Posts: 21
Joined: 15.Aug.2001
From: Chandler, AZ, US
Status: offline
Has anyone figured out how to allow the Adobe Updater (Adobe Reader -> Help -> Check for updates...) through ISA 2006? I did some searching on this, and apparently it's a known problem. ISA appears to be blocking it because it's trying to authenticate through the firewall as "anonymous", instead of the logged-in user. I tried creating an access rule that allows all internal subnets to the Adobe website, but it didn't seem to help.
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
It needs the Firewall Client to cover the Adobe product inability to authenticate correctly.
If the Adobe Updater has any place in it for "proxy settings" then they should be removed so that it operates as if there were no proxy. If it does not then you'll have to remove the proxy setting from IE to run the updater.
Posts: 21
Joined: 15.Aug.2001
From: Chandler, AZ, US
Status: offline
Thanks Phillip for the reply!
All of our machines do have the Firewall Client installed, and I noticed that there is a process called "Adobe_Updater.exe" that runs when you try to check for updates from within Adobe Reader. I actually created an exception for that in the FWC using the ISA console (Adobe_Updater, Disable, 1) but it didn't seem to help. Should I remove that?
From within Adobe Reader there is a place to specify Internet Settings. If you go to Edit > Preferences > Internet, there is a button labeled "Internet Settings", but all that does is launch the Internet Properties window from IE.
Is there some other tweak I can make to the FWC settings to allow this without having to manually remove the proxy settings from IE?
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
All of our machines do have the Firewall Client installed, and I noticed that there is a process called "Adobe_Updater.exe" that runs when you try to check for updates from within Adobe Reader. I actually created an exception for that in the FWC using the ISA console (Adobe_Updater, Disable, 1) but it didn't seem to help. Should I remove that?
Yes you have to remove that.
Is there some other tweak I can make to the FWC settings to allow this without having to manually remove the proxy settings from IE?
No. And the fault is Adobe's. Their products are a miserable mess when it comes to proxy servers. They force you to use the browser's proxy settings no matter what,...however thier products won't authenticate properly with a "web proxy". So you either have to remove the browser's proxy setting or create an anonymous Access Rule for the correct protocols to the server destinations that the Adobe products want to use.
Another product that was in the same mess is the Definition Updater within Ad-Aware anti-spyware product. I couldn't get that one to work no matter what I did.
You may have the same problem with some of their stuff when you try to activate the product. It may depend on the versions,...some of their newest versions of some products may have fixed some of the issues.
The latest Adobe Updater that you get with the latest Adobe Reader seems to work here with everything left as it should be,...and I do require authentication. But I would rather it didn't work because I don't want users automatically updating anything on their machine. The users are not local administrators so they are generally stopped from running any installations.
Posts: 21
Joined: 15.Aug.2001
From: Chandler, AZ, US
Status: offline
Thanks again, Phillip! I wish Adobe would get their act together! :)
Last question (hopefully)...
I created an Access Rule for Adobe Updater, but it doesn't seem to be working. It looks like this:
Action: Allow Protocols: All outbound traffic From: Internal & Local Host To: Adobe Updater URLs (http://crl.adobe.com/* & http://swupmf.adobe.com/*) Users: All Users Content Types: All
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Try using the IP# instead of Domain Name or URLs. Even if I used one of those it would only be the Domain Names, never the URL, and the Domain Name would be listed as *.adobe.com
I also noticed that all the Adobe stuff is working fine on my system without allowing anonymous Access, it used to act up, but doesn't seem to anymore. At least it works when I install the FlashPlayer in a browser and it downloads and invokes the Updater. So I don't know what the difference is between yours and mine, but I certainly have not done anything "special" to make it work.
Posts: 21
Joined: 15.Aug.2001
From: Chandler, AZ, US
Status: offline
I think we caught a break. Adobe just released the 9.2 version of Reader today, and now our users are actually receiving a proxy login prompt when they run Adobe Updater!
Posts: 21
Joined: 15.Aug.2001
From: Chandler, AZ, US
Status: offline
I think my problem is that I have my Internal network configured to "Require all users to authenticate". Unfortunately that's a requirement for us because we need to be able to track users through the proxy. Does anyone know of a way around this? In other words, is there a way to require authentication, but also specify web sites that do not require authentication?
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Force authentication at the individual Rule,...NOT globally.
I wish MS would have never inluded that ability with ISA because it misleads people to think that if you don't set that you will not be using authentication.
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: pwindell
Force authentication at the individual Rule,...NOT globally.
I wish MS would have never inluded that ability with ISA because it misleads people to think that if you don't set that you will not be using authentication.
Yeah, it should be only available via COM object...
Posts: 21
Joined: 15.Aug.2001
From: Chandler, AZ, US
Status: offline
Yeah, I figured that out. I actually have a test ISA machine that I tried the configuration on...worked like a charm. Now to make the changes to my production ISA servers...
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
However I don't see why it seems to be requiring anonymous access,...the Adobe updater communicates fine with ours and all our machines (that have Adobe products on them) require authentication to get to the Internet.
Of course it still fails in the end because the users are NOT local Administrators on their machines so it cannot update any of the Adobe products even if it can get to the Internet. So I have to log into the machines as an Administrator for it to update properly.
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Printable Version
All Forums >> [ISA 2006 Firewall] >> Access Policies >> Allow Adobe Updater thru ISA 
Allow Adobe Updater thru ISA - 
RE: Allow Adobe Updater thru ISA - 
New Messages
No New Messages
Hot Topic w/ New Messages
Hot Topic w/o New Messages
Locked w/ New Messages
Locked w/o New Messages
Post New Thread