we will create an outbound rule for the same.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 16

Make sure all the options are checked. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 17

Select Allow the Connection. Click Finish.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 18

We have created a rule to allow File and Printer Sharing outbound.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 19

Now we will create an inbound rule to allow Windows Management Instrumentation. Create an inbound rule, selecting “Windows Management Instrumentation” from Predefined. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 20

Check all the rules and click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 21

Allow the connection. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 26

Next we will open TCP ports 1433 and 4022 for SQL replication. By default, Microsoft Windows enables the Windows Firewall, which closes port 1433 to prevent Internet computers from connecting to a default instance of SQL Server on your computer. Connections to the default instance using TCP/IP are not possible unless you reopen port 1433. We will now create a group policy to open TCP ports 1433 and 4022.

Open the Group Policy Management console. Create a new policy and name it “SQL Ports for SCCM 2012”. Right-click the policy “SQL Ports for SCCM 2012” and edit it. In the GP management editor, expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 23

Create an inbound rule and select Port. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 24

Select TCP and specify port 1433 under Specific local ports.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 25

Select “Allow connection” and click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 26

The firewall rule will be applied to all 3 profiles.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 32

Provide a name to identify the rule. Click Finish.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 28

We will now open TCP port 4022. Create an inbound rule and select Port. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 29

Specify the port number as 4022. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 30

Choose Allow the connection.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 31

This rule applies to all 3 profiles. Click Next.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 32

Specify a name to identify the rule and click Finish.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 33

The rules that we created can be seen in the inbound rules section.

Deploying SCCM 2012 Part 5 – Installing WSUS Snap 34
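
The SQL port rules from the steps above can also be written to the GPO from PowerShell; this is an added example, not part of the original post. Unlike the wizard steps, it limits each rule to the Domain profile and to named site servers, and the audit at the end flags any rule in the GPO that is still open to all profiles or to any remote address. It assumes a management host with the GroupPolicy and NetSecurity modules (Windows Server 2012 / Windows 8 with RSAT, or later), takes the domain name prajwal.local from the host name used above, and uses placeholder peer addresses and rule names.

```powershell
# Added example (not from the original post). Run as a user allowed to edit GPOs.
Import-Module GroupPolicy, NetSecurity

$domain  = 'prajwal.local'                # assumption: taken from SCCM.PRAJWAL.LOCAL
$gpoName = 'SQL Ports for SCCM 2012'      # GPO name used in the walkthrough
$peers   = @('192.0.2.10', '192.0.2.11')  # constructed placeholders: site servers needing SQL access

# Create the GPO only if it does not exist yet.
if (-not (Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Domain $domain | Out-Null
}

# Open one GPO session so both rules are written in a single save.
$session = Open-NetGPO -PolicyStore "$domain\$gpoName"

foreach ($port in 1433, 4022) {
    $name = "SCCM SQL TCP $port"          # hypothetical rule name
    $existing = Get-NetFirewallRule -DisplayName $name -GPOSession $session -ErrorAction SilentlyContinue
    if (-not $existing) {
        $rule = @{
            GPOSession    = $session
            DisplayName   = $name
            Direction     = 'Inbound'
            Action        = 'Allow'
            Protocol      = 'TCP'
            LocalPort     = $port
            Profile       = 'Domain'      # the wizard steps apply the rule to all 3 profiles
            RemoteAddress = $peers        # the wizard steps leave this as Any
        }
        New-NetFirewallRule @rule | Out-Null
    }
}
Save-NetGPO -GPOSession $session

# Audit: list every rule in the GPO and flag the ones with no profile or address scoping.
Get-NetFirewallRule -PolicyStore "$domain\$gpoName" | ForEach-Object {
    $addr  = $_ | Get-NetFirewallAddressFilter
    $ports = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        LocalPort     = $ports.LocalPort
        RemoteAddress = $addr.RemoteAddress -join ','
        Unscoped      = ($_.Profile -eq 'Any') -or ($addr.RemoteAddress -contains 'Any')
    }
} | Format-Table -AutoSize
```

Rules created with the wizard steps above show `Unscoped = True` in the audit output, which makes them easy to pick out when reviewing what the GPO exposes.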