
Windows Update from ISA server fails

Windows Update from ISA server fails - 11.Mar.2007 11:44:02 AM
matheesha

 

I have an ISA 2006 Std edition + Windows 2003 Std installation running with 2 NICs (3rd disabled), with access rules configured using the Edge Firewall template. For reasons I don't understand, the ISA server is unable to auto-download Windows updates.

The NIC connected to the ISP is DHCP enabled and receives DNS server addresses. The system policy rule for allowing ISA to access system policy allowed sites is intact. If I attempt to access Windows Update using IE (IE6 in enhanced security mode), it works until I get prompted to choose express/custom updates. If I choose express, and monitor the ISA logs, I see several https packets destined for one of the update.microsoft.com servers fail after hitting the deny all rule. It also tries more than one update server before it fails.

My theory is that because it cannot do a reverse lookup on the IP address belonging to update.microsoft.com, it cannot verify if it belongs to a domain allowed in the "system policy allowed sites" domain name list. I can do forward lookups on update.microsoft.com but not any reverse on the IP addresses themselves.

I don't have my ISA server running 24x7, so I don't know if the auto update service (wuauserv) also behaves this way. IE definitely does though.

Any thoughts?

Cheers

M@
Post #: 1
RE: Windows Update from ISA server fails - 11.Mar.2007 1:55:40 PM
spouseele

 

Hi matheesha,

your analysis is correct!

At some point an SSL connection is set up. This request is obviously made by IP address for a SecureNAT client. Therefore ISA must perform a reverse DNS lookup in order to match the request to a Domain Name or URL set. Yet, this will not succeed because no proper reverse DNS entries exist for the Windows Update sites.

To work around that problem, configure IE as a Web Proxy client, even on ISA itself, and it should work.

HTH,
Stefaan

(in reply to matheesha)
Post #: 2
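
An added example, not part of the original thread or of ISA Server: a Python check that resolves a host forward, tries the reverse (PTR) lookup on each address, and tests the PTR name against a domain name set, which is the comparison the reply above describes for requests made by IP address. The `ALLOWED` entries, the wildcard-matching model and the resolver data used by `demo()` are assumptions constructed for illustration.

```python
import socket

# Assumed sample entries for a domain name set; replace with your set's contents.
ALLOWED = ["*.microsoft.com", "*.windowsupdate.com", "*.windows.com"]

def in_domain_set(name, patterns=ALLOWED):
    """Model of set matching: '*.example.com' matches any subdomain of example.com."""
    name = name.rstrip(".").lower()
    for pattern in (p.lower() for p in patterns):
        if pattern.startswith("*."):
            if name.endswith(pattern[1:]):
                return True
        elif name == pattern:
            return True
    return False

def system_forward(host):
    """Forward lookup through the system resolver; returns a list of IPv4 addresses."""
    return socket.gethostbyname_ex(host)[2]

def system_reverse(ip):
    """Reverse (PTR) lookup through the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def audit(host, forward=system_forward, reverse=system_reverse):
    """For every address of host, report whether a request made by IP address
    could be mapped back to the domain name set through its PTR record."""
    rows = []
    for ip in forward(host):
        ptr = reverse(ip)
        rows.append({"ip": ip, "ptr": ptr,
                     "matches_by_ip": ptr is not None and in_domain_set(ptr)})
    return {"host": host, "matches_by_name": in_domain_set(host), "addresses": rows}

# Constructed resolver data (documentation address ranges), so the demo runs offline.
FAKE_A = {"update.microsoft.com": ["192.0.2.10", "198.51.100.20", "203.0.113.5"]}
FAKE_PTR = {"198.51.100.20": "edge20.cdn.example.net", "203.0.113.5": "wu5.microsoft.com"}

def demo():
    return audit("update.microsoft.com", forward=FAKE_A.__getitem__, reverse=FAKE_PTR.get)

if __name__ == "__main__":
    report = demo()
    print(report["host"], "matches by name:", report["matches_by_name"])
    for row in report["addresses"]:
        print(f'  {row["ip"]:<15} PTR={row["ptr"]} matches by IP: {row["matches_by_ip"]}')
```

Calling `audit("update.microsoft.com")` without the `forward` and `reverse` arguments uses the machine's real resolver instead of the constructed tables.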
RE: Windows Update from ISA server fails - 11.Mar.2007 4:54:24 PM
elmajdal

 

Hi matheesha,

follow this article: http://elmajdal.net/ISAServer/Allow_Internet_From_ISA_Server_Machine.aspx

HTH,
Tarek

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to matheesha)
Post #: 3
RE: Windows Update from ISA server fails - 12.Mar.2007 9:08:16 AM
matheesha

 

Thanks Tarek. I used your article to verify my webproxy configuration and as per Stefaan's instructions used IE and it connected OK.

(in reply to elmajdal)
Post #: 4
RE: Windows Update from ISA server fails - 12.Mar.2007 9:12:59 AM
matheesha

 

Thanks Tarek & Stefaan.

I configured IE as a web proxy client (of itself) and connected to Windows Update and it listed IE7 as a critical update. So I guess that works. What I now need to test is whether I can get auto updates to work without configuring web proxy settings in IE. I say this because as per KB900935, the autoupdate service cannot obtain proxy settings from the user-specific proxy settings in IE. Therefore I can configure proxycfg or use wpad entries. I will test and update the list.

Cheers

M@


(in reply to spouseele)
Post #: 5
RE: Windows Update from ISA server fails - 13.Mar.2007 5:12:40 PM
matheesha

 

I used proxycfg to set the ISA server to use itself as a proxy client. But I am now getting failed connection attempts to the MS update servers using the SSL-tunnel protocol. The service is showing up in logs as proxy and matches the system rule for http/https to system allowed sites.

I don't understand why it matches the system rule. As it is a proxy client and the service in use is proxy, shouldn't it match the firewall rules for internal clients accessing the web?

The weird thing is it works if I use IE. I can't understand why proxycfg is not able to fix this.

(in reply to spouseele)
Post #: 6
RE: Windows Update from ISA server fails - 6.Apr.2007 1:28:52 PM
alex3299

 

If you use an allow rule to HTTP/HTTPS from ISA and a deny rule to all other websites it works...

(in reply to matheesha)
Post #: 7
RE: Windows Update from ISA server fails - 28.Mar.2008 6:37:13 AM
ashish

 

Hi fellows,

I have a similar setup as "matheesha" and I have the same problems.

I have done what "spouseele" and "elmajdal" have advised but I still cannot get the ISA2006 server to Windows Update or McAfee update.

The only way to update the server is when I disable the firewall for a while.

Any Ideas???

Ashish

(in reply to matheesha)
Post #: 8
