
I need to set up WSUS updates for client computers. I know that the WSUS server uses port 8530 by default, and this port should be opened on the WSUS server side, but which port should be opened on the client side?

Best Regards

WS-2kx
  • Are the server and clients both within the same LAN? I am surprised you have such stringent (software?) firewalling in place that you need to worry about ports between these machines in the first place. – Tedwin Jun 19 '16 at 16:54

6 Answers


The clients always initiate the connection. Therefore, they do not need to accept any incoming connections. They just need to open a connection to WSUS. Think of it like downloading files from the internet using a web browser. You don't need to open any ports on your own computer to do that. You just need to be able to browse the web. WSUS works the same way.

Charles Burge

As I wanted to know this myself, I just tried it on two different clients (Windows 7 and Server 2012 R2).

The port used by the WSUS-clients is randomly mapped above the well-known ports. (In my case they were 64535 and 50890):

Transmission Control Protocol, Src Port: 50890 (50890), Dst Port: 8530 (8530), Seq: 293532, Ack: 20672, Len: 0

So it's the only way to allow the client's update-service through your firewall.

Lenniey

You don't have to open a port on the client because WSUS is a web service! The client connects to the WSUS and downloads the catalog, reports what updates it needs and downloads the patches...

You can configure the clients with GPOs in a domain environment, or with registry keys.

Andrew Schulman
Robert R.
  • Well, if you close *all* ports on your client for whatever "security reason", they won't be able to connect to WSUS – Lenniey Jun 23 '15 at 11:54
  • Windows Firewall's default behavior is that all outgoing connections are allowed and all incoming connections are dropped. Responses for established connections are allowed as well. So you don't need to open ports for incoming connections. – Robert R. Jul 02 '15 at 15:36
  • Yeah, but like I said. You could alter the default configuration of the firewall to disallow *everything*. – Lenniey Jul 06 '15 at 07:47

If you have any additionally applied restrictions for outbound traffic on your workstations, you would need to ensure that you allow them access to the WSUS IP and port - in your case 8530 - from any port over TCP. Other than that, nothing else should be required.

Stoinov
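Following on from Robert R.'s comment about the default outbound behaviour and Stoinov's point about outbound restrictions, the PowerShell below is an added example (not code from any answer on this page). It first checks whether any enabled firewall profile on the client blocks outbound traffic by default; only if one does, it creates a single allow rule pinned to the WSUS address and ports, leaving the local port as Any because the client chooses an ephemeral source port at connect time (the 50890 / 64535 seen in the capture above). The address 192.0.2.10 is a placeholder, and the script must run elevated on the client.

```powershell
# Added example: is a client-side outbound rule needed, and if so, how narrow can it be?
# Assumptions: $WsusAddress is a placeholder (RFC 5737 documentation range); run as Administrator.

[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$WsusAddress = '192.0.2.10',   # placeholder for the real WSUS server IP
    [int[]]$WsusPorts    = @(8530, 8531)   # WSUS HTTP and HTTPS ports
)

# 1. Inspect the default outbound action of every firewall profile. With the stock
#    configuration (outbound Allow) the client needs no rule at all.
$profiles = Get-NetFirewallProfile
$profiles | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

$outboundBlocked = $profiles | Where-Object { $_.Enabled -and $_.DefaultOutboundAction -eq 'Block' }
if (-not $outboundBlocked) {
    Write-Host 'Outbound traffic is allowed by default; no client-side rule is required.'
    return
}

# 2. At least one profile blocks outbound by default: add one narrowly scoped allow rule.
#    Remote address and remote port are pinned; the local port stays Any because the
#    client picks its source port when it opens the connection.
$ruleName = 'Allow outbound to WSUS (8530/8531)'
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Write-Host "Rule '$ruleName' already exists."
} elseif ($PSCmdlet.ShouldProcess($ruleName, 'Create outbound firewall rule')) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Allow -Profile Domain, Private `
        -Protocol TCP -RemoteAddress $WsusAddress -RemotePort $WsusPorts -LocalPort Any |
        Out-Null
}

# 3. Show the resulting rule with its address and port filters so the scope can be reviewed.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Addresses = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        Ports     = ($_ | Get-NetFirewallPortFilter).RemotePort -join ','
    }
}
```

Run it with `-WhatIf` first to see whether a rule would be created without changing anything. Keeping the rule's remote side pinned to one address and two ports is the point: an outbound allow for "any address, any port" would satisfy WSUS just as well but would also undo the reason the outbound default was set to Block.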

Some firewalls, especially "enterprise-class" products don't automatically perform stateful-inspection so the server replies never get back to the client and you see time-out errors in the logs (for example c:\windows\windowsupdate.log).

Most home routers are stateful-inspection type so it's easy for admins to forget about this issue. Normally in TCP/IP traffic when a client connects to a server it also includes in the IP header the reply port that the client listens on for the server to connect back to. This is part of the IANA/RFC specification that was adopted since Windows Server 2008 and Vista.

Administrators might create a rule that allows clients to connect to the WSUS server on TCP 80, 443, 8530, 8531 but the server is unable to connect back to the client because the firewall product didn't automatically read that information from the initial client to server contact. WSUS normally uses 3 of these ephemeral ports to connect back to the client computer.

The IANA/RFC specifies ephemeral ports TCP 49152 through 65535 open for WSUS to be able to connect back to the Windows clients from Win 2008 and Vista onwards, so you need to create an additional firewall rule opening that port range from the WSUS server to the client subnet object.

gWaldo

Unless someone has blocked outbound/destination ports (specifically 8530), your clients should not have any problems checking for updates from your WSUS server. You may inadvertently be blocking the client connections on the WSUS server itself. Even if by default port 8530 is open, I would verify by testing the WSUS server for port 8530. You can use PuTTY or another telnet emulator to connect via telnet; just change the telnet port to 8530. If the connection is successful and clients are still unable to connect to and get updates from WSUS, then you have other problems. Give this link a try: WSUS Troubleshooting.

veel84
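Two of the answers above leave the practical steps implicit: Robert R. mentions that clients are pointed at WSUS through GPOs or registry keys, and veel84 suggests testing port 8530 on the server with a telnet client. The PowerShell below is an added example (not code from any answer here) that does both from the client: it reads the standard Windows Update policy values (WUServer, WUStatusServer, AU\UseWUServer) that a GPO or a direct registry edit writes, then tests the configured server and port with Test-NetConnection and, if TCP succeeds, fetches the WSUS client web service page. The service path /ClientWebService/client.asmx used for that HTTP check is an assumption about the server layout; the registry read needs no elevation.

```powershell
# Added example: show which WSUS server this client is configured for, and whether the
# configured server:port answers from here. Assumption: /ClientWebService/client.asmx
# is reachable on the WSUS server (used only as an HTTP-level liveness check).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-WsusClientConfig {
    # Returns the intranet update server settings, or $null when the client is not
    # pointed at a WSUS server at all (it then uses Windows Update on the internet).
    if (-not (Test-Path $policyKey)) { return $null }
    $p  = Get-ItemProperty -Path $policyKey
    $au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }
    [pscustomobject]@{
        WUServer       = $p.WUServer                       # catalog and update downloads
        WUStatusServer = $p.WUStatusServer                 # status / compliance reporting
        UseWUServer    = ($au -and $au.UseWUServer -eq 1)  # 1 = use the intranet server above
    }
}

function Test-WsusReachable {
    param([Parameter(Mandatory)][string]$WsusUrl)
    $uri = [uri]$WsusUrl
    # The port comes from the URL (8530 for http, 8531 for https by WSUS convention);
    # [uri] fills in 80/443 when the URL carries no explicit port. The client side of
    # the connection is an ephemeral port chosen at connect time, so nothing to open here.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    $result = [ordered]@{
        Server       = $uri.Host
        Port         = $uri.Port
        TcpConnected = $tcp.TcpTestSucceeded
        HttpStatus   = $null
    }
    if ($tcp.TcpTestSucceeded) {
        # TCP is open; confirm the WSUS web service itself answers. A stopped IIS site or
        # a wrong port bound to another service passes the TCP test but fails here.
        $svc = '{0}://{1}:{2}/ClientWebService/client.asmx' -f $uri.Scheme, $uri.Host, $uri.Port
        try {
            $resp = Invoke-WebRequest -Uri $svc -UseBasicParsing -TimeoutSec 10
            $result.HttpStatus = $resp.StatusCode
        } catch {
            $result.HttpStatus = "error: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

$cfg = Get-WsusClientConfig
if (-not $cfg -or -not $cfg.UseWUServer) {
    Write-Host 'This client is not configured to use an intranet WSUS server.'
} else {
    $cfg | Format-List
    Test-WsusReachable -WsusUrl $cfg.WUServer
    # WUStatusServer is usually the same URL, but test it separately when it differs,
    # because a client that downloads fine can still fail to report status.
    if ($cfg.WUStatusServer -and $cfg.WUStatusServer -ne $cfg.WUServer) {
        Test-WsusReachable -WsusUrl $cfg.WUStatusServer
    }
}
```

A TcpConnected of False with UseWUServer set points at the network path (outbound filtering on the client, a host firewall on the server, or a wrong port in the policy); TcpConnected True with an HTTP error points at the WSUS/IIS side rather than at any port that would need opening on the client.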