WSUS - SSL and DMZ servers - 0x80072f8f

Hello,
First of all sorry for my english.
I've got error 0x80072F8F when i try to use WSUS (that is in the internal network) on my DMZ's servers.
Wsus server is a Wsus 3.0 SP1 on Windows 2003 (SSL enabled on port 8531)
DMZ's servers are Windows 2008 R2
1 - I have installed the root certificate of my PKI on the trust root certificate store of the DMZ's servers
2 - I have modified the Hosts file of the DMZ's servers for name resolution of the internal WSUS server therefore the wsus web certificate subject match the Wsus URL of the DMZ's servers.
3 - I created firewall rule for open the communications on port 8531 between DMZ's servers and Wsus server
4 -I created firewall rule for the download of the Certificate revocation list (of the WSUS certificate) by the DMZ's servers
5 - I am able to download
https://wsusserver/selfupdate/wuident.cab and there is no certificate error
6 - I am able to dowload the CRL of the WSUS certificate
7 - There is no time difference between Wsus server and DMZ's servers
But after all that when i run a 'wuauclt /detectnow' the DMZ's servers failed on the SelfUpdate check with error 0x80072F8F
anyone have a idea ?
WindowsUpdate.log :
WARNING: Send failed with hr = 80072f8f.
WARNING: SendRequest failed with hr = 80072f8f. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
WARNING: WinHttp: SendRequestUsingProxy failed for <https://WSUSserver:8531/selfupdate/wuident.cab>. error 0x80072f8f
WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072f8f
WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072f8f
WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072f8f
FATAL: SelfUpdate check failed, err = 0x80072F8F

Wsus server is a Wsus 3.0 SP1 on Windows 2003 (SSL enabled on port 8531)
The first step here is to either properly identify the actual version of WSUS in use, or to apply all of the required patches.
5 - I am able to download
https://wsusserver/selfupdate/wuident.cab and there is no certificate error
WARNING: WinHttp: SendRequestUsingProxy failed for <https://WSUSserver:8531/selfupdate/wuident.cab>. error 0x80072f8f
The second problem here is that SSL should *NOT* be used on the /selfupdate v-dir, so it seems that you have not properly configured the WSUS SSL implementation. Please refer to
Secure WSUS with the Secure Sockets Layer Protocol for the proper procedures.
Note also that there is a known issue with the April Update for Win8.1/WS2012R2 and WSUS SSL environments, so if you have Win8.1/WS2012R2 systems, since installing the update is fundamentally required, you should consider deferring the implementation of
SSL on WSUS until the patch for that issue is released.
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

Similar Messages

Workgroup and DMZ clients

Hello Folks,
We are having Some workgroup computers and DMZ servers to manage. We follwed the below procedure to install client agent in a Worgroup computer
1. Enabled WMI and Filesharing in client machine.
2. Copied client agent folder on Workgroup machine and manually installed Agent with command line arguments.
3. Then approved the client machine in console and the policies started flowing into client machine.
4. But we are unable to deploy application to this PC.
Below are the errors we are receiving in CCM log from Primary site server.
---> Attempting to connect to administrative share '\\<ComputerName>\admin$' using account 'Domain\NAA' SMS_CLIENT_CONFIG_MANAGER 12/02/2015 11:41:52 7464 (0x1D28)
---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account Domain\NAA (00000035) SMS_CLIENT_CONFIG_MANAGER 12/02/2015 11:41:52 7464 (0x1D28)
---> The device QVMTEST12 does not exist on the network. Giving up SMS_CLIENT_CONFIG_MANAGER 12/02/2015 11:41:52 7464 (0x1D28)
---> ERROR: Unable to access target machine for request: "2097152160", machine name: "QVMTEST12", access denied or invalid network path. SMS_CLIENT_CONFIG_MANAGER 12/02/2015 11:41:52 7464 (0x1D28)
Execute query exec [sp_CP_SetLastErrorCode] 2097152160, 53 SMS_CLIENT_CONFIG_MANAGER 12/02/2015 11:41:52 7464 (0x1D28)
Applications which we deploy is showing up in Software Center. But if we click Install the below error comes in:
Is there any other configuration which I need to do or enable for Workgroup computer support. Please help.
V I S H N U

Hi,
Please check the article for the ports used by SCCM.
https://technet.microsoft.com/en-us/library/hh427328.aspx
Best Regards,
Joyce
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Do Verizon's POP3 and SMTP servers support SSL?

The Mail account setup wizard on Mac OS X 10.6.2 successfully added my new verizon.net email account in a couple of easy steps. During the process, the wizard warned me that my password would be sent in the clear; I told it to continue.
After successfully sending and receiving test messages, I tried enabling SSL for the incoming and outgoing servers. At that point, both sending and receiving failed.
I read the minimalist Support description about email app setup -- no mention of ports or SSL.
Is SSL possible on Verizon's servers?
-- Ward
Solved!
Go to Solution.

Verizon's servers do not support SSL.
If a forum member gives an answer you like, give them the Kudos they deserve. If a member gives you the answer to your question, mark the answer as Accepted Solution so others can see the solution to the problem.
"All knowledge is worth having."

WSUS, DC and CA on same physical machine?

