How to create an Internet facing WSUS server that uses different internal and external names

imageHi everyone, Joao Madureira here.  I’m a Senior Support Escalation Engineer here at Microsoft on the System Center team and I wanted to take a minute and talk about installing WSUS in an Internet facing scenario.  When installing WSUS, often times you want to have your WSUS server on the Internet but with a different name from the current internal WSUS server name. For example, your domain name is internally but you want to publish the same WSUS to work on the Internet with a different name such as This post will explain that process and how to configure your SSL certificate.

When configuring WSUS, we will need a public or domain certificate that will be trusted by the clients so that they can use SSL/HTTPS.  This certificate will require a Subject that will include the internal FQDN for the WSUS server as well as a Subject Alternative Name (SAN) for the external FQDN that will be published outside.  Note that even if you have to use only the alternative (external) subject name for the certificate, the subject name still needs to have the internal FQDN to be able to access the Management console (MMC).

After creating the certificate (domain or public cert), add the certificate to the binding for the website in IIS:


Verify if the certificate is correct.  The Subject field should contain your internal domain information:


The Subject Alternative Name should contain your internal and external domain information:


Once you’re sure that everything looks correct, test the connection in Internet Explorer to make sure you get a secure website:


Then open a command prompt and navigate to C:\program files\update services\tools and run the following command:

wsusutil configuressl <certificate name> <external FQDN>

You should see something like this:


Once you’ve created the certificate with the SAN (subject alternative name) and the subject name properly populated, you can have your WSUS server facing Internet with a different name than it uses internally.

When trying to connect to the WSUS console, you will see the reason to create a certificate with both names (the internal one and the external one).  The MMC uses the internal name to authenticate to the console so the certificate must match the internal FQDN for the machine:


Have fun patching your clients on the Internet!

Joao Madureira | Senior Support Escalation Engineer

The App-V Team blog:
The WSUS Support Team blog:
The SCMDM Support Team blog:
The ConfigMgr Support Team blog:
The SCOM 2007 Support Team blog:
The SCVMM Team blog:
The MED-V Team blog:
The DPM Team blog:
The OOB Support Team blog:
The Opalis Team blog:
The Service Manager Team blog: http:
The AVIcode Team blog: http:
The System Center Essentials Team blog: http:
The Server App-V Team blog: http:

clip_image001 clip_image002