The intention of this blog is not to go into the details of every aspect of the third-party patching feature in MEM CM, as that is covered in many blogs and in our own documentation (Enable third party updates - Configuration Manager | Microsoft Docs). Instead, it runs through some of the basic requirements that can help you troubleshoot issues you may run into while setting up the feature in a MEM CM hierarchy.
Although much of this also holds for a standalone primary site, I am going to cover the scenario where you have a CAS and a primary site in place, as that makes it a bit more complicated. In my case the SUP role also runs on a remote site system, which has a bearing on the setup.
High level data flow diagram
There are two types of catalogs in MEM CM third-party patching: partner catalogs and custom catalogs. Partner catalogs are currently HP, Dell and Lenovo; Adobe is an example of a custom catalog. Both are catalogs published by third parties, but the communication flows differently for each, which is why I am calling it out.
I know most of this duplicates the Microsoft docs site, but I am calling it out so you have it for reference while reading this blog.
Additional prerequisites on the SUP, as the SUP is remote in this case
Issue 1: Cannot see the partner catalog list in the console.
Issue 2: The console does not show signing certificate information under WSUS Signing Certificate Configuration.
In the above image I have chosen the option to let Configuration Manager manage the certificate, i.e. to use a WSUS self-signed signing certificate. Immediately after you choose that option the area showing the WSUS signing certificate details is empty; the certificate is created during a subsequent WSUS sync. If it still does not populate after a few WSUS syncs, check the steps below.
Note: If you are manually managing the certificate, refer to Enable third party updates - Configuration Manager | Microsoft Docs.
Require SSL communication to the WSUS server must be selected on the SUP.
Issue 3: What certificates do I need, and where, for this solution to work?
As I called out earlier, the SUP on the CAS should be running on HTTPS, which by default is port 8531. That means the WSUS Administration site in IIS needs an HTTPS binding with a certificate that carries the Server Authentication enhanced key usage, and the certificate's subject or subject alternative name must match the FQDN that clients and child sites use to reach the SUP.
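The following PowerShell is an added example, not code from the original post or from Microsoft; it checks the SUP-side certificate requirements behind Issue 2 (the WSUS self-signed signing certificate) and Issue 3 (the HTTPS binding on the WSUS Administration site) in one pass. It assumes the WSUS defaults (IIS site name "WSUS Administration", SSL port 8531), the subject "WSUS Publishers Self-signed" for the WSUS-generated signing certificate, and the UsingSSL/PortNumber value names written by wsusutil configuressl under the WSUS setup registry key; treat those as assumptions if your WSUS version differs. Run it in an elevated PowerShell session on the SUP itself.

```powershell
# Added example: SUP certificate health check (not from the original post).
# Assumptions: IIS site 'WSUS Administration', SSL port 8531, WSUS registry
# value names UsingSSL/PortNumber, signing cert subject 'WSUS Publishers Self-signed'.
param(
    [string]$SupFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName,
    [int]$SslPort    = 8531
)

Import-Module WebAdministration -ErrorAction Stop
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# --- Issue 3: https binding on the WSUS Administration site -------------------
$binding = Get-WebBinding -Name 'WSUS Administration' -Protocol https |
           Where-Object { $_.bindingInformation -like "*:$SslPort:*" }

if (-not $binding) {
    Write-Warning "No https binding on port $SslPort for site 'WSUS Administration'."
} else {
    $thumb = $binding.certificateHash
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "Binding references thumbprint $thumb but no such certificate is in LocalMachine\My."
    } else {
        # A certificate with no EKU extension is valid for any purpose; otherwise
        # Server Authentication must be listed explicitly.
        $ekus          = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $hasServerAuth = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid)
        $names         = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Check              = 'WSUS Administration https binding'
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            ServerAuthEku      = $hasServerAuth
            NameMatchesSupFqdn = ($names -contains $SupFqdn)
            HasPrivateKey      = $cert.HasPrivateKey
            NotExpired         = ($cert.NotAfter -gt (Get-Date))
            ChainValidates     = $cert.Verify()   # chain build against LocalMachine\Root
        } | Format-List
    }
}

# --- Issue 2: WSUS self-signed signing certificate ----------------------------
# When Configuration Manager manages the certificate it is created during a
# WSUS sync and placed in the WSUS store; the server also needs it in
# Trusted Publishers and Trusted Root for publishing to work.
$signing = Get-ChildItem Cert:\LocalMachine\WSUS -ErrorAction SilentlyContinue |
           Where-Object { $_.Subject -like '*WSUS Publishers Self-signed*' } |
           Select-Object -First 1

if (-not $signing) {
    Write-Warning "No 'WSUS Publishers Self-signed' certificate in the WSUS store yet; wait for another WSUS sync and check WCM.log."
} else {
    foreach ($store in 'TrustedPublisher', 'Root') {
        $present = Get-ChildItem "Cert:\LocalMachine\$store" |
                   Where-Object { $_.Thumbprint -eq $signing.Thumbprint }
        "Signing cert {0} present in LocalMachine\{1}: {2}" -f $signing.Thumbprint, $store, [bool]$present
    }
}

# --- Require SSL: WSUS itself must be configured for SSL ----------------------
# 'wsusutil configuressl' records this under the WSUS setup key (assumed value names).
$setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' -ErrorAction SilentlyContinue
"WSUS UsingSSL: {0}   PortNumber: {1}" -f $setup.UsingSSL, $setup.PortNumber
```

If ChainValidates is False while the certificate itself looks fine, the issuing CA chain is not trusted on the SUP, which is the same class of problem as Issue 6 below; if NameMatchesSupFqdn is False, the primary site and clients will fail the TLS handshake even though IIS happily serves on 8531.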
Issue 4: I have everything above in place but am unable to download a custom catalog, e.g. Adobe.
Note: You will be prompted to review and accept the catalog's certificate to complete the subscription process, as shown below.
Issue 5: After I configured all this, I notice my primary site SUP has stopped syncing with the CAS SUP.
Issue 6: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel." error in the log
If you see this error in the ISV SyncAgent logs, the chances are a root certificate is missing from the server's Trusted Root Certification Authorities store. Most Microsoft-hosted endpoints chain to the Baltimore CyberTrust Root certificate; if it is missing, expired or corrupted you will see the above text in the log. Rather than assuming which root is involved, inspect the chain the failing endpoint actually presents and confirm that its root is present in the machine store, since the roots behind hosted endpoints change over time.
More details, and the steps to resolve the problem, are documented in the linked article, and they apply to this case too.
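As an added diagnostic for Issue 6 (not part of the original post), the PowerShell below opens a TLS connection to an endpoint, captures the certificate chain the .NET stack builds for it, and reports the root's subject and thumbprint together with whether that root exists in the local machine's Trusted Root store. It also checks for the Baltimore CyberTrust Root by its well-known SHA-1 thumbprint, since that is the root the post names. The host name in the usage line is a placeholder; substitute the endpoint named in your SyncAgent log (or your own SUP on 8531).

```powershell
# Added example, not from the original post: show which root an https endpoint
# chains to and whether the local machine trusts it.

function Test-TlsTrustChain {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # Hashtable so the callback can hand results back by reference.
    $state = @{ Certs = @(); Status = @(); Errors = $null }

    # Diagnostic-only callback: it returns $true so we can inspect a chain that
    # would otherwise be rejected. Never reuse this pattern in production code.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        # Copy certificates and status out; the chain object is disposed after the handshake.
        $state.Certs  = @($chain.ChainElements | ForEach-Object {
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($_.Certificate)
        })
        $state.Status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    # The last element is the root if the chain built completely. When the root
    # is missing locally the last element is an intermediate and ChainStatus
    # will report UntrustedRoot or PartialChain.
    $last = $state.Certs | Select-Object -Last 1
    $inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                          Where-Object { $_.Thumbprint -eq $last.Thumbprint })

    [pscustomobject]@{
        Endpoint             = '{0}:{1}' -f $HostName, $Port
        PolicyErrors         = $state.Errors
        ChainStatus          = ($state.Status -join ', ')
        ChainDepth           = $state.Certs.Count
        TopSubject           = $last.Subject
        TopThumbprint        = $last.Thumbprint
        TopCertInMachineRoot = $inRootStore
    }
}

function Test-RootPresent {
    param([Parameter(Mandatory)][string]$Thumbprint)
    [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# Well-known SHA-1 thumbprint of the Baltimore CyberTrust Root named in the post.
$BaltimoreThumbprint = 'D4DE20D05E66FC53FE1A50882C78DB2852CAE474'
"Baltimore CyberTrust Root in LocalMachine\Root: {0}" -f (Test-RootPresent $BaltimoreThumbprint)

# Example usage; 'sup01.contoso.com' is a placeholder, use the endpoint from your log.
Test-TlsTrustChain -HostName 'sup01.contoso.com' -Port 8531 | Format-List
```

If PolicyErrors shows RemoteCertificateChainErrors and ChainStatus contains UntrustedRoot or PartialChain, import the missing root (or the intermediate the server should be sending) into the machine store and re-run; if PolicyErrors shows RemoteCertificateNameMismatch instead, the problem is the binding certificate's name rather than trust, which is the Issue 3 check above.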
Now that the back end is set up, I would like to draw your attention to a couple of key facts.
I hope this helps you understand the configuration better and troubleshoot some of the issues you might see in your environment.