Hi!
Have been playing around with WSUS as we are about to deploy that here and I had time over so I thought that I should learn a bit on how it works, how it's setup and all that.
I have three physical machines to play with, all running WS2012R2. One is master, one runs a hyper-v and the last one I deployed as a DC, ADCS (Enterprise CA) and WSUS:
Februaryserver: Master DC
Marchserver: Hyper-V
Aprilserver: DC, ADCS and WSUS
At my last attempt I almost succeeded, but ended up with an error on the server that tried to use the WSUS Server and that was that a certificate chain was processed, but terminated in a root certificate which is not trusted by the trust provider (can post
logfile if needed).
I have now installed and uninstalled everything 3 times I think because I cant get this working and I started wondering about that maybe, just maybe, it's a bad idea to promote a single server to be a DC, ADCS and WSUS...?
My questions are these: is there any complete guide to how to setup WSUS using SSL - OR is there a guide to setup WSUS and NOT using SSL? Can't seem to find any appropriate information.
This is my first attempt at trying to understand the CS role, creating certificates and what a CA/CN/CS etc is. Its also my first attempt at trying to setup a WSUS, but I actually might give up and let some third party do this for us instead, time is running
out :(
I have read and followed the following guides:
http://technet.microsoft.com/en-us/library/hh852346.aspx
http://technet.microsoft.com/en-us/library/hh831574.aspx
http://social.technet.microsoft.com/wiki/contents/articles/12485.configure-ssltls-on-a-web-site-in-the-domain-with-an-enterprise-ca.aspx
At my first attempt I didnt pay attention to the guide which covers setting up the ADCS and the result was that the CN was incorrectly named. The second time I thought I got it right but apparently I hadn't. At my third attempt I was just playing around and
trying to setup the whole WSUS without using SSL as ALL our clients are located at the same physical location as our servers.
So... that's about it. Story of my week so far :)
Would really appreciate any help/guidance/support/tips/whatever that might help me out here.
Thanks in advance and have nice holiday everyone!

Ok, thanks for clearing that out. So, WSUS should not be installed on a DC. I suppose I should move both the DC and ADCS to one of the other servers and test again.
The problem with the certificate will most likely remain though. If I setup ADCS on, for example, my machine called februaryserver, the CN till be februaryserver and FQDN will be februaryserver.xxx.xxx.xx, right? Other than installing the certificate as
a trusted root certificate provider, is there anything else I need to do to get this to become a trusted certificate?
Thanks!

SCCM 2012 What Ports Do I need to open so DMZ servers can communicate with my SCCM Server?

Hi,
What ports do I need to open in the firewall so my DMZ servers can talk to my SCCM server on the network?
Here are my steps before to make my DMZ servers talk to my SCCM server:
1. On my SCCM 2012 SP1 CU2 I have bounderies installed --> I install SCCM Client on my DMZ server with the appropriate switches --> I go back to my SCCM server to approve the server --> Works
But now my DMZ servers stops getting definition updates from my SCCM server and I was suggested that it is much easier to open ports in DMZ.
Now, could you please tell me what ports should we open to ensure two way communication among servers?
Thanks!

Yes and no. It's a bit muddy at times.
For Internet based clients, putting an Internet-enabled MP in the DMZ is perfectly acceptable because Internet clients will only choose MPs enabled for Internet communication.
For systems in the DMZ, that's where it really gets muddy. There's no perfect way to accomplish this. IMO, DMZ clients should be allowed to go back to the MP/DP in the Intranet with a targeted opening in the DMZ firewall rules that allows them to only go
to the internal MP. That's a security policy question though for your organization.
Another option is to treat the clients in the DMZ as Internet only clients. This way, they will only go to the Internet MP in the DMZ. You do lose some functionality though like Remote Control.
A final way is to actually put an MP/DP in the DMZ and deal with the timeout's that happen when clients try to talk to the MP in the Intranet. Clients will try 5 times to contact that MP before giving up. They try to find a new MP at the following times
(which are not configurable):
- Every 25 hours
- WHen the client detects a network change
- When the client agent starts
Jason | http://blog.configmgrftw.com

Bridge JMS on SSL Mutual authenticathed Servers

Hi all,
 I'm facing a problem on bridging JMS message with WLS bridge on SSL Mutual authenticathed Servers
 I configured two WLS (8.1 SP6), say "ALICE" and "BOB", with SSL listen port and I enabled "Two Way Client Cert Behavior" with "Client Certs Requested and Enforced" for both servers.
 I configured a WLS bridge on ALICE with source destination on ALICE itself and target destination on BOB.
 When I start this bridge it cannot connect to BOB. I enabled SSL debug and I found that ALICE didn't send CLIENT certificate to BOB.
 Here is BOB's log:
 <22-mag-2008 14.56.10 CEST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
 <22-mag-2008 14.56.10 CEST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 32975481>
 <22-mag-2008 14.56.10 CEST> <Debug> <TLS> <000000> <SSLSocket will be Muxing>
 <22-mag-2008 14.56.10 CEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
 <22-mag-2008 14.56.10 CEST> <Debug> <TLS> <000000> <isMuxerActivated: false>
 <22-mag-2008 14.56.10 CEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <7192496 SSL Version 2 with no padding>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <21231495 SSL3/TLS MAC>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <21231495 received SSL_20_RECORD>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientHelloV2>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 58>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 566>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 260>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 4>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <isMuxerActivated: false>
 <22-mag-2008 14.56.12 CEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <21231495 SSL3/TLS MAC>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <21231495 received HANDSHAKE>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Certificate>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <validationCallback: validateErr = 0>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <Required peer certificates not supplied by peer>
 <22-mag-2008 14.56.13 CEST> <Warning> <Security> <BEA-090508> <Certificate chain received from localhost - 127.0.0.1 was incomplete.>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <Validation error = 4>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <Certificate chain is incomplete>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <User defined JSSE trustmanagers not allowed to override>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <SSLTrustValidator returns: 68>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
 <22-mag-2008 14.56.13 CEST> <Debug> <TLS> <000000> <NEW ALERT with Severity: FATAL, Type: 40
 and here is ALICE's log:
 <22-mag-2008 15.28.01 CEST> <Warning> <Connector> <BEA-190032> << Weblogic Messaging Bridge Adapter (XA)_eis/jms/WLSConnectionFactoryJNDIXA > ResourceAllocationException of javax.resource.ResourceException: ConnectionFactory: failed to get
 initial context (InitialContextFactory =weblogic.jndi.WLInitialContextFactory, url = t3s://localhost:7002, user name = jmsbob) on createManagedConnection.>
 <22-mag-2008 15.28.01 CEST> <Info> <MessagingBridge> <BEA-200043> <Bridge "AliceToBobMessagingBridge" failed to connect to the target destination and will try again in 25 seconds. (java.lang.Exception: javax.resource.ResourceException: Conn
 ectionFactory: failed to get initial context (InitialContextFactory =weblogic.jndi.WLInitialContextFactory, url = t3s://localhost:7002, user name = jmsbob)
 at weblogic.jms.adapter.JMSBaseConnection.throwResourceException(JMSBaseConnection.java:1386)
 at weblogic.jms.adapter.JMSBaseConnection.throwResourceException(JMSBaseConnection.java:1366)
 at weblogic.jms.adapter.JMSBaseConnection.startInternal(JMSBaseConnection.java:345)
 at weblogic.jms.adapter.JMSBaseConnection.start(JMSBaseConnection.java:219)
 at weblogic.jms.adapter.JMSManagedConnectionFactory.createManagedConnection(JMSManagedConnectionFactory.java:188)
 at weblogic.connector.common.internal.ConnectionFactory.createResource(ConnectionFactory.java:127)
 at weblogic.common.resourcepool.ResourcePoolImpl.makeResources(ResourcePoolImpl.java:1193)
 at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:345)
 at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:286)
 at weblogic.connector.common.internal.ConnectionPool.reserveResource(ConnectionPool.java:567)
 at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:280)
 at weblogic.connector.common.internal.ConnectionPoolManager.getConnection(ConnectionPoolManager.java:650)
 at weblogic.connector.common.internal.ConnectionManagerImpl.allocateConnection(ConnectionManagerImpl.java:106)
 at weblogic.jms.adapter.JMSBaseConnectionFactory.getTargetConnection(JMSBaseConnectionFactory.java:120)
 at weblogic.jms.bridge.internal.MessagingBridge.getConnections(MessagingBridge.java:809)
 at weblogic.jms.bridge.internal.MessagingBridge.execute(MessagingBridge.java:991)
 at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
 at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
 -------------- Linked Exception ------------
 javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://localhost:7002: Destination unreachable; nested exception is:
 javax.net.ssl.SSLHandshakeException: [Security:090497]HANDSHAKE_FAILURE alert received from localhost - 127.0.0.1. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted C
 As, and hostname verification settings.; No available router to destination]
 at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:47)
 at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:651)
 at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:320)
 at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:253)
 at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:135)
 at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
 at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
 at javax.naming.InitialContext.init(InitialContext.java:219)
 at javax.naming.InitialContext.<init>(InitialContext.java:195)
 at weblogic.jms.adapter.JMSBaseConnection.getInitialContext(JMSBaseConnection.java:1967)
 at weblogic.jms.adapter.JMSBaseConnection.startInternal(JMSBaseConnection.java:233)
 at weblogic.jms.adapter.JMSBaseConnection.start(JMSBaseConnection.java:219)
 at weblogic.jms.adapter.JMSManagedConnectionFactory.createManagedConnection(JMSManagedConnectionFactory.java:188)
 at weblogic.connector.common.internal.ConnectionFactory.createResource(ConnectionFactory.java:127)
 at weblogic.common.resourcepool.ResourcePoolImpl.makeResources(ResourcePoolImpl.java:1193)
 at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:345)
 at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:286)
 at weblogic.connector.common.internal.ConnectionPool.reserveResource(ConnectionPool.java:567)
 at weblogic.common.resourcepool.ResourcePoolImpl.reserveResource(ResourcePoolImpl.java:280)
 at weblogic.connector.common.internal.ConnectionPoolManager.getConnection(ConnectionPoolManager.java:650)
 at weblogic.connector.common.internal.ConnectionManagerImpl.allocateConnection(ConnectionManagerImpl.java:106)
 at weblogic.jms.adapter.JMSBaseConnectionFactory.getTargetConnection(JMSBaseConnectionFactory.java:120)
 at weblogic.jms.bridge.internal.MessagingBridge.getConnections(MessagingBridge.java:809)
 at weblogic.jms.bridge.internal.MessagingBridge.execute(MessagingBridge.java:991)
 at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
 at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
 Caused by: java.net.ConnectException: t3s://localhost:7002: Destination unreachable; nested exception is:
 javax.net.ssl.SSLHandshakeException: [Security:090497]HANDSHAKE_FAILURE alert received from localhost - 127.0.0.1. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted C
 As, and hostname verification settings.; No available router to destination
 at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:200)
 at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:125)
 at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:310)
 ... 23 more
 )>
 <22-mag-2008 15.28.09 CEST> <Info> <MessagingBridge> <BEA-200036> <The Started attribute of Bridge "AliceToBobMessagingBridge" has been changed from "true" to "false".>
 What I need to do to avoid this problem?
 Nathan65

I checked my configuration. ALICE's keystores are
 IDENTITY
 Tipo keystore: jks
 Provider keystore: SUN
 Il keystore contiene 2 entry
 Nome alias: certgenca
 Data di creazione: 21-mag-2008
 Tipo entry: trustedCertEntry
 Proprietario: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
 Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
 Numero di serie: 234b5559d1fa0f3ff5c82bdfed032a87
 Valido da Thu Oct 24 17:54:45 CEST 2002 a Tue Oct 25 17:54:45 CEST 2022
 Impronte digitali certificato:
 MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
 SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59
 Nome alias: alicecert
 Data di creazione: 21-mag-2008
 Tipo entry: keyEntry
 Lunghezza catena certificati: 1
 Certificato[1]:
 Proprietario: [email protected], OU=CompetenceCenter, O=ValueTeam, L=Rome, ST=IT, C=IT
 Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
 Numero di serie: -1dbb65eaa595141fa1e44ba5856d65e4
 Valido da Tue May 20 09:39:25 CEST 2008 a Sun May 21 09:39:25 CEST 2023
 Impronte digitali certificato:
 MD5: BA:01:C2:E3:CC:92:C4:99:F7:8C:28:FF:C1:16:88:D9
 SHA1: C0:D8:E8:B6:C2:62:03:90:3F:23:3C:FA:A8:C8:0A:00:FA:96:5A:4E
 TRUST
 Tipo keystore: jks
 Provider keystore: SUN
 Il keystore contiene 1 entry
 Nome alias: certgenca
 Data di creazione: 21-mag-2008
 Tipo entry: trustedCertEntry
 Proprietario: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
 Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
 Numero di serie: 234b5559d1fa0f3ff5c82bdfed032a87
 Valido da Thu Oct 24 17:54:45 CEST 2002 a Tue Oct 25 17:54:45 CEST 2022
 Impronte digitali certificato:
 MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
 SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59
 BOB's keystores are:
 IDENTITY
 Tipo keystore: jks
 Provider keystore: SUN
 Il keystore contiene 2 entry
 Nome alias: certgenca
 Data di creazione: 21-mag-2008
 Tipo entry: trustedCertEntry
 Proprietario: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
 Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
 Numero di serie: 234b5559d1fa0f3ff5c82bdfed032a87
 Valido da Thu Oct 24 17:54:45 CEST 2002 a Tue Oct 25 17:54:45 CEST 2022
 Impronte digitali certificato:
 MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
 SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59
 Nome alias: bobcert
 Data di creazione: 21-mag-2008
 Tipo entry: keyEntry
 Lunghezza catena certificati: 1
 Certificato[1]:
 Proprietario: [email protected], OU=CompetenceCenter, O=ValueTeam, L=Rome, ST=IT, C=IT
 Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
 Numero di serie: 26ccb8983c1cd0dc2eb6b0c7019eddb2
 Valido da Tue May 20 09:53:38 CEST 2008 a Sun May 21 09:53:38 CEST 2023
 Impronte digitali certificato:
 MD5: 6C:B3:9D:02:6E:CD:F4:04:C2:76:F2:92:97:39:66:7E
 SHA1: D1:07:5A:64:79:2F:FE:35:4D:D4:FD:7E:42:FC:D3:9C:68:6B:EE:B8
 TRUST (same as ALICE's TRUST)
 Tipo keystore: jks
 Provider keystore: SUN
 Il keystore contiene 1 entry
 Nome alias: certgenca
 Data di creazione: 21-mag-2008
 Tipo entry: trustedCertEntry
 Proprietario: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
 Organismo di emissione: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
 Numero di serie: 234b5559d1fa0f3ff5c82bdfed032a87
 Valido da Thu Oct 24 17:54:45 CEST 2002 a Tue Oct 25 17:54:45 CEST 2022
 Impronte digitali certificato:
 MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
 SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59
 Here is a FRAGMENT of ALICE's "config.xml" (I use custom identity and custom trust)
 <Server
 CustomIdentityKeyStoreFileName="C:\bea\wlp81sp6\user_projects\domains\ALICE\CERTIFICATI\alice.jks"
 CustomIdentityKeyStorePassPhraseEncrypted="{3DES}/q7+XXkrvz0zncx18PjDug=="
 CustomIdentityKeyStoreType="JKS"
 CustomTrustKeyStoreFileName="C:\bea\wlp81sp6\user_projects\domains\ALICE\CERTIFICATI\certgenca.jks"
 CustomTrustKeyStorePassPhraseEncrypted="{3DES}/q7+XXkrvz0zncx18PjDug=="
 CustomTrustKeyStoreType="JKS" ExpectedToRun="false"
 JavaStandardTrustKeyStorePassPhraseEncrypted="{3DES}CVtHlHaDky1XKC1QZVz2Kw=="
 KeyStores="CustomIdentityAndCustomTrust" ListenAddress=""
 ListenPort="7011" Name="alice" NativeIOEnabled="true"
 ReliableDeliveryPolicy="RMDefaultPolicy" ServerVersion="8.1.6.0"
 StdoutDebugEnabled="true" StdoutSeverityLevel="64">
 <SSL ClientCertificateEnforced="true" Enabled="true"
 HostnameVerificationIgnored="true"
 IdentityAndTrustLocations="KeyStores" ListenPort="7012"
 Name="alice" ServerPrivateKeyAlias="alicecert"
 ServerPrivateKeyPassPhraseEncrypted="{3DES}/q7+XXkrvz0zncx18PjDug==" TwoWaySSLEnabled="true"/>
 <Log FileCount="2" FileMinSize="5000" Name="alice" NumberOfFilesLimited="true"/>
 </Server>
 and also here is a fragment of BOB's "config.xml" (same of ALICE's keystores configuration)
 <Server
 CustomIdentityKeyStoreFileName="C:\bea\wlp81sp6\user_projects\domains\BOB\CERTIFICATI\bob.jks"
 CustomIdentityKeyStorePassPhraseEncrypted="{3DES}PJMoAH+j5jeVWzQfY8Gf2w=="
 CustomIdentityKeyStoreType="JKS"
 CustomTrustKeyStoreFileName="C:\bea\wlp81sp6\user_projects\domains\BOB\CERTIFICATI\certgenca.jks"
 CustomTrustKeyStorePassPhraseEncrypted="{3DES}PJMoAH+j5jeVWzQfY8Gf2w=="
 CustomTrustKeyStoreType="JKS" ExpectedToRun="false"
 JavaStandardTrustKeyStorePassPhraseEncrypted="{3DES}TXgi1bpazzUgtLpwMy9q9Q=="
 KeyStores="CustomIdentityAndCustomTrust" ListenAddress=""
 ListenPort="7001" Name="bob" NativeIOEnabled="true"
 ReliableDeliveryPolicy="RMDefaultPolicy" ServerVersion="8.1.6.0"
 StdoutDebugEnabled="true" StdoutSeverityLevel="64">
 <SSL ClientCertificateEnforced="true" Enabled="true"
 HostnameVerificationIgnored="true"
 IdentityAndTrustLocations="KeyStores" ListenPort="7002"
 Name="bob" ServerPrivateKeyAlias="bobcert"
 ServerPrivateKeyPassPhraseEncrypted="{3DES}PJMoAH+j5jeVWzQfY8Gf2w==" TwoWaySSLEnabled="true"/>
 <Log FileCount="2" FileMinSize="5000" Name="bob" NumberOfFilesLimited="true"/>
 </Server>
 PS: I used a JNDI Client to access to BOB configured with ALICE's keystores and I got a success.
 Nat.

