Having a problem with the WSUS part of SCCM 2012 not working on agents in our DMZ. These agents have PKI certificates from internal PKI, and are appearing in the console as active inventory.
Because many parts of the SCCM roles must be configured for HTTP or HTTPS and not both at the same time:
1 - these agents are on a boundary that assigns them to a MP that is configured for SSL. Agent control panel shows correct MP.
2 - these agents are also in a collection with different client settings to assign them an 8531 appcat.
SDCSCMP23 is the HTTP WSUS/Appcat/MP for internal agents
SDCSCMP25 is the SSL WSUS/Appcat/MP with PKI certs for DMZ agents
The problem is that SCCM is configuring these agents to use the HTTP parts of the Infrastructure for WSUS, and not the HTTPS parts. Per MS Doc, Client Settings are supposed to auto assign an HTTPS appcat before an HTTP one, but this was not happening, so I made my own client settings to assign the HTTPS appcat.
Simply modifying the firewall config to permit 443, 8531 to this other server is NOT an option, because those servers are listening on 80, 8530 (for internal HTTP agents) not 443, 8531. We have a requirement to use only 443, 8531 for the DMZ agents. Have verified that 443, 8531 are open through the firewall to SDCSCMP25 from the agents. This is SCCM 2012 SP1. We are NOT assigning WSUS servers through GPO.
How do I get SCCM to assign the correct WSUS servers to these agents?
WUAHandler.log
Enabling WUA Managed server policy to use server: HTTP://SDCSCMP23.ACME.COM:8530
m_spSearchJobUpdateSearcher->EndSearch(m_spSearchJob, &spSearchResult), HRESULT=80072ee2 (e:\nts_sccm_release\sms\client\updatesmgmt\wuahandler\cwuahandler.cpp,3064) WUAHandler 4/11/2013 6:09:59 PM 1480 (0x05C8)
OnSearchComplete - Failed to end search job. Error = 0x80072ee2. WUAHandler 4/11/2013 6:09:59 PM 1480 (0x05C8)
Scan failed with error = 0x80072ee2. WUAHandler 4/11/2013 6:09:59 PM 1480 (0x05C8)
WindowsUpdate.log
2013-04-11 18:09:05:376 828 15fc Agent *********** Agent: Refreshing global settings cache ***********
2013-04-11 18:09:05:376 828 15fc Agent * WSUS server: HTTP://SDCSCMP23.ACME.COM:8530 (Changed)
2013-04-11 18:09:05:376 828 15fc Agent * WSUS status server: HTTP://SDCSCMP23.ACME.COM:8530 (Changed)
2013-04-11 18:09:35:641 828 1668 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2013-04-11 18:09:35:641 828 1668 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://SDCSCMP23.ACME.COM:8530/ClientWebService/client.asmx
2013-04-11 18:09:59:235 828 1668 Misc WARNING: Send failed with hr = 80072ee2.
2013-04-11 18:09:59:235 828 1668 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
2013-04-11 18:09:59:235 828 1668 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2013-04-11 18:09:59:235 828 1668 PT + Caller provided credentials = No
2013-04-11 18:09:59:235 828 1668 PT + Impersonate flags = 0
2013-04-11 18:09:59:235 828 1668 PT + Possible authorization schemes used =
2013-04-11 18:09:59:235 828 1668 PT WARNING: GetConfig failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2013-04-11 18:09:59:235 828 1668 PT WARNING: PTError: 0x80072ee2
2013-04-11 18:09:59:235 828 1668 PT WARNING: GetConfig_WithRecovery failed: 0x80072ee2
2013-04-11 18:09:59:235 828 1668 PT WARNING: RefreshConfig failed: 0x80072ee2
2013-04-11 18:09:59:235 828 1668 PT WARNING: RefreshPTState failed: 0x80072ee2
2013-04-11 18:09:59:235 828 1668 PT WARNING: Sync of Updates: 0x80072ee2
2013-04-11 18:09:59:235 828 1668 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
2013-04-11 18:09:59:235 828 1668 Agent * WARNING: Failed to synchronize, error = 0x80072EE2
2013-04-11 18:09:59:235 828 1668 Agent * WARNING: Exit code = 0x80072EE2
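An added example, not part of the original post or of any answer: a Python check that reads a client's WindowsUpdate.log, reports which WSUS server the agent was last told to use, and flags it when it is not the HTTPS/8531 endpoint the question requires for DMZ agents. The function name `audit_wsus_log` and the constants are assumptions for illustration; the sample lines are copied from the log excerpt above.

```python
import re
from urllib.parse import urlsplit

# Requirement stated in the question: DMZ agents may use only HTTPS on 8531 for WSUS.
REQUIRED_SCHEME, REQUIRED_PORT = "https", 8531

# 0x80072EE2 is the HRESULT form of Win32 error 12002 (ERROR_WINHTTP_TIMEOUT).
KNOWN_HRESULTS = {0x80072EE2: "connection timed out (ERROR_WINHTTP_TIMEOUT)"}

# Matches "* WSUS server: <url>" but not the "WSUS status server" line.
SERVER_RE = re.compile(r"\*\s+WSUS server:\s+(\S+)", re.I)
HRESULT_RE = re.compile(r"(?:error|hr)\s*=\s*(?:0x)?([0-9a-f]{8})\b", re.I)

# Lines copied from the WindowsUpdate.log excerpt in the question.
SAMPLE_LOG = """\
2013-04-11 18:09:05:376 828 15fc Agent * WSUS server: HTTP://SDCSCMP23.ACME.COM:8530 (Changed)
2013-04-11 18:09:05:376 828 15fc Agent * WSUS status server: HTTP://SDCSCMP23.ACME.COM:8530 (Changed)
2013-04-11 18:09:59:235 828 1668 Misc WARNING: Send failed with hr = 80072ee2.
2013-04-11 18:09:59:235 828 1668 Agent * WARNING: Failed to synchronize, error = 0x80072EE2
"""

def audit_wsus_log(text):
    """Return the last WSUS server the agent was assigned, whether it meets the
    HTTPS/8531 requirement, and the distinct HRESULTs logged after that."""
    server, errors = None, []
    for line in text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            server, errors = m.group(1), []  # new assignment: reset the error list
            continue
        for code in HRESULT_RE.findall(line):
            value = int(code, 16)
            if value not in errors:
                errors.append(value)
    compliant = False
    if server:
        url = urlsplit(server)  # urlsplit lower-cases the scheme
        compliant = url.scheme == REQUIRED_SCHEME and url.port == REQUIRED_PORT
    return {"server": server, "compliant": compliant,
            "errors": [(hex(e), KNOWN_HRESULTS.get(e, "unknown")) for e in errors]}

if __name__ == "__main__":
    print(audit_wsus_log(SAMPLE_LOG))
```
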
It seems to me that the core issue here is the attempt to configure multiple SUPs (one SSL, one not) within the site. You can only have one Software Update Point (SUP) per site, and the SUP is either SSL-enabled, or not.
I see only two possible options: