iis

ConfigMgr 2012 R2 – WSUS sync fails with HTTP 503 errors

Ran into this issue with ConfigMgr 2012 R2 where it was unable to synchronize Software Update Point with the WSUS server. A review of the component status messages for the SMS_WSUS_SYNC_MANAGER component on the primary site server reveals errors related to WSUS synchronization which are similar to the following:
Message ID: 6703 WSUS Synchronization failed. Message: The request failed with HTTP status 503: Service Unavailable. Source: Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer.
Got the following error when trying to open Update Services on the WSUS server

Error: Connection Error An error occurred trying to connect to the WSUS server. This error can happen for a number of reasons. Please contact your network administrator if the problem persists. Click the Reset Server Node to connect to the server again.

In addition to the above, attempts to access the URL for the WSUS Administration website (i.e., http://CMCASSERVER:8530) fails with the error:

HTTP Error 503. The service is unavailable

In this situation, the most likely cause is that the WsusPool Application Pool in IIS is in a stopped state, as shown below.

Also, the Private Memory Limit (KB) for the Application Pool is probably set to the default value of 1843200 KB.

If you encounter this problem, increase the Private Memory Limit to 4GB (4000000 KB) and restart the Application Pool. To increase the Private Memory Limit, select the WsusPool Application Pool and click Advanced Settings under Edit Application Pool. Then set the Private Memory Limit to 4GB (4000000 KB).

After the Application Pool has been restarted, monitor the SMS_WSUS_SYNC_MANAGER component status, wcm.log and wsyncmgr.log for failures. Please note that it may be necessary to increase the Private Memory Limit to 8GB (8000000 KB) or higher depending on the environment.

Now WSUS is back online!

Microsoft IIS: Disabling the SSL v3 Protocol

Depending on how your Windows servers are configured, you may need to disable SSL v3.

Note that older versions of Internet Explorer may not have the TLS protocol enabled by default. If you disable SSL versions 2.0 and 3.0, the older versions of Internet Explorer will need to enable the TLS protocol before they can connect to your site.

For a Simpler Way to Disable the SSL v3 Protocol:

DigiCert is not responsible for any complications or problems if you decide to use this .zip file to disable the SSL v3 protocol on your server.

  1. Log into your server as a user with Administrator privileges.
  2. Download DisableSSL3.zip, extract the .zip file contents, and then double-click DisableSSL3.reg.
  3. In the Registry Editor caution window, click Yes.
  4. Restart server.

If you prefer to do it yourself, follow the steps in the instruction below.

Microsoft IIS: How to Disable the SSL v3 Protocol

  1. Open the Registry Editor and run it as administrator.For example, in Windows 2012:
    1. On the Start screen type regedit.exe.
    2. Right-click on regedit.exe and click Run as administrator.
  2. In the Registry Editor window, go to:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\Windows Registry Key
  3. In the navigation tree, right-click on Protocols, and in the pop-up menu, click New > Key.Windows Registry Key
  4. Name the key, SSL 3.0.
  5. In the navigation tree, right-click on the new SSL 3.0 key that you just created, and in the pop-up menu, click New > Key.Windows Registry Key
  6. Name the key, Client.
  7. In the navigation tree, right-click on the new SSL 3.0 key again, and in the pop-up menu, click New > Key.Windows Registry Key
  8. Name the key, Server.
  9. In the navigation tree, under SSL 3.0, right-click on Client, and in the pop-up menu, click New > DWORD (32-bit) Value.Windows Registry Key
  10. Name the value DisabledByDefault.
  11. In the navigation tree, under SSL 3.0, select Client and then, in the right pane, double-click the DisabledByDefault DWORD value.Windows Registry Key
  12. In the Edit DWORD (32-bit) Value window, in the Value Data box change the value to 1 and then, click OK.
  13. In the navigation tree, under SSL 3.0, right-click on Server, and in the pop-up menu, click New > DWORD (32-bit) Value.Windows Registry Key
  14. Name the value Enabled.
  15. In the navigation tree, under SSL 3.0, select Server and then, in the right pane, double-click the Enabled DWORD value.Windows Registry Key