Disconnect WSUS server and Process of Approving Updates via Metadata.

Hi Folks:
I have recently setup 2 WSUS servers. The first one has connectivity to the Internet and of course has access to Microsoft updates. The second WSUS server is part of a disconnected network. Both WSUS servers are supporting client workstations
of various operating system versions. The connected WSUS server is fairly easy, from a management viewpoint. I simply check to see what updates are "Needed" and I approve them for download. However, the disconnected WSUS server
is the one that I need some advice on. I want to have a fairly simply procedure for the disconnected WSUS server, but here is the procedure that I think would work:
Transfer metadata and updates via disc from the connected WSUS server to the disconnected WSUS server (using documented export/import procedure).
Check to see what is "Needed" updates on the disconnected WSUS server, once the WSUS server has had a chance to absorb all the imported metadata and updates. This means that the disconnected WSUS server has determined from it's supported
client workstations, what updates are required.
Generate a list of those "Needed" updates in some form, so that I can now approve those updates on the CONNECTED WSUS server for download.
Once those updates have been downloaded to the connected WSUS server, transfer the updates and metadata again to the disconnected WSUS server. Approve those updates, so that they can now be sent out to the client workstations on the disconnected
network.
If that is my procedure (can someone like Lawrence Garvin), please let me know, if that sounds correct. I'm concerned about the double export/import of the metadata and updates.
Also, I'm wondering if it would be better to have separate connected WSUS server for supporting the disconnected WSUS to keep things straight.
For example:
One connected WSUS servers supporting the set of client workstations, that are on the connect WSUS server's network.
One disconnected WSUS server supporting the set of client workstations that are on the disconnected WSUS server's network.
One more connected WSUS server, that would be used to download and transfer metadata and updates to the disconnect WSUS server. The advantage in keeping this separate, is that you would never confuse approved updates between the connected network
client workstations and the disconnected network client workstations. Especially, if they have different versions of software, that require updating.
Any input would be appreciated.

You will likely also want to configure your WSUS server to "Download express installation files." under the "Update Files and Languages," setting on your options.
I will unequivocally disagree with this statement, for several reasons:
First, there's nothing that needs to be deployed that would use Express Installation Files anyway. Express Installation Files were designed to facilitate the deployment of Very Large Updates (read: SERVICE PACKS) across slow-speed links by significantly
reducing the size of the binary that must be downloaded by the CLIENT. There are NO service packs in the catalog that won't already be installed on any client system.
Second, in exchange for that ability of clients to download less, it significantly increased the size of the binary that must be downloaded by the SERVER from Microsoft. Express Installation Files will cause hundreds of gigabytes of extra binaries to be
downloaded, which will need to be transferred to the disconnected server. None of which will actually ever be used.
Third, most disconnected networks do not include WAN links, so the primary purpose of Express Installation File is contra-indicated by the very scenario being discussed.
Otherwise by default you might get just an installer downloaded onto the WSUS server and clients might still need internet access to download the actual package contents.
It would seem that you do not correctly understand Express Installation Files.
There is an in-depth explanation of Express Installation Files in the WSUS Deployment Guide. For additional information see
https://technet.microsoft.com/en-us/library/dd939908(v=ws.10).aspx#express
I also would not recommend a internet facing WSUS server just to provide updates to the disconnected WSUS server as that will also need to download a full copy of the content to that server when it is likely already downloaded onto your internet
/ production WSUS server anyway.
Seemingly you are also not actually familiar with the documented guidance for how to manage disconnected networks. An Internet-facing (connected) WSUS server is *exactly* how this is done.
You may also find this part of the Deployment Guide to be useful reading:
Configure a Disconnected Network to Receive Updates
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

Wsus query needed - get WSUS-Computers, belonging WSUS-Group and Not Installed Count

