WoodyW

Managed to test this - Using the same Web Server Certificate I'd bound to the Default Website - Subject left blank, entered both the Intranet and Internet FQDN (Internet was first, not sure that this matters). Ran WSUSUTIL CONFIGURESSL specifying the Internet FQDN and then added the SUP role. The following was logged in the WCM.log: Attempting connection to local WSUS server SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C) System.Net.WebException: The request failed with HTTP status 401: Unauthorized.~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C) Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C) Attempting connection to local WSUS server SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C) System.Net.WebException: The request failed with HTTP status 401: Unauthorized.~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C) Failures reported during periodic health check by the WSUS Server servername.domain.com. Will retry check in 1 minutes SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C) Re-running the WSUSUTIL CONFIGURESSL specifying the Intranet FQDN allowed WSUS to be configured by the SUP and for a synchronisation to take place on the Internet Facing SUP. Confirmed that Internet Based Clients could scan successfully against the SUP. Thanks again for your help with this.

Thanks for the replies, much appreciated. I should get a chance to test during the week and will let you know how I get on.

Hi, Firstly, thanks Niall and all the contributors for this great website, it's been a really useful resource over the years. The Primary Site server has a DP, MP and SUP role which are set to Intranet client only using HTTP. I'm looking at setting up a Remote Site System in the DMZ for management of Internet-Based clients - Both servers are running Windows Server 2012 R2. I've duplicated the certificate templates based on the Technet Step-by-Step guide and have enrolled them. (I left the Subject blank, and entered both the Intranet and Internet FQDN, despite this server only expecting to manage Internet-Clients). The Site System Properties have been configured with both the servers Intranet FQDN and Internet FQDN (which has been registered in Public DNS)., The Default website has the Web Server certificate bound to port 443. The MP and DP roles have been installed and set to 'Allow Internet-Only Connections', and although I haven't had a chance to test with a client yet, judging by the logs they appear to be working as expected. Despite this, I have some questions over configuring WSUS and the SUP for SSL. Would someone be able to clarify the following, as the information I've found in various blogs and on Technet is useful but seems inconsistent - I understand that I can use the same Web Server certificate which is bound to Default Website on the WSUS Administration website (on port 8531), but when requesting the Web Server certificate and entering the "More information is required to enroll for this certificate", should Subject have been populated with the Internal Server FQDN, the Internet FQDN or left blank? If the SUP will only be servicing Internet Clients, what needed to go in the Alternative Name? Only Internet FQDN, or Internet FQDN and Intranet FQDN? Given that the Internet FQDN and Intranet FQDN are different, when running the WSUSUTIL CONFIGURESSL command, should internal or external FQDN be entered? Thanks.