Use > Server patching > Patch management for Windows > Patch management process > Step 1 - Configure patch settings > Connect SA to a WSUS server

Connect SA to a WSUS server

Before importing patches and patch metadata from WSUS, configure SA to communicate with your WSUS server.

To connect SA to an upstream WSUS server:

  1. Configure WSUS to synchronize with Microsoft Update.

  2. Approve/decline patches in WSUS to filter which patches are visible in SA.
  3. Deploy the WSUS Web serviceto set up the communication with the SA core. SA downloads all patches and associated metadata to the SA core and then distributes them, as required, to the managed servers that you connect to WSUS.
  4. Connect SA managed servers to WSUS to make them visible for compliance scans against WSUS patches.

Deploy the WSUS Web service

SA communicates with Windows Server Update Services through a Web service installed on the WSUS server. The Web service sends the requested patches and patch metadata to the SA core which then distributes them to the appropriate SA managed severs.

WSUS Web service is deployed only in front of the WSUS upstream server visible to SA. All patches and associated metadata are retrieved from this upstream server. The WSUS administrator is responsible for keeping any downstream servers synchronized with the upstream server.

Prerequisite: Before deploying the WSUS Web service, install OpenSSL (on any other machine) if you want to allow HTTPS requests.

To install the WSUS Web service on the WSUS upstream server and enable SA client connections:

  1. ClosedDeploy the Web Service into IIS
    1. In the SA  Client, go to LibraryBy Folder > Opsware > Tools > Patching.
    2. Right-click on archived Web service file, hpsa_wsus_ws_versionnumber.zip file and select Export Software.
    3. Unpack the Web service ZIP file on the machine that holds the WSUS server, in a new folder under C:\inetpub\wwwroot.

    4. Click the Windows Start button, type IIS and open Internet Information Services.

    5. Under the Default Web Site, right-click on the folder you have created in step c and select Convert to Application.

  2. ClosedAdd a Web Service Manager user to the WSUS Administrators group
    Skip the first three steps if you are using Windows Small Business Server 2008.

    1. Click the Windows Start button and type Computer Management.

    2. Go to Local Users and GroupsUsers and create a new user that will manage the Web service.

    3. Add the new user to the WSUS Administrators group under the Groups folder.

    4. In IIS, right-click Application Pools above the Sites section and select Add Application Pool.

    5. If .NET 4.0 is not already installed on your system, install it and run the following command as Administrator: c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -iru

    6. Enter a name for your application pool, select .NET 4 or above and click OK.
  3. ClosedConfigure IIS to use the new Web Service Manager user for running the Web service
    Skip the first two steps if you are using Windows Small Business Server 2008.
    1. Right-click the newly created application pool and select Advanced Settings.

    2. Under Process Model, change the identity configuration to use a custom account and provide the credentials for your newly created Web Server Manager account.

    3. In IIS, select the Web service under the Default Web Site and click Basic Settings.

    4. Select your newly created application pool as the default one and click OK. The Web service will now use your new application pool.

  4. ClosedConfigure IIS to accept HTTP and HTTPS requests for WCF

    By default, IIS does not accept HTTP and HTTPS requests for a .NET WCF Web Service. To enable this option manually:

    1. Click the Windows Start button and type Turn Windows features on or off.
    1. Expand Features >  .NET Framework 4.5 FeaturesWCF Services and enable HTTP Activation.
    2. Click Install then click Next until you reach the end of the wizard.
  5. ClosedSetting up SSL certificates for IIS and the Web service clients (SA core and SA client)
    1. Cmd to the OpenSSL installation directory. By default OpenSSL installs under Program Files (x86)\GnuWin32\bin
    2. Type the following command to create a new system variable pointing to the openssl.cnf . Edit the command if you installed OpenSSL at a different location than the default one: 

      Set OPENSSL_CONF=C:\Program Files (x86)\GnuWin32\share\openssl.cnf

    1. Create a private and a public key using the following command:

      openssl req -x509 -newkey rsa:2048 -keyout your_private_key.pem -out your_public_key.pem -days XXX. Change XXX to the number of days you want the certificate to be valid for and give a custom name to the two .pem files.

