"Failed Connection Attempt" for MSBITS client - Windows Update
"Failed Connection Attempt" for MSBITS client... - 2.Oct.2008 1:47:14 PM   
Hapexamendios

 

Posts: 7
Joined: 2.Oct.2008
Status: offline
Hi all,

My first post on this forum; though it has helped me a great deal in the past :)

Here's my problem:

Recently, I've noticed that, when attempting to perform Windows or Microsoft Update through our ISA 2006 Std server, some (but not all) of the updates are failing. I have a Firewall rule which is designed to allow anonymous access to all the Windows Update sites as highlighted in

http://support.microsoft.com/kb/885819/en-us

I ran a live logging session on ISA against a "problem" client, and saw some interesting results - a large amount of "Failed Connection Attempt" entries, like this:





Failed Connection Attempt
<ISA Server name> 02/10/2008 18:10:43

Log type: Web Proxy (Forward)

Status: 12158

Rule: MS Updates

Source: Internal (<client's IP address>)

Destination: External (<upstream content-filtering server:80>)

Request: GET http://www.download.windowsupdate.com/msdownload/update/software/uprl/2008/07/windowsxp-kb951072-v2-x86-enu_416780abe6a655cc4be4dfc720dd17c4fad0011f.psf

Filter information: Req ID: 16440723 , Range=22016-25441;25600-29027

Protocol: http

User: anonymous



Additional information

Client agent: Microsoft BITS/6.7
Object source: Upstream (Object was returned from an upstream proxy cache.)
Cache info: 0x8800040 (Request includes the RANGE header. Response includes the LAST-MODIFIED header. Response includes the VIA header.)
Processing time: 31 ms
MIME type: -

    I'm struggling to find a relevant common denominator; and I'm unsure I have, but it seems that these "Failed Connection Attempt" have this in common:
    • they originate from the MSBITS/6.6 or MSBITS/6.7 client on the machine instead of the Windows Update Agent or the browser
    • they are all attempts to download ".psf" files

    Having checked further, there are entries for successful connections by MSBITS/x, but only when ".exe" files are the target as selected by the Windows Update site.

    The last piece of obviously relevant information is that ISA connects through a content-filtering server - MIMESweeper for Web by Clearswift, which is the "<content-filtering server>" above. It's been checked over, and if I use it as the proxy instead of the ISA server, there's not a single hitch.

    Can anyone there assist with a method of troubleshooting this? I've been through everything from the Networks, System Firewall policy and my own firewall rules - however as it's the "MS Updates" rule I created being registered as the blocking rule, surely it's somewhere there...?

    Much appreciated...

    < Message edited by Hapexamendios -- 3.Oct.2008 8:06:01 AM >
    Post #: 1
    RE: "Failed Connection Attempt" for MSBITS cl... - 2.Oct.2008 3:16:25 PM   
    hsdhilon

     

    Posts: 9
    Joined: 17.Dec.2007
    Status: offline
    Did you add all the sites below to the Windows Update URL set as documented in KB885819? The policy to fetch the updates from Windows Update is part of System Policy.

    http://download.windowsupdate.com
    https://*.windowsupdate.microsoft.com
    http://*.windowsupdate.microsoft.com
    http://*.update.microsoft.com
    http://*.download.windowsupdate.com
    http://update.microsoft.com
    http://*.windowsupdate.com
    http://download.microsoft.com
    http://windowsupdate.microsoft.com
    http://ntservicepack.microsoft.com
    http://wustat.windows.com
    https://*.update.microsoft.com
    https://update.microsoft.com

    (in reply to Hapexamendios)
    Post #: 2
    RE: "Failed Connection Attempt" for MSBITS cl... - 3.Oct.2008 5:13:50 AM   
    Hapexamendios

     

    Posts: 7
    Joined: 2.Oct.2008
    Status: offline
    Thanks for the reply,  hsdhilon

    Yes; though I don't see a System firewall rule for that in ISA 2006. Mine is a custom rule, created as outlined in kb885819 (in the "More Information" section), though I'm disturbed by the fact that ISA 2006 isn't mentioned in the article. It contains all those sites in a URL set, it allows "All protocols" and "All content types".

    Also, my issue isn't identical to the kb article Scenarios - the issue for me arises at the "Downloading updates" phase, having successfully scanned for, selected and clicked to "Install Updates". The downloads all fail, and I see "0x80244019" in the update history for the client.

    I am thinking it's these .psf extensions, which I think are for the Packager for Windows handler (can't remember the handler's name, no time to look it up!)
    Since my rule doesn't discriminate by content type, I can't understand why this would be the case, but it seems so.

    Any more ideas - or anyone else have any advice as to how to troubleshoot this issue further?

    Thanks...

    (in reply to hsdhilon)
    Post #: 3
    RE: "Failed Connection Attempt" for MSBITS cl... - 3.Oct.2008 5:13:51 AM   
    Hapexamendios

     

    Posts: 7
    Joined: 2.Oct.2008
    Status: offline
    <Removed spurious double post - another "feature" of our ISA server...>

    < Message edited by Hapexamendios -- 3.Oct.2008 8:07:49 AM >

    (in reply to hsdhilon)
    Post #: 4
    RE: "Failed Connection Attempt" for MSBITS cl... - 8.Oct.2008 9:43:07 AM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    Did you configure these sites for Direct Access in the Web Proxy settings on the firewall?

    Thanks!
    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to Hapexamendios)
    Post #: 5
    RE: "Failed Connection Attempt" for MSBITS cl... - 8.Oct.2008 11:19:45 AM   
    Hapexamendios

     

    Posts: 7
    Joined: 2.Oct.2008
    Status: offline
    Hi Tom,

    I'm not sure what you mean there; however it sounds close to one of the tests I performed: I edited the "Internal" network's properties, and on the "Web Browser" tab, I set the domains cited in kb885819 in the Direct Access field there.

    However, we don't use the automatic configuration script to set browser settings; we use Group Policy, with a GPO attached to each AD site.

    I've just tested it again; I have the Firewall Client running on my machine, so clicking the "Configure Now" button on the Web Browser tab sets IE to use the auto-configuration script

    http://<proxyserver>:8080/array.dll?Get.Routing.Script

    Sadly, this still fails.

    How would I check that all the pre-requisites for using the method above have been met? For example, if the auto-config script is needed, how to check that the script exists and is configured correctly; does the type of network template involved have an impact (this box is uni-homed).

    Thanks for taking the time to reply, Tom,

    (in reply to tshinder)
    Post #: 6
    RE: "Failed Connection Attempt" for MSBITS cl... - 8.Oct.2008 11:19:46 AM   
    Hapexamendios

     

    Posts: 7
    Joined: 2.Oct.2008
    Status: offline
    <Removing another double-post...>

    <Annoyingly, my superior insists that this "feature" of double and triple posting is caused by the site - i.e. he's blaming your site in this case; however, I'm sure it's another sign of complete mis-configuration of the proxy I'm trying to fix, which I built, copying from his original build verbatim>

    <FRUSTRATION!!!>

    < Message edited by Hapexamendios -- 8.Oct.2008 11:23:24 AM >

    (in reply to tshinder)
    Post #: 7
    RE: "Failed Connection Attempt" for MSBITS cl... - 9.Oct.2008 9:06:15 AM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    Hi Hap,

    I think you mentioned that there was a device that was handling traffic in addition to the ISA firewall, is that right? Is that device behind of, along side, or in front of the firewall?

    Thanks!
    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to Hapexamendios)
    Post #: 8
    RE: "Failed Connection Attempt" for MSBITS cl... - 13.Oct.2008 5:05:43 AM   
    Hapexamendios

     

    Posts: 7
    Joined: 2.Oct.2008
    Status: offline
    Hi Tom, all,

    Yes, we have a server running Clearswift's MIMESweeper for Web.

    This is the Internet-facing device, with ISA connecting through it to the web.

    Its purpose is really content-filtering. Haven't found anything on their forums indicating a known issue or mis-configuration.

    I've confirmed it's not that - at least, I can browse the web directly through it with no issues (using it as my browser's proxy), so none of its "scenarios" are directly responsible for stopping the traffic.
    It could still be that the issue is for ISA downloading certain content types through it, although that doesn't really make sense if I can browse through it.

    Still stumped...:)

    (in reply to tshinder)
    Post #: 9
    RE: "Failed Connection Attempt" for MSBITS cl... - 13.Oct.2008 5:05:43 AM   
    Hapexamendios

     

    Posts: 7
    Joined: 2.Oct.2008
    Status: offline
    <darn thing...>

    (in reply to tshinder)
    Post #: 10
    RE: "Failed Connection Attempt" for MSBITS cl... - 13.Oct.2008 9:14:43 AM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    Hi Hap,

    The true test is not to bypass the ISA firewall, but to bypass the device in front of the ISA firewall. It could be that the device in front of the firewall is returning non-RFC responses, and so the ISA firewall is dropping the connections.

    Check out http://blogs.isaserver.org/shinder/2008/10/11/its-not-the-isa-firewalls-fault-example-9998937/

    HTH,
    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to Hapexamendios)
    Post #: 11
    RE: "Failed Connection Attempt" for MSBITS cl... - 7.May2009 8:33:50 AM   
    DanM

     

    Posts: 17
    Joined: 23.Oct.2008
    Status: offline
    Has anyone else experienced or found a solution to this problem? I have encountered much the same issue.

    Windows update works fine via our firewalls but for MSBITS clients via the ISA servers it fails

    All of the anon access sites have been added (the fact I have to make exceptions to an authenticated internet policy for the sake of MS is annoying but a separate matter).

    MSBITS now downloads .cab's and .exe's but always fails on .psf files

    Recently, in order to get updates onto the ISA servers themselves I had to stop the ISA services at which point the .psf files downloaded successfully.

    Any thoughts??

    many thanks,
    Dan

    (in reply to tshinder)
    Post #: 12
    RE: "Failed Connection Attempt" for MSBITS cl... - 7.May2009 8:35:56 AM   
    DanM

     

    Posts: 17
    Joined: 23.Oct.2008
    Status: offline
    hmm.... seems that as well as the download problem I also have the double-post issue!!

    (in reply to DanM)
    Post #: 14
    RE: "Failed Connection Attempt" for MSBITS cl... - 7.May2009 11:55:36 AM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    Are you wanting to enable BITS caching for sites other than MS Update?

    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to DanM)
    Post #: 15
    RE: "Failed Connection Attempt" for MSBITS cl... - 8.May2009 6:18:20 AM   
    DanM

     

    Posts: 17
    Joined: 23.Oct.2008
    Status: offline
    Hi Tom

    What I'm looking to achieve is for windowsupdate to succeed via the ISA rather than having to go directly out of our firewalls.
     
    If Windows update is initiated on a host behind ISA, the BITS download fails, ISA logs show the following:
     
    0.0.0.0   Microsoft BITS/7.0           Yes         Proxy                   
    download.windowsupdate.com               TCP        GET                        Internet               -              -                              -             
    Req ID: 0e28619b; Compression: client=No, server=No, compress rate=0% decompress rate=0%, Range=32768-32993;33221-33451;33684-33937;35956-36580;37210-37960;38732-39520;60693-63301;65953-68843            -              -              -               
    08/05/2009 08:12:54        0              563         1711       430         0x10802040         0x400                    08/05/2009 09:12:54       
    [x.x.x.x]               87.248.212.62     80           http       Failed Connection Attempt       
    [Enterprise] Allow Windowsupdate                       12158    anonymous        Internal                External
    http://download.windowsupdate.com/msdownload/update/software/secu/2008/07/windows6.0-kb938464-x64_dcf125e26831b3ee76418d0a6150c46527470e12.psf
     
     
    If the URL of the failed download is then copied & pasted from these logs into IE on the same host, it hits the same access rule but this time the download is successful:
     
     
    0.0.0.0   Mozilla/4.0         Yes         Proxy   
    download.windowsupdate.com               TCP        GET                        Internet               -              -                              -             
    Req ID: 0e29b2ea; Compression: client=No, server=No, compress rate=0% decompress rate=0%              -              -              -               
    08/05/2009 09:34:54        0              32187    22851310             591         0x10800000         0x400                    08/05/2009 10:34:54       
    [x.x.x.x]               87.248.208.53     80           http       Allowed Connection     
    [Enterprise] Allow Windowsupdate                       200 OK. anonymous        Internal                External
    http://download.windowsupdate.com/msdownload/update/software/secu/2008/07/windows6.0-kb938464-x64_dcf125e26831b3ee76418d0a6150c46527470e12.psf
     

    (some details removed for privacy)
     

    Any thoughts on why the first fails?

    Many thanks,
    Dan

    (in reply to tshinder)
    Post #: 16
    RE: "Failed Connection Attempt" for MSBITS cl... - 9.May2009 9:16:05 AM   
    tshinder

     

    Posts: 50013
    Joined: 10.Jan.2001
    From: Texas
    Status: offline
    Hi Dan,

    Configure the clients to use HTTP 1.1 through Web proxies.

    HTH,
    Tom

    _____________________________

    Thomas W Shinder, M.D.

    (in reply to DanM)
    Post #: 17
    RE: "Failed Connection Attempt" for MSBITS cl... - 20.May2009 6:10:30 AM   
    DanM

     

    Posts: 17
    Joined: 23.Oct.2008
    Status: offline
    that was already set in IE, tried turning it off but no change - not sure if this should be configured elsewhere to affect MSBITS?

    The only obvious difference I can see when comparing the logs is that the MSBITS filterinfo has stats for "range" which don't appear when the request is generated by IE - any significance there?



    (in reply to tshinder)
    Post #: 18
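
    The Range difference noted in the post above can be checked across a whole log export by grouping entries on client agent, file extension and the shape of the Range value. This is an added example, not part of any post in the thread; it assumes entries exported as blank-line-separated "Key: value" blocks like the detail view in post 1, and the sample entries, hosts and request IDs are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed entries modelled on the detail view in post 1; all values are placeholders.
SAMPLE_LOG = """\
Failed Connection Attempt
Request: GET http://download.example.test/update/a.psf
Filter information: Req ID: 0001 , Range=22016-25441;25600-29027
Client agent: Microsoft BITS/6.7

Allowed Connection
Request: GET http://download.example.test/update/a.psf
Filter information: Req ID: 0002
Client agent: Mozilla/4.0

Allowed Connection
Request: GET http://download.example.test/update/b.exe
Filter information: Req ID: 0003 , Range=0-65535
Client agent: Microsoft BITS/6.7

Failed Connection Attempt
Request: GET http://download.example.test/update/c.psf
Filter information: Req ID: 0004 , Range=32768-32993;33221-33451;33684-33937
Client agent: Microsoft BITS/7.0
"""

def parse_entries(text):
    """Turn blank-line separated 'Key: value' entries into comparable records."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        fields = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        m = re.search(r"Range=([\d;\-]+)", fields.get("Filter information", ""))
        path = urlparse(fields.get("Request", "").rpartition(" ")[2]).path
        entries.append({
            "action": lines[0],                                   # first line is the outcome
            "agent": fields.get("Client agent", "").split("/")[0],
            "ext": path.rsplit(".", 1)[-1].lower() if "." in path else "",
            "ranges": len(m.group(1).split(";")) if m else 0,     # byte ranges requested
        })
    return entries

def summarize(entries):
    """Count outcomes per (agent, extension, range shape) to expose the common factor."""
    table = Counter()
    for e in entries:
        kind = "none" if e["ranges"] == 0 else "single" if e["ranges"] == 1 else "multi"
        outcome = "failed" if e["action"].startswith("Failed") else "allowed"
        table[(e["agent"], e["ext"], kind, outcome)] += 1
    return table

if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)))
```

    If every failed row in a real export falls in the "multi" column regardless of extension, the multi-range request is the factor to test in isolation.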
    RE: "Failed Connection Attempt" for MSBITS cl... - 20.May2009 6:21:06 AM   
    DanM

     

    Posts: 17
    Joined: 23.Oct.2008
    Status: offline
    PS...

    anyone know how to fix this double-post issue?

    Only happens when I post via my ISA...

    (in reply to DanM)
    Post #: 20
