Monday, January 23, 2006

How to update old Windows 2000 from WSUS server on non-standard port?

Given: a Windows 2000 machine in a local network that badly needs updates. No internet access, due to the high risk of attacks on the exposed system. A Windows update server in the same local network.

Problem:
Windows 2000 won't update from the server in the local network because the service runs on a port that is non-standard for this OS. The Windows 2000 update client supplied with SP4 (aka the SUS client) can only update from a WSUS service on port 80.

Why the problem: Server machines in local networks usually run all kinds of services, intranet web sites and web services among them. Needless to say, port 80 is very popular among these because browsers treat it as the default. No surprise, then, that the update service runs on a different port, but Windows 2000 deliberately looks for this service on port 80 (where it was in the good old days), and changing this ill behavior requires an update. A typical chicken-and-egg problem, and here is how to resolve it.

So what?: After the update the SUS client becomes a WSUS client, which can work with any port, but to bootstrap the process you need to make the WSUS service available somewhere on port 80. If port 80 on the server is busy with another service, you need to use port 80 on another available machine, i.e. forward or map the port. Which machine? The simplest choice is the machine the client itself runs on: localhost. Just forward the WSUS service port (e.g. 8530) from the remote server to port 80 on the local machine and tell the old client to use the latter.


How: an example:
WSUS service is located at http://intranet:8530

Set up port forwarding/mapping using Trivial Proxy [1] or another port-mapping tool (like PortMapper [2]):
Local Port : 80
Remote Port : 8530
Remote Host : intranet

Run the reg file setup_windows_update_localhost.reg to tell the native SUS client to update itself from localhost next time.

---[setup_windows_update_localhost.reg ]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://localhost"
"WUStatusServer"="http://localhost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003

---

Run AUForceUpdate.cmd (a slightly modified version of [3]) to force the client to start the update ASAP.

---[AUForceUpdate.cmd]
@echo off
Echo This batch file will Force the Update Detection from the AU client by:
Echo 1. Stops the Automatic Updates Service (wuauserv)
Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
Echo 3. Deletes the DetectionStartTime registry key (if it exists)
Echo 4. Deletes the NextDetectionTime registry key (if it exists)
Echo 5. Restarts the Automatic Updates Service (wuauserv)

Pause
@echo on
net stop wuauserv
echo REGEDIT4 > temp.reg
echo. >> temp.reg
echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update] >> temp.reg
echo "LastWaitTimeout"=- >> temp.reg
echo "DetectionStartTime"=- >> temp.reg
echo "NextDetectionTime"=- >> temp.reg
regedit /s temp.reg
del temp.reg
net start wuauserv

@echo off
Echo This AU client will now check for the Updates on the Local SUS Server.
Echo After 10-20 min have a look at C:\WINNT\WindowsUpdate.log
Pause

---

After 10-20 minutes, check in C:\WINNT\WindowsUpdate.log whether the update completed successfully, then restart the machine (there are also some registry status keys you can monitor [4]).

After the restart, restore the port mapping so the update can finish the job, and issue the following command to speed up the update process:
wuauclt /detectnow

If the update icon flickers in the system tray but doesn't offer to install new updates, stop the WU service, delete C:\WINNT\SoftwareDistribution and start the update process again. In short:
net stop wuauserv
rmdir /s /q C:\WINNT\SoftwareDistribution
net start wuauserv
wuauclt /detectnow

Copy setup_windows_update_localhost.reg to setup_windows_update_intranet.reg and edit the latter to use http://intranet:8530 (the example server) for subsequent updates. Port mapping is not needed from now on, so shut down the software.

In the case of a one-time update you probably do not need to keep the link to the WSUS server on this machine. Then, after repeated restarts and updates to make sure everything is installed successfully, run setup_windows_update_default.reg to remove the WSUS server settings from the registry.

---[setup_windows_update_default.reg]
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

---


References:

[1] Trivial Proxy http://www.xrayapp.com/trivialproxy/
[2] AnalogX PortMapper http://www.analogx.com/contents/download/network/pmapper.htm
[3] WSUS: Script to force update detection http://support.microsoft.com/?kbid=555453
[4] Interpreting AUState Values http://susserver.com/FAQs/FAQ-InterpretingAUStateValues.asp