In this post we will see the steps for installing WSUS for SCCM, configuring firewall exceptions, and opening the ports needed for SQL replication.
So far in this deployment series of SCCM 2012 SP1, in the first post we saw the steps to install and configure active directory domain services.
WSUS is Microsoft’s separate, stand-alone server-based product for distributing updates to Windows systems. It uses the Windows Update Agent (WUA) on each client to scan for patch applicability and then install the updates delivered by WSUS.
WSUS 3.0 Service Pack 2 is required for System Center 2012 Configuration Manager. Because SCCM 2012 SP1 supports only 64-bit site systems, you must use the 64-bit version of WSUS on one of the supported 64-bit editions of Windows Server.
You can install WSUS from Server Manager by adding the WSUS role under Roles. I prefer to install WSUS by downloading the setup file from Microsoft.
We will be installing WSUS role on SCCM.PRAJWAL.LOCAL machine with the user account sccmadmin.
Installing WSUS 3.0 SP2 for SCCM
Using the below steps, you can install WSUS for SCCM. Double click the setup file to begin the installation. On the welcome page click on Next.
On the Installation Mode Selection page, choose Full server installation including Administrator Console. Hit Next.
Accept the license agreement and click on Next.
It is recommended to store the updates on a drive other than C:. In our example we will store the updates locally under E:\WSUS. Click on Next.
For Database Options we will not use the Windows Internal Database; instead we will use a SQL Server database instance. Choose Use an existing database server on this computer and click on Next.
Because SQL Server is installed on the same server, the connection to the SQL Server instance is established quickly. If SQL Server runs on another server, select Use an existing database server on a remote machine; you will then have to provide the server in the form machine name\instance to connect.
If you plan to create a dedicated IIS site, choose Create a Windows Server Update Services 3.0 SP2 Web Site; a dedicated site uses port 8530, and 8531 for Secure Sockets Layer (SSL) connections. If you plan to use the IIS default website instead, select “Use the existing IIS Default Web site”. Click on Next.
We have successfully completed the WSUS installation for SCCM. Click on Finish.
Once the WSUS 3.0 SP2 installation completes, the WSUS configuration wizard comes up. Do not configure it, as we will be using SCCM to deploy the updates. This is an important step, because many of you would configure it at this point. Click Cancel to close the wizard.
After cancelling the WSUS configuration wizard, you must install two updates for WSUS 3.0 SP2 as a prerequisite. Downloads are available for 32-bit and 64-bit systems.
Configuring Firewall for SCCM
For the list of ports used by Configuration Manager 2012 SP1, see http://technet.microsoft.com/en-us/library/hh427328.aspx. To successfully use client push to install the Configuration Manager 2012 SP1 client, you must add the following as exceptions to the Windows Firewall:
- File and Printer Sharing
- Windows Management Instrumentation (WMI)
We will create an inbound and an outbound rule that add the File and Printer Sharing service as a firewall exception, and an inbound rule to allow WMI. We will perform this activity on the Domain Controller.
Click on All Programs, Administrative Tools, and open the Group Policy Management console. Right click on the domain and create a GPO. Provide a name for the GPO and click on OK.
Right click on the policy that you created and click on Edit.
Expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security. Right click on Inbound Rules and click on New Rule.
Click on Predefined and select File and Printer Sharing. Click on Next.
Click on Next.
Click on Allow the connection. Click Finish.
We have created an inbound rule to allow File and Printer Sharing. Similarly, right click on Outbound Rules and click on New Rule. Click on Predefined, select File and Printer Sharing and click on Next.
Click on Next.
Click on Allow the connection and click on Finish.
We also need an inbound rule to allow the WMI service through the firewall, so right click on Inbound Rules and click on New Rule. Click on Predefined and select Windows Management Instrumentation (WMI). Click on Next.
Click on Next.
Click on Allow the connection. Click on Finish.
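The two predefined rule groups above can also be enabled and audited from PowerShell on the machine itself. The following script is an added example and is not part of the original post; it assumes Windows Server 2012 / Windows 8 or later (the NetSecurity module), an elevated session, and an English OS, since the group names are the built-in English display-group strings. It enables the rules only for the Domain profile, matching the post's approach of delivering the exception through a domain GPO rather than opening it on Private or Public networks, and then reports any Domain-profile inbound rule that is still disabled.

```powershell
# Added example (not from the original post): enable the two predefined
# Windows Firewall rule groups that client push needs on the local machine,
# then audit which inbound rules in those groups are enabled.
# Assumptions: Windows Server 2012 / Windows 8 or later (NetSecurity module),
# an elevated PowerShell session, and an English OS (display-group names
# below are the built-in English strings).
$Groups = @(
    'File and Printer Sharing',
    'Windows Management Instrumentation (WMI)'
)

foreach ($Group in $Groups) {
    # Enable the built-in rules of this group. -Profile Domain limits the
    # change to rules that apply to the Domain profile, so Private and
    # Public networks stay closed.
    Enable-NetFirewallRule -DisplayGroup $Group -Profile Domain -ErrorAction Stop
}

# Audit: list every inbound rule in the groups with its profile and state.
$Inbound = foreach ($Group in $Groups) {
    Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound |
        Select-Object DisplayName, Profile, Enabled, Action
}
$Inbound | Format-Table -AutoSize

# An inbound rule that applies to the Domain profile and is still disabled
# means client push to this machine may fail; surface it explicitly.
$StillOff = $Inbound | Where-Object {
    ($_.Profile -match 'Domain|Any') -and ($_.Enabled -ne 'True')
}
if ($StillOff) {
    Write-Warning ("Disabled Domain-profile rules: " + ($StillOff.DisplayName -join ', '))
} else {
    Write-Host "All Domain-profile inbound rules in both groups are enabled."
}
```

Run it on a client after the GPO has applied to confirm that the policy, not just a local change, produced the expected state; rules delivered by Group Policy show up in the same output.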
Opening Ports for SQL Replication
Why should you open ports 1433 and 4022?
Port 1433 – SQL Server listens for incoming connections on a particular port; the default port is 1433. This applies to routine connections to a default installation of the Database Engine, or to a named instance that is the only instance running on the computer.
Port 4022 – This port is used by SQL Server Service Broker. There is no default port for Service Broker, but 4022 is the port we allow inbound on our firewall.
Script to Open the ports for SQL Replication
If you are looking for a script to open the ports for SQL replication, here it is. Copy this script into Notepad and save it as opensqlports.bat. Right click on the batch file and run it as administrator.
@echo off
REM Adds the two inbound SQL Server firewall rules SCCM needs.
REM Both rules are limited to the Domain profile and to the local subnet.
echo ========= SQL Server Ports for SCCM ===================
echo.
echo.
echo **Right click on the batch file and Run As Administrator**
echo.
echo.
echo Adding SQL Firewall Exceptions for SCCM
echo.
echo Adding TCP 1433
REM TCP 1433: SQL Server Database Engine (default instance)
netsh advfirewall firewall add rule name = "SCCM SQL (TCP 1433)" dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN
echo.
echo Adding TCP 4022
REM TCP 4022: SQL Server Service Broker
netsh advfirewall firewall add rule name = "SCCM SQL (TCP 4022)" dir = in protocol = tcp action = allow localport = 4022 remoteip = localsubnet profile = DOMAIN
echo.
echo Done adding firewall exceptions
echo.
By default, Windows enables the Windows Firewall, which closes port 1433 so that computers on the Internet cannot connect to a default instance of SQL Server on your computer.
Connections to the default instance using TCP/IP are therefore not possible unless you reopen port 1433. We will now create a group policy to open TCP ports 1433 and 4022.
Create a GPO to open TCP ports 1433 and 4022.
If you prefer to create the rules manually instead of running the script, open the Group Policy Management console. Create a new policy and name it SQL Ports. Right click the SQL Ports policy and edit it. In the Group Policy Management Editor, expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security.
Right click on Inbound Rules, select New Rule and choose Port. Hit Next.
Select TCP, and specify port 1433 under Specific local ports.
On the Action page, click Allow connection and hit Next.
The firewall rule will be applied to all three profiles (Domain, Private and Public). Hit Next.
Name the rule as TCP Inbound 1433. Finally click Finish.
Similarly, create an inbound rule to allow port 4022: choose TCP and specify the port number 4022. Click on Next.
Click on Allow the connection and then click Next.
Select Domain, Private and Public and click on Next.
Provide the name as TCP Inbound 4022 to identify the rule. When you are done, hit Finish.
We have allowed TCP inbound ports 1433 and 4022 on our firewall.
On the client machine, launch the command prompt, type gpupdate /force and hit Enter. In the same command prompt, type rsop.msc.
This shows the Resultant Set of Policy, that is, the group policies applied to this client. Expand Administrative Templates and click on Extra Registry Settings.
In the right pane you will find the two ports, 1433 and 4022, that are allowed through the firewall. This step simply checks whether the policy has been pushed to the client machine.
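For those who want the same two SQL rules created and checked from PowerShell, the script below is an added example and not the post's own batch file. It assumes Windows Server 2012 R2 / Windows 8.1 or later (NetSecurity module plus Test-NetConnection), an elevated session, and that $SiteServer names the server running SQL Server (the post's lab server SCCM.PRAJWAL.LOCAL is used as a placeholder). It keeps the scope of the batch script, Domain profile only and remote address limited to the local subnet, which is narrower than the GPO wizard steps above, where the rules apply to all three profiles with no remote address restriction. It skips a rule that already exists, then verifies the effective port, profile and remote-address scope of each rule and finally tests the TCP ports from a client.

```powershell
# Added example (not the post's own script): create the two inbound SQL rules
# from the post (TCP 1433 Database Engine, TCP 4022 Service Broker) with the
# same scope as its batch file (Domain profile, local subnet only), skip rules
# that already exist, and verify them.
# Assumptions: Windows Server 2012 R2 / Windows 8.1 or later, elevated session,
# $SiteServer is the host running SQL Server (placeholder from the post's lab).
$SiteServer = 'SCCM.PRAJWAL.LOCAL'   # assumed; change to your SQL host
$Rules = @(
    @{ Name = 'SCCM SQL (TCP 1433)'; Port = 1433; Purpose = 'SQL Server Database Engine' },
    @{ Name = 'SCCM SQL (TCP 4022)'; Port = 4022; Purpose = 'SQL Server Service Broker' }
)

foreach ($Rule in $Rules) {
    # Idempotent: running the script twice must not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $Rule.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$($Rule.Name)' already exists, leaving it unchanged"
        continue
    }
    New-NetFirewallRule -DisplayName $Rule.Name -Description $Rule.Purpose `
        -Direction Inbound -Protocol TCP -LocalPort $Rule.Port `
        -Action Allow -Profile Domain -RemoteAddress LocalSubnet | Out-Null
    Write-Host "Added inbound rule for TCP $($Rule.Port)"
}

# Verify the effective scope, not just the rule name: resolve each rule to its
# port filter and address filter so port, profile and remote address are visible.
foreach ($Rule in $Rules) {
    $Fw   = Get-NetFirewallRule -DisplayName $Rule.Name
    $Port = ($Fw | Get-NetFirewallPortFilter).LocalPort
    $Addr = ($Fw | Get-NetFirewallAddressFilter).RemoteAddress
    "{0,-22} enabled={1} profile={2} port={3} remote={4}" -f `
        $Fw.DisplayName, $Fw.Enabled, $Fw.Profile, $Port, $Addr
}

# From a client in the same subnet, confirm the ports actually accept a TCP
# connection through the firewall.
foreach ($Rule in $Rules) {
    $t = Test-NetConnection -ComputerName $SiteServer -Port $Rule.Port -WarningAction SilentlyContinue
    "{0}:{1} TcpTestSucceeded={2}" -f $SiteServer, $Rule.Port, $t.TcpTestSucceeded
}
```

The connection test for 4022 only succeeds once something on the server is actually listening on that port (a Service Broker endpoint); a failure there does not by itself mean the firewall rule is wrong, whereas a failure on 1433 with SQL Server running usually does point at the firewall or a non-default SQL port.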