• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Windows Update proxy rule

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Web Proxy] >> General >> Windows Update proxy rule Page: [1]
Login
Message << Older Topic   Newer Topic >>
Windows Update proxy rule - 22.Sep.2009 9:24:30 AM   
Doc Dish

 

Posts: 9
Joined: 15.Jun.2006
Status: offline
I have a tri-homed ISA server (2006 Standard) that has our corporate network connected to one interface, the border firewall on the second and a DMZ on the third.

I have been asked to allow client in the DMZ to have access to Microsoft Windows Update web sites, so they can be patched. I enabled the Web Proxy on the 'Perimeter' network (connected via the ISAs DMZ interface) and created a rule in the ISAs ruleset allowing the Perimeter network access to the pre-defined 'Microsoft Update Domain Name Set' via HTTP and HTTPS for 'All Users'.

I configured the client's browser settings to use the ISA server's perimeter network IP address as the proxy server (on port 8080) and attempted to access Windows Update, but got a 'page cannot be displayed message with the following technical information:


  • Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
  • IP Address: {IP of ISA on Perimeter network}
  • Date: 9/22/2009 11:13:32 AM [GMT]
  • Server: {Hostname of ISA server}
  • Source: proxy

Monitoring the traffic from the DMZ client to the perimeter, I see the rule I created allowing connections to windowsupdate.microsoft.com, but then the client attempts to connect to the perimeter IP address of the ISA server on port 8080, but via HTTP (not HTTP Proxy protocol) and appears to be performing a GET request for http://update.microsoft.com/windowsupdate/v6/default.aspx. This is denied by the Default rule.

Can anyone suggest what is occurring here? The ISA server itself can access the Windows Update site (through System Policy rules)

Many thanks, Doc.
Post #: 1
RE: Windows Update proxy rule - 22.Sep.2009 12:57:25 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Does it work if you define the destination as External (for testing purposes only)?



_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Doc Dish)
Post #: 2
RE: Windows Update proxy rule - 23.Sep.2009 3:39:34 AM   
Doc Dish

 

Posts: 9
Joined: 15.Jun.2006
Status: offline
The destination is the Microsoft Update Domain Name Set, whose IPs are not in any of our defined networks, so I guess they are in External by default(?)

Cheers, Doc.

(in reply to Jason Jones)
Post #: 3
RE: Windows Update proxy rule - 23.Sep.2009 3:46:23 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
No, you misunderstand - try changing the destination to 'External' and re-test...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Doc Dish)
Post #: 4
RE: Windows Update proxy rule - 23.Sep.2009 5:25:44 AM   
Doc Dish

 

Posts: 9
Joined: 15.Jun.2006
Status: offline
Sorry, being dense this morning!

That works just fine.

(in reply to Jason Jones)
Post #: 5
RE: Windows Update proxy rule - 23.Sep.2009 5:33:14 AM   
Doc Dish

 

Posts: 9
Joined: 15.Jun.2006
Status: offline
Argh! I obviously overdosed on stupid yesterday, too.

While the pre-defined "Microsoft Update Domain Name Set" contains "*.update.microsoft.com", it doesn't contain "update.microsoft.com" which was the host of the URL causing the bother.

I've added that host into the Domain Name Set and Windows Update is accessible (without allowing the clients access to every other website in the world).

Jason, many thanks for putting up with me and pointing me in the right direction!

Doc.

(in reply to Doc Dish)
Post #: 6
RE: Windows Update proxy rule - 23.Sep.2009 11:34:12 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Cool

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Doc Dish)
Post #: 7

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Web Proxy] >> General >> Windows Update proxy rule Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts