WIndows Update from ISA server fails (Full Version)

All Forums >> [ISA 2006 Firewall] >> Access Policies



Message


matheesha -> WIndows Update from ISA server fails (11.Mar.2007 11:44:02 AM)

I have a ISA 2006 std edition + windows 2003 std installation running with 2 NICs (3rd disabled) and has access rules configured using the edge firewall template. For reasons I dont understand the ISA server is unable to auto download windows updates.

The NIC connected to the ISP is DHCP enabled and receives DNS server addresses. The system policy rule for allowing ISA to access system policy allowed sites is intact. If I attempt to access Windows Update using IE (IE6 in enhanced security mode), it works until I get prompted to choose express/custom updates. If I choose express, and monitor the ISA logs, I see several https packets destined for one of the update.microsoft.com servers fail after hitting the deny all rule. It also tries more than one update server before it fails.

My theory is that because it cannot do a reverse lookup on the IP address belonging to update.microsoft.com, it cannot verify if it belongs to a domain allowed in the "system policy allowed sites" domain name list. I can do forward lookups on update.microsoft.com but not any reverse on the IP addresses themselves.

I dont have my ISA server running 24x7 so I dont know if the auto update service (wuauserv) also behaves this way. IE definitely does though.

Any thoughts?

Cheers

M@




spouseele -> RE: WIndows Update from ISA server fails (11.Mar.2007 1:55:40 PM)

Hi matheesha,

your analyzes is correct! [:)]

At some point an SSL connection is setted up. This request is obviously made by IP address for a SecureNAT client. Therefore ISA must perform a reverse DNS lookup in order to match the request to a Domain Name or URL set. Yet, this will not succeed because no proper reverse DNS entries exists for the Windows Update sites.

The workaround that problem, configure IE as a Web Proxy client, even on ISA itself and it should work.

HTH,
Stefaan




elmajdal -> RE: WIndows Update from ISA server fails (11.Mar.2007 4:54:24 PM)

Hi matheesha,

follow this article : http://elmajdal.net/ISAServer/Allow_Internet_From_ISA_Server_Machine.aspx

HTH,
Tarek




matheesha -> RE: WIndows Update from ISA server fails (12.Mar.2007 9:08:16 AM)

Thanks Tarek. I used your article to verify my webproxy configuration and as per Stefaan's instructions used IE and it connected OK.




matheesha -> RE: WIndows Update from ISA server fails (12.Mar.2007 9:12:59 AM)

Thanks Tarek & Stefaan.

I configured IE as a web proxy client (of itself) and connected to windows update and it listed IE7 as a critical update.So I guess that works. What I now need to test is whether I can get auto updates to work without configuring web proxy settings in IE. I say this because as per KB900935, the autoupdate service cannot obtain proxy settings from the user specific proxy settings in IE. Therefore I can configure proxycfg or use wpad entries. I will test and update the list.

Cheers

M@





matheesha -> RE: WIndows Update from ISA server fails (13.Mar.2007 5:12:40 PM)

I used proxycfg to set the ISA server to use itself as a proxy client. But I am now getting failed connection attempts to the MS update servers using the SSL-tunnel protocol. The service is showing up in logs as proxy and matches the system rule for http/https to system allowed sites.

I dont understand why it matches the system rule. As it is a proxy client and the service in use is proxy, shouldnt it match the firewall rules for internal clients accessing the web?

The weird thing is it works if I use IE. I cant understand why proxycfg is not able to fix this.




alex3299 -> RE: WIndows Update from ISA server fails (6.Apr.2007 1:28:52 PM)

If you use an allow rule to HTTP/HTTPS from ISA and a deny rule to all other websites it works...




ashish -> RE: WIndows Update from ISA server fails (28.Mar.2008 6:37:13 AM)

Hi fellows,

I have a similar setup as "matheesha" and I have the same problems.

I gave done what "spouseele" and "elmajdal" have advised but I still cannot get the ISA2006 server to windows update or macfee update.

The only way to update the server is when I disable the firewall for a while for a while.

Any Ideas???

Ashish




Page: [1]