Hi. I have 2x ISA 2006 on 2003 R2; both are fully updated and live on different sides of the world.
Recently I noticed my WSUS is not able to synchronize with the Microsoft servers anymore. I checked the URL set as per KB http://support.microsoft.com/kb/885819 and have all of those URLs configured. The rule is simple: allow server X HTTP and HTTPS access to the WSUS URL set, for all users at any time.
When I change the "To" part in the rule and add "External" it works fine and I can synchronize my WSUS servers. I notice requests going out to a 207.46 address range are being denied, and these are the update servers at Microsoft.
This is obviously not ideal and any assistance in this regard will be appreciated. Thank you. Morne.
I have checked the log and the log states that rule 22 blocks the access but it does not tell me why. The rule granting access is rule 13. Surely this rule is checked before rule 22 and is supposed to allow the access?
Rule 13: Action: Allow; Protocols: HTTP, HTTPS; From: WSUS Server; To: WSUS Websites (URL Set) (should this maybe be a domain name set?); Users: All Users; Schedule: Always; Content: All content
Rule 22: Action: Allow; Protocols: HTTP, HTTPS; From: Internal; To: External; Users: Power Users (Research); Schedule: Always; Content: All content
Hi. The domain set does not work either. It is getting denied on the same rule. What is interesting is that when I remove the domain or URL set and just add "External" it works fine.
What has blocked me more times is the port number the site uses. Some sites specifically mention the port number. I resolved it by adding to the URL set with the url:portnumber notation, for instance https://*.microsoft.com:443
Nope, still getting denied on rule 22: from IP 10.20.0.4 to IP 65.55.13.88, denied on port 443. I have worked with ISA servers a long time and this is the first time I have come across a problem like this.
Hi. I have multiple external addresses, and there are multiple rules allowing access to other sites for other servers that work fine. It is just this one rule that has a problem when it is locked down to specific sites. I have two ISA servers and both have this issue, and they are on different networks on opposite sides of the globe. When I grant the rule access to External it works fine.
I don't understand why it is even getting to rule 22. Surely it should be using rule 13?
Rule 22 will probably not work as it requires user authentication...
Rule 13: Action: Allow; Protocols: HTTP, HTTPS; From: WSUS Server; To: WSUS Websites (URL Set) and WSUS domain set; Users: All Users; Schedule: Always; Content: All content
To enable access to the Windows Update servers, create an access rule allowing access for users to the Microsoft Update Domain Name Set. This rule should be placed high in the ordered list of firewall policy rules. In particular, it must precede Web access rules that require authentication, which may block some users from obtaining updates from Windows Update.
Are you using the "Microsoft Update Domain Name Set" in your rule?
The only reason that it goes to 22 is because it does not comply with rule 13 and it is an internal machine. Have you double-checked the IP address in the WSUS server? Checked the log (filter on client IP from the WSUS server) for where it is heading to and which protocol? Port number?
Hi. Try using the built-in Domain Name Sets "System Policy Allowed Sites" and "Microsoft Update Domain Name Set" in the To tab of your access rule instead of your domain set.
Hi Morne, with your rule it should be working fine. Please try to create the problem again and check your log file. Copy the log result where the problem occurs and paste the result into Microsoft Excel.
Navigate to the last column and check its URL. Then compare this URL with the Microsoft WSUS domain name set or your URL set. Also compare it with your successful rule when you apply it to External (not the WSUS URL set).
I hope you can find the difference. If possible, please post this log result on this forum.
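As an added illustration of the two points made in this thread (an ordered policy falls through to the next matching rule, and the logged URL must be compared against the URL set), here is a small Python model that is not from anyone in the thread or from ISA itself. The URL-set matching is a deliberate simplification of ISA's engine, and the URL-set entries, addresses and log lines are constructed samples.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit
# Simplified model of ISA URL-set matching (an assumption, not ISA's real engine): patterns
# are scheme://host[:port]/path with '*' wildcards, compared after the default port is made
# explicit, so the "url:portnumber" entries mentioned in the thread behave like plain ones.
def normalize(url):
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname}:{port}{p.path or '/'}"

def url_in_set(url, patterns):
    target = normalize(url)
    return any(fnmatch.fnmatchcase(target, normalize(pat)) for pat in patterns)

# Constructed policy mirroring the thread: rule 13 (WSUS server to a URL set, no authentication)
# ahead of rule 22 (Internal to External, authenticated users only). "to": None models "External".
WSUS_URL_SET = ["http://*.windowsupdate.microsoft.com/*", "https://*.update.microsoft.com/*"]
RULES = [
    {"order": 13, "from": [ipaddress.ip_network("10.20.0.4/32")], "to": WSUS_URL_SET, "auth": False},
    {"order": 22, "from": [ipaddress.ip_network("10.0.0.0/8")], "to": None, "auth": True},
]

def first_match(client_ip, url, rules=RULES):
    # Walk the ordered policy the way ISA does: the first rule whose From and To both fit wins.
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if any(ip in net for net in rule["from"]) and (
                rule["to"] is None or url_in_set(url, rule["to"])):
            return rule
    return None

def triage(log_lines, rules=RULES):
    # For each 'client_ip dest_ip protocol url' log line, report which rule caught it and why.
    report = []
    for line in log_lines:
        client, _dest, _proto, url = line.split()
        rule = first_match(client, url, rules)
        if rule is None:
            verdict = "no matching rule: default deny"
        elif rule["auth"]:
            verdict = f"fell through to rule {rule['order']}, which requires authentication: unauthenticated request denied"
        else:
            verdict = f"allowed by rule {rule['order']}"
        report.append((url, None if rule is None else rule["order"], verdict))
    return report

SAMPLE_LOG = [  # constructed: the first URL is in the set, the second is not
    "10.20.0.4 65.55.13.88 https https://www.update.microsoft.com/v9/client.asmx",
    "10.20.0.4 65.55.13.88 https https://stats.microsoft.com/report.asmx",
]
```

Running `triage(SAMPLE_LOG)` shows the second request skipping rule 13 and landing on rule 22, which is exactly the pattern to look for when comparing the log's URL column against the URL set.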