    1. Type the following command in the OpenSSL installation directory to convert the two .pem files into a single .pfx file: openssl pkcs12 -inkey your_private_key.pem -in your_public_key.pem -export -out your_pkcs12_cert.pfx.
    2. Copy the .pfx file on WSUS Web service machine to import the server certificate into IIS:
      1. Go to IIS and select your server from the Connections pane.
      2. Double-click Server Certificates select your certificate and click Import.
      3. Browse to your .pfx file and type in the password you created for your public and private keys.
    3. Create a new binding for the Web service, to use HTTPS with this certificate.
      1. In the IIS, select Default Web Site from the Connections pane.

      2. Click Bindings from the Actions pane. This displays the Site Bindings dialog box.

      3. Click Add and select https from the Type drop-down menu.
      4. Pick your IP address and/or hostname from the SSL certificate drop-down menu.
      5. Click Apply to save your changes.
    1. Configure the Web service to require SSL.
      1. Select your Web service from the IIS Connections menu, under Default Web Site.
      2. Click SSL Settings.
      3. Check Require SSL checkbox and click Apply.
    2. Paste the content of your_public_key.pem at the bottom of the following file: /opt/opsware/openssl/certs/ca-bundle.crt. This copies the public certificate into the KnownCertification Authorities file on your SA core.
    Do not delete any existing certificates from the bundle.crt file.
  6. ClosedSetting up SSL certificates for securing the Web service-WSUS communication
    1. Edit the WsusConfig.config file to set secureConnection to True and change the port to WSUS's HTTPS port. For Windows Server 2012, the default port is 8531.
    2. Use a self-signed certificate generated and import it into IIS as described in step 5. When OpenSSL prompts you for the Common Name, type the FQDN or IP of your machine that holds WSUS and the Web service.

    3. In the IIS Connections pane, expand your host server > Sites and select the WSUS Administration node. Depending on your operating system, this is displayed either under Default Web Site or on the same level.

    4. Click Bindings from the Actions pane. This displays the Site Bindings dialog box.
    5. Select the https binding and click Edit.
    6. Pick your IP address and/or hostname from the SSL certificate drop-down menu.
    7. Choose your imported certificate and click OK to close the Edit Site Bindings dialog box.
    8. In the WSUS Administration node, enable the Require SSL option for the following subnodes: APIRemoting30, ClientWebService, DssAuthWebServicee, ServerSyncWebService and SimpleAuthWebService.
    9. Open the Content node and make sure the Require SSL option is disabled. The Web service does not require SSL to secure content coming from the WSUS server. WSUS updates are signed by Microsoft by default, thus they are already secure.
    10. Click Apply to save your changes.
    11. Install your generated public key on the computer that holds WSUS and the Web service.
  7. ClosedConfiguring connection and import settings for the WSUS Web service

    The Web service archive that you unpacked under C:\inetpub\wwwroot\[your folder] contains two configuration files: WsusConfig.config and Web.config. Edit these XML files to configure the connection and metadata import settings for patches for the WSUS Web service.

    1. WsusConfig.config

      Attribute Description
      serverName IP or hostname of the WSUS server. This is included in the URL of the WSUS Web service. The WSUS Web service supports both IPv6 and IPv4 hosts.
      port The port where WSUS is located on the server. Default HTTP port is 8530.
      secureConnection Set to True if you want the connection between Web Service and the WSUS server to be secure.
      ignoredProperties Specify which metadata properties to ignore when the Web service retrieves WSUS patches and associated metadata.
      includeApprovedUpdatesOnly

      Specify which type of patch metadata SA retrieves from the WSUS server:

      True - Web service imports only metadata for the patches marked as Approved in WSUS.

      False - Web service imports metadata for all patches available in WSUS:

      • Approved
      • Declined
      • Not Approved
    2. Web.config

    The following lines in this XML file define the two endpoints available for connecting the Web service to WSUS:

    • <endpoint address="" binding="webHttpBinding" bindingConfiguration="secureHttpBinding" contract="WsusREST.IWsusREST" behaviorConfiguration="web"></endpoint>
    • <endpoint address="" binding="webHttpBinding" contract="WsusREST.IWsusREST" behaviorConfiguration="web"></endpoint>

    Make sure these endpoints mirror the IIS binding settings that you have configured in step 5.

