
Welcome to ISAserver.org


WSUS servers not able to update via ISA servers

WSUS servers not able to update via ISA servers - 16.Sep.2009 3:16:04 AM   
morne@afridata.net

 

Posts: 34
Joined: 19.Dec.2008
Status: offline
Hi. I have 2x ISA 2006 on 2003 R2, both are fully updated and live on different sides of the world.

Recently I noticed my WSUS is not able to synchronize with the Microsoft servers anymore. I checked the URL set as per KB http://support.microsoft.com/kb/885819 and have all of those URLs configured. The rule is simple: allow server X HTTP and HTTPS access to the WSUS URL set, for all users at any time.

When I change the "to" part in the rule and add "external" it works fine. I can synchronize my WSUS servers. I notice requests going out to a 207.46 address range are being denied, and these are the update servers at Microsoft.

This is obviously not ideal and any assistance in this regard will be appreciated. Thank You. Morne.
Post #: 1
RE: WSUS servers not able to update via ISA servers - 16.Sep.2009 4:43:16 AM   
Mekong River

 

Posts: 78
Joined: 9.Aug.2009
Status: offline
You should check your ISA log information. Which rule denies your WSUS server access to the Microsoft Update website?

(in reply to morne@afridata.net)
Post #: 2
RE: WSUS servers not able to update via ISA servers - 17.Sep.2009 2:33:33 AM   
morne@afridata.net

 

Posts: 34
Joined: 19.Dec.2008
Status: offline
I have checked the log and the log states that rule 22 blocks the access but it does not tell me why. The rule granting access is rule 13. Surely this rule is checked before rule 22 and is supposed to allow the access?

(in reply to Mekong River)
Post #: 3
RE: WSUS servers not able to update via ISA servers - 17.Sep.2009 2:38:36 AM   
morne@afridata.net

 

Posts: 34
Joined: 19.Dec.2008
Status: offline
Rule 22 provides HTTP and HTTPS access to a specific group of users.

(in reply to morne@afridata.net)
Post #: 4
RE: WSUS servers not able to update via ISA servers - 17.Sep.2009 2:39:25 AM   
Mekong River

 

Posts: 78
Joined: 9.Aug.2009
Status: offline
Please describe rule 13 and rule 22 here. I need to see the configuration of each tab of the rule properties.

Thanks,

(in reply to morne@afridata.net)
Post #: 5
RE: WSUS servers not able to update via ISA servers - 17.Sep.2009 3:11:53 AM   
morne@afridata.net

 

Posts: 34
Joined: 19.Dec.2008
Status: offline
Ok, here goes:

rule 13:
action: allow
Protocols: HTTP, HTTPS
From: WSUS Server
To: WSUS Websites (URL Set) Should this maybe be a domain name set?
Users: All Users
Schedule: Always
Content: All content

rule 22:
action: allow
Protocols: HTTP, HTTPS
From: Internal
To: External
Users: Power Users (Research)
Schedule: Always
Content: All content

(in reply to Mekong River)
Post #: 6
RE: WSUS servers not able to update via ISA servers - 17.Sep.2009 4:14:33 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: morne@afridata.net

Ok, here goes:

rule 13:
action: allow
Protocols: HTTP, HTTPS
From: WSUS Server
To: WSUS Websites (URL Set) Should this maybe be a domain name set?
Users: All Users
Schedule: Always
Content: All content

rule 22:
action: allow
Protocols: HTTP, HTTPS
From: Internal
To: External
Users: Power Users (Research)
Schedule: Always
Content: All content


Yep, domain name set.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to morne@afridata.net)
Post #: 7
RE: WSUS servers not able to update via ISA servers - 17.Sep.2009 6:04:38 AM   
morne@afridata.net

 

Posts: 34
Joined: 19.Dec.2008
Status: offline
Hi. The domain set does not work either. It is getting denied on the same rule. What is interesting is that when I remove the domain or URL set and just add "external" it works fine.

(in reply to Jason Jones)
Post #: 8
RE: WSUS servers not able to update via ISA servers - 17.Sep.2009 7:57:20 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
There should be a default domain name set for Microsoft Update, try using that...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to morne@afridata.net)
Post #: 9
RE: WSUS servers not able to update via ISA servers - 17.Sep.2009 10:52:26 AM   
frank_hoof

 

Posts: 52
Joined: 27.Mar.2008
Status: offline
What has blocked me more times is the port number the site uses. Some sites specifically mention the port number.
I resolved it by adding to the URL set with the url:portnumber notation. For instance https://*.microsoft.com:443

(in reply to Jason Jones)
Post #: 10
RE: WSUS servers not able to update via ISA servers - 18.Sep.2009 2:11:24 AM   
morne@afridata.net

 

Posts: 34
Joined: 19.Dec.2008
Status: offline
Nope, still getting denied on rule 22. From IP 10.20.0.4 to IP 65.55.13.88, denied port 443. I have worked with ISA servers a long time and this is the first time I have come across a problem like this.

(in reply to frank_hoof)
Post #: 11
RE: WSUS servers not able to update via ISA servers - 18.Sep.2009 5:00:27 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Is it just this one external IP address?

Do you see other destinations being allowed?

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to morne@afridata.net)
Post #: 12
RE: WSUS servers not able to update via ISA servers - 18.Sep.2009 5:37:18 AM   
morne@afridata.net

 

Posts: 34
Joined: 19.Dec.2008
Status: offline
Hi. I have multiple external addresses and there are multiple rules allowing access to other sites for other servers that work fine. It is just this one rule that has a problem when it is locked down to specific sites. I have two ISA servers and both have this issue, and they are on different networks on opposite sides of the globe. When I grant the rule access to External it works fine.

(in reply to Jason Jones)
Post #: 13
RE: WSUS servers not able to update via ISA servers - 18.Sep.2009 5:52:37 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: morne@afridata.net

Nope, still getting denied on rule 22. From IP 10.20.0.4 to IP 65.55.13.88, denied port 443. I have worked with ISA servers a long time and this is the first time I have come across a problem like this.


I don't understand why it is even getting to rule 22? Surely it should be using rule 13???

Rule 22 will probably not work as it is requiring user authentication...

Can you confirm how rule 13 is now configured?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to morne@afridata.net)
Post #: 14
RE: WSUS servers not able to update via ISA servers - 18.Sep.2009 6:16:21 AM   
morne@afridata.net

 

Posts: 34
Joined: 19.Dec.2008
Status: offline
rule 13:
action: allow
Protocols: HTTP, HTTPS
From: WSUS Server
To: WSUS Websites (URL Set) and WSUS domain set
Users: All Users
Schedule: Always
Content: All content

(in reply to Jason Jones)
Post #: 15
RE: WSUS servers not able to update via ISA servers - 18.Sep.2009 7:49:06 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
http://technet.microsoft.com/en-us/library/bb794766.aspx

To enable access to the Windows Update servers, create an access rule allowing access for users to the Microsoft Update Domain Name Set. This rule should be placed high in the ordered list of firewall policy rules. In particular, it must precede Web access rules that require authentication, which may block some users from obtaining updates from Windows Update.

Are you using the "Microsoft Update Domain Name Set" in your rule?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to morne@afridata.net)
Post #: 16
RE: WSUS servers not able to update via ISA servers - 18.Sep.2009 8:34:49 AM   
morne@afridata.net

 

Posts: 34
Joined: 19.Dec.2008
Status: offline
Hi. We have already gone through these. The problem is rule 13 is for some reason not allowing the sets and it eventually gets blocked on 22.

(in reply to Jason Jones)
Post #: 17
RE: WSUS servers not able to update via ISA servers - 18.Sep.2009 9:13:01 AM   
frank_hoof

 

Posts: 52
Joined: 27.Mar.2008
Status: offline
The only reason that it goes to 22 is because it does not comply with rule 13 and it is an internal machine.
Have you double-checked the IP address in the WSUS server?
Checked the log (filter on client IP from WSUS server) where it is heading to and which protocol? Port number?

(in reply to morne@afridata.net)
Post #: 18
RE: WSUS servers not able to update via ISA servers - 18.Sep.2009 10:23:51 AM   
DEVLAVI

 

Posts: 115
Joined: 16.Jul.2009
From: Bangalore, India
Status: offline
Hi
Try using the built-in Domain Name Sets "System Policy Allowed Sites" & "Microsoft Update Domain Name Set" in the To tab of your Access rule instead of your domain set


HTH,
Dev

_____________________________

Vasu Dev,
Network Administrator

"Abnormal is so common, it's practically normal."

(in reply to morne@afridata.net)
Post #: 19
RE: WSUS servers not able to update via ISA servers - 19.Sep.2009 10:49:44 AM   
Mekong River

 

Posts: 78
Joined: 9.Aug.2009
Status: offline
Hi Morne, with your rule, it should be working fine. Please try to create the problem again and check your log file. Copy the log result where the problem occurs and paste the result in Microsoft Excel.

Navigate to the last column, and check its URL. Then compare this URL with the Microsoft WSUS domain name set or your URL set. Also compare it with your success rule when you apply to External (not WSUS URL set).

I hope you could find the difference. If possible, please post this log result on this forum.

Kanel

(in reply to morne@afridata.net)
Post #: 20
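
The log comparison suggested in post 20 (filter on the WSUS server's client IP, then compare each logged destination with the entries of the set used in rule 13), as an added example that is not part of the original thread. The CSV column names, the sample rows and the three set patterns are constructed for illustration and are not ISA's own log schema or set contents; only 10.20.0.4, 65.55.13.88 and the rule numbers come from the thread.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample patterns; substitute the entries of your own set.
DOMAIN_SET = ["*.update.microsoft.com", "*.windowsupdate.com", "download.microsoft.com"]

# Constructed log export. Column names are hypothetical, not ISA's log schema.
SAMPLE_LOG = """\
client_ip,dest_ip,dest_port,url,rule,action
10.20.0.4,203.0.113.10,80,http://download.windowsupdate.com/update.cab,rule 13,Allowed
10.20.0.4,65.55.13.88,443,65.55.13.88:443,rule 22,Denied
10.20.0.99,203.0.113.40,80,http://www.example.org/,rule 22,Allowed
10.20.0.4,203.0.113.20,443,https://www.update.microsoft.com/v6/,rule 13,Allowed
10.20.0.4,203.0.113.30,80,http://stats.example.net/ping,rule 22,Denied
"""

def host_of(url_field):
    """Lowercase host from a logged URL or bare host:port value."""
    text = url_field.strip()
    if "://" not in text:
        text = "//" + text          # lets urlsplit parse "host:port"
    return (urlsplit(text).hostname or "").lower()

def matches_set(host, patterns):
    """Exact match, or suffix match for patterns of the form *.example.com."""
    for pattern in (p.lower() for p in patterns):
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False

def classify(host, patterns):
    try:
        ipaddress.ip_address(host)
        return "ip-literal"         # an IP cannot be compared to name patterns as text
    except ValueError:
        return "in-set" if matches_set(host, patterns) else "not-in-set"

def triage(log_text, client_ip, patterns):
    """Return (rule, action, host, verdict) for every row from client_ip."""
    rows = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["client_ip"] == client_ip:
            host = host_of(rec["url"])
            rows.append((rec["rule"], rec["action"], host, classify(host, patterns)))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "10.20.0.4", DOMAIN_SET):
        print(*row, sep="\t")
```

Rows marked `ip-literal` or `not-in-set` are the ones to compare against the set entries and against the log taken while the rule pointed at External.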