Hi,
i try to find a way by using basic WSUS powershell cmds in combination with piping in Server 2012 R2 to get all registered computers in WSUS plus belonging WSUS-Group and Update "Not Installed Count" as output.
Is that possible?
I tried multiple times and enden up in using posh - is there no way based on standard powershell commandlets.
Thank you
Peter

Hi Michael,
it seems that you are right :(. I tried out a few things with powershell (source
http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/19/use-powershell-to-find-missing-updates-on-wsus-client-computers.aspx) - big problem is that i actually cant get belonging WSUS Group to Server object. I only are able to get all WSUS Groups
but cant find the right sytax to get only belonging ones.
Any ideas?
Thanks
Peter
#Load assemblies
[void][system.reflection.assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
#Create Scope objects
$computerscope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$updatescope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
#Gather only servers
$ServersId = @($wsus.GetComputerTargets($computerscope) | Where {
$_.OSDescription -like "*Server*"
} | Select -expand Id)
#Get Update Summary
$wsus.GetSummariesPerComputerTarget($updatescope,$computerscope) | Where {
#Filter out non servers
$ServersId -Contains $_.ComputerTargetID
} | ForEach {
New-Object PSObject -Property @{
ComputerTarget = ($wsus.GetComputerTarget([guid]$_.ComputerTargetId)).FullDomainName
ComputerTargetGroupIDs = ($wsus.GetComputerTarget([guid]$_.ComputerTargetId)).ComputerTargetGroupIds
ComputerTargetGroupNames = ($wsus.GetComputerTargetGroups())
NeededCount = ($_.DownloadedCount + $_.NotInstalledCount)
#DownloadedCount = $_.DownloadedCount
NotInstalledCount = $_.NotInstalledCount
#InstalledCount = $_.InstalledCount

Command for STOPPING admin and managed servers

I am writing a script for our application, which apart from building and
deploying application, also needs to stop and start both admin and managed
servers. Is there any command available for properly stopping the weblogic
servers? ( something that "initiates the shutdown")
Thanks

Scott, could you try specifying the protocol: t3 in the url of the
servers.
eg) java weblogic.Admin -url t3://172.17.13.46:7013 -username system
-password
xxx SHUTDOWN
-mihir
Scott Jones wrote:
I have a script that shutsdown all my servers java weblogic.Admin -url
neo.conway.acxiom.com:$S4_ONLINE_PORT SHUTDOWN -username system
-password $S4_WLS_ADMIN_PW
java weblogic.Admin -url neo.conway.acxiom.com:$S4_S4MT_PORT SHUTDOWN
-username system -password $S4_WLS_ADMIN_PW
java weblogic.Admin -url neo.conway.acxiom.com:$S4_WLS_ADMIN_PORT
SHUTDOWN -username system -password $S4_WLS_ADMIN_PWThe first two
lines shut down my managed server. The last shuts down my admin
server. Scott [email protected]
"Mihir Kulkarni" <[email protected]> wrote in
message news:[email protected] here -
Solaris 2.7 with WLS 60 sp1.
I am not facing any problems, though!
Fyi, my managed-server is not in a cluster.
JD wrote:
I am running on Solaris 2.7 using WL6.0sp1.
Mihir Kulkarni <[email protected]> wrote:
<!doctype html public "-//w3c//dtd html 4.0transitional//en">
<html>
Hi,
 Could you please specify on which platform are youfacing this problem.Also,
which sp of the WLS 60 are you using ?
I tried the weblogic.Admin SHUTDOWN command on NT andSolaris and
it
runs correctly on both. These are the results:
on NT:
 on the client:
 java weblogic.Admin -url t3://172.17.13.46:7013-username system
-password
xxx SHUTDOWN
 Shutdown initiated
 The shutdown sequence has been initiated.
on the Managed server:
 <Jun 13, 2001 11:45:49 AM PDT> <Alert><WebLogicServer>
<The
disabling of server
 logins has been requested by system>
 <Jun 13, 2001 11:45:49 AM PDT> <Alert><WebLogicServer>
<Server
logins have been
 disabled.>
 <Jun 13, 2001 11:45:49 AM PDT> <Alert><WebLogicServer>
<Server
shutdown has bee
 n requested by system>
 <Jun 13, 2001 11:45:49 AM PDT> <Alert><WebLogicServer>
<The
shutdown sequence h
 as been initiated.>
 <Jun 13, 2001 11:45:49 AM PDT> <Info><WebLogicServer> <Server
shutdown is comme
 ncing NOW and is irreversible.>
 <Jun 13, 2001 11:45:49 AM PDT> <Info> <HTTP> <[HTTPstandAloneServer]
Destroying
 servlets in default servlet context>
 <Jun 13, 2001 11:45:49 AM PDT> <Info> <JMS><Undeployed
4 default connection fac
 tories.>
 <Jun 13, 2001 11:45:49 AM PDT> <Info> <JMS> <JMSshutdown
is complete.>
 <Jun 13, 2001 11:45:49 AM PDT> <Info><WebLogicServer> <Removing
"ClientContext
 - id: '#|standAloneServer|1.992457846784', bound:'false', dead:
'false'"
becaus
 e of hard disconnect timeout.>
 <Jun 13, 2001 11:45:50 AM PDT> <Info><WebLogicServer> <Requesting
all threads t
 o perform their own shutdown.>
 <Jun 13, 2001 11:45:50 AM PDT> <Info><WebLogicServer> <Shutting
down Thread[SSL
 ListenThread,5,WebLogicServer]>
 <Jun 13, 2001 11:45:50 AM PDT> <Info><WebLogicServer> <Waiting
20 seconds for t
 hreads to complete shutdown.>
 <Jun 13, 2001 11:45:50 AM PDT> <Info><WebLogicServer> <Shutting
down Thread[Lis
 tenThread,5,WebLogicServer]>
 <Jun 13, 2001 11:46:10 AM PDT> <Info><WebLogicServer> <Stopping
execute threads
 .>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '0' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '1' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '2' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '3' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '4' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '5' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '6' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '7' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '8' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '9' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '10' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '11' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '12' for queue: 'default'' stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '0' for queue: '__weblogic_admin_html_queue''stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '1' for queue: '__weblogic_admin_html_queue''stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '0' for queue: '__weblogic_admin_rmi_queue''stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Critical> <Kernel><Execute
Thread: 'ExecuteThre
 ad: '1' for queue: '__weblogic_admin_rmi_queue''stopped.>
 <Jun 13, 2001 11:46:10 AM PDT> <Info><WebLogicServer> <Shutdown
has completed.>
on Solaris platform:
 on client:
 java weblogic.Admin -url t3://willard.beasys.com:7003-username system
-xxx mihirk00 SHUTDOWN
 Shutdown initiated
 The shutdown sequence has been initiated.
on the Managed server:
 <Jun 13, 2001 11:52:26 AM PDT> <Alert><WebLogicServer>
<Server
shutdown has been requested by system>
 <Jun 13, 2001 11:52:26 AM PDT> <Alert><WebLogicServer>
<The
shutdown sequence has been initiated.>
 <Jun 13, 2001 11:52:26 AM PDT> <Emergency><WebLogicServer>
<ListenThread.run() failed: java.lang.ThreadDeath>
 <Jun 13, 2001 11:52:27 AM PDT> <Emergency><WebLogicServer>
<The WebLogic Server is no longer listening forconnections. You should
probably restart it.>
 <Jun 13, 2001 11:52:27 AM PDT> <Alert><WebLogicServer>
<Server
shutdown has been requested by system>
 <Jun 13, 2001 11:52:27 AM PDT> <Alert><WebLogicServer>
<The
shutdown sequence has been initiated.>
So, it works fine for me.
 Please let me know if I am missing something.
cheers,
 Mihir
 
