WSUS Port 80 vs 8530

Revisiting WSUS after too many years

30 September 2020

Home —  Categories

WSUS clients weren’t reporting in

I recently had to replace a few WSUS servers that were Server 2008 R2. I went with the latest and greatest, obviously, but ran into a snafu when I couldn’t figure out why servers and workstations weren’t reporting in. The Computers tab in WSUS manager was remaining infuriatingly empty.

RSOP.msc

First, I needed to figure out what the machines were configured to do so I went onto a client machine and ran RSOP.msc - this means Resultant Set of Policy and basically just tells you what GPO the Windows box is getting. Drill down to the following: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. RSOP is your best friend when troubleshooting anything to do with Group Policy!

Here, you might see the FQDN of your WSUS server or you might see the FQDN plus :8530. Oh, it’s important to note that when you replace a WSUS server, you want to give it the same FQDN and IP as the original if at all possible. Your client machines might not know the difference, though you might also have to do some jiggery pokery with SSL certs.

netstat

Anyways, you can also run netstat from an elevated CMD prompt to see what port your clients are trying to hit. It’ll look something like this:

PROTOCOL  DESTINATION         SOURCE                STATUS
 TCP      <local IP>:80       <client IP>:50000     ESTABLISHED
 TCP      <local IP>:8530     <client IP>:50000     ESTABLISHED

It’s important to note that the originating port will be random, somewhere in the 50,000’s to 60,000’s by default. If it looks like the first. Equally important, if you don’t see clients trying to connect, then you may have a firewall issue!

wsusutil

If you see port 80, then you need to set the “custom website” to false. If you see 8530 then you need to set it to true. This is deceptively simple. The official Microsoft documentation for WSUSutil is here.

But for your convenience:

Set it to 8530:

%ProgramFiles%\Update Services\Tools\wsusutil usecustomwebsite true

Set it to 80:

%ProgramFiles%\Update Services\Tools\wsusutil usecustomwebsite false

This change, for me, has been completely non-destructive and reversible.

Bingo

As soon as I changed the custom website to the correct setting, clients started phoning home.