I would like to allow my servers to be able to access MS update websites. They do not have access to external network right now.
I create an access rule on ISA 06 Edge Firewall with the following settings:
Protocol: http, https
Action: Allow
From: Servername
To: Microsoft Update Domain name set
Users: All users
This rule is placed right at the top of the firewall rules list.
When I try to run Windows update on IE using a server with static IP addressing, it does not work. Under Monitoring, I see that the connection to the website is Initiated, then Denied and Closed.
The Denied log is as follows:
Denied Connection A
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: [Enterprise] Default rule
Source: Internal (10.10.10.10)
Destination: External (65.55.13.91:80)
Request: GET http://65.55.13.91/windowsupdate/v6/default.aspx
Filter information: Req ID: 08471fbb; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Any help would be greatly appreciated.
To configure a client server as a web proxy client, do I simply input the ISA internal IP as the proxy server address and port 8080 under LAN settings in IE connection options? I am not too familiar with web proxy client as I have been using SecureNAT all this while. However these proxy settings have been configured for my ISA firewall servers and they are able to access the WU websites.
I have also tried installing the Hostname Logger software on the ISA firewalls and CSS servers, and restarted the Firewall service. However it does not seem to work either. I still get denied by the Enterprise default rule, with either method.
Are there any other rules that I need to implement, apart from allowing the servers access to the domain name set?
Hi,
quote:
to configure a client server as a web proxy client, do I simply input the ISA internal IP as the proxy server address and port 8080 under LAN settings in IE connection options?
Yes.
How are your ISA NICs configured (IP, mask, GW and DNS)?
I have checked the KB. Both scenarios do not apply as I do not even reach the scanning of the latest version of the WU software, let alone seeing the main site with Express/Custom Install options.
Here are the errors I get on IE when I try to run WU:
Without Proxy configured:
Technical Information (for support personnel)
Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 207.46.21.124
Date: 12/16/2009 2:24:51 AM [GMT]
Server: xxxxxxxxxxxxx
Source: proxy
With Proxy configured:
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 10.10.10.254
Date: 12/16/2009 2:32:53 AM [GMT]
Server: xxxxxxxxxxxxxx
Source: proxy
Initially I installed the Hostname Logger on both ISA firewalls only, and not on the CSS servers. I received an alert: Description: Web filter 'Hostname Logger' is not installed on this server. Install the filter and then restart the Firewall service.
After I installed them on the CSS servers as well, there weren't any more alerts. All instances of installation of Hostname Logger ended with a pop-up saying that installation was successful. I then restarted the Firewall service.
I have checked the main firewall logs but am unable to find any 'Hostname logger' entry in them.
Hi,
quote:
Without Proxy configured:
Technical Information (for support personnel)
Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 207.46.21.124
Date: 12/16/2009 2:24:51 AM [GMT]
Server: xxxxxxxxxxxxx
Source: proxy
With Proxy configured:
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 10.10.10.254
Date: 12/16/2009 2:32:53 AM [GMT]
Server: xxxxxxxxxxxxxx
Source: proxy
Why are the IP addresses different? The error is clear, ISA is denying the URL. Check the KB I've posted for more WU websites and add them to your access rule.
From which machine is the IP address 10.10.10.254? Is it internal?
Sorry, I think I pasted the wrong error. Here they are again:
Without Proxy settings on the server running WU:
Technical Information (for support personnel)
Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 65.55.184.27
Date: 12/18/2009 2:03:27 AM [GMT]
Server: xxxxxxxxxxxxxx
Source: proxy
ISA logging:
Denied Connection xxxxxxxx 12/18/2009 10:03:27 AM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: [Enterprise] Default rule
Source: Internal (10.10.9.51)
Destination: External (65.55.184.27:80)
Request: GET http://update.microsoft.com/windowsupdate/v6/default.aspx
Filter information: Req ID: 0fdc0994; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
65.55.184.27 is the IP for update.microsoft.com website.
With Proxy settings on server running WU:
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 10.10.10.254
Date: 12/18/2009 2:17:54 AM [GMT]
Server: APLISA01.aksaas.local
Source: proxy
ISA logging:
Denied Connection xxxxxxxx 12/18/2009 10:03:27 AM
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: [Enterprise] Default rule
Source: Internal (10.10.9.51)
Destination: External (65.55.184.27:80)
Request: GET http://update.microsoft.com/windowsupdate/v6/default.aspx
Filter information: Req ID: 0fdc0998; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
10.10.10.254 is the VIP for ISA array, which I have configured as the proxy server with port 8080 in the Proxy LAN settings for the server trying to run WU. This IP is also used for DG for SecureNAT.
The access rule is using the default Microsoft Update Domain Name set. *.update.microsoft.com is included in this set.
The config for this access rule is: Allow Http, Https from Internal network to Microsoft Update Domain Name set, Always for All Users.
The strange thing is that I don't have any Deny rules apart from the Enterprise default rule and this rule is right at the top of the list.
I have tried creating a custom Domain Name set with *.update.microsoft.com and *.windowsupdate.microsoft.com and trying to run WU site from the server but I still get the same 403 error on IE, and ISA monitoring shows that the Enterprise default rule is blocking.
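Added example, not part of the thread and not ISA's own code: a small Python parser for the denied-connection records pasted above. It extracts the rule that fired and the request host, then tests that host against the two domain name set patterns quoted in the last post. The matching function is an assumption (a leading `*.` is treated as covering subdomains only, not the bare name) and should be checked against the actual behaviour of ISA domain name sets; the sample records are abridged copies from the posts.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Abridged copies of two denied records from the thread, fields run together as pasted.
SAMPLES = [
    "Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL). "
    "Rule: [Enterprise] Default rule Source: Internal (10.10.10.10) "
    "Destination: External (65.55.13.91:80) "
    "Request: GET http://65.55.13.91/windowsupdate/v6/default.aspxFilter information: Req ID: 08471fbb;",
    "Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL). "
    "Rule: [Enterprise] Default rule Source: Internal (10.10.9.51) "
    "Destination: External (65.55.184.27:80) "
    "Request: GET http://update.microsoft.com/windowsupdate/v6/default.aspxFilter information: Req ID: 0fdc0994;",
]
# Patterns of the custom domain name set described in the last post.
PATTERNS = ["*.update.microsoft.com", "*.windowsupdate.microsoft.com"]

RECORD = re.compile(
    r"Status: (?P<status>\d+).*?Rule: (?P<rule>.+?)\s+Source: \w+ \((?P<src>[\d.]+)\)\s+"
    r"Destination: \w+ \((?P<dst>[\d.]+):(?P<port>\d+)\)\s+"
    r"Request: (?P<method>\w+) (?P<url>\S+?)(?=Filter information:|\s|$)", re.S)

def is_ip_literal(host):
    """True when the request URL carried an IP address instead of a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def matches_set(host, patterns):
    # ASSUMPTION: "*.x" covers subdomains of x only, never the bare name x.
    host = host.lower()
    return [p for p in patterns
            if (host.endswith(p[1:].lower()) if p.startswith("*.") else host == p.lower())]

def diagnose(record, patterns=PATTERNS):
    """Return the rule that fired, the request host, and any set patterns covering it."""
    m = RECORD.search(record)
    if m is None:
        raise ValueError("not a recognisable ISA denied-connection record")
    host = urlsplit(m["url"]).hostname
    return {"rule": m["rule"], "source": m["src"], "destination": f'{m["dst"]}:{m["port"]}',
            "host": host, "host_is_ip": is_ip_literal(host), "matched": matches_set(host, patterns)}

if __name__ == "__main__":
    for rec in SAMPLES:
        print(diagnose(rec))
```

Under the stated assumption, an empty `matched` list next to `[Enterprise] Default rule` means no pattern in the set covered the request host as it was logged.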