Scott Simpson wrote:
<blockquote TYPE=CITE>"JD" <[email protected]> wrote
in message
 <a
href="news:[email protected]">news:[email protected]</a>...
 > I ran this problem past BEA support and as usualthey can not duplicate
 the problem.
They can't duplicate the problem! Everybody on thisnewsgroup has
the
same
 problem. How can they not duplicate it?!</blockquote>
</html>
[att1.html]

Automating start / restart of WebLogic Admin and managed servers on MS Windows

Hi All,
Please help me to do the automation of start and stop scrip of Oracle Weblogic 10.3.6 and Forms and Reports 11.1.2.2.0(Managed Servers) On Windows server 2008.
Here are two options for automating start / stop of WebLogic Admin and managed servers on MS Windows. Please suggesst which one is standrad procedure.
Use NodeManager (installed as a MS Windows Service)
or
Create Windows Service(s) for the server(s) - no NodeManager
Following Document : 1060058.1
Please suggest me the best practice. Many thanks in advance.
Kind Regards,
Mohan

Hi Borys,
Thank you for quick reply...
If we use the first option "Create Windows Service(s) for the server(s) - no NodeManager" then we will be facing issue Like "Admin Server or Managed Server may go into an unhealthy or failed state but the JVM is still running"
In the document : 1060058.1 : Mentioned as Important Note: The second option has a limitations.
Limitaion is below when we use first option : "Create Windows Service(s) for the server(s) - no NodeManager" -
Windows Services Manager only monitors the JVM process. If the JVM process fails (shuts down), then Windows Services Manager will attempt to restart it. But there are some scenarios where the Admin Server or Managed Server may go into an unhealthy or failed state but the JVM is still running. The Windows Service will not know to restart the process in these cases. If a server is started using NodeManager, NodeManager would recognize such a state and restart the process accordingly. Furthermore, if you start up managed servers via a MS Windows Service, you cannot monitor and/ or stop the managed server via the Weblogic Admin Console and/or Fusion Middleware ( Enterprise Manager ) Control.
I have implemented the second option "Use NodeManager starting admin and manged servers via WLST script" - Python script. Its working well without issue...No Limitation...
Script Contains Below :
print "================== Start scripts of Managed servers and Admin server ======================"
nmConnect(userConfigFile='D:/myFiles/myuserconfigfile.secure',userKeyFile='D:/myFiles/myuserkeyfile.secure',host='00.0.00.00',port='5556',domainName='ClassicDomain',domainDir='D:\Oracle\Middleware\user_projects\domains\ClassicDomain',nmType='ssl')
print "================== Adminserver Starting ================================================"
nmStart('AdminServer')
connect('weblogic','Password1','10.4.93.117:7001')
print "================== MANAGED SERVER (FROMS) Starting ====================================="
start('WLS_FORMS','Server')
print "================== MANAGED SERVER (REPORTS) Starting ==================================="
start('WLS_REPORTS','Server')
exit()
HOPE WE WILL MEET AGAIN AND AGAIN...
Many thanks for your comments!
Kind Regards,
Mohan

Delete or disable ssl and https on exchange web url

Hi,
I disable by clear check box on Default Web Site --> SSL Settiings --> Require SSL
and also inseret my domain name example: http://mail.myexchange.com/owa in Exchange admin center Console --> Servers --> Virtual Directory --> owa
and also i change <add key="UseHttpsForWacUrl" value="true" /> to <add key="UseHttpsForWacUrl" value="false" /> in C:\Program Files\Microsoft\Exchange
Server\V15\ClientAccess\Owa\web
But, after this steps for removing https on my url i can use it. and after loggin in https mode i can delete https on my url manually but did't work good and i get this error when i want see my email body "Error: Your
request can't be completed right now. Please try again later."

