ICS SHIELD
R510.1
Windows Server Update Services Sync ESP
User Guide
CS-ICSE610en-510A
August 2019
DocID CS-ICSE610en-510A 2
DISCLAIMER
This document contains Honeywell proprietary information. Information contained
herein is to be used solely for the purpose submitted, and no part of this document or
its contents shall be reproduced, published, or disclosed to a third party without the
express permission of Honeywell International Sàrl.
While this information is presented in good faith and believed to be accurate,
Honeywell disclaims the implied warranties of merchantability and fitness for a
purpose and makes no express warranties except as may be stated in its written
agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or consequential
damages. The information and specifications in this document are subject to change
without notice.
Copyright 2019 – Honeywell International Sàrl
Notices
Trademarks
Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered
trademarks of Honeywell International, Inc.
ControlEdge™ is a trademark of Honeywell International, Inc.
OneWireless™ is a trademark of Honeywell International, Inc.
Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon
International is a business unit of Honeywell International, Inc.
Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business
unit of Honeywell International, Inc.
Other trademarks
Trademarks that appear in this document are used only to the benefit of the trademark
owner, with no intention of trademark infringement.
Third-party licenses
This product may contain or be derived from materials, including software, of third
parties. The third party materials may be subject to licenses, notices, restrictions and
obligations imposed by the licensor.
The licenses, notices, restrictions and obligations, if any, may be found in the materials
accompanying the product, in the documents or files accompanying such third party
materials, in a file named third_party_ licenses on the media containing the product, or
at http://www.honeywell.com/ps/thirdpartylicenses.
Documentation feedback
You can find the most up-to-date documents on the Honeywell Process Solutions
support website at:
http://www.honeywellprocess.com/support
If you have comments about Honeywell Process Solutions documentation, send your
feedback to:
Use this email address to provide feedback, or to report errors and omissions in the
documentation. For immediate help with a technical problem, contact your local
Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical
Assistance Center (TAC).
How to report a security vulnerability
For the purpose of submission, a security vulnerability is defined as a software defect
or weakness that can be exploited to reduce the operational or security capabilities of
the software.
Honeywell investigates all reports of security vulnerabilities affecting Honeywell
products and services.
To report a potential security vulnerability against any Honeywell product, please
follow the instructions at:
https://honeywell.com/pages/vulnerabilityreporting.aspx
Submit the requested information to Honeywell using one of the following methods:
Send an email to [email protected].
or
Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or
Honeywell Technical Assistance Center (TAC) listed in the “Support” section of this
document.
Support
For support, contact your local Honeywell Process Solutions Customer Contact Center
(CCC). To find your local CCC visit the website, https://www.honeywellprocess.com/en-
US/contact-us/customer-support-contacts/Pages/default.aspx.
Training classes
Honeywell holds technical training classes that are taught by process control systems
experts. For more information about these classes, contact your Honeywell
representative, or see http://www.automationcollege.com.
About this Guide
This document provides instructions for configuring and using the WSUS Sync ESP,
the solution for remotely managing Microsoft Windows Server Update Services
(WSUS).
Scope
This guide provides step-by-step instructions for configuring, distributing, and using
WSUS Sync ESP at all levels, from the initial settings up to the deployment in the
Security Center and the VSEs.
Intended audience
This guide is for people who are responsible for the configuration and operation of
WSUS Sync ESP on the Security Center and VSEs:
• Initial Settings - Professional Services, Support, or IT personnel
• Security Center – Administrators and operators
• VSE – Administrators and operators
Prerequisite skills
This guide assumes basic knowledge of the ICS Shield R510.1 modules relevant to the
Security Center, the VSE, or both, depending on your specific role.
Using this guide
Use this guide as required by your role in the configuration and operation of the WSUS
Sync ESP:
• Initial Settings – Professional Services, Support, or IT personnel:
Upstream WSUS server – see section 4.2: Upstream WSUS server -
configuration for encrypted mode.
Security Center – see section 4.3, Security Center – tunnel configuration in
the database.
VSE computer – see section 4.4, VSE - Requirements and configuration.
Downstream WSUS server – see section 4.4.4, Configuring WinRM for VSE.
• VSE:
Administrators – see chapter 5, Configuring the WSUS Sync ESP in the VSE.
Operators – see section 6.2, Using the VSE to run the WSUS Sync ESP.
• Security Center:
Administrators – see section 4.1, Before you start.
Operators – see section 6.3, Using the Security Center to run the WSUS Sync
ESP.
Related documents
The following list identifies publications that contain information relevant to the
information in this document.
Document Name                                               Document Number
ICS Shield R510.1 - Security Center User Guide              CS-ICSE400en-510A
ICS Shield R510.1 - Virtual Security Engine – User Guide    CS-ICSE601en-510A
Revision history
Revision  Supported Release  Date         Description
A         Release 510.1      August 2019  This software is an upgrade-only release from Release 501.1
A         Release 500.1      June 2019    First release of product to Honeywell Enterprise customers
Contents
1. SECURITY CONSIDERATIONS  11
1.1 Physical security  11
1.2 Secured zone  11
1.3 Limiting access  11
1.3.1 At the VSE level  11
1.3.2 At the directory or file level  12
1.3.3 Ports used by the application  12
1.4 Authorization measures  12
1.5 Encryption and validation  13
1.6 WSUS-specific measures for mitigating security risks  13
2. TERMS AND DEFINITIONS  14
3. INTRODUCTION  17
3.1 Understanding the WSUS Sync solution  17
3.2 Exploring the WSUS Sync solution architecture  20
3.3 Basic workflow of the WSUS Sync solution  21
4. INITIAL SETTINGS AND REQUIREMENTS  23
4.1 Before you start  23
4.1.1 Basic requirements for the WSUS Sync solution  23
4.1.2 Contents of the WSUS Sync solution package  24
4.1.3 Steps required for configuring the WSUS Sync solution  24
4.2 Upstream WSUS server - configuration for encrypted mode  25
4.3 Security Center – tunnel configuration in the database  26
4.3.1 Configuring WSUS tunnels manually  26
4.4 VSE - Requirements and configuration  29
4.4.1 VSE server - requirements  29
4.4.2 Configuring the tunnel on the VSE side  29
4.4.3 Configuring the local PowerShell execution policy for VSE  32
4.4.4 Configuring WinRM for VSE  34
4.5 Downstream WSUS server – requirements and configuration  35
4.5.1 Downstream WSUS server – requirements  35
4.5.2 Configuring WinRM  35
4.5.3 Importing the upstream WSUS certificate – encrypted mode  35
4.5.4 Configuring the update source  36
4.5.5 Editing the hosts file  39
5. CONFIGURING THE WSUS SYNC ESP IN THE VSE  40
5.1 Checking for the existence of a WSUS device  40
5.2 Creating a new device for the WSUS Sync ESP  41
5.3 Verifying the WSUS tunnel operation  44
5.4 Configuring the advanced parameters of the WSUS device  45
5.4.1 Configuring for a new WSUS device  45
5.4.2 Configuring for upgraded WSUS device  47
6. RUNNING THE WSUS SYNC ESP  50
6.1 Understanding the operation and output of WSUS Sync  50
6.2 Using the VSE to run the WSUS Sync ESP  52
6.2.1 Running the WSUS Sync ESP  52
6.2.2 Stopping and restarting the WSUS scheduler  57
6.3 Using the Security Center to run the WSUS Sync ESP  58
6.3.1 Running the WSUS Sync ESP from the Security Center  58
6.3.2 Opening connection without syncing  59
6.3.3 Opening WSUS connection and syncing  61
6.3.4 Initiating synchronization  61
6.3.5 Terminating the WSUS connection  62
A TROUBLESHOOTING  64
B CONFIGURATION CHECKLIST  65
C CHANGES INTRODUCED IN VERSION 3.5.9  67
List of Figures
FIGURE 3-1. WSUS ARCHITECTURE  20
FIGURE 4-1. RUN DISTRIBUTE SOFTWARE ACTIVITY DIALOG BOX  30
FIGURE 4-2. CURRENT EXECUTION POLICY  33
FIGURE 4-3. CONFIRMING THE POLICY CHANGE  33
FIGURE 4-4. UPDATE SOURCE AND PROXY SERVER OPTION  36
FIGURE 4-5. UPDATE SOURCE AND PROXY SERVER DIALOG BOX  37
FIGURE 4-6. SOURCE UPDATED WITH ALL RELEVANT DETAILS  38
FIGURE 4-7. HOSTS FILE EDITED  39
FIGURE 5-1. EDIT WSUS DEVICE  45
FIGURE 5-2. EDIT PROTOCOL SETTINGS OF DEVICE DIALOG BOX  47
FIGURE 5-3. SETTINGS OF AN EXISTING DEVICE  48
FIGURE 5-4. SETTINGS OF AN EDITED DEVICE  49
FIGURE 6-1. LIST OF AVAILABLE ACTIONS FOR THE WSUS DEVICE  52
FIGURE 6-2. ONE-TIME EXECUTION OF AN ACTION  55
FIGURE 6-3. CURRENT EXECUTION TAB  56
FIGURE 6-4. VIEW DATA TAB  56
FIGURE 6-5. EXECUTION RESULT – VIEW PANE  57
FIGURE 6-6. DIAGNOSIS ROUTINE DROP-DOWN LIST  58
FIGURE 6-7. DATA VIEWER PANE  60
List of Tables
TABLE 1-1. LIST OF PORTS  12
TABLE 5-1. PROPERTIES OF A WSUS DEVICE  41
TABLE 5-2. PARAMETERS SPECIFIED IN PROTOCOL SETTINGS  42
TABLE 5-3. ADVANCED PARAMETERS FOR WSUS DEVICE  46
SECURITY CONSIDERATIONS
1. Security Considerations
This chapter outlines the security measures for WSUS Sync ESP.
1.1 Physical security
CAUTION
WSUS Sync ESP is a mission-critical component.
Take all necessary physical measures to prevent attacks or disasters.
Ensure that the server where the product is installed is located in an approved
physically secure location that is accessible only to authorized personnel.
1.2 Secured zone
WSUS Sync ESP contains sensitive information, the loss of which could have severe
consequences. Therefore, there is a need to protect the sensitive information and
prevent attacks against the product. To do that, the VSE software, as well as its related
extensions, must be installed in an internally secured zone such as the site’s layer 3
network, with strict access control lists and appropriate firewall/routing rules.
Ensure that WSUS Sync ESP is installed in a directory that is only accessible to
authorized personnel responsible for the product.
CAUTION
If WSUS Sync ESP is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.
1.3 Limiting access
It is highly recommended to follow regulatory, industry, and enterprise standards for
limiting access to sensitive information as specified below.
1.3.1 At the VSE level
The user management at the host running the VSE must follow the principles of need
to know and least privilege: only users who absolutely must have access to the
computer are granted access, and these users are assigned the minimal set of
permissions allowing them to perform their job.
1.3.2 At the directory or file level
Access to directories and files should also be granted in accordance with the principles
of need to know and least privilege: only users who absolutely must have access to the
requested directory and file are granted access, and these users are assigned the
minimal set of permissions allowing them to perform their job.
Use the built-in file access audit logging of the OS to monitor unauthorized changes to
sensitive files.
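One way to apply the file-access auditing recommended above on Windows, as an added example that is not part of the guide or the product: it enables the File System audit subcategory, places a SACL on the install directory, and lists the resulting Security-log events. The install path is a placeholder.

```powershell
# Added example (not from the Honeywell guide): turn on OS file-access auditing for the
# WSUS Sync ESP install directory and review the events it produces. Run as administrator.
param(
    [string]$InstallDir = 'C:\Placeholder\WSUSSyncESP'   # PLACEHOLDER: the real install directory
)

# 1. Enable the 'File System' audit subcategory. Without it a SACL is stored but never
#    produces Security-log events.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: audit successful and failed write-type access by anyone,
#    inherited by every file and subfolder under the install directory.
$acl     = Get-Acl -Path $InstallDir -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $InstallDir -AclObject $acl

# 3. Verify the SACL is in place.
(Get-Acl -Path $InstallDir -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 4. Review: event 4663 ("an attempt was made to access an object") for files under the
#    install directory during the last 24 hours. Unexpected subjects here are the signal
#    that section 1.3.2 asks you to watch for.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$InstallDir*" } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```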
1.3.3 Ports used by the application
The ports used for WSUS Sync ESP are listed in the table below, relative to the VSE.
Table 1-1. List of Ports
Port Number  Inbound/Outbound      Used for
18530        Inbound               Connecting from the WSUS to the VSE
18529        Inbound               Connecting from the WSUS to the VSE in SSL mode
8530         Outbound to the WSUS  Connecting from the VSE to the WSUS (default value in version 3.4 and higher versions)
80           Outbound to the WSUS  Connecting from the VSE to the WSUS (default value in versions up to and including 3.3)
1.4 Authorization measures
It is strongly recommended to implement the following security measures:
• Change the default administrative password and delete/disable the default service
accounts as soon as new administrative accounts are created
• Disable any default Administrator/Root user on the computer
• Disable any default Guest user on the computer
• Disable any unauthenticated access to the computer via shared directories etc.
• Ensure that the OS is up to date with the latest security patches provided by the OS
vendor
1.5 Encryption and validation
All cryptographic keys generated for the encrypted communication must follow
current industry standards, including key size, encryption suites, certificate swapping,
etc.
Operators and other personnel who have a low authorization level are advised to
ensure that they only run software provided from the Headquarters as a code-signed
executable file, such as the Hyper Tunnel installer. Code-signed software displays a
"signed by" notification when it starts to run.
It is recommended to use a valid certificate issued by a trusted Certificate Authority
(CA), either the organization’s internal CA or an external CA.
1.6 WSUS-specific measures for mitigating security risks
To mitigate the security risks that are specific to exposing the WSUS servers over the
tunnel, you are advised to take the following preventive measures:
• Follow Microsoft’s best practices for defining the WSUS Admin role
• Allow the upstream WSUS server port used for connection to accept only
connections from the RAG
• Limit the RAG connections to specific servers only
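An added example, not from the guide or the product, of the second measure applied on the upstream WSUS server with Windows Firewall: it scopes the WSUS listening port to the RAG address only and disables other allow rules that still open the port. The RAG address is a placeholder; the port is the WSUS default from Table 1-1 and must be changed if your upstream server listens elsewhere.

```powershell
# Added example (not from the Honeywell guide): make the upstream WSUS server's port
# accept connections from the RAG only (section 1.6). Run as administrator on that server.
param(
    [string[]]$RagAddress = @('192.0.2.10'),   # PLACEHOLDER: the RAG host address(es)
    [int]$WsusPort        = 8530               # WSUS port per Table 1-1; adjust for your upstream server
)

$allowName = "WSUS TCP $WsusPort - allow from RAG only"

# Re-create the scoped allow rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $allowName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $allowName -Direction Inbound -Protocol TCP `
    -LocalPort $WsusPort -RemoteAddress $RagAddress -Action Allow -Profile Any | Out-Null

# Windows Firewall gives Block rules precedence over Allow rules, so a "block everyone
# else" rule would also block the RAG. Rely instead on the profiles' default inbound
# action (Block) and make sure no other Allow rule still opens the port.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

$otherAllows = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and @($_.LocalPort) -contains "$WsusPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                   $_.Action -eq 'Allow' -and $_.DisplayName -ne $allowName }

foreach ($rule in $otherAllows) {
    # WSUS setup adds its own broad rules for its port; left enabled, they undo the
    # RAG-only scope. Review any rule listed here that was added on purpose.
    Write-Warning "Disabling '$($rule.DisplayName)': it also allows inbound TCP $WsusPort."
    Disable-NetFirewallRule -Name $rule.Name
}

# Show the rules that now reference the port, for review.
Get-NetFirewallPortFilter | Where-Object { @($_.LocalPort) -contains "$WsusPort" } |
    Get-NetFirewallRule | Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```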
TERMS AND DEFINITIONS
2. Terms and definitions
NOTE
The terms and definitions are listed in alphabetical order
Term Definition
add-on An umbrella term for product lines and ESPs
asset Any site component that is connected to the network and is
accessible from the VSE
Communication Server (CS)
The Communication Server provides secure communication
between the Security Center and the VSEs
compliance Whether the device meets the organization policy
corrective action An execution profile that performs an action to correct a
problem detected by other execution profiles; for example, if a
monitoring profile detected a low disk space issue, a corrective
action will delete obsolete and large temporary files
DB Database server component
device A representation of a physical or virtual server or machine in the
VSE
diagnose routine (DR)
An execution profile that runs on demand when an issue is
encountered, and is intended to collect in-depth diagnostic
data
discovery engine A VSE utility that represents the ICS Shield Active Discovery
ESP, which detects and classifies network assets, and,
optionally, adds them as devices to the VSE
Essential security policy (ESP)
Essential Security Policy: A collection of scripts related to one
logical area, such as machine security status, hardware
information, event logs, or storage information; these scripts
can either be run on demand (Diagnose Routine or Corrective
Action) or based on a predefined schedule.
ESP Essential Security Policy: A collection of scripts related to one
logical area, such as machine security status, hardware
information, event logs, or storage information; these scripts
can either be run on demand (Diagnose Routine or Corrective
Action) or based on a predefined schedule.
execution profile A collection of scripts related to one logical area, such as
machine security status, hardware information, event logs, or
storage information; these scripts can either be run on demand
(Diagnose Routine or Corrective Action) or based on a
predefined schedule.
exposure level The extent to which the specific device is critical to ongoing site
operation; the predefined value options for the exposure levels
are one of the following:
• High
• Medium
• Low
HQ Headquarters; the physical location of the Security Center
monitoring profile (MP)
An execution profile configured to run at set time intervals, such
as Every day at 18:00
product line A set of actions and scripts that together instruct the VSE to
perform certain procedures on devices that are defined in the
VSE
Remote Access Bridge (RAB)
Remote Access Bridge is part of the ICS Shield’s remote access
architecture
Remote Access Gateway (RAG)
The Remote Access Gateway is part of the ICS Shield’s remote
access solution.
When initiated, the Remote Access Gateway automatically pulls
the connection details from the Security Center database.
reverse tunnel A secured connection initiated by the VSE to the Security
Center.
scan config Scan configuration; contains a set of network vulnerability tests
(NVTs) used to scan a machine in order to detect vulnerabilities
Security Center (SC)
ICS Shield component that is installed at the corporate data
center. The Security Center is composed of various software
components, which enable remote collection, analysis, viewing,
management, and storage of data retrieved from the VSEs. This data
refers to the monitored network assets and devices found at the
VSE’s sites.
site A remote physical location, such as an industrial plant, which
includes one or more network environments and has at least
one VSE
tunnel A secure connection established from the Security Center to the
VSE
VSE Virtual Security Engine; the ICS Shield component that is
installed at the remote site, monitors the devices at the site, and
provides additional functionalities such as remote access
WSUS Windows Server Update Services, a Microsoft product that
allows administrators to deploy updates to multiple servers, which are
configured so that each server synchronizes its content from
Microsoft Update.
WSUS device The VSE device used for applying the WSUS policy; the device
can be assigned any name
INTRODUCTION
3. Introduction
This chapter provides information about basic concepts of the ICS Shield WSUS Sync
solution, its architecture, and configuration.
3.1 Understanding the WSUS Sync solution
Windows Server Update Services (WSUS) is computer software developed by Microsoft.
Using WSUS, administrators can manage the distribution of updates and hotfixes
released for Microsoft products to computers in a corporate environment.
When new Microsoft updates are released, the WSUS server downloads the updates from
the Microsoft Update website and then distributes them to computers on a network. The
WSUS server can also be configured to download the updates from another WSUS
server.
The most common implementation of WSUS in industrial companies is that of a main
WSUS server (upstream WSUS server) configured at the headquarters, and a sub-
WSUS server (downstream WSUS server) configured at each of the company’s sites.
This type of WSUS implementation poses the following challenges:
• The WSUS updates and hotfixes should be distributed from the upstream WSUS
server to the downstream WSUS server, when both network environments have
private addresses and are protected by firewalls. This requires establishing a
secure connection between the WSUS servers.
• New updates are constantly being released, and therefore the downstream WSUS
servers must constantly be synchronized with the most recent updates, even when
there is no continuous communication between the headquarters and the sites.
This means that some mechanism should be implemented to manage and monitor
the WSUS synchronization process, to verify that the downstream WSUS servers
are up-to-date and contain all required updates.
ICS Shield WSUS Sync solution addresses these challenges by providing a secure way
to transfer updates between the upstream and downstream WSUS servers. The
solution also guarantees that within a certain time interval, the downstream WSUS
server is always synchronized with the most recent updates of the upstream WSUS
server, even when there is no continuous communication between the two WSUS
servers.
The way that the WSUS Sync solution secures the connection between the upstream
WSUS server and the downstream WSUS server and ensures the transfer of updates,
even when there is no constant connection, is by using a reverse tunnel. A reverse
tunnel is a secure communication connection between the Security Center and the
VSEs, which is initiated by the VSEs when the need for a certain type of communication
arises. By connecting the upstream WSUS server to the RAG and configuring the
downstream WSUS server to synchronize against the VSE, the WSUS updates can be
distributed to the downstream WSUS server without compromising the site security,
while overcoming periodic disconnections.
The architecture of the WSUS Sync solution also enables the management and
monitoring of the WSUS synchronization process and state. The VSE regularly checks
the current synchronization state of the downstream WSUS server. When exceeding a
certain period since the last WSUS synchronization, the VSE instructs the downstream
WSUS server to request recent updates from the upstream WSUS server.
Simultaneously, the VSE opens the reverse tunnel that is dedicated for the WSUS sync
task, to allow the transfer of the request and the transfer back of the recent updates.
Thus, recent updates are sent from the upstream WSUS server to the downstream
WSUS server on a regular basis. This management and monitoring procedure of the
WSUS synchronization is activated by default on a scheduled basis, once a day at
23:30 (local site time) and can also be activated on demand at any given time.
After the WSUS Sync ESP is distributed to a VSE, it needs to be represented as a
specific device in the VSE. Without such a device, this policy cannot be configured or
run. If the VSE already has a device for the WSUS Sync ESP, you only need to ensure
that the device’s configuration meets the requirements specified in this document.
Once the required configuration changes are implemented, it is possible to distribute
the policy.
If no device dedicated to WSUS Sync is configured in a VSE, such a device can be
created. Once the WSUS Sync ESP is represented as a device, several parameters
should be set for it. These parameters mainly consist of the connectivity credentials
that are required for the solution and the time interval that needs to pass after a
successful sync before a new sync is initiated automatically. The WSUS Sync ESP can
then start running, and the WSUS sync process is monitored and managed on a
scheduled basis.
ATTENTION
The WSUS Sync solution is not responsible for updating the workstations at
the remote site, with the updates that are received by the downstream WSUS
server. The update routine of the workstations at the site is the responsibility
of the site manager. In addition, the WSUS Sync is not responsible for
configuring the updated download policies on the upstream WSUS server.
3.2 Exploring the WSUS Sync solution architecture
The following diagram illustrates the architecture of the WSUS Sync solution:
1. The Remote Access Gateway (RAG) is started and automatically pulls data from
the Security Center database. The data that the RAG pulls specifies the
connection details of the upstream WSUS side of the tunnels. To configure the
Security Center database for the WSUS tunnels, see section 4.3, Security Center –
tunnel configuration in the database.
2. When the tunnel specification is received from the database, the RAG opens two
segments of the tunnel designated for the WSUS Sync solution. One part of the
tunnel is opened between the RAG and the upstream WSUS server, and the other
between the RAG and the Remote Access Bridge (RAB).
3. When the WSUS Sync solution is activated on the VSE (either following the
predefined scheduler or on demand), the VSE opens another segment of the
tunnel designated for the WSUS Sync solution, between itself and the RAB. To
configure the VSE for the WSUS tunnels, see section 4.4.2, Configuring the tunnel
on the VSE side.
Figure 3-1. WSUS architecture
4. When the WSUS Sync solution is activated, the VSE also sends a query to the
downstream WSUS server, checking its current synchronization state. Upon
finding that a new synchronization is needed, the VSE instructs the downstream
WSUS server to synchronize with the upstream WSUS server. For additional details
about the way the WSUS Sync ESP determines if a new WSUS Sync should be
initiated, see section 6.1, Understanding the operation and output of WSUS Sync.
5. When the downstream WSUS server receives the instruction to synchronize, it
sends a request to the upstream WSUS server via the open dedicated tunnel,
asking for updates. To configure the downstream WSUS server to connect to the
upstream WSUS server and to properly respond to the VSE instructions, see
section 4.4.4, Configuring WinRM for VSE.
6. Once the upstream WSUS server receives the update request from the
downstream WSUS server, it sends back its most recent updates to the
downstream Server.
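Steps 4 and 5 above, reproduced as an added PowerShell example that is not the ESP's own script: a management host queries the downstream WSUS server over WinRM (the channel configured in sections 4.4.4 and 4.5.2) for its last synchronization and starts a new one only when an assumed interval has elapsed since the last successful sync. The host name, port and interval are assumptions, and the administration API used is Microsoft's WSUS API, not part of ICS Shield.

```powershell
# Added example, not the WSUS Sync ESP's own script: check a downstream WSUS server's
# synchronization state over WinRM and trigger a sync when the interval has elapsed.
param(
    [string]$DownstreamWsus  = 'downstream-wsus.example',  # PLACEHOLDER host name
    [int]$WsusPort           = 8530,                       # WSUS port per Table 1-1 (HTTP)
    [int]$SyncIntervalHours  = 24,                         # assumed interval between syncs
    [switch]$StartSync                                     # omit to only report the state
)

$report = Invoke-Command -ComputerName $DownstreamWsus `
    -ArgumentList $WsusPort, $SyncIntervalHours, ([bool]$StartSync) -ScriptBlock {
    param([int]$Port, [int]$IntervalHours, [bool]$DoSync)

    # Microsoft's WSUS administration API, present on the WSUS server itself.
    [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, $Port)
    $cfg    = $wsus.GetConfiguration()
    $sub    = $wsus.GetSubscription()
    $last   = $sub.GetLastSynchronizationInfo()
    $status = $sub.GetSynchronizationStatus()       # NotProcessing, Running or Stopping

    # Only a successful sync resets the interval clock; a failed one means we are overdue.
    # The API reports times in UTC.
    $lastOk    = if ($last -and $last.Result -eq 'Succeeded') { $last.EndTime } else { $null }
    $needsSync = ($null -eq $lastOk) -or (([DateTime]::UtcNow - $lastOk).TotalHours -ge $IntervalHours)

    $started = $false
    if ($DoSync -and $needsSync -and $status -eq 'NotProcessing') {
        $sub.StartSynchronization()                 # the instruction the VSE gives in step 4
        $started = $true
    }

    # Where the downstream server pulls from; should be the tunnel endpoint set in 4.5.4.
    $source = if ($cfg.SyncFromMicrosoftUpdate) { 'Microsoft Update' } else { "$($cfg.UpstreamWsusServerName):$($cfg.UpstreamWsusServerPortNumber)" }

    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        UpdateSource  = $source
        LastSyncStart = if ($last) { $last.StartTime } else { $null }
        LastSyncEnd   = if ($last) { $last.EndTime }   else { $null }
        LastResult    = if ($last) { "$($last.Result)" } else { 'never' }
        SyncStatus    = "$status"
        NeedsSync     = $needsSync
        SyncStarted   = $started
    }
}

$report | Format-List
```

If UpdateSource shows something other than the VSE/tunnel endpoint configured in section 4.5.4, the downstream server is not pulling updates through the secured tunnel.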
3.3 Basic workflow of the WSUS Sync solution
The basic workflow of the configuration, execution, and operation of the WSUS Sync
solution is as follows:
1. One-time configuration:
   • Upstream WSUS server – configuring for encrypted mode only
   • RAG – configuring one side of the tunnels that are used for transferring
     WSUS updates
   • VSE computer
     i. Configuring the other side of the tunnels used for transferring WSUS
        updates
     ii. Configuring the execution policy of the local PowerShell to allow the
         WSUS Sync ESP scripts to run
   • Downstream WSUS server
     i. Enabling and configuring Windows Remote Management to allow the
        operation of the WSUS Sync ESP, if the downstream server is installed on
        a separate computer
     ii. Importing the upstream WSUS server certificate to the downstream
         WSUS server – for encrypted mode only
     iii. Editing the hosts file – for encrypted mode only
     iv. Configuring the update source of the downstream WSUS server
2. Security Center
   a. Importing the WSUS Sync ESP to the Security Center
   b. Distributing the WSUS Sync ESP from the Security Center into the required
      VSEs
3. VSEs
   • Locating the existing device for the WSUS Sync ESP, or, if this device
     does not exist, creating a specific device for the WSUS Sync ESP in the
     VSEs
   • Configuring the device used for WSUS Sync based on the specific
     parameters and the required synchronization interval
4. VSEs and Security Center
   • Running the WSUS Sync ESP, either manually or automatically, in
     accordance with the built-in schedule
   • The WSUS Sync ESP starts the synchronization process. The downstream
     WSUS server receives the most recent updates from the upstream WSUS
     server.
NOTE
For a checklist of the one-time settings, which can assist you in
verifying that all the configurations required for your WSUS Sync
solution are set, see Appendix B, Configuration checklist.
4. Initial Settings and Requirements
The settings and requirements described in this chapter apply to all network
environments. They are needed for enabling the WSUS Sync solution, and should be
configured and verified once, before the solution can start running. These settings
should be configured by Professional Services, Support, or IT personnel.
NOTE
When all requirements are met, the WSUS Sync solution needs additional
configuration at the VSE level. For details, see chapter 5, Configuring the WSUS Sync
ESP in the VSE.
4.1 Before you start
Before configuring the required settings for the WSUS Sync solution, it is important to
become familiar with the following:
• Basic requirements for the WSUS Sync solution
• The contents of WSUS Sync solution package
• The steps required for configuring the WSUS Sync solution
4.1.1 Basic requirements for the WSUS Sync solution
Before you can start configuring and using the WSUS Sync ESP, you need to verify the
following:
• ICS Shield has been installed.
• The WSUS Sync ESP exists in the Security Center and has been distributed to the
appropriate VSEs.
NOTE
For details about importing product lines to the Security Center and distributing
them to VSEs, see the Security Center Getting Started Guide.
• Upstream WSUS server – installed at the Security Center and accessible from the
RAG
• Installed VSEs – at least one VSE installed at a remote site
• Downstream WSUS server – installed at the remote site; it can access the VSE
and be accessed by the VSE on that site
4.1.2 Contents of the WSUS Sync solution package
The WSUS Sync solution package contains the following files, which are required for
the implementation and configuration of the policy:
• WSUS_3.0.12.nnz – contains the WSUS Sync ESP. This file should be imported
into the Security Center Builder, and then distributed to the VSEs.
• SQL_Insert.sql – contains the definitions of the reverse tunnels from the Security
Center side; these tunnels are required for the operation of the WSUS Sync
solution. This file should be run on the Security Center database. See section 4.3,
Security Center – tunnel configuration in the database.
NOTE
The contents of the SQL_Insert.sql file must match the contents of the
Sync_RRA.zip file.
• Sync_RRA.zip – contains the definitions of the reverse tunnels from the VSE side;
this file should be imported to the Security Center and then distributed to the VSEs
and run on them. See section 4.4.2, Configuring the tunnel on the VSE side.
4.1.3 Steps required for configuring the WSUS Sync solution
The configurations required for the WSUS Sync solution are the following:
• Upstream WSUS server – see section 4.2, Upstream WSUS server – configuration
for encrypted mode.
• Security Center – configuration of the Security Center side of the tunnels that are
used for transferring WSUS updates; for details, see section 4.3, Security Center –
tunnel configuration in the database.
• VSE computer
  a. Configuring the VSE side of the tunnels used for transferring WSUS updates;
     for details, see section 4.4.2, Configuring the tunnel on the VSE side.
  b. Configuring the execution policy of the local PowerShell to allow the WSUS
     Sync ESP scripts to run; for details, see section 4.4.3, Configuring the local
     PowerShell execution policy for VSE.
  c. Enabling and configuring Windows Remote Management (WinRM) to allow
     the operation of the WSUS Sync ESP; for details, see section 4.4.4,
     Configuring WinRM for VSE.
• Downstream WSUS server
a. Enabling and configuring WinRM – only for a downstream WSUS that is
installed on a separate machine; for details, see section 4.5.2, Configuring
WinRM.
b. Importing the upstream WSUS certificate to the downstream WSUS – for
encrypted mode only; for details, see section 4.5.3, Importing the upstream
WSUS certificate – encrypted mode.
c. Configuring the update source – namely, creating a connection between the
downstream WSUS server and the upstream WSUS server, and defining from
where to receive WSUS updates; for details, see section 4.5.4, Configuring the
update source.
d. Editing the hosts file to bypass DNS lookup – map the upstream WSUS server
hostname to the IP address of the VSE; for details, see section 4.5.5, Editing
the hosts file.
4.2 Upstream WSUS server – configuration for encrypted mode
The upstream WSUS server should be located at the headquarters, on a separate
server from the one that runs the Security Center.
The configuration of the upstream WSUS server depends on the security mode to be
used for the WSUS deployment – either the encrypted or non-encrypted mode. WSUS
update files are transferred via HTTP protocol in both modes. Only the metadata files
are transferred via a secure protocol.
In an encrypted mode, the metadata of WSUS updates is transferred via HTTP over
SSL/TLS protocol. In a non-encrypted mode, the metadata is transferred via HTTP
protocol. Therefore, when using an encrypted mode, you need two protocols, and two
reverse tunnels – one for each protocol. When using the non-encrypted mode, you
need one protocol and one reverse tunnel for all WSUS data.
The configuration of the upstream WSUS server depends on the requested security
mode:
• Non-encrypted mode – no specific configuration of the upstream WSUS server is
required.
• Encrypted mode (SSL/TLS enabled) - configure your upstream WSUS server based
on the instructions specified in Microsoft documentation for WSUS 3.0 SP2 and
WSUS 2016.
4.3 Security Center – tunnel configuration in the database
The Security Center database should be configured to enable the connection from the
downstream WSUS server to the upstream WSUS server. This connection is set by
defining one or two reverse tunnels in the database for the WSUS synchronization.
A reverse tunnel is defined by a set of entries, which needs to be added to the Security
Center database. When using an encrypted mode, two sets of entries need to be
entered, one for each tunnel. These entries define one side of the tunnels – the
upstream WSUS server/Security Center side. Providing the communication tunnel ID
used by the gateway as one of the entries allows the Remote Access Gateway to funnel
the communication between the VSEs and the upstream WSUS server.
The required entries with the appropriate values for opening the WSUS tunnels from
the Security Center side are defined in the SQL_Insert.sql file, which is part of the
WSUS Sync solution package and includes the entries for both non-encrypted and
encrypted modes. These entries should be added to the RMA_INBOUND_SERVICE_T table.
NOTE
Completing the tunnel configuration requires adding entries for the other side of
the tunnels, namely, on the VSE side. The RMA_SVC_ID and ALLOCATED_PORT
values entered in the Security Center database must be identical to the values of
these parameters in the DefaultRRAConfiguration.xml file in the VSE. See Section
4.4.2, Configuring the tunnel on the VSE .
You can configure the WSUS tunnels in the Security Center database manually, by
entering the required entries into the database; see section 4.3.1, Configuring WSUS
tunnels manually.
This procedure is a one-time configuration done by Support personnel. To set this
configuration, you need the IP address or hostname of the upstream WSUS server.
4.3.1 Configuring WSUS tunnels manually
Depending on your security mode, enter one or two of the following sets of entries into
the database:
• For the non-encrypted mode – enter only the entries listed as the value for a
non-encrypted mode. These entries define a reverse tunnel via HTTP.
• For the encrypted mode – enter BOTH sets of entries: the value for a non-encrypted
mode and the value for an encrypted mode. These entries define two reverse
tunnels, one for the HTTP over SSL/TLS protocol and one for the HTTP protocol.
To manually configure WSUS tunnels in the Security Center database:
Regardless of whether the non-encrypted or the encrypted mode is used, add the
following entries to the RMA_INBOUND_SERVICE_T table in the Security Center
database. For each entry, the value for a non-encrypted mode and the value for an
encrypted mode are listed.

RMA_SVC_ID (this is the tunnel ID)
  Non-encrypted mode: 4
  Encrypted mode: 444
RMA_SVC_NAME
  Non-encrypted mode: WSUS
  Encrypted mode: WSUS Encrypted
ACCESS_TYPE
  Non-encrypted mode: 3
  Encrypted mode: 3
APPLICATION_NAME
  Non-encrypted mode: Http
  Encrypted mode: Https
ALLOCATED_PORT (the allocated port number must be 20000 or higher; usually,
ports 20000, 20001, and 20002 are already in use)
  Non-encrypted mode: 20003
  Encrypted mode: 20004
DESTINATION
  Non-encrypted mode: <IP address/hostname>:<port no.>
    • Enter the IP address or hostname of the upstream WSUS server.
    • The port number depends on your WSUS server version:
      • For Windows versions earlier than Windows Server 2012 – enter port
        number 80.
      • For Windows Server 2012 and up – enter port number 8530.
  Encrypted mode: <IP address/hostname>:443
    • Enter the IP address or hostname of the upstream WSUS server.
    • The port number is 443.
DESCRIPTION
  Non-encrypted mode: WSUS Sync – Non-Encrypted
  Encrypted mode: WSUS Sync – Encrypted
EXECUTION_COMMAND
  Non-encrypted mode: @echo Windows Update Non-Encrypted {0}:{1} & pause
  Encrypted mode: @echo Windows Update Encrypted {0}:{1} & pause
EXEC_FILE_EXTENSION
  Non-encrypted mode: bat
  Encrypted mode: bat
SESSION_TIMEOUT_MIN (the value of the session timeout, in minutes)
  Non-encrypted mode: 360
  Encrypted mode: 360
AUDIT_TYPE
  Non-encrypted mode: 2
  Encrypted mode: 2
SESSION_RECORD_TYPE
  Non-encrypted mode: 0
  Encrypted mode: 0
IS_ENABLED
  Non-encrypted mode: 1
  Encrypted mode: 1
  Note: for the encrypted-mode entry, 1 is the value only if the upstream WSUS
  is encrypted. For plain communication, use 0.
4.4 VSE – requirements and configuration
This section specifies all requirements and configurations for the VSE.
4.4.1 VSE server – requirements
The following requirements need to be met to set up the WSUS Sync solution on the
VSE server:
• VSE version 4.8 and up is installed.
• VSE license – make sure your VSE license is updated with the Reverse Remote
Access feature. This feature includes the reverse tunnel option.
To check if you have the Reverse Remote Access feature:
1. On the VSE Web interface, click About in the upper right corner to display your
license details.
2. On the Add-Ons list, check if you have the Reverse Remote Access feature.
3. Based on your current license, perform one of the following:
   • If you have the Reverse Remote Access feature, you can continue and use
     the WSUS Sync ESP.
   • If you do not have the Reverse Remote Access feature, contact Support and
     ask for an updated license. Once you have the updated license, navigate to
     About > Product Authorization and enable the Reverse Remote Access
     feature by entering your new license number.
4.4.2 Configuring the tunnel on the VSE side
Once one side of the reverse tunnel allocated for the WSUS Sync solution is defined in
the Security Center database, the other side of the reverse tunnel must be defined on
the VSE server.
To configure the reverse tunnel on the VSE server:
1. Ensure that you have the permissions required for distributing software
distribution packages from the Security Center to the VSEs.
2. Ensure that the software distribution file sync_RRA.zip is customized with your
specific parameters (IDs, IP addresses etc.)
3. Import the software distribution package to the Security Center.
4. Distribute the package to the VSEs.
The package will automatically add the required settings for creating and opening
the reverse tunnel from the VSE side.
To distribute the Sync_RRA.zip file:
1. In the Security Center, open the site or the group to which you want to distribute
the Sync_RRA.zip file.
2. Click the icon at the top right of the screen to display the Run Distribute
Software activity dialog box.
3. Select the Sync_RRA.zip file by clicking Select and browsing to this file.
4. Select the check box Unzip the file at the Site Server to automatically unzip the
file once it is distributed to the site.
5. Click Run.
The distribution package adds the required entries to the
ReverseRemoteAccess/DefaultRRAConfiguration.xml file.
Figure 4-1. Run Distribute Software activity dialog box
NOTE
By default, both tunnels are enabled when the WSUS SSL mode is used.
If the default values are used, the entries that are added to the
DefaultRRAConfiguration.xml file on the VSEs are as specified below.
Entries for non-encrypted mode:
<Service Id="4" Name="Windows Update Services"
         ApplicationName="http" AccessType="REMOTE_WEB"
         SessionTimeout="6" AuditType="2" Recordable="false"
         Enabled="true">
  <AllocatedPort>20003</AllocatedPort>
  <SessionDescription>
    <![CDATA[ Windows Server Update Services Non-Encrypted]]>
  </SessionDescription>
  <Command><![CDATA[ @echo Windows Update Non-Encrypted {0}:{1} & pause]]></Command>
  <Extension>bat</Extension>
  <SessionLogExtension />
</Service>
Entries for an encrypted mode:
<Service Id="444" Name="Windows Update Services SSL"
         ApplicationName="http" AccessType="REMOTE_WEB"
         SessionTimeout="6" AuditType="2" Recordable="false"
         Enabled="true">
  <AllocatedPort>20004</AllocatedPort>
  <SessionDescription>
    <![CDATA[ Windows Server Update Services SSL]]>
  </SessionDescription>
  <Command><![CDATA[ @echo Windows Update {0}:{1} & pause]]></Command>
  <Extension>bat</Extension>
  <SessionLogExtension />
</Service>
CAUTION
The Service Id and AllocatedPort values you specify in the DefaultRRAConfiguration.xml
file on the VSE must be identical to the RMA_SVC_ID and ALLOCATED_PORT values of the
corresponding entries in the Security Center database. See section 4.3, Security
Center – tunnel configuration in the database.
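The note in section 4.3 and the caution above both require the tunnel ID and the allocated port to agree on the two sides. The following PowerShell script is an added example, not part of the Honeywell package or the ICS Shield product, that reads the Service entries from DefaultRRAConfiguration.xml and compares them with the RMA_SVC_ID and ALLOCATED_PORT values you entered in RMA_INBOUND_SERVICE_T. The guide does not show the root element of the XML file, so the inline sample assumes a <ReverseRemoteAccess> root; the expected database values are typed in from the section 4.3.1 defaults and the function name is this example's own.

```powershell
# Added example, not part of the Honeywell WSUS Sync package: cross-check the VSE-side
# tunnel entries in DefaultRRAConfiguration.xml against the RMA_SVC_ID / ALLOCATED_PORT
# values entered in RMA_INBOUND_SERVICE_T (section 4.3.1). The root element name of the
# XML file is not shown in the guide, so the sample below assumes <ReverseRemoteAccess>.

# Expected values from the Security Center database: RMA_SVC_ID -> ALLOCATED_PORT.
# Fill this in from your own SQL_Insert.sql; the values here are the guide's defaults.
$ExpectedFromDb = @{
    '4'   = 20003   # WSUS, non-encrypted tunnel (HTTP)
    '444' = 20004   # WSUS Encrypted tunnel (HTTPS)
}

function Test-RraTunnelConfig {
    param(
        [Parameter(Mandatory)][xml]$Config,          # parsed DefaultRRAConfiguration.xml
        [Parameter(Mandatory)][hashtable]$Expected   # RMA_SVC_ID -> ALLOCATED_PORT
    )
    $problems = @()
    $services = @($Config.SelectNodes('//Service'))
    foreach ($svc in $services) {
        $id   = $svc.GetAttribute('Id')
        $port = [int]$svc.AllocatedPort
        if (-not $Expected.ContainsKey($id)) {
            $problems += "Service Id $id is in the XML but has no RMA_SVC_ID row in the database"
            continue
        }
        if ($Expected[$id] -ne $port) {
            $problems += "Service Id ${id}: AllocatedPort $port differs from ALLOCATED_PORT $($Expected[$id])"
        }
        if ($port -lt 20000) {
            # Section 4.3.1: allocated ports must be 20000 or higher.
            $problems += "Service Id ${id}: AllocatedPort $port is below the required minimum of 20000"
        }
        if ($svc.GetAttribute('Enabled') -ne 'true') {
            $problems += "Service Id ${id}: the tunnel is not enabled"
        }
    }
    foreach ($id in $Expected.Keys) {
        if (-not ($services | Where-Object { $_.GetAttribute('Id') -eq $id })) {
            $problems += "RMA_SVC_ID $id is in the database but has no <Service> entry in the XML"
        }
    }
    return $problems
}

# Constructed sample with the guide's default entries (section 4.4.2). For the real file use:
#   $rra = [xml](Get-Content -Raw -Path '<path to>\ReverseRemoteAccess\DefaultRRAConfiguration.xml')
$rra = [xml]@"
<ReverseRemoteAccess>
  <Service Id="4" Name="Windows Update Services" ApplicationName="http" AccessType="REMOTE_WEB"
           SessionTimeout="6" AuditType="2" Recordable="false" Enabled="true">
    <AllocatedPort>20003</AllocatedPort>
    <Command><![CDATA[ @echo Windows Update Non-Encrypted {0}:{1} & pause]]></Command>
    <Extension>bat</Extension>
  </Service>
  <Service Id="444" Name="Windows Update Services SSL" ApplicationName="http" AccessType="REMOTE_WEB"
           SessionTimeout="6" AuditType="2" Recordable="false" Enabled="true">
    <AllocatedPort>20004</AllocatedPort>
    <Command><![CDATA[ @echo Windows Update {0}:{1} & pause]]></Command>
    <Extension>bat</Extension>
  </Service>
</ReverseRemoteAccess>
"@

$issues = @(Test-RraTunnelConfig -Config $rra -Expected $ExpectedFromDb)
if ($issues.Count -eq 0) { 'Tunnel definitions match the database entries.' } else { $issues }
```

Run it on the VSE after the Sync_RRA.zip package has been distributed; every line it prints is one mismatch to correct on either the database or the VSE side before the tunnel is tried.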
4.4.3 Configuring the local PowerShell execution policy for VSE
The WSUS Sync solution uses PowerShell scripts to run the WSUS Sync ESP. Therefore,
running PowerShell scripts on the VSE server should be enabled.
In most cases, Windows PowerShell execution policy is Restricted by default, which
means that Windows prevents the running of PowerShell scripts. To enable the WSUS
Sync solution, the PowerShell execution policy must be changed to allow the running
of the required scripts.
NOTE
In Windows Server 2012 R2, the default execution policy is RemoteSigned. In this
case, you do not need to change the execution policy.
The lowest (least privilege) execution policy level that allows running the WSUS Sync
scripts is RemoteSigned. You can also use the AllSigned and Unrestricted execution
policies.
NOTE
To learn more about Windows PowerShell execution policies, see:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-6&viewFallbackFrom=powershell-Microsoft.PowerShell.Core
Before changing your execution policy, find out what your current policy is.
To identify your current execution policy:
1. Open PowerShell as administrator by using the Run as Administrator option.
2. On PowerShell, enter the following command:
Get-ExecutionPolicy
Your current execution policy appears:
Based on your results, perform one of the following:
• If your current execution policy is Restricted, change it to the RemoteSigned
  policy or higher. See the instructions below.
• If your current execution policy is one of the following – RemoteSigned,
  AllSigned, or Unrestricted – no change is required; proceed to section 4.5.2,
  Configuring WinRM.
To change your execution policy:
1. Open PowerShell as administrator by using the Run as Administrator option.
2. On PowerShell, enter the following command:
Set-ExecutionPolicy
A prompt appears, asking you to enter the required execution policy.
3. On the ExecutionPolicy prompt, enter:
RemoteSigned
A message appears, informing you of the policy change and asking you to confirm
the change.
4. Enter Y to confirm the policy change.
Figure 4-2. Current execution policy
Figure 4-3. Confirming the policy change
Your execution policy is now RemoteSigned, and the WSUS Sync solution scripts
can run when needed.
NOTE
To learn more about the Set-ExecutionPolicy cmdlet, see:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6
4.4.4 Configuring WinRM for VSE
Starting from VSE BigBen (version 4.8) and up, the WSUS Sync solution cannot
function properly unless Windows Remote Management (WinRM) is enabled and
configured on the VSE computer.
NOTE
• WinRM is automatically installed with all currently supported versions of the
Windows operating system.
• To learn more about the installation and configuration of WinRM, see:
https://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx
To enable and configure WinRM:
1. Open PowerShell as an administrator by using the Run as Administrator option.
2. On PowerShell, enter the following command:
Winrm quickconfig
3. When prompted to confirm the changes, enter Y:
Your WinRM is now enabled and configured, enabling the WSUS Sync solution to
properly run on the VSE computer.
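Sections 4.4.3 and 4.4.4 are two manual checks on the same VSE computer. The script below is an added example, not from the Honeywell guide or the ICS Shield product, that combines them into one preflight: it reports the effective execution policy and the WinRM state, and changes them only when the guide says a change is needed (Restricted to RemoteSigned; winrm quickconfig when no local WinRM listener answers). The function names are this example's own; run it from a PowerShell session opened with Run as Administrator. The same script applies unchanged to a downstream WSUS server on a separate computer (section 4.5.2).

```powershell
# Added example, not from the Honeywell guide: one preflight script for the two VSE-side
# prerequisites in sections 4.4.3 (PowerShell execution policy) and 4.4.4 (WinRM). It reports
# the current state and changes it only where the guide requires a change. Function names
# are this example's own. Run it from an elevated (Run as Administrator) PowerShell session.

function Get-VsePreflightState {
    # Effective policy, the same value the guide's Get-ExecutionPolicy step shows.
    $policy = (Get-ExecutionPolicy).ToString()

    $winrmSvc  = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $svcStatus = 'NotInstalled'
    if ($winrmSvc) { $svcStatus = $winrmSvc.Status.ToString() }

    $listenerOk = $false
    try {
        # Test-WSMan against the local machine succeeds only when the WinRM service is
        # running and a listener is configured, which is what "winrm quickconfig" sets up.
        $null = Test-WSMan -ErrorAction Stop
        $listenerOk = $true
    } catch {
        $listenerOk = $false
    }

    [pscustomobject]@{
        ExecutionPolicy     = $policy
        # RemoteSigned, AllSigned and Unrestricted are the policies section 4.4.3 accepts.
        PolicyAllowsScripts = ($policy -in @('RemoteSigned', 'AllSigned', 'Unrestricted'))
        WinRmServiceStatus  = $svcStatus
        WinRmListenerOk     = $listenerOk
    }
}

function Repair-VsePrerequisites {
    param([switch]$ReportOnly)   # with -ReportOnly, print what would change but change nothing

    $state = Get-VsePreflightState

    if (-not $state.PolicyAllowsScripts) {
        # RemoteSigned is the least-privilege policy that still lets the WSUS Sync scripts run.
        if ($ReportOnly) {
            "Execution policy is $($state.ExecutionPolicy); would set RemoteSigned for LocalMachine"
        } else {
            Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
        }
    }

    if (-not $state.WinRmListenerOk) {
        # Same command as section 4.4.4; -quiet answers the confirmation prompt for you.
        if ($ReportOnly) {
            "WinRM service is $($state.WinRmServiceStatus) and no local listener answered; would run: winrm quickconfig -quiet"
        } else {
            winrm quickconfig -quiet
        }
    }

    # Return the state after any changes so that both checks can be seen to pass.
    Get-VsePreflightState
}

# First pass: report only. Drop -ReportOnly to apply the changes.
Repair-VsePrerequisites -ReportOnly
```

Both checks must show PolicyAllowsScripts and WinRmListenerOk as True before the WSUS Sync ESP is run; keeping the change in LocalMachine scope matches the interactive Set-ExecutionPolicy procedure above and leaves a Group Policy setting, if one exists, in control.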
4.5 Downstream WSUS server – requirements and configuration
The downstream WSUS server can either be installed on the same computer as the
VSE or on a separate computer.
4.5.1 Downstream WSUS server – requirements
The following requirements need to be met to set up the WSUS Sync solution on the
downstream WSUS server:
• WSUS 3.0 SP2 and up installed
• On the WSUS server, a Windows user who is a member of the WSUS
Administrators group and who has privileges for managing WSUS; in addition, this
user needs permissions to access the server remotely by using WinRM.
NOTE
At a later stage, when you configure in the VSE the parameters of the device
used for WSUS Sync, enter the credentials of this user as the WSUS
parameters - WSUS Admin Username, Admin Domain, and Admin Password.
4.5.2 Configuring WinRM
Starting from VSE BigBen (version 4.8) and up, Windows Remote Management
(WinRM) must be enabled and configured on the downstream WSUS server to ensure
the proper operation of the WSUS Sync solution.
• If the downstream WSUS server is installed on the same computer as the VSE, and
the WinRM has already been configured on the VSE server (see section 4.4.4,
Configuring WinRM for VSE), there is no need to configure the WinRM again.
• If the downstream WSUS server is installed on a separate computer, configure the
WinRM on the downstream WSUS server as well, using the same process used to
configure WinRM on the VSE.
4.5.3 Importing the upstream WSUS certificate – encrypted mode
The upstream WSUS certificate enables the downstream WSUS server to accept the
upstream WSUS server as a trusted source and to securely receive updates from the
upstream server.
4.5.4 Configuring the update source
To enable the downstream WSUS server to receive updates from the upstream WSUS
server, configure the update source of the downstream WSUS server as follows.
To configure the update source of the downstream WSUS server:
1. In the downstream WSUS server settings, enter the source of the WSUS updates.
2. Open the downstream WSUS server console by selecting Start > Windows Server
Update Services, to open the screen by the same name.
3. In the left pane of this screen, select WSUS > Options to display the Options pane
in the middle of the dialog box.
4. Click the Update Source and Proxy Server option to open a dialog box by the same
name, which allows the downstream WSUS server to synchronize with the
upstream WSUS server:
Figure 4-4. Update Source and Proxy Server option
5. Use the Update Source and Proxy Server dialog box to select the following
options:
   • Synchronize from another Windows Server Update Services server
   • This server is a replica of the upstream server
6. Enter the following values:
   • Port number – enter 18530
   • Server name – any of the following values
     o IP address 127.0.0.1
     o localhost
     o WSUS Upstream DNS name
Figure 4-5. Update Source and Proxy Server dialog box
To find the server name in the imported certificate:
1. On the URL Address box of the server, click the Secure prefix, and select the
Certificate option:
2. On the Certificate dialog box, open either the General or Certification Path tabs,
and locate the name of the server as it appears on the certificate.
3. Use the Update Source tab to enter the following details:
   • Server name – the name that appears on the Certification Path tab.
   • Port number – enter 18530.
   • Use SSL when synchronizing update information check box – select this
     check box.
Your dialog box should look as shown below.
4. Click Apply to complete the operation.
Figure 4-6. Source updated with all relevant details
4.5.5 Editing the hosts file
An entry needs to be added to the hosts file on the downstream WSUS server to map
the upstream WSUS server hostname to the IP address of the VSE.
This is required to bypass the DNS system, because the site’s DNS system either does
not exist or does not contain the WSUS IP address.
To edit the hosts file:
1. Open the hosts file, located in C:\Windows\System32\drivers\etc.
2. In the hosts file, add a new entry as follows:
VSE_IP_Address Upstream_WSUS_Server_Name
NOTE
The Upstream_WSUS_Server_Name value must be identical to the name that
appears in the certificate.
For example:
3. Save the hosts file with the new entry.
Figure 4-7. Hosts file edited
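The manual edit above is easy to get subtly wrong (a duplicate line, a stale mapping to an old VSE address, a file saved with a byte-order mark). The following PowerShell script is an added example, not from the Honeywell guide or the ICS Shield product, that adds the VSE_IP_Address Upstream_WSUS_Server_Name entry only when no mapping for that name exists, refuses to add a second mapping when a different one is already there, keeps a dated backup, and then confirms that the name resolves to the VSE address. The IP address and hostname in it are constructed placeholders, and the function names are this example's own.

```powershell
# Added example, not from the Honeywell guide: add the section 4.5.5 hosts entry without
# duplicating or silently overriding an existing mapping, then confirm the name resolves to
# the VSE. The two values below are constructed placeholders; use your VSE IP address and the
# upstream WSUS server name exactly as it appears in the imported certificate.
$VseIpAddress = '10.0.0.5'                # placeholder: IP address of the VSE
$UpstreamName = 'wsus-upstream.example'   # placeholder: upstream WSUS name from the certificate
$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsMapping {
    # Returns the IP address(es) mapped to $HostName in the uncommented lines of the hosts file.
    param([string]$Path, [string]$HostName)
    foreach ($rawLine in (Get-Content -Path $Path)) {
        $line = ($rawLine -split '#')[0].Trim()          # strip comments and whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        $names  = $fields | Select-Object -Skip 1          # first field is the address
        if ($names -contains $HostName) { $fields[0] }
    }
}

function Add-HostsMapping {
    param([string]$Path, [string]$IpAddress, [string]$HostName)
    $existing = @(Get-HostsMapping -Path $Path -HostName $HostName)
    if ($existing -contains $IpAddress) {
        return "Already present: $HostName -> $IpAddress"
    }
    if ($existing.Count -gt 0) {
        # A stale mapping would send the downstream WSUS to the wrong address; do not add a second one.
        throw "$HostName is already mapped to $($existing -join ', '); remove that entry before adding $IpAddress"
    }
    # Dated backup so the change can be reverted.
    Copy-Item -Path $Path -Destination ("{0}.{1}.bak" -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))
    # Make sure the new entry starts on its own line even if the file has no trailing newline.
    $raw = Get-Content -Path $Path -Raw
    $newline = ''
    if (-not [string]::IsNullOrEmpty($raw) -and -not $raw.EndsWith("`n")) { $newline = "`r`n" }
    # The hosts file must stay plain ASCII without a byte-order mark.
    Add-Content -Path $Path -Value "$newline$IpAddress`t$HostName" -Encoding Ascii
    return "Added: $HostName -> $IpAddress"
}

function Test-HostsMapping {
    # Uses the OS resolver, which consults the hosts file before DNS.
    param([string]$IpAddress, [string]$HostName)
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
    } catch {
        return $false
    }
    return [bool]($resolved -contains $IpAddress)
}

Add-HostsMapping -Path $HostsPath -IpAddress $VseIpAddress -HostName $UpstreamName
if (Test-HostsMapping -IpAddress $VseIpAddress -HostName $UpstreamName) {
    "$UpstreamName now resolves to $VseIpAddress"
} else {
    "$UpstreamName does not resolve to $VseIpAddress; check the hosts file and run ipconfig /flushdns"
}
```

Run it in an elevated PowerShell session on the downstream WSUS server. Because the name in the entry must match the certificate exactly (see the note above), take the hostname from the Certification Path tab rather than typing it from memory.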
5. Configuring the WSUS Sync ESP in the VSE
Each policy that was distributed to a VSE must be represented as a specific device in
the VSE before it can be configured and run. Therefore, you need to create a new
device in the VSE for each distributed policy, unless your site (VSE) already has a
device for syncing the policy.
Accordingly:
1. Before creating a new device for the WSUS Sync ESP, check whether you already
have the WSUS device in your VSE.
2. If the VSE already has a device for syncing WSUS, ensure that the configuration of
the device meets the requirements specified in this document.
Once you have a device for the WSUS Sync ESP, you need to configure the device. First
configure several basic parameters, such as connectivity credentials and the time
interval that needs to elapse after a successful sync, before a new sync is initiated.
Then, if necessary, you can change the default values of the advanced parameters of
the device.
In short, the configuration of the WSUS Sync ESP consists of the steps described in
the following sections:
• 5.1, Checking for the existence of a WSUS device
• 5.2, Creating a new device for the WSUS Sync ESP
• 5.3, Verifying the WSUS tunnel operation
• 5.4, Configuring the advanced parameters of the WSUS device
After WSUS Sync is configured to meet your network specification and
requirements, this policy automatically starts running by default once a day at 23:30
local time.
5.1 Checking for the existence of a WSUS device
To check if your VSE includes a device for the WSUS Sync ESP:
1. Open the VSE.
2. Go to Operations > Device Management.
3. Search for the file WSUS_PL4Vendor_[date].nnz.
4. Based on the results, perform one of the following:
   • If a device that is based on the WSUS product line exists, start configuring
     the parameters of the existing device, as described in section 5.3, Verifying
     the WSUS tunnel operation.
   • If such a device does not exist, create a new device for the WSUS Sync ESP,
     as described in the next section.
5.2 Creating a new device for the WSUS Sync ESP
To create a new device for the WSUS Sync ESP:
1. Open the VSE.
2. Go to Operations > Device Management to display a list of all existing devices.
3. Click New above the table to display the New Device page.
4. On the New Device page, set the following:
Table 5-1. Properties of a WSUS device
Product Line: Select NextNine WSUS.
Model: Select either WSUS HTTP or WSUS SSL, depending on the security mode
selected for the upstream WSUS server in the HQ.
  • If you did not configure the upstream WSUS server to use SSL, select
    WSUS HTTP.
  • If you configured the upstream WSUS server to use SSL for an encrypted
    mode, select WSUS SSL.
Version: Select your VSE version.
Device Address: Enter the IP address of the computer where the connected
downstream WSUS server is located:
  • If the downstream WSUS server is installed on the same computer as the
    VSE – enter 127.0.0.1.
  • If the downstream WSUS server is installed on a remote computer – enter
    the IP address of the remote computer.
Device Name: Enter the requested name.
  Note: You can enter any name for the new device. For the sake of clarity and
  consistency, the name WSUS server is used in this guide.
5. Go to the Protocol Settings section to configure the parameters specified in the
table below.
NOTE
You can also complete the device creation at this stage, by clicking Save
at the bottom of the page, and continue configuring the WSUS Device
protocol settings later. To do that, click the WSUS device row on the left
pane of the All Devices page, and then click Edit Protocol Settings of
device on the right. The dialog box that opens is identical to the section
described in the next step.
Table 5-2. Parameters specified in Protocol Settings
User Name – A VSE username for accessing the VSE API.
  Default value: admin
Password – A password for the above username.
  Default value: admin
WSUS Admin Domain – If needed, a WSUS server domain name. If the WSUS Admin
user is a local user on the downstream WSUS server, use the value “.”.
WSUS Admin Username – A Windows username for a user who is a member of the
WSUS Administrators group and who has permissions to access the computer
remotely by using WinRM (for more information about this Windows user, see
section 4.4.4, Configuring WinRM for VSE).
  Default value: WSUSAdmin
WSUS Admin Password – A password for the WSUS admin user above.
  Default value: W5U5Admin
WSUS Hostname – The hostname or IP address of the downstream WSUS server.
  Default value: 127.0.0.1 / Down_server
Sync Interval – The time interval (in hours) that needs to pass before
automatically initiating a new sync after a successful one (to learn more about
using the Sync Interval, see section 6.1, Understanding the operation and output
of WSUS Sync).
  Default value: 23
6. Once you have finished configuring the basic parameters of the WSUS device,
click Save.
A confirmation message appears, informing you of the creation of the new device.
7. Click OK to return to the Device Management page.
By default, once the WSUS device is properly created, the first synchronization between
the downstream WSUS server and the upstream WSUS server is automatically
executed at 23:30. You can wait for the automatic execution of the WSUS Sync ESP, or
perform one or both of the following:
[Optional]
• Configure the advanced parameters of the WSUS device
• Manually run the WSUS Sync ESP, and view the synchronization results.
5.3 Verifying the WSUS tunnel operation
Before starting to use the WSUS Sync ESP, verify that the reverse tunnel allocated to
this policy is working properly.
To verify the proper operation of the WSUS Sync tunnel:
1. Open the VSE, either directly from its server or by connecting to it remotely.
2. On the VSE, select the WSUS Sync device in the All Devices pane on the left side
of the screen.
3. In the Execution tab, select the check box of the Open Connection (without
syncing) option.
4. To open the tunnel allocated for the WSUS Sync ESP without starting the WSUS
sync, click Execute Once Now.
5. To verify that the tunnel was opened properly, open a web browser and navigate to
one of the following addresses, depending on your security mode:
   • Non-encrypted – HTTP://[vse]:18530
   • Encrypted – HTTPS://[vse]:18529
The results of the tunnel verification are one of the following:
   • Success: There is no error message, and the page is displayed.
   • Failure: A connection/certificate/security error is displayed. In this case,
     check your configuration.
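The browser check above can be scripted so that it is repeatable after every configuration change. The following PowerShell function is an added example, not from the Honeywell guide or the ICS Shield product; it requests the same two addresses and reports the outcome in the guide's own terms (page displayed, or a connection, certificate or security error), and additionally distinguishes the case where the tunnel carried the request but the upstream WSUS answered with an HTTP error status. Certificate validation is left on, so a certificate failure points at the certificate import in section 4.5.3 or the hosts-file name mapping in section 4.5.5. The VSE address and the function name are this example's own placeholders.

```powershell
# Added example, not from the Honeywell guide: probe the tunnel endpoints of section 5.3 and
# classify the outcome the way the guide does: page displayed, or a connection / certificate /
# security error. [vse] is a placeholder for the VSE address.
$VseAddress = 'vse.example'   # placeholder for [vse]

function Test-WsusTunnel {
    param(
        [Parameter(Mandatory)][string]$Vse,
        [Parameter(Mandatory)][ValidateSet('NonEncrypted', 'Encrypted')][string]$Mode
    )
    # Ports from section 5.3: HTTP on 18530, HTTPS on 18529.
    if ($Mode -eq 'Encrypted') { $url = "https://${Vse}:18529/" } else { $url = "http://${Vse}:18530/" }
    try {
        # Certificate validation stays on deliberately: a certificate error here points at the
        # upstream certificate import (4.5.3) or the hosts-file name mapping (4.5.5).
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        return [pscustomobject]@{ Url = $url; Result = 'Success'; Detail = "HTTP $($resp.StatusCode), page displayed" }
    } catch {
        $msg      = $_.Exception.Message
        $response = $_.Exception.Response
        if ($response) {
            # The tunnel delivered the request and the upstream WSUS answered with an error status.
            $kind = "HTTP status $([int]$response.StatusCode) from the upstream WSUS"
        } elseif ($msg -match 'trust relationship|SSL/TLS|certificate') {
            $kind = 'Certificate/security error'
        } else {
            $kind = 'Connection error'
        }
        return [pscustomobject]@{ Url = $url; Result = 'Failure'; Detail = "${kind}: $msg" }
    }
}

# Run the check for the mode you configured in section 4.2; both are shown here.
Test-WsusTunnel -Vse $VseAddress -Mode NonEncrypted
Test-WsusTunnel -Vse $VseAddress -Mode Encrypted
```

Run it while the tunnel is open (Open Connection without syncing, then Execute Once Now, as in steps 3 and 4). A Connection error means the reverse tunnel is not up on one of its segments; a Certificate/security error in encrypted mode means the name or trust chain is wrong rather than the tunnel.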
5.4 Configuring the advanced parameters of the WSUS device
In addition to the basic parameters of the WSUS device, there are advanced
parameters that affect the results of the execution of the WSUS Sync ESP.
In version 4.8 and above, all these advanced parameters have default values that can
be kept or, if required, modified.
The way you configure the advanced parameters depends on several factors: the
version of your WSUS Sync ESP; the existence of a previous WSUS device/policy in the
VSE; and the version of your VSE.
• For a new WSUS Sync v. 3.4x with no prior WSUS device in the VSE - see section
5.4.1, Configuring for a new WSUS device.
• For an upgraded WSUS Sync v. 3.4x with an existing WSUS device in the VSE - see
section 5.4.2, Configuring for upgraded WSUS .
5.4.1 Configuring for a new WSUS device
NOTE
The instructions in this section apply only to a new WSUS Sync solution v. 3.4x, with
no prior WSUS device in the VSE.
To configure the advanced parameters of a new WSUS device v. 3.4x:
1. On the VSE, click the Operations tab - Devices option.
2. From the All Devices list on the left side of the screen, select the WSUS device.
3. On the left pane of the All Devices page, click the Edit icon next to the WSUS
device:
Figure 5-1. Edit WSUS device
The Edit Protocol Settings of Device dialog box appears, allowing you to
configure the settings of the WSUS device.
4. To configure an advanced parameter, click Add to insert a new row at the bottom
of the parameters table.
5. Enter the parameter name and its value in the appropriate boxes, as specified in
the table below:
NOTES
• Copy and paste the Parameter Name without any changes. Do not
use quotation marks, whitespaces, or any other additions.
• The names and values of the parameters are case sensitive.
Table 5-3. Advanced parameters for WSUS device

UI_Port
  Description: The UI Port of the VSE
  Default Value: 8449

Service_ID
  Description: The ID of the WSUS service as configured in the Security Center and VSE
  Default Value: 4

HTTP_Service_ID
  Description: For the encrypted mode only: the ID of the WSUS service as configured
  in the Security Center and VSE. When working in the encrypted mode, enter the
  Service ID of the HTTP here (444).
  Default Value: 444

Client_WSUS_Port
  Description: The listening port of the downstream WSUS component
  Default Value: 8530

Tunnel_Port
  Description: The VSE machine port on which the VSE mimics the upstream WSUS
  communication. Do not change this value.
  Default Value: 18530
If you chose to add all advanced parameters, your Edit Protocol Settings of
Device dialog box looks as shown below.
6. Once you have entered all the required settings, click Save.
The Save action overrides the default values.
5.4.2 Configuring for upgraded WSUS device
If you are already using the WSUS Sync solution, that is, you already have a running
WSUS device in your VSE and have upgraded the solution to WSUS Sync v. 3.4x, you
need to configure the advanced parameters in a different way.
When using an upgraded WSUS Sync policy, the Edit Protocol Settings of Device
dialog box in your VSE displays the advanced parameters. These advanced parameters
are not visible in the dialog box of a new WSUS device v. 3.4x, when using the WSUS
Sync ESP for the first time.
Although the advanced parameters are visible and the values you entered for them
previously are kept, the format of the names of the advanced parameters has changed
in the upgraded version of the policy. Because the old names are no longer recognized,
the values you previously entered for these parameters are overridden by the new
default values of the parameters. To apply your customized values to the new version
of the WSUS device, change the name format of the parameters as described in the
instructions below.
Figure 5-2. Edit Protocol Settings of Device dialog box
To configure the advanced parameters for an upgraded WSUS device:
1. In the VSE ribbon, go to the Operations tab > Devices. In the All Devices list on
the left side of the screen, select the WSUS device.
2. In the list of devices, click the Edit Protocol Settings of Device icon next to
the WSUS device.
The Edit Protocol Settings of Device dialog box appears, allowing you to
configure the settings of the WSUS device.
If you use a new WSUS device with a newer version of the WSUS Sync ESP, the
dialog box does not display the entries listed below, which are configured with
their default values:
UI Port
Service ID
HTTP Service ID
Client WSUS Port
Tunnel Port
When using an existing WSUS device with a newer version of the WSUS Sync ESP,
these parameters do appear in the Edit Protocol Settings of Device dialog box,
including their current values, as shown below.
Figure 5-3. Settings of an existing device
However, regardless of the values displayed in the table, the WSUS device will use
the default values of these parameters. Therefore, if you would like to set a
non-default value for one or more of these parameters, you need to manually change
the name(s) of the requested parameter(s), replacing each blank space with an
underscore, as follows:
UI Port -> UI_Port
Service ID -> Service_ID
HTTP Service ID -> HTTP_Service_ID
Client WSUS Port -> Client_WSUS_Port
Tunnel Port -> Tunnel_Port
NOTE
If you are using a new WSUS device with a newer version of the WSUS Sync
ESP, click Add and enter the requested parameters and their values manually.
The figure below shows what your dialog box should look like.
3. Once you have changed all required names, click Save.
The Save action overrides the default values, and your customized values are
applied to the WSUS device.
Figure 5-4. Settings of an edited device
RUNNING THE WSUS SYNC ESP
6. Running the WSUS Sync ESP
After configuring the settings of the WSUS device, you can now run the WSUS Sync
ESP on demand from the VSE or from the Security Center; for details, see section 6.2.1,
Running the WSUS Sync ESP, and section 6.3.1, Running the WSUS Sync ESP from the
Security Center.
Before performing these actions, it is advisable to learn more about the operation and
output of WSUS Sync, as explained in the following section.
6.1 Understanding the operation and output of WSUS Sync
By default, after you have configured the settings of the WSUS Sync ESP in the
Security Center and VSE, the WSUS Sync ESP runs once a day at 23:30. You do not
need to perform any additional action for the WSUS Sync ESP to be executed. You can
also manually run the WSUS Sync ESP, view the synchronization results after each run,
and deactivate the synchronization scheduler.
The WSUS device manages a synchronization monitoring and execution policy on a
scheduled basis in the following manner:
1. Every night at 23:30, the WSUS device on the VSE establishes a connection with
the downstream WSUS server.
2. Once the connection is established, the VSE sends a query to the downstream
WSUS server and checks its synchronization history. The WSUS device checks
whether there was a successful WSUS synchronization during a certain period.
This period is defined as a certain number of hours in the Sync Interval parameter
of the WSUS device. The Sync Interval determines the amount of time allowed
between a successful synchronization and the initiation of a new sync.
NOTE
For more information about the configuration of the Sync Interval
parameter, see section 5.3, Verifying the WSUS tunnel operation.
3. Based on the current WSUS synchronization state, the WSUS device performs one
of the following:
If no successful WSUS sync occurred during the last Sync Interval, the WSUS
device initiates a new WSUS sync.
For example, if the Sync Interval is 23h, and during the last 23h no
successful update has occurred, a new WSUS sync is initiated.
If there was a successful WSUS sync during the last sync interval, a new
WSUS sync is not initiated. Until 4:00 a.m., a new check is then performed
every 10 minutes. If during one of the checks it is found that no successful
WSUS sync took place during the last Sync Interval, a WSUS update is
initiated.
For example, if the Sync Interval is 23h, and a successful sync has occurred
during the last 23 hours, a new WSUS sync will not be initiated. Then, every
10 minutes, the WSUS device checks if a successful sync has occurred in the
last 23 hours. If at one point between 23:30 and 4:00, it is found that no
successful sync was completed during the last 23h, a new sync is initiated.
4. If it is found that a new WSUS sync must be initiated, the VSE opens a reverse
tunnel for its execution.
NOTE
While in previous versions of the WSUS Sync ESP the reverse tunnel was
opened by the VSE automatically, starting from WSUS Sync v. 3.4x the VSE
opens the reverse tunnel only when a new sync is required.
5. Every ten minutes, until 04:00, the WSUS device verifies that the connection
between the upstream and the downstream WSUS servers is active. If the
connection has been lost, the WSUS device recreates the connection and sends
a new sync command to the downstream WSUS server.
ATTENTION
The WSUS Sync does not update the workstations on the remote site with
the updates that are received by the downstream WSUS server. The
configuration of the update routine of the workstations on the site is the
responsibility of the site manager. In addition, the WSUS Sync solution is
not responsible for configuring the update download policies on the
upstream WSUS server.
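The decision in steps 2 and 3 above can be reproduced against the downstream WSUS server's own synchronization history, which is also a convenient way to confirm what the scheduler will do tonight before 23:30. The following PowerShell is an added example written for this guide, not the WSUS Sync ESP's own implementation. It assumes it runs on the downstream WSUS server (or through WinRM to it, as the prerequisites in Appendix B imply) with the UpdateServices module available; the 23-hour interval, 10-minute poll and 04:00 window end are the values documented in this section, not requirements of the API.

```powershell
# Added example (not Honeywell code): the nightly decision described in section 6.1,
# evaluated against the downstream WSUS server's synchronization history, plus the
# guard a practitioner wants before starting or terminating anything: never act while
# a synchronization is in progress.
# Assumptions: downstream WSUS server with the UpdateServices module; 23 h interval,
# 10-minute poll and 04:00 window end taken from the guide.

function Test-WsusSyncRequired {
    # Pure decision, usable offline: $true when no sync with Result 'Succeeded' ended
    # within the last $SyncIntervalHours. $History accepts the objects returned by
    # ISubscription.GetSynchronizationHistory() or any object with Result and EndTime.
    # The WSUS API reports times in UTC, so $Now defaults to UTC as well.
    param(
        [Parameter(Mandatory)][int]$SyncIntervalHours,
        [AllowEmptyCollection()][object[]]$History = @(),
        [datetime]$Now = [datetime]::UtcNow
    )
    $cutoff = $Now.AddHours(-$SyncIntervalHours)
    $recent = @($History | Where-Object {
        "$($_.Result)" -eq 'Succeeded' -and $_.EndTime -ge $cutoff
    })
    return ($recent.Count -eq 0)
}

function Invoke-WsusSyncCheck {
    # One pass of the check: start a sync only if required, or unconditionally with
    # -Force (the equivalent of the Sync Now profile). Returns $true when a sync was started.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$SyncIntervalHours = 23,
        [switch]$Force
    )
    Import-Module UpdateServices -ErrorAction Stop
    $subscription = (Get-WsusServer).GetSubscription()

    # Guard: a sync that is still running must neither be restarted nor interrupted.
    if ("$($subscription.GetSynchronizationStatus())" -ne 'NotProcessing') {
        Write-Warning 'A synchronization is already in progress; not starting another.'
        return $false
    }

    $history  = @($subscription.GetSynchronizationHistory())
    $required = $Force -or (Test-WsusSyncRequired -SyncIntervalHours $SyncIntervalHours -History $history)
    if (-not $required) {
        Write-Verbose "A successful sync ended within the last $SyncIntervalHours h; nothing to do."
        return $false
    }
    if ($PSCmdlet.ShouldProcess('downstream WSUS server', 'StartSynchronization')) {
        $subscription.StartSynchronization()
    }
    return $true
}

function Invoke-WsusSyncWindow {
    # The guide's nightly loop: re-run the check every $PollMinutes until $WindowEnd,
    # stopping as soon as a sync has been started.
    [CmdletBinding()]
    param(
        [int]$SyncIntervalHours = 23,
        [int]$PollMinutes = 10,
        [string]$WindowEnd = '04:00'
    )
    $end = Get-Date $WindowEnd
    if ($end -le (Get-Date)) { $end = $end.AddDays(1) }   # started before midnight: 04:00 is tomorrow
    while ((Get-Date) -lt $end) {
        if (Invoke-WsusSyncCheck -SyncIntervalHours $SyncIntervalHours) { return }
        Start-Sleep -Seconds ($PollMinutes * 60)
    }
}

# Offline check with constructed history (not real WSUS data):
#   $h = @([pscustomobject]@{ Result = 'Succeeded'; EndTime = [datetime]::UtcNow.AddHours(-25) })
#   Test-WsusSyncRequired -SyncIntervalHours 23 -History $h    # True: last success is 25 h old
#   Test-WsusSyncRequired -SyncIntervalHours 26 -History $h    # False: within the interval
# Dry run on the downstream WSUS server:
#   Invoke-WsusSyncCheck -SyncIntervalHours 23 -WhatIf
```

The in-progress guard is the same precaution the guide attaches to the Terminate WSUS Connection profile: check the synchronization status first, and let a running sync finish rather than stacking or cutting it.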
6.2 Using the VSE to run the WSUS Sync ESP
After you have defined and configured the WSUS device in the VSE, you can manually
run the WSUS Sync ESP from the VSE and view the WSUS Sync results.
NOTE
You can also run the WSUS Sync ESP and view its results from the Security Center,
as described in section 6.3, Using the Security Center to run the WSUS Sync ESP.
6.2.1 Running the WSUS Sync ESP
In addition to running the WSUS Sync policy on a scheduled basis, you can manually
run the policy on demand.
To run the WSUS Sync ESP from the VSE:
1. On the VSE, click the Operations tab > Devices option on the upper toolbar, to
display the All Devices page.
2. From the list on the left, select the WSUS Sync device. The list of available profiles
for the WSUS device appears on the right:
Figure 6-1. List of available actions for the WSUS Device
The list of execution profiles for the WSUS Sync ESP is as listed below.

Open Connection (without syncing)
Type: Diagnose Routine
Description: Opens the reverse tunnel from the downstream WSUS server to the
upstream WSUS server, without starting a new WSUS sync.

Open WSUS Connection and Sync
Type: Diagnose Routine
Description: Opens the reverse tunnel from the downstream WSUS server to the
upstream WSUS server and initiates a new WSUS sync. A new WSUS sync is initiated
only if no successful WSUS update occurred during the last Sync Interval. If a
new WSUS sync is initiated following the activation of this option, the sync
occurs only once, and not regularly on a scheduled basis.

Open WSUS Connection and Sync Periodically
Type: Monitoring Profile
Description: Allows the WSUS Sync ESP to run once a day, based on the settings
predefined in the scheduler. By default, this option is enabled. For details
about stopping and restarting the scheduler, see section 6.2.2, Stopping and
restarting the WSUS scheduler.
This profile has the following statuses:
• Running
• Not Running
• Downloading
Note: The status Downloading, which was introduced in version 3.5.X, appears if
the connection with the upstream server completed successfully and the
downstream WSUS is currently downloading the updates received from the upstream
server in the background. When the status is Downloading, the periodical check
of the WSUS connection will not close the tunnel.

Sync Now
Type: Diagnose Routine
Description: Opens the reverse tunnel and initiates a new WSUS sync, regardless
of the last sync execution time and result. The WSUS sync occurs once.

Terminate WSUS Connection
Type: Diagnose Routine
Description: Closes the reverse tunnel allocated for the WSUS synchronization.
This action causes any active WSUS sync to stop.
Note: Before using the Terminate WSUS Connection option, check whether a
synchronization is currently running. If a synchronization is currently in
progress, wait until it is completed before terminating the WSUS connection.

Calculate Clients Updates Compliance
Type: Diagnose Routine
Description: Checks a list of updates that were approved by the organization's
WSUS manager, as well as a user-defined threshold for the maximum number of days
allowed before the device must be updated. For each WSUS device, this profile
checks whether there are any approved updates that are relevant to the device
and the OS it runs.
• If no such updates exist, or if there are one or more relevant updates but the
threshold has not been exceeded, the result is True.
• If there are such updates and the threshold has been exceeded, the result is
False.
3. To run one of the execution profiles of the WSUS Sync ESP, from the Actions list,
select the check box of the action you want to execute and click Execute Once
Now.
Figure 6-2. One-time execution of an action
The selected profile is executed. During the action run, you can open the Current
Execution tab to view its status:
Once the profile execution is completed, the profile no longer appears under the
Current Execution tab.
4. To view the results:
a. Open the View Data tab.
b. Click the relevant device.
c. Locate the profile for which you would like to view the results.
d. Click the link in the Status column:
The Execution Result – View pane appears, displaying the results of the
executed action. If the execution was not completed successfully, the pane
will display the error number and its description.
Figure 6-3. Current Execution tab
Figure 6-4. View Data tab
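The Calculate Clients Updates Compliance profile described above is, in WSUS terms, a per-computer scan of approved-but-still-needed updates against an age threshold. The following PowerShell is an added example written for this guide that approximates that check with the WSUS administration API; it is not the profile's actual implementation and its data sources may differ. It assumes it runs on the downstream WSUS server with the UpdateServices module, that "relevant to the device" means an Install-approved update WSUS reports as NotInstalled, Downloaded or Failed for that computer, and that the age of an update is measured from its oldest Install approval.

```powershell
# Added example (not the profile's implementation): approximate the
# "Calculate Clients Updates Compliance" result per client computer.
# Assumptions: UpdateServices module on the downstream WSUS server; "relevant" means
# Install-approved and in state NotInstalled/Downloaded/Failed for the computer;
# age is measured from the oldest Install approval's CreationDate (UTC).

function Get-WsusClientUpdateCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$ThresholdDays,
        [datetime]$Now = [datetime]::UtcNow   # WSUS API timestamps are UTC
    )
    Import-Module UpdateServices -ErrorAction Stop
    $wsus    = Get-WsusServer
    $cutoff  = $Now.AddDays(-$ThresholdDays)
    $pending = 'NotInstalled', 'Downloaded', 'Failed'
    $cache   = @{}   # update GUID -> @{ Title; ApprovedOn }; avoids one GetUpdate call per computer

    foreach ($computer in $wsus.GetComputerTargets()) {
        $relevant = 0
        $overdue  = @()
        foreach ($info in $computer.GetUpdateInstallationInfoPerUpdate()) {
            # Only updates approved for install count; anything else is not the site's obligation.
            if ("$($info.UpdateApprovalAction)" -ne 'Install') { continue }
            if ($pending -notcontains "$($info.UpdateInstallationState)") { continue }
            $relevant++

            $id = $info.UpdateId
            if (-not $cache.ContainsKey($id)) {
                $update   = $wsus.GetUpdate($id)
                $earliest = $update.GetUpdateApprovals() |
                    Where-Object { "$($_.Action)" -eq 'Install' } |
                    ForEach-Object { $_.CreationDate } |
                    Sort-Object | Select-Object -First 1
                $cache[$id] = @{ Title = $update.Title; ApprovedOn = $earliest }
            }
            $entry = $cache[$id]
            if ($entry.ApprovedOn -and $entry.ApprovedOn -lt $cutoff) {
                $overdue += "$($entry.Title) (approved $($entry.ApprovedOn.ToString('u')))"
            }
        }
        [pscustomobject]@{
            Computer        = $computer.FullDomainName
            RelevantUpdates = $relevant
            OverdueUpdates  = $overdue
            # True when nothing is relevant, or nothing relevant is past the threshold.
            Compliant       = ($overdue.Count -eq 0)
        }
    }
}

# Usage on the downstream WSUS server, e.g. with a 30-day threshold:
#   Get-WsusClientUpdateCompliance -ThresholdDays 30 | Format-Table Computer, RelevantUpdates, Compliant
# Overall result in the profile's terms (True only if every computer is compliant):
#   -not (Get-WsusClientUpdateCompliance -ThresholdDays 30 | Where-Object { -not $_.Compliant })
```

Listing the overdue update titles per computer, rather than only the True/False verdict, is what turns a failed compliance result into something the site manager can act on, since, as the ATTENTION note in section 6.1 points out, updating the workstations themselves is outside the scope of WSUS Sync.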
6.2.2 Stopping and restarting the WSUS scheduler
By default, once you create a WSUS device and set its basic parameters, its scheduler
is automatically activated. This scheduler runs the WSUS Sync ESP every night at
23:30.
NOTE
To learn more about the operation of the WSUS Sync scheduler, see section 6.1,
Understanding the operation and output of WSUS Sync .
You can stop the activity of the WSUS Sync scheduler and restart it when needed.
To stop and restart the WSUS scheduler:
1. In the VSE, open the profile list for the WSUS Sync ESP by clicking the
Operations tab > Devices option, and selecting the WSUS device from the
Devices list.
2. To stop the WSUS scheduler, on the list of profiles select the Open WSUS
Connection and Sync Periodically check box. Then, click Deactivate.
3. To restart the WSUS scheduler, on the list of profiles, verify that the Open WSUS
Connection and Sync Periodically check box is selected and click Activate.
The WSUS Sync scheduler is activated and will now start running once a day at
23:30.
Figure 6-5. Execution Result – View pane
6.3 Using the Security Center to run the WSUS Sync ESP
After you have defined and configured the WSUS device in the VSE, you can manually
run the WSUS Sync ESP from the Security Center.
NOTE
You can also run the WSUS Sync ESP and view its results from the VSE, as described
in section 6.2, Using the VSE to run the WSUS Sync ESP.
6.3.1 Running the WSUS Sync ESP from the Security Center
In addition to running the WSUS Sync ESP on a scheduled basis, you can run the ESP
manually when needed.
To run the WSUS Sync ESP from the Security Center:
1. In the Security Center, select your site.
2. Open the Device List tab.
3. Click the WSUS device.
4. Click Diagnose to display the Run Diagnose activity on device dialog box.
5. Open the Diagnosis Routine drop-down list and select one of the options shown
in the figure below.
The options are:
Open connection without syncing– opens the reverse tunnel from the
downstream WSUS server to the upstream WSUS server, without starting the
WSUS sync. For details see section 6.3.2, Opening connection without
syncing.
Figure 6-6. Diagnosis Routine drop-down list
Open WSUS connection and sync – opens the reverse tunnel from the
downstream WSUS server to the upstream WSUS server and initiates a new
WSUS sync; a new WSUS sync will occur only if no successful WSUS update
occurred during the last sync interval. For details see section 6.3.3,
Opening WSUS connection and syncing.
Sync Now – opens the reverse tunnel and start a WSUS sync, regardless of
the last sync execution time and result. For details see section 6.3.4,
Initiating synchronization.
Terminate WSUS connection – Terminates the open reverse tunnel; this
action causes any active synchronization to stop. For details see section
6.3.5, Terminating the WSUS connection.
NOTE
Both the Open WSUS Connection and Sync and Sync Now options allow
you to manually run the WSUS Sync ESP once, on demand. The difference
between these two options is that when executing the Open WSUS
Connection and Sync diagnose routine, synchronization will take place in
the downstream WSUS server only if no successful synchronization has
occurred during the last Sync Interval. On the other hand, when executing
Sync Now, the downstream WSUS server will perform synchronization in
any case.
6. After you select an option, click Run to activate it.
Once the WSUS Sync run is initiated, the run activity is added to the Activity Log.
In addition, the message Activity created appears, indicating that the run activity
has started:
The selected WSUS Sync activity starts running. When the action is completed,
the status of its activity in the Activity Log changes to Completed:
For additional information on the running and results of each WSUS Sync activity,
see the following sections.
6.3.2 Opening connection without syncing
The Open Connection (without syncing) option allows opening the reverse tunnel
from the downstream WSUS server to the upstream WSUS server, without starting the
WSUS sync.
NOTES
When using an encrypted mode (SSL/TLS enabled) for transferring updates from
the upstream WSUS server to the downstream WSUS server, the following tunnels
are opened:
• Metadata: for transferring the metadata of WSUS updates via HTTP protocol
over SSL/TLS
• Download: for transferring the new WSUS updates via HTTP protocol
The Download tunnel therefore carries the update files in clear text even in the
encrypted mode. This matches standard WSUS behavior: the downstream server verifies
each downloaded file against the hash carried in the metadata, which is why the
Metadata tunnel is the one protected by TLS.
By default, when the reverse tunnel is opened manually, it remains open for six hours.
You cannot change this setting, but you can close the reverse tunnel via the Terminate
WSUS Connection option (see section 6.3.5, Terminating the WSUS connection).
To open a tunnel connection for WSUS updates without syncing:
1. Select the WSUS device and click Diagnose.
2. On the Run Diagnose activity on device dialog box, open the Diagnosis Routine
drop-down list, and select the Open Connection (without syncing) option.
3. Click Run.
One or two of the reverse tunnels that are allocated to the WSUS Sync ESP are
opened, without performing a WSUS synchronization.
4. To view the status and results of the action, open the Activity Log tab.
5. To see more results, select the activity, and click its View Data icon on the
right side of the activity line:
The pane shown below appears, confirming the opening of the reverse tunnel, and
displaying the port number that is allocated to it:
Figure 6-7. Data Viewer pane
6.3.3 Opening WSUS connection and syncing
The Open WSUS Connection and Sync option enables you to open the reverse tunnel
from the downstream WSUS server to the upstream WSUS server, and to initiate a new
WSUS sync. A new WSUS sync is initiated only if there was no successful WSUS
update during the last Sync Interval. If a new WSUS sync is initiated following the
activation of this option, it will occur only once, and not on a scheduled basis.
NOTES
• To learn more about the rules that determine when a new WSUS sync is
initiated, see section 6.1, Understanding the operation and output of WSUS
Sync . The rules that are described there are applied automatically to a
scheduled WSUS sync, but they also apply to the one-time activation of the
Open WSUS Connection and Sync option.
• By default, when the reverse tunnel is manually opened, it remains open for
6 hours. Starting from version 3.5.9, it is possible to configure this setting by
using the custom parameter Tunnel Timeout. In addition, you can close the
reverse tunnel by using the Terminate WSUS Connection option. For
details, see section 6.3.5, Terminating the WSUS connection.
To open the WSUS connection and sync:
1. Select the WSUS device and click Diagnose.
2. On the Run Diagnose activity on device dialog box, open the Diagnosis Routine
drop-down list, and select the Open WSUS Connection and Sync option.
3. Click Run.
The reverse tunnel allocated to the WSUS Sync ESP is opened. If no successful
WSUS update occurred during the last Sync Interval, a new WSUS sync is initiated.
NOTE
If the tunnel for the WSUS Sync ESP is already open, the WSUS Sync ESP will
use it to initiate the new sync.
4. To view the status and results of the action, as well as detailed results, repeat
steps 4 and 5 in section 6.3.2, Opening connection without syncing.
6.3.4 Initiating synchronization
The Sync Now option enables opening the reverse tunnel and starting the WSUS
synchronization, regardless of the last sync execution time and result. The WSUS sync
will occur once.
To initiate WSUS synchronization:
1. Select the WSUS device and click Diagnose.
2. On the Run Diagnose activity on device dialog box, open the Diagnosis Routine
drop-down list, and select the Sync Now option.
3. Click Run.
4. The reverse tunnel allocated to the WSUS Sync ESP opens, and a WSUS sync is
initiated.
NOTE
If the tunnel for the WSUS Sync ESP is already open, the WSUS Sync ESP will
use it to initiate the new sync.
5. To view the status and results of the action, as well as detailed results, repeat
steps 4 and 5 of section 6.3.2, Opening connection without syncing.
6.3.5 Terminating the WSUS connection
The Terminate WSUS Connection option allows closing the reverse tunnel allocated to
the WSUS synchronization. This action causes any active WSUS sync to stop.
NOTE
Before running Terminate WSUS Connection, check if a synchronization is
currently running. If a synchronization is currently in progress, wait until it is
completed before terminating the WSUS connection.
To terminate the WSUS connection:
1. Select the WSUS device and click Diagnose.
2. On the Run Diagnose activity on device dialog box, open the Diagnosis Routine
drop-down list, and select the Terminate WSUS Connection option.
3. Click Run.
The reverse tunnel allocated to the WSUS Sync ESP closes.
To view the status and results, repeat steps 4 and 5 of section 6.3.2, Opening
connection without syncing.
APPENDICES
Appendices
This user guide includes the following appendices:
• A, Troubleshooting
• B, Configuration checklist
• C, Changes introduced in version 3.5.9
TROUBLESHOOTING
A Troubleshooting
The following table describes a few common problems in the operation of the WSUS
Sync solution with their possible solutions.
Error Code 472
Error Message: Unable to open Tunnel, WSUS Sync will not continue. Make sure that
service id <4 or 444> is defined properly in VSE, Database and protocol
settings->custom.
Possible Solutions: The Service ID might not be defined properly in the Security
Center database or in the VSE.
• Check the Service ID definition in the Security Center database,
RMA_INBOUND_SERVICE_T table. For details, see Understanding the WSUS Sync solution.
• Check the Service ID definition in the VSE file DefaultRRAConfiguration.xml. For
details, see section 4.4.2, Configuring the tunnel on the VSE side.
If the Service ID is defined properly in both places, check whether the VSE is
listening on the port that is defined in DefaultRRAConfiguration.xml.

Error Code 476
Error Message: Tunnel is already open, no need to re-open.
Possible Solutions: The reverse tunnel allocated for the WSUS Sync is already open.
The open tunnel will be used for the required action. No need to resolve.

Error Code 706
Error Message: Tunnel was not opened. VSE credentials are incorrect. Examine VSE
User Name and VSE Password parameters in protocol Settings->Custom.
Possible Solutions: The value of the VSE Username and/or Password is incorrect.
Check the values of these parameters in the Edit Protocol Settings dialog box of
the WSUS device and change them if necessary.
CONFIGURATION CHECKLIST
B Configuration checklist
The following table lists the steps required for a complete configuration of the WSUS
Sync solution.
Step 1. Component: Upstream WSUS server
Procedure: For the encrypted mode: configuration for using the SSL/TLS protocol
Relevant section: 4.2, Upstream WSUS server - configuration for encrypted mode

Step 2. Component: Security Center Database
Procedure: Configuring the reverse tunnel from the Security Center
Relevant section: 4.3, Security Center – tunnel configuration in the database

Step 3. Component: VSE server
Procedure: Verifying that the VSE license has been updated with the Reverse Remote
Access feature
Relevant section: 4.4.1, VSE server - requirements

Step 4. Component: VSE server
Procedure: Configuring the reverse tunnel from the VSE
Relevant section: 4.4.2, Configuring the tunnel on the VSE side

Step 5. Component: VSE server
Procedure: Configuring the execution policy of the local PowerShell
Relevant section: 4.4.3, Configuring the local PowerShell execution policy for VSE

Step 6. Component: VSE server
Procedure: Enabling and configuring the Windows Remote Management (WinRM)
Relevant section: 4.4.4, Configuring WinRM for VSE

Step 7. Component: Downstream WSUS
Procedure: Creating or verifying the existence of a Windows user who is a member of
the WSUS Administrators group and who has permissions for communicating with WinRM
Relevant section: 4.5.1, Downstream WSUS server – requirements

Step 8. Component: Downstream WSUS
Procedure: For a downstream WSUS server that is installed on a separate computer:
enabling and configuring the Windows Remote Management (WinRM)
Relevant section: 4.5.2, Configuring WinRM

Step 9. Component: Downstream WSUS
Procedure: For the encrypted mode: importing the upstream WSUS server certificate to
the downstream WSUS server
Relevant section: 4.5.3, Importing the upstream WSUS certificate – encrypted mode

Step 10. Component: Downstream WSUS
Procedure: Configuring the Update Source of the downstream WSUS server
Relevant section: 4.5.4, Configuring the update source

Step 11. Component: Downstream WSUS
Procedure: For the encrypted mode: editing the hosts file
Relevant section: 4.5.5, Editing the hosts file
CHANGES INTRODUCED IN VERSION 3.5.9
C Changes introduced in version 3.5.9
The following changes were introduced in version 3.5.9 of WSUS Sync ESP:
• The status Downloading has been added to the execution profile Open WSUS
Connection and Sync Periodically. For details, see section 6.2.1, Running the WSUS
Sync ESP.
• The execution profile Calculate Clients Updates Compliance has been added. For
details, see section 6.2.1, Running the WSUS Sync ESP.
• The custom parameter Tunnel Timeout now allows you to define the amount of time for
which the reverse tunnel remains open after it was opened manually. For details see
section 6.3.3, Opening WSUS connection and syncing.
CS-ICSE610en-510A July 2019 © 2019 Honeywell International Sàrl
Honeywell Process Solutions
1250 W Sam Houston Pkwy S #150, Houston, TX 77042
Honeywell House, Skimped Hill Lane, Bracknell, Berkshire, RG12 1EB
Building #1, 555 Huanke Road, Zhangjiang Hi-Tech Park, Pudong New Area, Shanghai, China 201203
www.honeywellprocess.com