    HTTP connection:

    If your IIS configuration specifies an HTTP binding, remove the bindingConfiguration="secureHttpBinding line from this file, otherwise the Web service call fails.

    HTTPS connections:

    If your IIS configuration specifies an HTTPS binding, keep the bindingConfiguration="secureHttpBinding line

    HTTTP and HTTPS connections:

    If your IIS configuration specifies both HTTP and HTTPS bindings, keep both lines.

  8. ClosedHide IIS version information

    For security reasons, HPE recommends limiting the information that the WSUS Web service provides to remote clients. To hide the IIS version that the WSUS Web service is using:

    1. Install UrlScan from the Microsoft website. This security extension enables you to filter IIS connection requests.

    2. Navigate to %WINDIR%/System32/inetsrv/urlscan and open the UrlScan.ini file.

    3. Search for the RemoveServerHeader attribute and change it from 0 to 1. This stops sending the HTTP server header to remote clients.

    4. Save the UrlScan.ini file and close it.
  9. ClosedAccess the deployed Web service

    1. Enter the following URL in your browser to test the WSUS-Web service connection. This downloads a JSON file containing all the languages enabled on your WSUS Server.

        • secure binding: https://<hostNameOrIP>/<your_folder_name>/WsusREST/Locales
        • non-secure binding: http://<hostNameOrIP>/<your_folder_name>/WsusREST/Locales
    1. Check that each Windows managed server is able to access this WSUS Web service URL. SA cannot patch servers that do not have direct access to WSUS as these connections are not routed through the SA gateway mesh.

Connect SA managed servers to WSUS

To be able to scan for and deploy required WSUS patches, connect your Windows managed servers to WSUS. This enables WSUS to communicate with the Windows Update Agent available on the managed servers.

Prerequisites

  • Make sure each SA managed server can access the WSUS URL set for it as a custom attribute at the Facility/Customer/Device group/Server level. SA cannot patch servers that do not have direct access to WSUS as these connections are not routed through the SA gateway mesh.

  • Check that the managed servers you want to connect to WSUS are using SA Agent version 10.51 or later.

You can connect managed servers to WSUS either:

ClosedWhen installing the SA Agent
  1. Go to the Administration > Patch Settings and make sure that the Microsoft WSUS patching mode is enabled.
  2. Add the following custom attribute at Facility or Customer level: 
    NameValue
    WSUS_URL <protocol>://<WSUShostnameOrIP>:<portNumber>
  1. Go to Devices > SA Agent installation and select the servers on which you want to install the SA agent.

Optionally, you can specify extra installer options:

Flag

Arguments

Enclose multiple arguments in double quotes.
--wsus_cfg_args

--setupConnection. Mandatory argument.

--wsusURL - specifies a WSUS URL that overrides any custom attributes already set for the selected managed servers. Optional argument.

--ignoreWSUSModeCheck - ignores that WSUS patching mode is not enabled on the core. Optional argument.
--wsus_cfg_skip Does not run the WSUS configuration script.
ClosedWhen upgrading the SA Agent
  1. Go to Administration > Patch Settings and make sure that the Microsoft WSUS patching mode is enabled.
  2. Add the following custom attribute at Facility, Customer, Device Groups or Servers level: 
    NameValue
    WSUS_URL <protocol>://<WSUShostnameOrIP>:<portNumber>
  3. Go to Devices > All Managed servers, right-click on the servers on which you want to upgrade the SA Agent and select RunAgent Upgrade.

Optionally, you can specify extra installer options:

Flag

Arguments

Enclose multiple arguments in double quotes.
--wsus_cfg_args

--setupConnection. Mandatory argument.

--wsusURL - specifies a WSUS URL that overrides any custom attributes already set for the selected managed servers. Optional argument.

