There is a whole bunch of possible issues here:
- Is the WSUS actually operating on the default ports as you say? It could be using the alternate config.
- The pfSense suggests the WSUS server is in a different subnet from the clients. Are you sure the URL used in the policy is actually valid from the clients' perspective?
- Is the policy really deployed to the clients? Check if the registry keys are created on a client computer. GPUPDATE /FORCE is your friend.
- On a client run "wuauclt /DetectNow" from a command prompt. Check WindowsUpdate.log (in C:\Windows or c:\Winnt) to see what is happening.
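
The checks above can be run in one pass on a client. This is an added example, not part of the original answer. It assumes the standard Windows Update policy registry location and the usual WSUS alternate ports 8530/8531; `Test-TcpPort` is a helper defined here.

```powershell
# Standard location of the Windows Update policy values written by the GPO.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Helper (defined for this example): TCP connect with a timeout.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
$uri = $null

if (-not $wu -or -not $wu.WUServer) {
    Write-Warning "WUServer is not set under ${wuKey}; the policy has not reached this client."
} elseif (-not [Uri]::TryCreate($wu.WUServer, [UriKind]::Absolute, [ref]$uri)) {
    Write-Warning "WUServer '$($wu.WUServer)' is not a full URL (expected http://server:port)."
} else {
    "WUServer       = $($wu.WUServer)"
    "WUStatusServer = $($wu.WUStatusServer)"
    "UseWUServer    = $($au.UseWUServer)"   # must be 1 or WUServer is ignored

    # Port from the policy URL first, then default and alternate WSUS ports.
    $ports = @($uri.Port, 80, 443, 8530, 8531) | Select-Object -Unique
    foreach ($p in $ports) {
        $open = Test-TcpPort -HostName $uri.Host -Port $p
        '{0}:{1} reachable from this client = {2}' -f $uri.Host, $p, $open
    }
}

# Last lines of the client log, if this Windows version still writes it as text.
$log = Join-Path $env:windir 'WindowsUpdate.log'
if (Test-Path $log) { Get-Content $log | Select-Object -Last 20 }
```

If the port in the policy URL is unreachable while another listed port is open, the policy URL and the WSUS site binding disagree; if none are reachable, look at the pfSense rules between the two subnets.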