Hi S.Ali,
Have you restarted IIS after changing all the settings?
If not, please try to restart iis and check again.
Best regards,
Niko Cheng
TechNet Community Support

How to configure SCCM 2007 to deliver apps to DMZ servers

I'm needing some clarification and assistance here. I'm providing some background as well. This is my first foray in to this process, so the simpler and more thorough the explanations are, the better it will be for me.
We're running Config. Mgr. 2007 in Mixed Mode (can't go Native at this point) in our corporate domain. We also have 20 servers in our DMZ. Some are in workgroups. The rest are members of one
of three AD Domains in the DMZ. There is no trusted relationship with our internal corporate domain or between the domains in the DMZ. I want to use SCCM to distribute a limited number of applications to all the DMZ servers, automating the process
like we are currently doing, inside our firewall.
Here's the limited understanding I have from reviewing other posts, along with additional questions. Please feel free to correct any misconceptions and also fill in the blanks.
I'f I get the process correctly, the client is manually installed on DMZ servers. They will communicate over port 80 (HTTP). A SLP is required, which can be set up as part of the client command-line
installation. Alternatively we can set up a secondary site in the DMZ which will communicate over port 1433 to our internal network.
The questions I have are these. What box does the SLP have to be defined on if we not using a secondary site? Also, is it a component of the client installation that is enabled on one server in the DMZ, or is it inside the firewall? How
are DMZ servers directed to it?
If we use a secondary site in the DMZ, how does that affect our overall configuration? Currently we're using a single SCCM server, no children.
Thanks in advance for your assistance and information
Thanks, Dino

Here's a good guide to get you started :
http://blog.coretech.dk/wp-content/uploads/The-complete-guide-to-System-Center-Updates-Publisher-2011-V1.01.pdf
Benoit Lecours | Blog: System Center Dudes

Exchange 2010, UCC SSL, and the "new" CA/BROWSER Forum not issuing for .local

I don't know how many people have run into this yet, but the CA/BROSWER Forum, the "standards" authority for SSL issuing, has mandated that CA's can no longer issue a certificate using a FQDN "intranet" name for new or renewal SSL certificates effective
Nov 1, 2012. i.e. the Microsoft standard of mydomain.local will no longer be accepted as a SAN on a UCC for Exchange 2010. I've looked thru the KBs and Social forums, but haven't really found any guidance on how to solve this. I'm presuming
that the certs will have to be split and the "external" domain name of server.mydomain.net will just become a single server SSL, and the internal name of server.mydomain.local will become a Self-Signed certificate. With the increasing prevalence of OA
and ActiveSync devices, is there any baseline guidance yet on how to make this happen without completely fouling up production servers and killing access to the user community?

On the same topic, though likely different environment...
Against recommended deployment, I have a number of clients running all their services on one box. Windows Server 2008, Active Directoy, DNS, Exchange 2010 ...and so on. These servers all have .local addresses, which means of course that the SAN
certificates have .local addresses as one of the SANs.
I've read alot online about this issue, and am trying to find the most cost effective solution to switch numerous production servers running this configuration.
The best solution I've come up with so far is...
1. Virtual AD with new external domain, 2. Migrate Exchange CAS to this domain, 3. Reconfigure network through the box.
Obviously these steps will contain alot more details, but this is just the outline atm. At best, I see me having to take a second box with me to each location to perform these steps, and I can't see it happening without disruption to the work flow
of employees.
Thankfully, all of these businesses are relatively smal...under 25 employees. Still, I'd like to find the smoothest transition solution possible.
Any suggestions would be greatly appreciated!
Regards

WSUS - Check and Download

Hey all,
I want to know how to force a system to grab updates directly from a WSUS server, not just check for updates and grab them from the internet based Windows Servers...
I know all about the Group Policy to set to look for update from an intranet zone... I have set this up on the local Policy of the servers since they are do not have any updates policy's retrieved from our domain policy.
These servers sit behind a TMG firewall (can be so frustrating at times) and even though I manually specify the IP of our internal WSUS server and have allowed port 8530 TCP through the TMG, when checking the logs I can see the traffic going through the
TMG and success to our WSUS... but then to download the updates I constantly see calls out to public IP addresses. These servers are not allowed connection directly to the internet.
From my research on the technet note on WSUS says that when you sepcify the WSUS server via that group policy its suppose to check AND DOWNLOAD from that specified server...
Did I read something wrong or what am I missing here?

Found some more info on it, thanks to another technet question answered by Lawrence.
reviewing this, it would appear in my case WSUS was setup with the described setup above (Get approval from WSUS, but is downloading from the internet based Windows Update
servers.
I'll be checking up on the WSUS configuration to get it to store updates locally and save on internet bandwidth..
Here's the link for others who are wondering the same thing.
http://technet.microsoft.com/en-us/library/dd939920%28WS.10%29.aspx
Thanks me!

Move and redeploy application- and web-servers for Planing?

Hi, all!
Have Hyperion Planing ability to move application- and web-servers from unix-machine to another win-machine and after redeploy existing unix-installed planing on it?

They are actually for for 2 different things. The Sun WAS is for enterprise applications, EJBs and the like.
Tomcat is for simpler Servlet/JSP hosting.
The Sun WAS actually uses the Tomcat server as its Servlet/JSP engine then adds EJBs on top.

WSUS - SSL and DMZ servers - 0x80072f8f

Similar Messages

Maybe you are looking for