--ignoreWSUSModeCheck - ignores that WSUS patching mode is not enabled on the core. Optional argument.
--wsus_cfg_skip Does not run the WSUS configuration script.
ClosedWhen provisioning a server
  1. Go to the Administration > Patch Settings and make sure that the Microsoft WSUS patching mode is enabled.
  2. Add the following custom attribute at Facility or Customer level: 
    NameValue
    WSUS_URL <protocol>://<WSUShostnameOrIP>:<portNumber>
  3. Start the provisioning process. See Perform SA provisioning.
ClosedBefore running compliance scans

If you have not connected your Windows servers to the WSUS server during Agent installation or upgrade, you can run an SA script to manually make your servers available for WSUS patching.

  1. Go to the Administration > Patch Settings and make sure that the Microsoft WSUS patching mode is enabled.
  2. Add the following custom attribute at Facility, Customer, Device Groups or Servers level: 
    NameValue
    WSUS_URL <protocol>://<WSUShostnameOrIP>:<portNumber>
  3. Go to DevicesServers > All Managed Servers and right-click on a server that you want to connect to WSUS.
  4. Select Run ScriptConfigure Server With WSUS from the context menu. This launches the Configure Server With WSUS.bat script file from LibraryBy FolderOpswareTools > Patching.
  5. On the Run Server Script wizard, click Next and specify any custom options for the script.
  6. Click Start Job then click Close when the import is complete.

Parameters for the Configure Server With WSUS script

The following parameters enable you to change the default behavior for running the Configure Server With WSUS .bat file on the selected servers.

  • --wsusURL - specifies a WSUS URL that overrides any custom attributes already set for the selected managed servers.

  • --ignoreWSUSModeCheck - ignores that WSUS patching mode is not enabled on the core.

Related topics

Disconnect SA managed servers from WSUS

Change configuration settings for the WSUS Web service

As part of deploying the WSUS Web service on a WSUS server, you define how SA connects and imports patches from WSUS via the WSUS Web service.

You can change your settings at any time, from the two WSUS Web service configuration files: WsusConfig.config and Web.config. These XML files are available on the machine that holds the WSUS server, under C:\inetpub\wwwroot\[your folder].

To change metadata import settings

By default, SA imports metadata only for patches that the WSUS Administrator marked as Approved. You can edit this filter to import Declined and Not Approved patches as well.

You cannot change the list of patch products and patch locales that SA reads from WSUS. This list is defined by the WSUS administrator on the WSUS side.
  1. On the WSUS machine, go to C:\inetpub\wwwroot\<folder_where_you_deployed_the WSUS_Web_service> and open WsusConfig.config.
  2. Find the includeApprovedUpdatesOnly attribute and set it to False.
  3. Save your changes and close the XML file.
  4. Restart the IIS site that holds the WSUS Web service.

To change connection settings

The WsusConfig.config XML file defines the IP, port number and specifies whether the connection between the WSUS server and your WSUS Web service is secure or not. To change the connection or the URL of the WSUS Web service:

  1. On the WSUS machine, go to C:\inetpub\wwwroot\<folder_where_you_deployed_the WSUS_Web_service> and open WsusConfig.config.
  2. Find the serverName attribute and change it to use the new hostname or IP of your WSUS Web service.
  3. Change the port number if required.

  4. Set the secureConnection to True if you want to create an SSL HTTPS connection between the Web service and the WSUS server.

  5. Save your changes and close the WsusConfig.config XML file.
  6. Open the XML file Web.configand remove the bindingConfiguration="secureHttpBinding line if you want to create an HTTP connection. To create an HTTPS or both an HTTP and HTTPS connection, make sure the following line is available in the XML file: <endpoint address="" binding="webHttpBinding" bindingConfiguration="secureHttpBinding" contract="WsusREST.IWsusREST" behaviorConfiguration="web"></endpoint>.
  7. Go to IIS and ensure that the connection endpoints defined in the Web.config XML file mirror your current IIS binding settings. For secure HTTPS connections, make sure the Require SSL option is enabled for the following pages of the WSUS Administration node in the Connections pane: APIRemoting30, ClientWebService, DssAuthWebServicee, ServerSyncWebService and SimpleAuthWebService.
  8. Restart the IIS site that holds the WSUS Web service.

Send Help Center feedback