
ICS SHIELD

R510.2

Windows Server Update Services Sync ESP

User Guide

CS-ICSW610en-510B

June 2020


Notices

Trademarks

Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.

Third-party licenses

This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor


About this Guide

This document provides instructions for configuring and using the WSUS Sync ESP, the solution for remotely managing Microsoft Windows Server Update Services (WSUS).

Scope

This guide provides step-by-step instructions for configuring, distributing, and using WSUS Sync ESP at all levels, from the initial settings up to the deployment in the Security Center and the VSEs.

Intended audience

This guide is for people who are responsible for the configuration and operation of WSUS Sync ESP on the Security Center and VSEs:

• Initial Settings – Professional Services, Support, or IT personnel
• Security Center – Administrators and operators
• VSE – Administrators and operators

Prerequisite skills

This guide assumes basic knowledge of the ICS Shield modules relevant to the Security Center, the VSE, or both, depending on your specific role.

Using this guide

Use this guide as required by your role in the configuration and operation of the WSUS Sync ESP:

• Initial Settings – Professional Services, Support, or IT personnel:
  Upstream WSUS server – see section 4.2, Upstream WSUS server - configuration for encrypted mode.
  Security Center – see section 4.3, Security Center – tunnel configuration in the database.
  VSE computer – see section 4.4, VSE - Requirements and configuration.
  Downstream WSUS server – see section 4.4.4, Configuring WinRM for VSE.

• VSE:


  Administrators – see chapter 5, Configuring the WSUS Sync ESP in the VSE.
  Operators – see section 6.2, Using the VSE to run the WSUS Sync ESP.

• Security Center:
  Administrators – see section 4.1, Before you start.
  Operators – see section 6.3, Using the Security Center to run the WSUS Sync ESP.

Related documents

The following list identifies publications that contain information relevant to the information in this document.

Document Name                                              Document Number
ICS Shield R510.2 - Security Center User Guide             CS-ICSW400en-510B
ICS Shield R510.2 - Virtual Security Engine – User Guide   CS-ICSW601en-510B

Revision history

Revision   Supported Release   Date          Description
B          Release 510.2       June 2020     This software is an upgrade-only release from Release 510.2
A          Release 510.1       August 2019   This software is an upgrade-only release from Release 501.1
A          Release 500.1       June 2019     First release of product


Contents

1. SECURITY CONSIDERATIONS .... 9
1.1 Physical security .... 9
1.2 Secured zone .... 9
1.3 Limiting access .... 9
  1.3.1 At the VSE level .... 9
  1.3.2 At the directory or file level .... 10
  1.3.3 Ports used by the application .... 10
1.4 Authorization measures .... 10
1.5 Encryption and validation .... 11
1.6 WSUS-specific measures for mitigating security risks .... 11
2. TERMS AND DEFINITIONS .... 12
3. INTRODUCTION .... 15
3.1 Understanding the WSUS Sync solution .... 15
3.2 Exploring the WSUS Sync solution architecture .... 18
3.3 Basic workflow of the WSUS Sync solution .... 19
4. INITIAL SETTINGS AND REQUIREMENTS .... 21
4.1 Before you start .... 21
  4.1.1 Basic requirements for the WSUS Sync solution .... 21
  4.1.2 Contents of the WSUS Sync solution package .... 22
  4.1.3 Steps required for configuring the WSUS Sync solution .... 22
4.2 Upstream WSUS server - configuration for encrypted mode .... 23
4.3 Security Center – tunnel configuration in the database .... 24
  4.3.1 Configuring WSUS tunnels manually .... 24
4.4 VSE - Requirements and configuration .... 27
  4.4.1 VSE server - requirements .... 27
  4.4.2 Configuring the tunnel on the VSE side .... 27
  4.4.3 Configuring the local PowerShell execution policy for VSE .... 30
  4.4.4 Configuring WinRM for VSE .... 32
4.5 Downstream WSUS server – requirements and configuration .... 32
  4.5.1 Downstream WSUS server – requirements .... 32
  4.5.2 Configuring WinRM .... 33
  4.5.3 Importing the upstream WSUS certificate – encrypted mode .... 33
  4.5.4 Configuring the update source .... 33
  4.5.5 Editing the hosts file .... 36
5. CONFIGURING THE WSUS SYNC ESP IN THE VSE .... 38


5.1 Checking for the existence of a WSUS device .... 38
5.2 Creating a new device for the WSUS Sync ESP .... 39
5.3 Verifying the WSUS tunnel operation .... 41
5.4 Configuring the advanced parameters of the WSUS device .... 42
  5.4.1 Configuring for a new WSUS device .... 42
  5.4.2 Configuring for an upgraded WSUS device .... 45
6. RUNNING THE WSUS SYNC ESP .... 48
6.1 Understanding the operation and output of WSUS Sync .... 48
6.2 Using the VSE to run the WSUS Sync ESP .... 50
  6.2.1 Running the WSUS Sync ESP .... 50
  6.2.2 Stopping and restarting the WSUS scheduler .... 55
6.3 Using the Security Center to run the WSUS Sync ESP .... 56
  6.3.1 Running the WSUS Sync ESP from the Security Center .... 56
  6.3.2 Opening connection without syncing .... 57
  6.3.3 Opening WSUS connection and syncing .... 59
  6.3.4 Initiating synchronization .... 59
  6.3.5 Terminating the WSUS connection .... 60
A TROUBLESHOOTING .... 62
B CONFIGURATION CHECKLIST .... 63
C CHANGES INTRODUCED IN VERSION 3.5.9 .... 65


List of Figures

Figure 3-1. WSUS architecture .... 18
Figure 4-1. Run Distribute Software Activity dialog box .... 28
Figure 4-2. Current execution policy .... 31
Figure 4-3. Confirming the policy change .... 31
Figure 4-4. Update Source and Proxy Server option .... 34
Figure 4-5. Update Source and Proxy Server dialog box .... 35
Figure 4-6. Source updated with all relevant details .... 36
Figure 4-7. Hosts file edited .... 37
Figure 5-1. Edit WSUS device .... 43
Figure 5-2. Edit Protocol Settings of Device dialog box .... 45
Figure 5-3. Settings of an existing device .... 46
Figure 5-4. Settings of an edited device .... 47
Figure 6-1. List of available actions for the WSUS device .... 50
Figure 6-2. One-time execution of an action .... 53
Figure 6-3. Current Execution tab .... 54
Figure 6-4. View Data tab .... 54
Figure 6-5. Execution result – View pane .... 55
Figure 6-6. Diagnosis Routine drop-down list .... 56
Figure 6-7. Data Viewer pane .... 58


List of Tables

Table 1-1. List of Ports .... 10
Table 5-1. Properties of a WSUS device .... 39
Table 5-2. Parameters specified in Protocol Settings .... 40
Table 5-3. Advanced parameters for WSUS device .... 43


1. Security Considerations

This chapter outlines the security measures for WSUS Sync ESP.

1.1 Physical security

CAUTION

WSUS Sync ESP is a mission-critical component. Take all necessary physical measures to prevent attacks or disasters.

Ensure that the server where the product is installed is located in an approved physically secure location that is accessible only to authorized personnel.

1.2 Secured zone

WSUS Sync ESP contains sensitive information, the loss of which could have severe consequences. Therefore, there is a need to protect the sensitive information and prevent attacks against the product. To do that, the VSE software, as well as its related extensions, must be installed in an internally secured zone such as the site’s layer 3 network, with strict access control lists and appropriate firewall/routing rules.

Ensure that WSUS Sync ESP is installed in a directory that is only accessible to authorized personnel responsible for the product.

CAUTION

If WSUS Sync ESP is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.

1.3 Limiting access

It is highly recommended to follow regulatory, industry, and enterprise standards for limiting access to sensitive information as specified below.

1.3.1 At the VSE level

The user management at the host running the VSE must follow the principles of need to know and least privilege: only users who absolutely must have access to the computer are granted access, and these users are assigned the minimal set of permissions allowing them to perform their job.


1.3.2 At the directory or file level

Access to directories and files should also be granted in accordance with the principles of need to know and least privilege: only users who absolutely must have access to the requested directory and file are granted access, and these users are assigned the minimal set of permissions allowing them to perform their job.

Use the built-in file access audit logging of the OS to monitor unauthorized changes to sensitive files.

1.3.3 Ports used by the application

The ports used for WSUS Sync ESP are listed in the table below, relative to the VSE.

Table 1-1. List of Ports

Port Number   Inbound/Outbound       Used for
18530         Inbound                Connecting from the WSUS to the VSE
18529         Inbound                Connecting from the WSUS to the VSE in SSL mode
8530          Outbound to the WSUS   Connecting from the VSE to the WSUS (default value in version 3.4 and higher versions)
80            Outbound to the WSUS   Connecting from the VSE to the WSUS (default value in versions up to and including 3.3)

1.4 Authorization measures

It is strongly recommended to implement the following security measures:

• Change the default administrative password and delete/disable the default service accounts as soon as new administrative accounts are created
• Disable any default Administrator/Root user on the computer
• Disable any default Guest user on the computer
• Disable any unauthenticated access to the computer via shared directories etc.
• Ensure that the OS is up to date with the latest security patches provided by the OS vendor


1.5 Encryption and validation

All cryptographic keys generated for the encrypted communication must follow the current industry standards, including key size, encryption suites, certificate swapping etc.

Operators and other personnel who have a low authorization level are advised to ensure that they only run software provided from the Headquarters as a code-signed executable file, such as the Hyper Tunnel installer. Code-signed software displays a "signed by" notification when it starts to run.

It is recommended to use a valid certificate issued by a trusted Certificate Authority (CA), either the organization’s internal CA or an external CA.

1.6 WSUS-specific measures for mitigating security risks

To mitigate the security risks that are specific to WSUS, you are advised to take the following preventive measures:

• Follow Microsoft’s best practices for defining the WSUS Admin role
• Allow the upstream WSUS server port used for connection to accept only connections from the RAG
• Limit the RAG connections to specific servers only
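One way to apply the second measure on the upstream WSUS server, as an added example that is not part of this guide or of the ESP package: a PowerShell function that scopes the inbound WSUS port to the RAG address and reports any other enabled rule that still opens that port to every address. The rule name, the RAG address and the port (8530, the WSUS HTTP default; 8531 for HTTPS) are assumptions.

```powershell
# Added example (not from the ICS Shield guide): restrict the upstream WSUS
# server's connection port to the RAG, as section 1.6 recommends.
# Assumptions: run in an elevated PowerShell on the upstream WSUS host; the RAG
# address is a placeholder; 8530 is the WSUS HTTP default (8531 for HTTPS).
function Restrict-WsusPortToRag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]] $RagAddress,          # RAG IPs or subnets, e.g. '192.0.2.10' (placeholder)
        [int]      $Port = 8530,
        [string]   $RuleName = 'WSUS - allow RAG only'   # assumed rule name
    )

    # 1. Inbound traffic must default to Block; otherwise a scoped Allow rule
    #    does not restrict anything.
    Get-NetFirewallProfile |
        Where-Object { $_.Enabled -eq 'True' -and $_.DefaultInboundAction -ne 'Block' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Set DefaultInboundAction to Block')) {
                Set-NetFirewallProfile -Name $_.Name -DefaultInboundAction Block
            }
        }

    # 2. Allow the port from the RAG address(es) only, replacing an older copy
    #    of the same rule so the scope cannot silently widen over time.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    if ($PSCmdlet.ShouldProcess("TCP/$Port from $($RagAddress -join ',')", 'Create allow rule')) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $RagAddress -Action Allow -Profile Any | Out-Null
    }

    # 3. Report every other enabled inbound Allow rule that opens the port to any
    #    remote address; such a rule would bypass the scoped one. Port ranges are
    #    not parsed here (review them by hand), and disabling is left to the
    #    operator because a broad rule may belong to another service.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -ne $RuleName } |
        ForEach-Object {
            $pf = Get-NetFirewallPortFilter    -AssociatedNetFirewallRule $_
            $af = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_
            $portMatch = ($pf.Protocol -in 'TCP', 'Any') -and
                         ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains "$Port")
            if ($portMatch -and $af.RemoteAddress -eq 'Any') {
                [pscustomobject]@{
                    Finding     = "rule still exposes TCP/$Port to any remote address"
                    DisplayName = $_.DisplayName
                    Profile     = "$($_.Profile)"
                }
            }
        }
}

# Usage (dry run first; drop -WhatIf to apply):
# Restrict-WsusPortToRag -RagAddress '192.0.2.10' -Port 8530 -WhatIf
```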


2. Terms and definitions

NOTE

The terms and definitions are listed in alphabetical order.

add-on: An umbrella term for product lines and ESPs.

asset: Any site component that is connected to the network and is accessible from the VSE.

Communication Server (CS): The Communication Server provides secure communication between the Security Center and the VSEs and, optionally, between the VSEs themselves.

compliance: Whether the asset meets the organization policy.

corrective action: A collection profile that performs an action to correct a problem detected by other collection profiles; for example, if a monitoring profile detected a low disk space issue, a corrective action will delete obsolete and large temporary files.

DB: Database server component.

device: A representation of a physical or virtual server or machine in the VSE.

diagnose routine (DR): A collection profile that runs on demand and is intended to collect in-depth diagnostic data.

discovery engine: A VSE utility that represents the ICS Shield Active Discovery mechanism, which detects and classifies network assets, and, optionally, adds them as assets to the VSE.

Essential security policy (ESP): A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.


ESP: Essential Security Policy; a collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.

execution profile: A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule.

exposure level: The extent to which the specific asset is critical to ongoing site operation; the predefined value options for the exposure levels are one of the following: High, Medium, Low.

HQ: Headquarters; the location of the Security Center.

monitoring profile (MP): A collection profile configured to run at set time intervals, such as every day at 18:00.

product line: A set of actions and scripts that together instruct the VSE to perform certain procedures on devices that are defined in the VSE.

Remote Access Bridge (RAB): A component installed externally to the Security Center, which enables secure remote access between the Security Center and the VSE. On receiving communication requests from the VSE and the RAG, it creates a secure bridge between them, thereby enabling a secure communications tunnel from the Security Center to the VSE, and from there to the required asset.

Remote Access Gateway (RAG): The Remote Access Gateway is part of ICS Shield’s remote access solution. When initiated, the Remote Access Gateway automatically pulls the connection details from the Security Center database.

reverse tunnel: A secured connection initiated by the VSE to the Security Center.

scan config: Scan configuration; contains a set of network vulnerability tests (NVTs) used to scan a machine in order to detect vulnerabilities.

Security Center (SC): ICS Shield component that is installed at the corporate data center. The Security Center is composed of various software components, which enable remotely collecting, analyzing, viewing, managing, and storing data retrieved from the VSEs. This data refers to the monitored assets and network devices found at the VSE’s sites.

site: A remote physical location, such as an industrial plant, which includes one or more network environments and has at least one VSE.

tunnel: A secure connection established from the Security Center to the VSE.

VSE: The ICS Shield component that is installed at the remote site, monitors the assets at the site, and provides additional functionalities such as remote access.

WSUS: Windows Server Update Services, a Microsoft product that allows administrators to deploy updates to multiple servers, which are configured so that each server synchronizes its content from Microsoft Update.

WSUS device: The VSE device used for applying the WSUS policy; the device can be assigned any name.


3. Introduction

This chapter provides information about basic concepts of the ICS Shield WSUS Sync solution, its architecture, and configuration.

3.1 Understanding the WSUS Sync solution

Windows Server Update Services (WSUS) is computer software developed by Microsoft. Using WSUS, administrators can manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment.

When new Microsoft updates are released, the WSUS server downloads the updates from the Microsoft Update website and then distributes them to computers on a network. The WSUS server can also be configured to download the updates from another WSUS server.

The most common implementation of WSUS in industrial companies is that of a main WSUS server (upstream WSUS server) configured at the headquarters, and a sub-WSUS server (downstream WSUS server) configured at each of the company’s sites.

This type of WSUS implementation poses the following challenges:

• The WSUS updates and hotfixes should be distributed from the upstream WSUS server to the downstream WSUS server, when both network environments have private addresses and are protected by firewalls. This requires establishing a secure connection between the WSUS servers.
• New updates are constantly being released, and therefore the downstream WSUS servers must constantly be synchronized with the most recent updates, even when there is no continuous communication between the headquarters and the sites. This means that some mechanism should be implemented to manage and monitor the WSUS synchronization process, to verify that the downstream WSUS servers are up to date and contain all required updates.

The ICS Shield WSUS Sync solution addresses these challenges by providing a secure way to transfer updates between the upstream and downstream WSUS servers. The solution also guarantees that, within a certain time interval, the downstream WSUS server is always synchronized with the most recent updates of the upstream WSUS server, even when there is no continuous communication between the two WSUS servers.


The WSUS Sync solution secures the connection between the upstream WSUS server and the downstream WSUS server, and ensures the transfer of updates even when there is no constant connection, by using a reverse tunnel. A reverse tunnel is a secure communication connection between the Security Center and the VSEs, which is initiated by the VSEs when the need for a certain type of communication arises. By connecting the upstream WSUS server to the RAG and configuring the downstream WSUS server to synchronize against the VSE, the WSUS updates can be distributed to the downstream WSUS server without compromising the site security, while overcoming periodic disconnections.

The architecture of the WSUS Sync solution also enables the management and monitoring of the WSUS synchronization process and state. The VSE regularly checks the current synchronization state of the downstream WSUS server. When a certain period has passed since the last WSUS synchronization, the VSE instructs the downstream WSUS server to request recent updates from the upstream WSUS server. Simultaneously, the VSE opens the reverse tunnel that is dedicated to the WSUS sync task, to allow the transfer of the request and the transfer back of the recent updates. Thus, recent updates are sent from the upstream WSUS server to the downstream WSUS server on a regular basis. This management and monitoring procedure of the WSUS synchronization is activated by default on a scheduled basis, once a day at 23:30 (local site time), and can also be activated on demand at any given time.

After the WSUS Sync ESP is distributed to a VSE, it needs to be represented as a specific device in the VSE. Without such a device, this policy cannot be configured or run. If the VSE already has a device for the WSUS Sync ESP, you only need to ensure that the device’s configuration meets the requirements specified in this document. Once the required configuration changes are implemented, it is possible to distribute the policy.

If no device dedicated to WSUS Sync is configured in a VSE, such a device can be created. Once the WSUS Sync ESP is represented as a device, several parameters should be set for it. These parameters mainly consist of the connectivity credentials that are required for the solution and the time interval that needs to pass after a successful sync before a new sync is initiated automatically. The WSUS Sync ESP can then start running, and the WSUS sync process is monitored and managed on a scheduled basis.
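The sync decision described above, as an added example that is not part of this guide or of the ESP's own scripts: it queries the downstream WSUS server over WinRM (which the guide requires on that server), checks that its update source points at the VSE tunnel port from Table 1-1 rather than at Microsoft Update, and starts a synchronization only when the configured interval since the last successful sync has elapsed. The host name, the update-source alias and the interval are assumptions.

```powershell
# Added example (not from the ICS Shield guide): check a downstream WSUS server's
# synchronization state over WinRM and start a sync only when one is due.
# Assumptions: WinRM is enabled on the downstream server, the update source
# alias and tunnel port are the ones configured for the VSE, and the caller
# holds WSUS administrator rights on that server.
function Test-DownstreamWsusSync {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $DownstreamWsus,                        # placeholder host, e.g. 'site-wsus01'
        [int]    $MaxHoursSinceSync = 24,                # interval after a successful sync (assumed)
        [string] $ExpectedSource = 'wsus-tunnel.local',  # hosts-file alias of the VSE (placeholder)
        [int]    $ExpectedPort = 18530,                  # VSE tunnel port; 18529 in SSL mode (Table 1-1)
        [switch] $StartSync                              # without it the function only reports
    )

    Invoke-Command -ComputerName $DownstreamWsus `
        -ArgumentList $MaxHoursSinceSync, $ExpectedSource, $ExpectedPort, [bool]$StartSync `
        -ScriptBlock {
        param($MaxHours, $ExpSource, $ExpPort, $Start)

        Import-Module UpdateServices
        $wsus = Get-WsusServer                      # the local WSUS instance
        $cfg  = $wsus.GetConfiguration()
        $sub  = $wsus.GetSubscription()
        try   { $last = $sub.GetLastSynchronizationInfo() } catch { $last = $null }

        # 1. The update source must be the VSE tunnel: not Microsoft Update and
        #    not the upstream server directly, which the site firewall should block.
        $sourceOk = (-not $cfg.SyncFromMicrosoftUpdate) -and
                    ($cfg.UpstreamWsusServerName -eq $ExpSource) -and
                    ($cfg.UpstreamWsusServerPortNumber -eq $ExpPort)

        # 2. Hours since the last sync finished (WSUS reports UTC timestamps).
        if ($null -eq $last -or $last.EndTime -eq [datetime]::MinValue) {
            $hours      = [double]::PositiveInfinity    # never synchronized
            $lastOk     = $false
            $lastResult = 'NeverRun'
        } else {
            $hours      = [math]::Round(((Get-Date) - $last.EndTime.ToLocalTime()).TotalHours, 1)
            $lastOk     = ($last.Result -eq 'Succeeded')
            $lastResult = "$($last.Result)"
        }

        # 3. A sync is due after a failed/missing sync or once the interval elapsed;
        #    never start a second one while WSUS is still processing.
        $due     = (-not $lastOk) -or ($hours -gt $MaxHours)
        $running = ($sub.GetSynchronizationStatus() -ne 'NotProcessing')

        $action = 'none'
        if ($due -and -not $sourceOk) {
            $action = 'blocked: update source is not the VSE tunnel'
        } elseif ($due -and -not $running -and $Start) {
            $sub.StartSynchronization()             # asynchronous; WSUS pulls via the tunnel
            $action = 'started'
        }

        [pscustomobject]@{
            Server         = $env:COMPUTERNAME
            UpdateSource   = "$($cfg.UpstreamWsusServerName):$($cfg.UpstreamWsusServerPortNumber)"
            SourceOk       = $sourceOk
            LastSyncResult = $lastResult
            HoursSinceSync = $hours
            SyncDue        = $due
            SyncRunning    = $running
            Action         = $action
        }
    }
}

# Usage (report only); add -StartSync to let it trigger the synchronization.
# Test-DownstreamWsusSync -DownstreamWsus 'site-wsus01' -MaxHoursSinceSync 24
```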


ATTENTION

The WSUS Sync solution is not responsible for updating the workstations at the remote site with the updates that are received by the downstream WSUS server. The update routine of the workstations at the site is the responsibility of the site manager. In addition, the WSUS Sync is not responsible for configuring the update download policies on the upstream WSUS server.


3.2 Exploring the WSUS Sync solution architecture

The following diagram illustrates the architecture of the WSUS Sync solution:

1. The Remote Access Gateway (RAG) is started and automatically pulls data from the Security Center database. The data that the RAG pulls specifies the connection details of the upstream WSUS side of the tunnels. To configure the Security Center database for the WSUS tunnels, see section 4.3, Security Center – tunnel configuration in the database.

2. When the tunnel specification is received from the database, the RAG opens two segments of the tunnel designated for the WSUS Sync solution. One part of the tunnel is opened between the RAG and the upstream WSUS server, and the other between the RAG and the Remote Access Bridge (RAB).

3. When the WSUS Sync solution is activated on the VSE (either following the predefined scheduler or on demand), the VSE opens another segment of the tunnel designated for the WSUS Sync solution, between itself and the RAB. To configure the VSE for the WSUS tunnels, see section 4.4.2, Configuring the tunnel on the VSE side.

Figure 3-1. WSUS architecture


4. When the WSUS Sync solution is activated, the VSE also sends a query to the downstream WSUS server, checking its current synchronization state. Upon finding that a new synchronization is needed, the VSE instructs the downstream WSUS server to synchronize with the upstream WSUS server. For additional details about the way the WSUS Sync ESP determines if a new WSUS Sync should be initiated, see section 6.1, Understanding the operation and output of WSUS Sync.

5. When the downstream WSUS server receives the instruction to synchronize, it sends a request to the upstream WSUS server via the open dedicated tunnel, asking for updates. To configure the downstream WSUS server to connect to the upstream WSUS server and to properly respond to the VSE instructions, see section 4.4.4, Configuring WinRM for VSE.

6. Once the upstream WSUS server receives the update request from the downstream WSUS server, it sends back its most recent updates to the downstream server.

3.3 Basic workflow of the WSUS Sync solution

The basic workflow of the configuration, execution, and operation of the WSUS Sync solution is as follows:

1. One-time configuration:

• Upstream WSUS server – configuring for encrypted mode only

• RAG – configuring one side of the tunnels that are used for transferring WSUS updates

• VSE computer

i. Configuring the other side of the tunnels used for transferring WSUS updates

ii. Configuring the execution policy of the local PowerShell to allow the WSUS Sync ESP scripts to run

• Downstream WSUS server

i. Enabling and configuring Windows Remote Management to allow the operation of the WSUS Sync ESP, if the downstream server is installed on a separate computer

ii. Importing the upstream WSUS server certificate to the downstream WSUS server – for encrypted mode only


iii. Editing of the hosts file – for encrypted mode only.

iv. Configuring the update source of the downstream WSUS server.

2. Security Center

a. Importing the WSUS Sync ESP to the Security Center

b. Distributing the WSUS Sync ESP from the Security Center into the required VSEs

3. VSEs

• Locating the existing device for the WSUS Sync ESP, or, if this device does not exist, creating a specific device for the WSUS Sync ESP in the VSEs

• Configuring the device used for WSUS Sync based on the specific parameters and the required synchronization interval

4. VSEs and Security Center

• Running the WSUS Sync ESP, either manually or automatically, in accordance with the built-in schedule

• The WSUS Sync ESP starts the synchronization process. The downstream WSUS server receives the most recent updates from the upstream WSUS server.

NOTE

For a checklist of the one-time settings, which can assist you in verifying that all configurations required for your WSUS Sync solution are set, see Appendix B, Configuration checklist.


4. Initial Settings and Requirements

The settings and requirements described in this chapter apply to all network environments. They are needed for enabling the WSUS Sync solution, and should be configured and verified once, before the solution can start running. These settings should be configured by Professional Services, Support, or IT personnel.

NOTE

When all requirements are met, the WSUS Sync solution needs additional configuration at the VSE level. For details, see chapter 5, Configuring the WSUS Sync ESP in the VSE.

4.1 Before you start

Before configuring the required settings for the WSUS Sync solution, it is important to become familiar with the following:

• Basic requirements for the WSUS Sync solution

• The contents of the WSUS Sync solution package

• The steps required for configuring the WSUS Sync solution

4.1.1 Basic requirements for the WSUS Sync solution

Before you can start configuring and using the WSUS Sync ESP, you need to verify the following:

• ICS Shield has been installed.

• The WSUS Sync ESP exists in the Security Center and has been distributed to the appropriate VSEs.

NOTE

For details about importing product lines to the Security Center and distributing them to VSEs, see the Security Center Getting Started Guide.

• Upstream WSUS server – installed at the Security Center and accessible from the RAG

• Installed VSEs – at least one VSE installed at a remote site

• Downstream WSUS server – installed at the remote site, and able to access the VSE and be accessed by the VSE on that site


4.1.2 Contents of the WSUS Sync solution package

The WSUS Sync solution package contains the following files, which are required for the implementation and configuration of the policy:

• WSUS_3.0.12.nnz – contains the WSUS Sync ESP. This file should be imported into the Security Center Builder, and then distributed to the VSEs.

• SQL_Insert.sql – contains the definitions of the reverse tunnels from the Security Center side; these tunnels are required for the operation of the WSUS Sync solution. This file should be run on the Security Center database. See section 4.3, Security Center – tunnel configuration in the database.

NOTE

The contents of the SQL_Insert.sql file must match the contents of the Sync_RRA.zip file.

• Sync_RRA.zip – contains the definitions of the reverse tunnels from the VSE side; this file should be imported to the Security Center and then distributed to the VSEs and run on them. See section 4.4.2, Configuring the tunnel on the VSE side.

4.1.3 Steps required for configuring the WSUS Sync solution

The configurations required for the WSUS Sync solution are the following:

• Upstream WSUS server – see section 4.2, Upstream WSUS server – configuration for encrypted mode.

• Security Center – configuration of the Security Center side of the tunnels that are used for transferring WSUS updates; for details, see section 4.3, Security Center – tunnel configuration in the database.

• VSE computer

a. Configuring the VSE side of the tunnels used for transferring WSUS updates; for details, see section 4.4.2, Configuring the tunnel on the VSE side.

b. Configuring the execution policy of the local PowerShell to allow the WSUS Sync ESP scripts to run; for details, see section 4.4.3, Configuring the local PowerShell execution policy for VSE.

c. Enabling and configuring Windows Remote Management (WinRM) to allow the operation of the WSUS Sync ESP; for details, see section 4.4.4, Configuring WinRM for VSE.

• Downstream WSUS server


a. Enabling and configuring WinRM – only for a downstream WSUS that is installed on a separate machine; for details, see section 4.5.2, Configuring WinRM.

b. Importing the upstream WSUS certificate to the downstream WSUS – for encrypted mode only; for details, see section 4.5.3, Importing the upstream WSUS certificate – encrypted mode.

c. Configuring the update source – namely, creating a connection between the downstream WSUS server and the upstream WSUS server, and defining from where to receive WSUS updates; for details, see section 4.5.4, Configuring the update source.

d. Editing the hosts file to bypass DNS lookup – map the upstream WSUS server hostname to the IP address of the VSE; for details, see section 4.5.5, Editing the hosts file.

4.2 Upstream WSUS server – configuration for encrypted mode

The upstream WSUS server should be located at the headquarters, on a separate server from the one that runs the Security Center.

The configuration of the upstream WSUS server depends on the security mode to be used for the WSUS deployment – either the encrypted or the non-encrypted mode. WSUS update files are transferred via the HTTP protocol in both modes. Only the metadata files are transferred via a secure protocol.

In encrypted mode, the metadata of WSUS updates is transferred via HTTP over the SSL/TLS protocol. In non-encrypted mode, the metadata is transferred via the HTTP protocol. Therefore, when using encrypted mode, you need two protocols and two reverse tunnels – one for each protocol. When using non-encrypted mode, you need one protocol and one reverse tunnel for all WSUS data.

The configuration of the upstream WSUS server depends on the requested security mode:

• Non-encrypted mode – no specific configuration of the upstream WSUS server is required.

• Encrypted mode (SSL/TLS enabled) – configure your upstream WSUS server based on the instructions specified in the Microsoft documentation for WSUS 3.0 SP2 and WSUS 2016.


4.3 Security Center – tunnel configuration in the database

The Security Center database should be configured to enable the connection from the downstream WSUS server to the upstream WSUS server. This connection is set by defining one or two reverse tunnels in the database for the WSUS synchronization.

A reverse tunnel is defined by a set of entries, which needs to be added to the Security Center database. When using encrypted mode, two sets of entries need to be entered, one for each tunnel. These entries define one side of the tunnels – the upstream WSUS server/Security Center side. Providing the communication tunnel ID used by the gateway as one of the entries allows the Remote Access Gateway to funnel the communication between the VSEs and the upstream WSUS server.

The required entries with the appropriate values for opening the WSUS tunnels from the Security Center side are defined in the SQL_Insert.sql file, which is part of the WSUS Sync solution package and includes the entries for both non-encrypted and encrypted modes. These entries should be added to the RMA_INBOUND_SERVICE_T table.

NOTE

Completing the tunnel configuration requires adding entries for the other side of the tunnels, namely, on the VSE side. The RMA_SVC_ID and ALLOCATED_PORT values entered in the Security Center database must be identical to the values of these parameters in the DefaultRRAConfiguration.xml file in the VSE. See section 4.4.2, Configuring the tunnel on the VSE side.

You can configure the WSUS tunnels in the Security Center database manually, by entering the required entries into the database; see section 4.3.1, Configuring WSUS tunnels manually.

This procedure is a one-time configuration done by Support personnel. To set this configuration, you need the IP address or hostname of the upstream WSUS server.

4.3.1 Configuring WSUS tunnels manually

Depending on your security mode, enter one or both of the following entry sets into the database:

• For the non-encrypted mode – enter only the entries in the column Value for a Non-Encrypted Mode. These entries define a reverse tunnel via HTTP.

• For the encrypted mode – enter the entries in BOTH columns, Value for a Non-Encrypted Mode and Value for an Encrypted Mode. These entries define two reverse tunnels, one for the HTTP over SSL/TLS protocol and one for the HTTP protocol.


To manually configure WSUS tunnels in the Security Center database:

Regardless of whether non-encrypted or encrypted mode is used, add the following entries to the RMA_INBOUND_SERVICE_T table in the Security Center database:

Entry Name            Value for a Non-Encrypted Mode                       Value for an Encrypted Mode
RMA_SVC_ID            4                                                    444
  (This is the tunnel ID.)
RMA_SVC_NAME          WSUS                                                 WSUS Encrypted
ACCESS_TYPE           3                                                    3
APPLICATION_NAME      Http                                                 Https
ALLOCATED_PORT        20003                                                20004
  (The allocated port number must be 20000 or higher. Usually, ports 20000, 20001, and 20002 are already in use.)
DESTINATION           <IP address/hostname>:<port no.>                     <IP address/hostname>:443
  In both columns, enter the IP address or hostname of the upstream WSUS server.
  Non-encrypted mode: the port number depends on your WSUS server version. For Windows versions earlier than Windows Server 2012, enter port number 80. For Windows Server 2012 and up, enter port number 8530.
  Encrypted mode: the port number is 443.
DESCRIPTION           WSUS Sync – Non-Encrypted                            WSUS Sync – Encrypted
EXECUTION_COMMAND     @echo Windows Update Non-Encrypted {0}:{1} & pause   @echo Windows Update Encrypted {0}:{1} & pause
EXEC_FILE_EXTENSION   bat                                                  bat
SESSION_TIMEOUT_MIN   360                                                  360
  (The value of the session timeout, in minutes.)
AUDIT_TYPE            2                                                    2
SESSION_RECORD_TYPE   0                                                    0
IS_ENABLED            1                                                    1
  Note: 1 is the value only if the upstream WSUS is encrypted. For plain communication, use 0.


4.4 VSE – requirements and configuration

This section specifies all requirements and configurations for the VSE.

4.4.1 VSE server – requirements

The following requirements need to be met to set up the WSUS Sync solution on the VSE server:

• VSE version 4.8 and up is installed.

• VSE license – make sure your VSE license is updated with the Reverse Remote Access feature. This feature includes the reverse tunnel option.

To check if you have the Reverse Remote Access feature:

1. On the VSE Web interface, click About in the upper right corner to display your license details.

2. On the Add-Ons list, check if you have the Reverse Remote Access feature.

3. Based on your current license, perform one of the following:

• If you have the Reverse Remote Access feature, you can continue and use the WSUS Sync ESP.

• If you do not have the Reverse Remote Access feature, contact Support and ask for an updated license. Once you have the updated license, navigate to the About option Product Authorization and enable the Reverse Remote Access feature by entering your new license number.

4.4.2 Configuring the tunnel on the VSE side

Once one side of the reverse tunnel allocated for the WSUS Sync solution is defined in the Security Center database, the other side of the reverse tunnel must be defined on the VSE server.

To configure the reverse tunnel on the VSE server:

1. Ensure that you have the permissions required for distributing software distribution packages from the Security Center to the VSEs.

2. Ensure that the software distribution file Sync_RRA.zip is customized with your specific parameters (IDs, IP addresses, etc.).

3. Import the software distribution package to the Security Center.

4. Distribute the package to the VSEs.


The package will automatically add the required settings for creating and opening the reverse tunnel from the VSE side.

To distribute the Sync_RRA.zip file:

1. In the Security Center, open the site or the group to which you want to distribute the Sync_RRA.zip file.

2. Click at the top right of the screen to display the Run Distribute Software activity dialog box.

3. Select the Sync_RRA.zip file by clicking Select and browsing to this file.

4. Select the check box Unzip the file at the Site Server to automatically unzip the file once it is distributed to the site.

5. Click Run.

The distribution package adds the required entries to the ReverseRemoteAccess/DefaultRRAConfiguration.xml file.

Figure 4-1. Run Distribute Software activity dialog box


NOTE

By default, both tunnels are enabled when the WSUS SSL mode is used.

If the default values are used, the entries that are added to the DefaultRRAConfiguration.xml file on the VSEs are as specified below.

Entries for non-encrypted mode:

    <Service Id="4" Name="Windows Update Services"
             ApplicationName="http" AccessType="REMOTE_WEB"
             SessionTimeout="6" AuditType="2" Recordable="false"
             Enabled="true">
      <AllocatedPort>20003</AllocatedPort>
      <SessionDescription>
        <![CDATA[ Windows Server Update Services Non-Encrypted]]>
      </SessionDescription>
      <Command><![CDATA[ @echo Windows Update Non-Encrypted {0}:{1} & pause]]></Command>
      <Extension>bat</Extension>
      <SessionLogExtension />
    </Service>

Entries for an encrypted mode:

    <Service Id="444" Name="Windows Update Services SSL"
             ApplicationName="http" AccessType="REMOTE_WEB"
             SessionTimeout="6" AuditType="2" Recordable="false"
             Enabled="true">
      <AllocatedPort>20004</AllocatedPort>
      <SessionDescription>
        <![CDATA[ Windows Server Update Services SSL]]>
      </SessionDescription>
      <Command><![CDATA[ @echo Windows Update {0}:{1} & pause]]></Command>
      <Extension>bat</Extension>
      <SessionLogExtension />
    </Service>

CAUTION

The Service_ID and ALLOCATED_PORT values you specify in the DefaultRRAConfiguration.xml file on the VSE must be identical to the values of these parameters in the Security Center database. See section 4.3, Security Center – tunnel configuration in the database.
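A check that a site engineer can run on the VSE after the Sync_RRA.zip package has been distributed, added here as an example and not part of the WSUS Sync ESP package: it parses the Service entries of DefaultRRAConfiguration.xml and compares them with the RMA_SVC_ID and ALLOCATED_PORT values entered in RMA_INBOUND_SERVICE_T (section 4.3.1). The expected values are the defaults from the tables above; the XML sample is constructed from the entries in this section and wrapped in a root element so that it parses on its own.

```powershell
# Added example, not part of the WSUS Sync ESP package: verify that the VSE-side
# tunnel definitions match the Security Center database entries. The guide requires
# Service Id / RMA_SVC_ID and AllocatedPort / ALLOCATED_PORT to be identical, so those
# are the values compared; Id 4 is the HTTP tunnel and Id 444 the HTTPS tunnel.

# Expected database entries, keyed by RMA_SVC_ID (default values from section 4.3.1).
$ExpectedTunnels = @{
    4   = @{ Name = 'WSUS';           AllocatedPort = 20003 }
    444 = @{ Name = 'WSUS Encrypted'; AllocatedPort = 20004 }
}

function Test-WsusTunnelConsistency {
    param(
        [Parameter(Mandatory)] [xml]       $RraConfig,   # parsed DefaultRRAConfiguration.xml
        [Parameter(Mandatory)] [hashtable] $Expected,    # RMA_SVC_ID -> expected values
        [switch] $EncryptedMode                          # require both tunnels when set
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $services = @($RraConfig.SelectNodes('//Service'))
    $required = if ($EncryptedMode) { @(4, 444) } else { @(4) }

    foreach ($id in $required) {
        $svc = $services | Where-Object { [int]$_.Id -eq $id } | Select-Object -First 1
        if (-not $svc) {
            $findings.Add("Service Id=$id is missing from DefaultRRAConfiguration.xml")
            continue
        }
        $expected = $Expected[$id]
        $port = [int]$svc.AllocatedPort
        if ($port -ne $expected.AllocatedPort) {
            $findings.Add("Service Id=$id AllocatedPort $port differs from ALLOCATED_PORT $($expected.AllocatedPort)")
        }
        # The guide reserves 20000 and higher for allocated ports.
        if ($port -lt 20000) {
            $findings.Add("Service Id=$id AllocatedPort $port is below the 20000 minimum")
        }
        if ($svc.Enabled -ne 'true') {
            $findings.Add("Service Id=$id is present but not enabled")
        }
    }

    # Two tunnels bound to the same VSE port cannot both open.
    $services | Group-Object -Property AllocatedPort | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $findings.Add("AllocatedPort $($_.Name) is used by $($_.Count) Service entries") }

    return $findings
}

# Constructed sample: the two default Service entries from this section, wrapped in a root.
$sampleXml = [xml]@'
<Services>
  <Service Id="4" Name="Windows Update Services" ApplicationName="http"
           AccessType="REMOTE_WEB" SessionTimeout="6" AuditType="2"
           Recordable="false" Enabled="true">
    <AllocatedPort>20003</AllocatedPort>
    <Command><![CDATA[ @echo Windows Update Non-Encrypted {0}:{1} & pause]]></Command>
    <Extension>bat</Extension>
  </Service>
  <Service Id="444" Name="Windows Update Services SSL" ApplicationName="http"
           AccessType="REMOTE_WEB" SessionTimeout="6" AuditType="2"
           Recordable="false" Enabled="true">
    <AllocatedPort>20004</AllocatedPort>
    <Command><![CDATA[ @echo Windows Update {0}:{1} & pause]]></Command>
    <Extension>bat</Extension>
  </Service>
</Services>
'@

$issues = @(Test-WsusTunnelConsistency -RraConfig $sampleXml -Expected $ExpectedTunnels -EncryptedMode)
if ($issues.Count -eq 0) { 'Tunnel definitions are consistent with the Security Center entries.' }
else { $issues | ForEach-Object { "MISMATCH: $_" } }

# Against the live file on the VSE (path relative to the VSE installation; adjust as needed):
# [xml]$live = Get-Content -Raw '.\ReverseRemoteAccess\DefaultRRAConfiguration.xml'
# Test-WsusTunnelConsistency -RraConfig $live -Expected $ExpectedTunnels -EncryptedMode
```

Omit -EncryptedMode in non-encrypted mode, where only the Id 4 tunnel is required; every finding names the Service Id so the matching database row can be corrected.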

4.4.3 Configuring the local PowerShell execution policy for VSE

The WSUS Sync solution uses PowerShell scripts to run the WSUS Sync ESP. Therefore, running PowerShell scripts on the VSE server should be enabled.

In most cases, the Windows PowerShell execution policy is Restricted by default, which means that Windows prevents the running of PowerShell scripts. To enable the WSUS Sync solution, the PowerShell execution policy must be changed to allow the running of the required scripts.

NOTE

In Windows Server 2012 R2, the default execution policy is RemoteSigned. In this case, you do not need to change the execution policy.

The lowest (least privilege) execution policy level that allows running the WSUS Sync scripts is RemoteSigned. You can also use the AllSigned and Unrestricted execution policies.

NOTE

To learn more about Windows PowerShell execution policies, see:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-6&viewFallbackFrom=powershell-Microsoft.PowerShell.Core

Before changing your execution policy, find out what your current policy is.

To identify your current execution policy:

1. Open PowerShell as administrator by using the Run as Administrator option.

2. In PowerShell, enter the following command:

Get-ExecutionPolicy

Your current execution policy appears:


Based on your results, perform one of the following:

• If your current execution policy is Restricted, change it to the RemoteSigned policy or higher. See the instructions below.

• If your current execution policy is one of the following – RemoteSigned, AllSigned, or Unrestricted – no change is required; proceed to section 4.5.2, Configuring WinRM.

To change your execution policy:

1. Open PowerShell as administrator by using the Run as Administrator option.

2. In PowerShell, enter the following command:

Set-ExecutionPolicy

A prompt appears, asking you to enter the required execution policy.

3. At the ExecutionPolicy prompt, enter:

RemoteSigned

A message appears, informing you of the policy change and asking you to confirm the change.

4. Enter Y to confirm the policy change.

Figure 4-2. Current execution policy

Figure 4-3. Confirming the policy change


Your execution policy is now RemoteSigned, and the WSUS Sync solution scripts can run when needed.

NOTE

To learn more about the Set-ExecutionPolicy cmdlet, see:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6

4.4.4 Configuring WinRM for VSE

Starting from VSE BigBen (version 4.8) and up, the WSUS Sync solution cannot function properly unless Windows Remote Management (WinRM) is enabled and configured on the VSE computer.

NOTE

WinRM is automatically installed with all currently supported versions of the Windows operating system.

To learn more about the installation and configuration of WinRM, see:

https://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx

To enable and configure WinRM:

1. Open PowerShell as an administrator by using the Run as Administrator option.

2. In PowerShell, enter the following command:

winrm quickconfig

3. When prompted to confirm the changes, enter Y.

WinRM is now enabled and configured, enabling the WSUS Sync solution to run properly on the VSE computer.
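A preflight check for the VSE computer covering sections 4.4.3 and 4.4.4 (and, with -DownstreamWsusHost, the WinRM requirement of section 4.5.2 for a downstream server on a separate computer), added as an example and not part of the WSUS Sync ESP package. By default it only reports; -Fix raises a Restricted policy to RemoteSigned, the least-privilege level the guide names, and nothing higher. The hostname in the comment at the end is a placeholder.

```powershell
# Added example, not part of the WSUS Sync ESP package. Run from an elevated
# PowerShell console on the VSE computer (Run as Administrator), as in sections
# 4.4.3 and 4.4.4.

function Test-VseWsusSyncPrerequisites {
    param(
        [switch] $Fix,                  # raise a Restricted policy to RemoteSigned
        [string] $DownstreamWsusHost    # optional: separate downstream WSUS server to probe over WinRM
    )
    $result = [ordered]@{}

    # 1. Execution policy. RemoteSigned, AllSigned and Unrestricted all allow the ESP
    #    scripts to run; Restricted blocks them. Get-ExecutionPolicy with no scope
    #    returns the effective policy, which is what the guide asks you to read.
    $allowed = 'RemoteSigned', 'AllSigned', 'Unrestricted'
    $policy  = (Get-ExecutionPolicy).ToString()
    $changed = $false
    if ($policy -eq 'Restricted' -and $Fix) {
        # Same change as the interactive Set-ExecutionPolicy step; -Force skips the Y/N prompt.
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
        $policy  = (Get-ExecutionPolicy).ToString()
        $changed = $true
    }
    $result.ExecutionPolicy        = $policy
    $result.ExecutionPolicyChanged = $changed
    $result.ExecutionPolicyOk      = $allowed -contains $policy

    # 2. WinRM service. "winrm quickconfig" starts it and sets it to start automatically.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $result.WinRmService   = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
    $result.WinRmServiceOk = [bool]($svc -and $svc.Status -eq 'Running')

    # 3. WinRM listener. Test-WSMan raises an error when no local listener answers.
    try {
        $null = Test-WSMan -ErrorAction Stop
        $result.WinRmListenerOk = $true
    } catch {
        $result.WinRmListenerOk = $false
    }

    # 4. Optional: a downstream WSUS server on a separate computer must also answer WinRM
    #    (section 4.5.2); the VSE reaches it the same way the ESP does.
    if ($DownstreamWsusHost) {
        try {
            $null = Test-WSMan -ComputerName $DownstreamWsusHost -ErrorAction Stop
            $result.DownstreamWinRmOk = $true
        } catch {
            $result.DownstreamWinRmOk = $false
        }
    }

    # AllOk is true only when every *Ok entry collected above is true.
    $failed = $result.GetEnumerator() | Where-Object { $_.Key -like '*Ok' -and -not $_.Value }
    $result.AllOk = -not $failed
    return [pscustomobject]$result
}

# Report only. Add -Fix to change a Restricted policy, and -DownstreamWsusHost for a
# downstream server on a separate computer, e.g.:
#   Test-VseWsusSyncPrerequisites -DownstreamWsusHost 'wsus-downstream.example.local'
# (the hostname is a placeholder, not a value from the guide).
Test-VseWsusSyncPrerequisites | Format-List
```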

4.5 Downstream WSUS server – requirements and configuration

The downstream WSUS server can either be installed on the same computer as the VSE or on a separate computer.

4.5.1 Downstream WSUS server – requirements

The following requirements need to be met to set up the WSUS Sync solution on the downstream WSUS server:

• WSUS 3.0 SP2 and up installed


• On the WSUS server, a Windows user who is a member of the WSUS Administrators group and who has privileges for managing WSUS; in addition, this user needs permissions to access the server remotely by using WinRM.

NOTE

At a later stage, when you configure in the VSE the parameters of the device used for WSUS Sync, enter the credentials of this user as the WSUS parameters – WSUS Admin Username, Admin Domain, and Admin Password.

4.5.2 Configuring WinRM

Starting from VSE BigBen (version 4.8) and up, Windows Remote Management (WinRM) must be enabled and configured on the downstream WSUS server to ensure the proper operation of the WSUS Sync solution.

• If the downstream WSUS server is installed on the same computer as the VSE, and WinRM has already been configured on the VSE server (see section 4.4.4, Configuring WinRM for VSE), there is no need to configure WinRM again.

• If the downstream WSUS server is installed on a separate computer, configure WinRM on the downstream WSUS server as well, using the same process used to configure WinRM on the VSE.

4.5.3 Importing the upstream WSUS certificate – encrypted mode

The upstream WSUS certificate enables the downstream WSUS server to accept the upstream WSUS server as a trusted source and to securely receive updates from the upstream server.

4.5.4 Configuring the update source

To enable the downstream WSUS server to receive updates from the upstream WSUS server, configure the update source of the downstream WSUS server as follows.

To configure the update source of the downstream WSUS server:

1. In the downstream WSUS server settings, enter the source of the WSUS updates.

2. Open the downstream WSUS server console by selecting Start > Windows Server Update Services, to open the screen by the same name.

3. In the left pane of this screen, select WSUS > Options to display the Options pane in the middle of the dialog box.

4. Click the Update Source and Proxy Server option to open a dialog box by the same name, which allows the downstream WSUS server to synchronize with the upstream WSUS server:


5. Use the Update Source and Proxy Server dialog box to select the following options:

• Synchronize from another Windows Server Update Services server

• This server is a replica of the upstream server

Figure 4-4. Update Source and Proxy Server option


6. Enter the following values:

• Port number – enter 18530

• Server name – any of the following values:

o IP address 127.0.0.1

o localhost

o WSUS Upstream DNS name

To find the server name in the imported certificate:

1. In the URL address box of the server, click the Secure prefix, and select the Certificate option:

Figure 4-5. Update Source and Proxy Server dialog box


2. On the Certificate dialog box, open either the General or the Certification Path tab, and locate the name of the server as it appears on the certificate.

3. Use the Update Source tab to enter the following details:

• Server name – the name that appears on the Certification Path tab.

• Port number – enter 18530.

• Use SSL when synchronizing update information check box – select this check box.

Your dialog box should look as shown below.

4. Click Apply to complete the operation.

Figure 4-6. Source updated with all relevant details

4.5.5 Editing the hosts file

An entry needs to be added to the hosts file on the downstream WSUS server to map the upstream WSUS server hostname to the IP address of the VSE.


This is required to bypass the DNS system, because the site's DNS system either does not exist or does not contain the WSUS IP address.

To edit the hosts file:

1. Open the hosts file, located at C:\Windows\System32\drivers\etc.

2. In the hosts file, add a new entry as follows:

VSE_IP_Address Upstream_WSUS_Server_Name

NOTE

The Upstream_WSUS_Server_Name value must be identical to the name that appears in the certificate.

For example:

Figure 4-7. Hosts file edited

3. Save the hosts file with the new entry.
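The update-source settings of section 4.5.4 and the hosts-file mapping of section 4.5.5, applied and checked from PowerShell on the downstream WSUS server; added as an example, not part of the WSUS Sync ESP package. It assumes the WSUS administration assembly is present (it is installed with the WSUS role) and that the name passed as -UpstreamServerName is exactly the name shown in the imported certificate; the sample hosts file, addresses and names are constructed placeholders.

```powershell
# Added example, not part of the WSUS Sync ESP package. Runs on the downstream WSUS
# server. Set-DownstreamWsusUpdateSource writes the same settings as the Update Source
# and Proxy Server dialog; Test-UpstreamHostsMapping checks the hosts-file entry that
# sends the upstream name to the VSE, where the reverse tunnel listens on port 18530.

function Set-DownstreamWsusUpdateSource {
    param(
        [Parameter(Mandatory)] [string] $UpstreamServerName,   # name exactly as in the certificate
        [int]    $Port   = 18530,                               # port from section 4.5.4
        [switch] $UseSsl                                        # encrypted mode only
    )
    # WSUS administration API, installed with the WSUS role (assumption: present on this host).
    [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()
    $config.SyncFromMicrosoftUpdate      = $false        # "Synchronize from another WSUS server"
    $config.IsReplicaServer              = $true         # "This server is a replica of the upstream server"
    $config.UpstreamWsusServerName       = $UpstreamServerName
    $config.UpstreamWsusServerPortNumber = $Port
    $config.UpstreamWsusServerUseSsl     = [bool]$UseSsl # "Use SSL when synchronizing update information"
    $config.Save()
    # Read back so the caller can confirm what was stored (UseSsl must be True in encrypted mode).
    $saved = $wsus.GetConfiguration()
    [pscustomobject]@{
        UpstreamServer = $saved.UpstreamWsusServerName
        Port           = $saved.UpstreamWsusServerPortNumber
        UseSsl         = $saved.UpstreamWsusServerUseSsl
        Replica        = $saved.IsReplicaServer
    }
}

function Test-UpstreamHostsMapping {
    param(
        [Parameter(Mandatory)] [string] $UpstreamServerName,
        [Parameter(Mandatory)] [string] $VseIpAddress,
        [string] $HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    # Collect every address the hosts file maps the upstream name to (comments stripped).
    $mapped = foreach ($line in Get-Content -Path $HostsPath) {
        $entry = ($line -split '#', 2)[0].Trim()
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -gt 1 -and $fields[1..($fields.Count - 1)] -contains $UpstreamServerName) {
            $fields[0]
        }
    }
    $mapped = @($mapped)
    [pscustomobject]@{
        UpstreamServerName = $UpstreamServerName
        MappedTo           = $mapped
        # Exactly one mapping, and it must point at the VSE, not at the real upstream address.
        Ok                 = ($mapped.Count -eq 1 -and $mapped[0] -eq $VseIpAddress)
    }
}

# Constructed sample hosts file (addresses and names are placeholders, not values from the guide).
$sampleHosts = Join-Path $env:TEMP 'hosts.wsus-sample'
@'
# hosts file on the downstream WSUS server
127.0.0.1       localhost
192.0.2.10      wsus-upstream.example.local    # VSE address -> upstream WSUS name
'@ | Set-Content -Path $sampleHosts

Test-UpstreamHostsMapping -UpstreamServerName 'wsus-upstream.example.local' `
                          -VseIpAddress '192.0.2.10' -HostsPath $sampleHosts

# On the downstream server, after the certificate has been imported (encrypted mode):
# Set-DownstreamWsusUpdateSource -UpstreamServerName 'wsus-upstream.example.local' -UseSsl
```

Run Test-UpstreamHostsMapping against the real hosts file by omitting -HostsPath; a result with two mappings or a mapping to the upstream server's own address means the sync would bypass the tunnel.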


5. Configuring the WSUS Sync ESP in the VSE

Each policy that was distributed to a VSE must be represented as a specific device in the VSE before it can be configured and run. Therefore, you need to create a new device in the VSE for each distributed policy, unless your site (VSE) already has a device for syncing the policy.

Accordingly:

1. Before creating a new device for the WSUS Sync ESP, check whether you already have the WSUS device in your VSE.

2. If the VSE already has a device for syncing WSUS, ensure that the configuration of the device meets the requirements specified in this document.

Once you have a device for the WSUS Sync ESP, you need to configure the device. First configure several basic parameters, such as connectivity credentials and the time interval that needs to elapse after a successful sync before a new sync is initiated. Then, if necessary, you can change the default values of the advanced parameters of the device.

In short, the configuration of the WSUS Sync ESP consists of the steps described in the following sections:

• 5.1, Checking for the existence of a WSUS device

• 5.2, Creating a new device for the WSUS Sync ESP

• 5.3, Verifying the WSUS tunnel operation

• 5.4, Configuring the advanced parameters of the WSUS device

After WSUS Sync is configured to meet your network specification and requirements, this policy automatically starts running by default once a day at 23:30 local time.

5.1 Checking for the existence of a WSUS device

To check if your VSE includes a device for the WSUS Sync ESP:

1. Open the VSE.

2. Go to Operations > Device Management.

3. Search for the file WSUS_PL4Vendor_[date].nnz.

4. Based on the results, perform one of the following:


• If a device that is based on the WSUS product line exists, start configuring the parameters of the existing device, as described in section 5.3, Verifying the WSUS tunnel operation.

• If such a device does not exist, create a new device for the WSUS Sync ESP, as described in the next section.

5.2 Creating a new device for the WSUS Sync ESP

To create a new device for the WSUS Sync ESP:

1. Open the VSE.

2. Go to Operations > Device Management to display a list of all existing devices.

3. Click New above the table to display the New Device page.

4. On the New Device page, set the following:

Table 5-1. Properties of a WSUS device

Property          Value
Product Line      Select NextNine WSUS.
Model             Select either WSUS HTTP or WSUS SSL, depending on the security mode selected for the upstream WSUS server in the HQ.
                  • If you did not configure the upstream WSUS server to use SSL, select WSUS HTTP.
                  • If you configured the upstream WSUS server to use SSL for an encrypted mode, select WSUS SSL.
Version           Select your VSE version.
Device Address    Enter the IP address of the computer where the connected downstream WSUS server is located:
                  • If the downstream WSUS server is installed on the same computer as the VSE – enter 127.0.0.1.
                  • If the downstream WSUS server is installed on a remote computer – enter the IP address of the remote computer.
Device Name       Enter the requested name.
                  Note: You can enter any name for the new device. For the sake of clarity and consistency, the name WSUS server is used in this guide.

5. Go to the Protocol Settings section to configure the parameters specified in the

table below.

NOTE

You can also complete the device creation at this stage, by clicking Save

at the bottom of the page, and continue configuring the WSUS Device

protocol settings later. To do that, click the WSUS device row on the left

pane of the All Devices page, and then click Edit Protocol Settings of

device on the right. The dialog box that opens is identical to the section

described in the next step.

Table 5-2. Parameters specified in Protocol Settings

User Name: A VSE username for accessing the VSE API. Default value: admin

Password: A password for the above username. Default value: admin

WSUS Admin Domain: If needed, a WSUS server domain name. If the WSUS Admin user is a local user on the downstream WSUS server, use the value “.”.

WSUS Admin Username: A Windows username for a user who is a member of the WSUS Administrators group and who has permissions to access the computer remotely by using WinRM (for more information about this Windows user, see section 4.4.4, Configuring WinRM for VSE). Default value: WSUSAdmin

WSUS Admin Password: A password for the WSUS admin user above. Default value: W5U5Admin

WSUS Hostname: The hostname or IP address of the downstream WSUS server. Default value: 127.0.0.1 / Down_server

Sync Interval: The time interval (in hours) that needs to pass before automatically initiating a new sync after a successful one (to learn more about using the Sync Interval, see section 6.1, Understanding the operation and output of WSUS Sync). Default value: 23

6. Once you have finished configuring the basic parameters of the WSUS device,

click Save.

A confirmation message appears, informing you of the creation of the new device.

7. Click OK to return to the Device Management page.

By default, once the WSUS device is properly created, the first synchronization between

the downstream WSUS server and the upstream WSUS server is automatically

executed at 23:30. You can wait for the automatic execution of the WSUS Sync ESP, or

perform one or both of the following:

[Optional]

• Configure the advanced parameters of the WSUS device

• Manually run the WSUS Sync ESP, and view the synchronization results.

5.3 Verifying the WSUS tunnel operation

Before starting to use the WSUS Sync ESP, verify that the reverse tunnel allocated to this policy is working properly.

To verify the proper operation of the WSUS Sync tunnel:

1. Open the VSE, either directly from its server or by connecting to it remotely.


2. On the VSE, select the WSUS Sync device in the All Devices pane on the left side

of the screen.

3. In the Execution tab, select the check box of the Open Connection (without

syncing) option.

4. To open the tunnel allocated for the WSUS Sync ESP without starting the WSUS

sync, click Execute Once Now.

5. To verify that the tunnel was opened properly, open a web browser and navigate to

one of the following addresses, depending on your security mode:

• Non-encrypted – HTTP://[vse]:18530

• Encrypted – HTTPS://[vse]:18529

The results of the tunnel verification are one of the following:

• Success: There is no error message, and the page is displayed.

• Failure: A connection/certificate/security error is displayed. In this case, check your configuration.

5.4 Configuring the advanced parameters of the WSUS device

In addition to the basic parameters of the WSUS device, there are advanced parameters that affect the results of the execution of the WSUS Sync ESP.

In version 4.8 and above, all these advanced parameters have default values that can be kept or, if required, modified.

The way you configure the advanced parameters depends on several factors: the

version of your WSUS Sync ESP; the existence of a previous WSUS device/policy in the

VSE; and the version of your VSE.

• For a new WSUS Sync v. 3.4x with no prior WSUS device in the VSE - see section

5.4.1, Configuring for a new WSUS device.

• For an upgraded WSUS Sync v. 3.4x with an existing WSUS device in the VSE - see section 5.4.2, Configuring for upgraded WSUS device.

5.4.1 Configuring for a new WSUS device

NOTE

The instructions in this section apply only to a new WSUS Sync solution v. 3.4x, with

no prior WSUS device in the VSE.


To configure the advanced parameters of a new WSUS device v. 3.4x:

1. On the VSE, click the Operations tab - Devices option.

2. From the All Devices list on the left side of the screen, select the WSUS device.

3. On the left pane of the All Devices page, click the Edit icon next to the WSUS

device:

The Edit Protocol Settings of Device dialog box appears, allowing you to

configure the settings of the WSUS device.

4. To configure an advanced parameter, click Add to insert a new row at the bottom

of the parameters table.

5. Enter the parameter name and its value in the appropriate boxes, as specified in

the table below:

NOTES

Copy and paste the Parameter Name without any changes. Do not use

quotation marks, whitespaces, or any other additions.

The names and values of the parameters are case sensitive.

Table 5-3. Advanced parameters for WSUS device

UI_Port: The UI Port of the VSE. Default value: 8449

Service_ID: The ID of the WSUS service as configured in the Security Center and VSE. Default value: 4

HTTP_Service_ID: For the encrypted mode only - the ID of the WSUS service as configured in the Security Center and VSE. When working in the encrypted mode, enter the Service ID of the HTTP here – 444. Default value: 444

Client_WSUS_Port: The listening port of the downstream WSUS component. Default value: 8530

Tunnel_Port: The VSE machine port on which the VSE mimics the upstream WSUS communication. Default value: 18530. Do not change this value.

Figure 5-1. Edit WSUS device


If you chose to add all advanced parameters, your Edit Protocol Settings of

Device dialog box looks as shown below.

6. Once you have entered all the required settings, click Save.

The Save action overrides the default values.

5.4.2 Configuring for upgraded WSUS device

If you are already using the WSUS Sync solution, that is, you already have a running WSUS device in your VSE and have upgraded the solution to WSUS Sync v. 3.4x, you need to configure the advanced parameters in a different way.

When using an upgraded WSUS Sync policy, the Edit Protocol Settings of Device dialog box in your VSE displays the advanced parameters. These advanced parameters are not visible in the dialog box of a WSUS device v. 3.4x when the WSUS Sync ESP is used for the first time.

Although the advanced parameters are visible, and the values you entered for them previously are kept, the format of the names of the advanced parameters has changed in the upgraded version of the policy. The values you previously entered for these parameters will be overridden by the new default values of the parameters. To apply your customized values to the new version of the WSUS device, change the name format of the parameters as described in the instructions below.

Figure 5-2. Edit Protocol Settings of Device dialog box


To configure the advanced parameters for an upgraded WSUS device:

1. In the VSE ribbon, go to the Operations tab > Devices. In the All Devices list on the left side of the screen, select the WSUS device.

2. In the list of devices, click the Edit Protocol Settings of Device icon next to the WSUS device.

The Edit Protocol Settings of Device dialog box appears, allowing you to

configure the settings of the WSUS device.

If you use a new WSUS device with a newer version of the WSUS Sync ESP, the

dialog box does not display the entries listed below, which are configured with

their default values:

• UI Port

• Service ID

• HTTP Service ID

• Client WSUS Port

• Tunnel Port

When using an existing WSUS device with a newer version of the WSUS Sync ESP,

these parameters do appear in the Edit Protocol Settings of Device dialog box,

including their current values, as shown below.

Figure 5-3. Settings of an existing device


However, regardless of the values displayed in the table, the WSUS device will use the default values of these parameters. Therefore, if you would like to set a non-default value for one or more of these parameters, you need to manually change the names of the requested parameters by replacing the blank space with an underscore, as follows:

• UI Port -> UI_Port

• Service ID -> Service_ID

• HTTP Service ID -> HTTP_Service_ID

• Client WSUS Port -> Client_WSUS_Port

• Tunnel Port -> Tunnel_Port

NOTE

If you are using a new WSUS device with a newer version of the WSUS Sync

ESP, click Add and enter the requested parameters and their values manually.

The figure below shows what your dialog box should look like.

3. Once you have changed all required names, click Save.

The Save action overrides the default values, and your customized values are

applied to the WSUS device.

Figure 5-4. Settings of an edited device


6. Running the WSUS Sync ESP

After configuring the settings of the WSUS device, you can now run the WSUS Sync

ESP on demand from the VSE or from the Security Center; for details, see section 6.2.1,

Running the WSUS Sync ESP, and section 6.3.1, Running the WSUS Sync ESP from the

Security Center.

Before performing these actions, it is advisable to learn more about the operation and

output of WSUS Sync, as explained in the following section.

6.1 Understanding the operation and output of WSUS Sync

By default, after you have configured the settings of the WSUS Sync ESP in the

Security Center and VSE, the WSUS Sync ESP runs once a day at 23:30. You do not

need to perform any additional action for the WSUS Sync ESP to be executed. You can

also manually run the WSUS Sync ESP, view the synchronization results after each run,

and deactivate the synchronization scheduler.

The WSUS device manages a synchronization monitoring and execution policy on a

scheduled basis in the following manner:

1. Every night at 23:30, the WSUS device on the VSE establishes a connection with

the downstream WSUS server.

2. Once the connection is established, the VSE sends a query to the downstream

WSUS server and checks its synchronization history. The WSUS device checks

whether there was a successful WSUS synchronization during a certain period.

This period is defined as a certain number of hours in the Sync Interval parameter

of the WSUS device. The Sync Interval determines the amount of time allowed

between a successful synchronization and the initiation of a new sync.

NOTE

For more information about the configuration of the Sync Interval

parameter, see section 5.3, Verifying the WSUS tunnel operation.

3. Based on the current WSUS synchronization state, the WSUS device performs one

of the following:

• If no successful WSUS sync occurred during the last Sync Interval, the WSUS device initiates a new WSUS sync.

For example, if the Sync Interval is 23h, and during the last 23h no successful update has occurred, a new WSUS sync is initiated.


• If there was a successful WSUS sync during the last Sync Interval, a new WSUS sync is not initiated. Until 4:00 a.m., a new check is then performed every 10 minutes. If during one of the checks it is found that no successful WSUS sync took place during the last Sync Interval, a WSUS update is initiated.

For example, if the Sync Interval is 23h, and a successful sync has occurred

during the last 23 hours, a new WSUS sync will not be initiated. Then, every

10 minutes, the WSUS device checks if a successful sync has occurred in the

last 23 hours. If at one point between 23:30 and 4:00, it is found that no

successful sync was completed during the last 23h, a new sync is initiated.

4. If it is found that a new WSUS sync must be initiated, the VSE opens a reverse

tunnel for its execution.

NOTE

While in previous versions of the WSUS Sync ESP the reverse tunnel was opened by the VSE automatically, starting from WSUS Sync v. 3.4x the VSE opens the reverse tunnel only when a new sync is required.

5. Every ten minutes, until 04:00, the WSUS device verifies that the connection between the upstream and the downstream WSUS servers is active. If the connection has been lost, the WSUS device recreates the connection and sends a new sync command to the downstream WSUS server.

ATTENTION

The WSUS Sync does not update the workstations on the remote site with

the updates that are received by the downstream WSUS server. The

configuration of the update routine of the workstations on the site is the

responsibility of the site manager. In addition, the WSUS Sync solution is

not responsible for configuring the update download policies on the

upstream WSUS server.
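The scheduling rules above (start at 23:30, compare the time since the last successful sync with the Sync Interval, re-check every 10 minutes until 04:00) can be modelled to predict when a given downstream server would be told to sync. The following Python model is an added example written for this page; it is not code from the WSUS Sync ESP. The function names, the history record format, the constructed sync history, and the choice to treat 04:00 as the last check of the window are assumptions made for the illustration.

```python
"""Model of the nightly WSUS Sync scheduling rules described in section 6.1.

Added example for this page; it is not code from the WSUS Sync ESP. The
function names, the history record format and the choice to treat 04:00 as
the last check of the window are assumptions made for the illustration.
"""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Figures taken from the guide: the nightly start time, the length of the
# monitoring window (23:30 to 04:00) and the re-check period used while a
# sync is not yet due.
NIGHTLY_START = timedelta(hours=23, minutes=30)   # 23:30 local time
WINDOW_LENGTH = timedelta(hours=4, minutes=30)    # 23:30 -> 04:00 next day
CHECK_PERIOD = timedelta(minutes=10)


def parse_ts(value: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the sample history."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


# Constructed sync history of a downstream WSUS server: (finished, succeeded).
# A failed run does not count as a successful sync.
SAMPLE_HISTORY: List[Tuple[str, bool]] = [
    ("2020-05-30 23:35", True),
    ("2020-05-31 23:36", False),
    ("2020-06-01 01:00", True),
]


def last_successful_sync(history: List[Tuple[str, bool]]) -> Optional[datetime]:
    """Return the time of the newest successful sync, or None if there is none."""
    successes = [parse_ts(ts) for ts, ok in history if ok]
    return max(successes) if successes else None


def sync_is_due(now: datetime, last_success: Optional[datetime],
                sync_interval_hours: int) -> bool:
    """True when no successful sync completed within the last Sync Interval.

    A server with no successful sync on record is always due.
    """
    if last_success is None:
        return True
    return now - last_success >= timedelta(hours=sync_interval_hours)


def monitoring_window(night_of: datetime) -> Tuple[datetime, datetime]:
    """Window that opens at 23:30 on the given day and closes at 04:00 next day."""
    midnight = night_of.replace(hour=0, minute=0, second=0, microsecond=0)
    start = midnight + NIGHTLY_START
    return start, start + WINDOW_LENGTH


def first_sync_trigger(night_of: datetime, last_success: Optional[datetime],
                       sync_interval_hours: int) -> Optional[datetime]:
    """Walk the window in 10-minute checks, as the WSUS device does, and
    return the first check at which a new sync is initiated, or None if the
    Sync Interval never elapses before the window closes."""
    start, end = monitoring_window(night_of)
    check = start
    while check <= end:
        if sync_is_due(check, last_success, sync_interval_hours):
            return check
        check += CHECK_PERIOD
    return None


if __name__ == "__main__":
    # With the guide's default Sync Interval of 23 hours, the constructed
    # history (last success at 01:00) is not due at 23:30 and becomes due at
    # the 00:00 check.
    night = parse_ts("2020-06-01 00:00")
    last = last_successful_sync(SAMPLE_HISTORY)
    print("last successful sync:", last)
    print("sync initiated at:", first_sync_trigger(night, last, 23))
```

With the constructed history the last success is at 01:00, so at 23:30 only 22.5 hours have elapsed and no sync is started; the 10-minute checks reach 23 hours at 00:00, which is the first check that initiates a sync. A last success at 10:00 the same day is never 23 hours old before 04:00, so that night produces no sync at all, which is the case a site manager should expect when the Sync Interval is long relative to the window.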


6.2 Using the VSE to run the WSUS Sync ESP

After you have defined and configured the WSUS device in the VSE, you can manually run the WSUS Sync ESP from the VSE and view the WSUS Sync results.

NOTE

You can also run the WSUS Sync ESP and view its results from the Security Center, as described in section 6.2, Using the VSE to run.

6.2.1 Running the WSUS Sync ESP

In addition to running the WSUS Sync policy on a scheduled basis, you can manually

run the policy on demand.

To run the WSUS Sync ESP from the VSE:

1. On the VSE, click the Operations tab > Devices option on the upper toolbar, to display the All Devices page.

2. From the list on the left, select the WSUS Sync device. The list of available profiles

for the WSUS device appears on the right:

Figure 6-1. List of available actions for the WSUS Device

The list of execution profiles for the WSUS Sync ESP is as listed below.

Profile Name: Open Connection (without syncing)
Type: Diagnose Routine
Description: Opens the reverse tunnel from the downstream WSUS server to the upstream WSUS server, without starting a new WSUS sync.

Profile Name: Open WSUS Connection and Sync
Type: Diagnose Routine
Description: Opens the reverse tunnel from the downstream WSUS server to the upstream WSUS server and initiates a new WSUS sync. A new WSUS sync is initiated only if no successful WSUS update occurred during the last Sync Interval. If a new WSUS sync is initiated following the activation of this option, the sync occurs only once, and not regularly on a scheduled basis.

Profile Name: Open WSUS Connection and Sync Periodically
Type: Monitoring Profile
Description: Allows the WSUS Sync ESP to run once a day, based on the settings predefined in the scheduler. By default, this option is enabled. For details about stopping and restarting the scheduler, see section 6.3.3, Opening WSUS connection and syncing.
This profile has the following statuses:
• Running
• Not Running
• Downloading
Note: The status Downloading, which was introduced in version 3.5.X, appears if the connection with the upstream server completed successfully and the downstream WSUS is currently downloading the updates received from the upstream server in the background. When the status is Downloading, the periodical check of the WSUS connection will not close the tunnel.

Profile Name: Sync Now
Type: Diagnose Routine
Description: Opens the reverse tunnel and initiates a new WSUS sync, regardless of the last sync execution time and result. The WSUS sync occurs once.

Profile Name: Terminate WSUS Connection
Type: Diagnose Routine
Description: Closes the reverse tunnel allocated for the WSUS synchronization. This action causes any active WSUS sync to stop.
Note: Before using the Terminate WSUS Connection option, check whether a synchronization is currently running. If a synchronization is currently in progress, wait until it is completed before terminating the WSUS connection.

Profile Name: Calculate Clients Updates Compliance
Type: Diagnose Routine
Description: Checks a list of updates that were approved by the organization’s WSUS manager, as well as a user-defined threshold for the maximum number of days allowed before the device must be updated. For each WSUS device, this profile checks whether there are any approved updates that are relevant to the device and the OS it runs.
• If no such updates exist, or if there are one or more relevant updates but the threshold mentioned above has not been exceeded, the result is True.
• If there are such updates, and the threshold has been exceeded, the result is False.

3. To run one of the execution profiles of the WSUS Sync ESP, from the Actions list,

select the check box of the action you want to execute and click Execute Once

Now.

Figure 6-2. One-time execution of an action


The selected profile is executed. During the action run, you can open the Current

Execution tab to view its status:

Once the profile execution is completed, the profile no longer appears under the

Current Execution tab.

4. To view the results:

a. Open the View Data tab.

b. Click the relevant device.

c. Locate the profile for which you would like to view the results.

d. Click the link in the Status column:

The Execution Result – View pane appears, displaying the results of the

executed action. If the execution was not completed successfully, the pane

will display the error number and its description.

Figure 6-3. Current Execution tab

Figure 6-4. View Data tab
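The True/False rule of the Calculate Clients Updates Compliance profile, applied to constructed approval data, is shown in the following Python example. This is an added example written for this page, not code from the WSUS Sync ESP. It assumes that "the threshold has been exceeded" means that some relevant, approved, not yet installed update has been approved for more than the threshold number of days; the record layout, the client and update names and the dates are all constructed.

```python
"""Compliance rule of the Calculate Clients Updates Compliance profile.

Added example for this page, not code from the WSUS Sync ESP. It assumes
that "the threshold has been exceeded" means that some relevant, not yet
installed, approved update has been approved for more than the threshold
number of days; the record layout and the sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class ApprovedUpdate:
    update_id: str
    target_os: str                 # OS the update is relevant to
    approved_on: date              # approval date set by the WSUS manager
    installed_on: FrozenSet[str]   # hostnames that already report it installed


@dataclass(frozen=True)
class Client:
    hostname: str
    os: str


# Constructed evaluation date and approval data: one older Windows 10 update
# that only ws-02 has installed, and one recent server update that no host
# has installed yet. The KB identifiers are placeholders, not real updates.
SAMPLE_TODAY = date(2020, 6, 15)

SAMPLE_APPROVED: List[ApprovedUpdate] = [
    ApprovedUpdate("KB-EXAMPLE-1", "Windows 10", date(2020, 5, 20), frozenset({"ws-02"})),
    ApprovedUpdate("KB-EXAMPLE-2", "Windows Server 2016", date(2020, 6, 10), frozenset()),
]

SAMPLE_CLIENTS: List[Client] = [
    Client("ws-01", "Windows 10"),
    Client("ws-02", "Windows 10"),
    Client("srv-01", "Windows Server 2016"),
    Client("hmi-01", "Windows 7"),
]


def pending_updates(client: Client, approved: List[ApprovedUpdate]) -> List[ApprovedUpdate]:
    """Approved updates relevant to the client's OS that it has not installed."""
    return [u for u in approved
            if u.target_os == client.os and client.hostname not in u.installed_on]


def is_compliant(client: Client, approved: List[ApprovedUpdate],
                 threshold_days: int, today: date) -> bool:
    """Apply the profile's rule:
    - no relevant pending updates                          -> True
    - pending updates, none older than the threshold       -> True
    - pending updates, at least one older than the threshold -> False
    An update exactly threshold_days old is treated as not exceeding the
    threshold (assumption; the guide does not state the boundary)."""
    pending = pending_updates(client, approved)
    if not pending:
        return True
    oldest_age_days = max((today - u.approved_on).days for u in pending)
    return oldest_age_days <= threshold_days


def compliance_report(clients: List[Client], approved: List[ApprovedUpdate],
                      threshold_days: int, today: date) -> Dict[str, bool]:
    """Evaluate every client and return {hostname: compliant}."""
    return {c.hostname: is_compliant(c, approved, threshold_days, today)
            for c in clients}


if __name__ == "__main__":
    # With a 14-day threshold, ws-01 is the only non-compliant host: its
    # pending update was approved 26 days earlier.
    for host, ok in compliance_report(SAMPLE_CLIENTS, SAMPLE_APPROVED, 14, SAMPLE_TODAY).items():
        print(f"{host}: {ok}")
```

The threshold is the lever a site manager tunes: the same data evaluated with a 30-day threshold reports every host as True, while a 4-day threshold also flags srv-01, whose only pending update is five days old. Reading the report per host, rather than as a single pass/fail, shows which systems actually need attention.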


6.2.2 Stopping and restarting the WSUS scheduler

By default, once you create a WSUS device and set its basic parameters, its scheduler

is automatically activated. This scheduler runs the WSUS Sync ESP every night at

23:30.

NOTE

To learn more about the operation of the WSUS Sync scheduler, see section 6.1,

Understanding the operation and output of WSUS Sync .

You can stop the activity of the WSUS Sync scheduler and restart it when needed.

To stop and restart the WSUS scheduler:

1. In the VSE, open the profile list for the WSUS Sync ESP by clicking the Operations tab > Devices option, and selecting the WSUS device from the Devices list.

2. To stop the WSUS scheduler, on the list of profiles select the Open WSUS

Connection and Sync Periodically check box. Then, click Deactivate.

3. To restart the WSUS scheduler, on the list of profiles, verify that the Open WSUS

Connection and Sync Periodically check box is selected and click Activate.

The WSUS Sync scheduler is activated and will now start running once a day at

23:30.

Figure 6-5. Execution Result – View pane


6.3 Using the Security Center to run the WSUS Sync ESP

After you have defined and configured the WSUS device in the VSE, you can manually run the WSUS Sync ESP from the Security Center.

NOTE

You can also run the WSUS Sync ESP and view its results from the VSE, as described in section 6.2, Using the VSE to run.

6.3.1 Running the WSUS Sync ESP from the Security Center

In addition to running the WSUS Sync ESP on a scheduled basis, you can run the ESP

manually when needed.

To run the WSUS Sync ESP from the Security Center:

1. In the Security Center, select your site.

2. Open the Device List tab.

3. Click the WSUS device.

4. Click Diagnose to display the Run Diagnose activity on device dialog box.

5. Open the Diagnosis Routine drop-down list and select one of the options shown

in the figure below.

The options are:

• Open connection without syncing – opens the reverse tunnel from the downstream WSUS server to the upstream WSUS server, without starting the WSUS sync. For details, see section 6.3.2, Opening connection without syncing.

• Open WSUS connection and sync – opens the reverse tunnel from the downstream WSUS server to the upstream WSUS server and initiates a new WSUS sync; a new WSUS sync will occur only if no successful WSUS update occurred during the last sync interval. For details, see section 6.3.3, Opening WSUS connection and syncing.

• Sync Now – opens the reverse tunnel and starts a WSUS sync, regardless of the last sync execution time and result. For details, see section 6.3.4, Initiating synchronization.

• Terminate WSUS connection – terminates the open reverse tunnel; this action causes any active synchronization to stop. For details, see section 6.3.5, Terminating the WSUS connection.

Figure 6-6. Diagnosis Routine drop-down list

NOTE

Both the Open WSUS Connection and Sync and Sync Now options allow you to manually run the WSUS Sync ESP once, on demand. The difference between these two options is that when executing the Open WSUS Connection and Sync diagnose routine, synchronization will take place in the downstream WSUS server only if no successful synchronization has occurred during the last Sync Interval. On the other hand, when executing Sync Now, the downstream WSUS server will perform synchronization in any case.

6. After you select an option, click Run to activate it.

Once the WSUS Sync run is initiated, the run activity is added to the Activity Log.

In addition, the message Activity created appears, indicating that the run activity

has started:

The selected WSUS Sync activity starts running. When the action is completed,

the status of its activity in the Activity Log changes to Completed:

For additional information on the running and results of each WSUS Sync activity,

see the following sections.

6.3.2 Opening connection without syncing

The Open Connection (without syncing) option allows opening the reverse tunnel

from the downstream WSUS server to the upstream WSUS server, without starting the

WSUS sync.


NOTES

When using an encrypted mode (SSL/TLS enabled) for transferring updates from

the upstream WSUS server to the downstream WSUS server, the following tunnels

are opened:

• Metadata: for transferring the metadata of WSUS updates via HTTP protocol over SSL/TLS

• Download: for transferring the new WSUS updates via HTTP protocol

By default, when the reverse tunnel is opened manually, it remains open for six hours.

You cannot change this setting, but you can close the reverse tunnel via the Terminate

WSUS Connection option (see section 6.3.5, Terminating the WSUS connection).

To open a tunnel connection for WSUS updates without syncing:

1. Select the WSUS device and click Diagnose.

2. On the Run Diagnose activity on device dialog box, open the Diagnosis Routine drop-down list, and select the Open Connection (without syncing) option.

3. Click Run.

One or two of the reverse tunnels that are allocated to the WSUS Sync ESP are

opened, without performing a WSUS synchronization.

4. To view the status and results of the action, open the Activity Log tab.

5. To see more results, select the activity, and click its View Data icon on the right side of the activity line:

The pane shown below appears, confirming the opening of the reverse tunnel, and

displaying the port number that is allocated to it:

Figure 6-7. Data Viewer pane


6.3.3 Opening WSUS connection and syncing

The Open WSUS Connection and Sync option enables you to open the reverse tunnel from the downstream WSUS server to the upstream WSUS server, and to initiate a new WSUS sync. A new WSUS sync is initiated only if there was no successful WSUS update during the last Sync Interval. If a new WSUS sync is initiated following the activation of this option, it will occur only once, and not on a scheduled basis.

NOTES

To learn more about the rules that determine when a new WSUS sync is initiated,

see section 6.1, Understanding the operation and output of WSUS Sync .

The rules that are described there are applied automatically to a scheduled

WSUS sync, but they also apply to the one-time activation of the Open

WSUS Connection and Sync option.

By default, when the reverse tunnel is manually opened, it remains open for 6

hours. Starting from version 3.5.9, it is possible to configure this setting by

using the custom parameter Tunnel Timeout. In addition, you can close the

reverse tunnel by using the Terminate WSUS Connection option. For

details, see section 6.3.5, Terminating the WSUS connection.

To open the WSUS connection and sync:

1. Select the WSUS device and click Diagnose.

2. On the Run Diagnose activity on device dialog box, open the Diagnosis Routine

drop-down list, and select the Open WSUS Connection and Sync option.

3. Click Run.

The reverse tunnel allocated to the WSUS Sync ESP is opened. If no successful

WSUS update occurred during the last Sync Interval, a new WSUS sync is initiated.

NOTE

If the tunnel for the WSUS Sync ESP is already open, the WSUS Sync ESP will

use it to initiate the new sync.

4. To view the status and results of the action, as well as detailed results, repeat steps 4 and 5 in section 6.3.2, Opening connection without syncing.

6.3.4 Initiating synchronization

The Sync Now option enables opening the reverse tunnel and starting the WSUS

synchronization, regardless of the last sync execution time and result. The WSUS sync

will occur once.


To initiate WSUS synchronization:

1. Select the WSUS device and click Diagnose.

2. On the Run Diagnose activity on device dialog box, open the Diagnosis Routine

drop-down list, and select the Sync Now option.

3. Click Run.

4. The reverse tunnel allocated to the WSUS Sync ESP opens, and a WSUS sync is

initiated.

NOTE

If the tunnel for the WSUS Sync ESP is already open, the WSUS Sync ESP will

use it to initiate the new sync.

5. To view the status and results of the action, as well as detailed results, repeat

steps 4 and 5 of section 6.3.2, Opening connection without syncing.

6.3.5 Terminating the WSUS connection

The Terminate WSUS Connection option allows closing the reverse tunnel allocated to

the WSUS synchronization. This action causes any active WSUS sync to stop.

NOTE

Before running Terminate WSUS Connection, check if a synchronization is

currently running. If a synchronization is currently in progress, wait until it is

completed before terminating the WSUS connection.

To terminate the WSUS connection:

1. Select the WSUS device and click Diagnose.

2. On the Run Diagnose activity on device dialog box, open the Diagnosis Routine

drop-down list, and select the Terminate WSUS Connection option.

3. Click Run.

The reverse tunnel allocated to the WSUS Sync ESP closes.

To view the status and results, repeat steps 4 and 5 of section 6.3.2, Opening

connection without syncing.


Appendices

This user guide includes the following appendices:

• A, Troubleshooting
• B, Configuration checklist


A Troubleshooting

The following table describes a few common problems in the operation of the WSUS Sync solution with their possible solutions.

| Error Code | Error Message | Possible Solutions |
|---|---|---|
| 472 | Unable to open Tunnel, WSUS Sync will not continue. Make sure that service id <4 or 444> is defined properly in VSE, Database and protocol settings->custom. | The Service ID might not be defined properly in the Security Center database or in the VSE. (1) Check the Service ID definition in the Security Center database, RMA_INBOUND_SERVICE_T table. For details, see Understanding the WSUS Sync solution. (2) Check the Service ID definition in the VSE file DefaultRRAConfiguration.xml. For details, see section 4.4.2, Configuring the tunnel on the VSE side. If the Service ID is defined properly in both places, check if the VSE is listening on the port that is defined in the file DefaultRRAConfiguration.xml. |
| 476 | Tunnel is already open, no need to re-open. | The reverse tunnel allocated for the WSUS Sync is already open. The open tunnel will be used for the required action. No need to resolve. |
| 706 | Tunnel was not opened. VSE credentials are incorrect. Examine VSE User Name and VSE Password parameters in protocol Settings->Custom. | The value of the VSE Username and/or Password is incorrect. Check the values of these parameters in the Edit Protocol Settings dialog box of the WSUS device and change them if necessary. |


B Configuration checklist

The following table lists the steps required for a complete configuration of the WSUS Sync solution.

| Step | Component | Procedure | Relevant section |
|---|---|---|---|
| 1 | Upstream WSUS server | For the encrypted mode: configuration for using the SSL/TLS protocol | 4.2, Upstream WSUS server - configuration for encrypted mode |
| 2 | Security Center Database | Configuring the reverse tunnel from the Security Center | 4.3, Security Center – tunnel configuration in the database |
| 3 | VSE server | Verifying that the VSE license has been updated with the Reverse Remote Access feature | 4.4.1, VSE server - requirements |
| 4 | VSE server | Configuring the reverse tunnel from the VSE | 4.4.2, Configuring the tunnel on the VSE side |
| 5 | VSE server | Configuring the execution policy of the local PowerShell | 4.4.3, Configuring the local PowerShell execution policy for VSE |
| 6 | VSE server | Enabling and configuring the Windows Remote Management (WinRM) | 4.4.4, Configuring WinRM for VSE |
| 7 | Downstream WSUS | Creating or verifying the existence of a Windows user who is a member of the WSUS Administrators group and who has permissions for communicating with WinRM | 4.5.1, Downstream WSUS server – requirements |
| 8 | Downstream WSUS | For a downstream WSUS server that is installed on a separate computer: enabling and configuring the Windows Remote Management (WinRM) | 4.5.2, Configuring WinRM |
| 9 | Downstream WSUS | For the encrypted mode: importing the upstream WSUS server certificate to the downstream WSUS server | 4.5.3, Importing the upstream WSUS certificate – encrypted mode |
| 10 | Downstream WSUS | Configuring the Update Source of the downstream WSUS server | 4.5.4, Configuring the update source |
| 11 | Downstream WSUS | For the encrypted mode: editing the hosts file | 4.5.5, Editing the hosts file |
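As an added check that is not part of this guide or of the WSUS Sync ESP itself, the following PowerShell script, run on the downstream WSUS server, verifies the preconditions of checklist steps 7 through 11 in one pass. It assumes the upstream certificate was imported into the local machine Trusted Root store and that the WinRM account and upstream host name are supplied as parameters (the default values are placeholders).

```powershell
# Added verification script (not from the WSUS Sync ESP guide): checks the
# downstream WSUS server prerequisites from configuration checklist steps 7-11.
# $WinRmUser and $UpstreamHost are placeholders; replace them with your own values.
param(
    [string]$WinRmUser    = 'DOMAIN\wsus-sync-user',    # placeholder account
    [string]$UpstreamHost = 'upstream-wsus.example'     # placeholder upstream name
)
$results = [ordered]@{}

# Step 7: the account must be a member of the local "WSUS Administrators" group.
$members = Get-LocalGroupMember -Group 'WSUS Administrators' -ErrorAction SilentlyContinue
$results['WSUS Administrators member'] = [bool]($members | Where-Object Name -eq $WinRmUser)

# Step 8: WinRM must be enabled and answering on this host.
try   { Test-WSMan -ErrorAction Stop | Out-Null; $results['WinRM listening'] = $true }
catch { $results['WinRM listening'] = $false }

# Step 9 (encrypted mode): the upstream certificate must be trusted locally.
# Assumption: it was imported into the LocalMachine Trusted Root store.
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "*$UpstreamHost*"
$results['Upstream cert in LocalMachine\Root'] = [bool]$cert

# Step 10: the update source must be the upstream WSUS server, not Microsoft Update.
Import-Module UpdateServices -ErrorAction Stop
$cfg = (Get-WsusServer).GetConfiguration()
$results['Update source is upstream WSUS'] =
    (-not $cfg.SyncFromMicrosoftUpdate) -and ($cfg.UpstreamWsusServerName -eq $UpstreamHost)
$results['Upstream SSL enabled'] = $cfg.UpstreamWsusServerUseSsl
$results['Upstream port']        = $cfg.UpstreamWsusServerPortNumber

# Step 11 (encrypted mode): the hosts file must carry an entry for the upstream name.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*\d+\.\d+\.\d+\.\d+\s+.*\b' + [regex]::Escape($UpstreamHost) + '\b'
$results['hosts entry for upstream'] = [bool](Get-Content $hostsPath | Where-Object { $_ -match $pattern })

# Print one line per check so a failed precondition is easy to spot.
$results.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```

Run it in an elevated PowerShell session on the downstream server; any check reporting False points to the checklist step and section to revisit.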


C Changes introduced in version 3.5.9

The following changes were introduced in version 3.5.9 of WSUS Sync ESP:

• The status Downloading has been added to the execution profile Open WSUS Connection and Sync Periodically. For details, see section 6.2.1, Running the WSUS Sync ESP.

• The execution profile Calculate Clients Updates Compliance has been added. For details, see section 6.2.1, Running the WSUS Sync ESP.

• The custom parameter Tunnel Timeout now allows you to define the amount of time for which the reverse tunnel remains open after it was opened manually. For details, see section 6.3.3, Opening WSUS connection and syncing.
