Welcome to ISAserver.org

How to allow MS update sites using Domain name sets

How to allow MS update sites using Domain name sets - 8.Dec.2009 5:20:44 AM   
bingyeo

 

Posts: 23
Joined: 4.Dec.2008
Status: offline
I would like to allow my servers to be able to access MS update websites.
They do not have access to external network right now.

I created an access rule on ISA 06 Edge Firewall with the following settings:

Protocol: http, https
Action: Allow
From: Servername
To: Microsoft Update Domain name set
Users: All users

This rule is placed right at the top of the firewall rules list.

When I try to run Windows update on IE using a server with static IP addressing, it does not work.
Under Monitoring, I see that the connection to the website is Initiated, then Denied and Closed.

The Denied log is as follows:
Denied Connection A
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: [Enterprise] Default rule
Source: Internal (10.10.10.10)
Destination: External (65.55.13.91:80)
Request: GET http://65.55.13.91/windowsupdate/v6/default.aspx
Filter information: Req ID: 08471fbb; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous

Any help would be greatly appreciated.
Post #: 1
RE: How to allow MS update sites using Domain name sets - 9.Dec.2009 2:43:54 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Make your servers web proxy clients or install Hostname Logger on ISA.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to bingyeo)
Post #: 2
RE: How to allow MS update sites using Domain name sets - 10.Dec.2009 11:12:47 PM   
bingyeo

 

Posts: 23
Joined: 4.Dec.2008
Status: offline
Hi

to configure a client server as a web proxy client, do I simply input the ISA internal IP as the proxy server address and port 8080 under LAN settings in IE connection options?
I am not too familiar with web proxy clients as I have been using SecureNAT all this while.
However, these proxy settings have been configured for my ISA firewall servers and they are able to access the WU websites.

I have also tried installing the Hostname Logger software on the ISA firewalls and CSS servers, and restarted the Firewall service. However, it does not seem to work either.
I still get denied by the Enterprise default rule, with either method.

Are there any other rules that I need to implement, apart from allowing the servers access to the domain name set?

(in reply to paulo.oliveira)
Post #: 3
RE: How to allow MS update sites using Domain name sets - 11.Dec.2009 1:01:20 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,
quote:

to configure a client server as a web proxy client, do I simply input the ISA internal IP as the proxy server address and port 8080 under LAN settings in IE connection options?

Yes.

How are your ISA NICs configured (IP, mask, GW and DNS)?

Regards,
Paulo Oliveira.

(in reply to bingyeo)
Post #: 4
RE: How to allow MS update sites using Domain name sets - 12.Dec.2009 5:12:11 AM   
bingyeo

 

Posts: 23
Joined: 4.Dec.2008
Status: offline
Hi

I have 2 ISA edge firewalls in the array, with 2 CSS servers.
The ISA firewalls are configured as follows:

Public facing NIC:
IP: ISP provided
Subnet mask: ISP provided
GW: ISP provided
DNS: none

Internal facing NIC:
VIP: 10.10.10.254
Subnet mask: 255.255.0.0
GW: none
DNS: IPs of caching only Internal DNS servers for internet DNS resolution

(in reply to paulo.oliveira)
Post #: 5
RE: How to allow MS update sites using Domain name sets - 12.Dec.2009 7:47:44 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

it seems fine.

Is ISA firewall your edge firewall?

Also, check this KB: http://support.microsoft.com/kb/885819

What is ISA logging telling you after installation of Hostname Logger?

Regards,
Paulo Oliveira.

(in reply to bingyeo)
Post #: 6
RE: How to allow MS update sites using Domain name sets - 15.Dec.2009 9:43:21 PM   
bingyeo

 

Posts: 23
Joined: 4.Dec.2008
Status: offline
Hi

Yes, my ISA is in an Edge Firewall array config.

I have checked the KB. Both scenarios do not apply as I do not even reach the scanning of the latest version of the WU software, let alone seeing the main site with Express/Custom Install options.

Here are the errors I get on IE when I try to run WU:

Without Proxy configured:
Technical Information (for support personnel)
Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 207.46.21.124
Date: 12/16/2009 2:24:51 AM [GMT]
Server: xxxxxxxxxxxxx
Source: proxy

With Proxy configured:
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 10.10.10.254
Date: 12/16/2009 2:32:53 AM [GMT]
Server: xxxxxxxxxxxxxx
Source: proxy

Initially I installed the Hostname Logger on both ISA firewalls only, and not on the CSS servers.
I received an alert:
Description: Web filter 'Hostname Logger' is not installed on this server. Install the filter and then restart the Firewall service.

After I installed them on the CSS servers as well, there weren't any more alerts.
All instances of installation of Hostname Logger ended with a pop-up saying that installation was successful. I then restarted the Firewall service.

I have checked the main firewall logs but am unable to find any 'Hostname logger' entry in them.

Where else may I find logs for the installation?

(in reply to paulo.oliveira)
Post #: 7
RE: How to allow MS update sites using Domain name sets - 16.Dec.2009 7:25:24 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,
quote:

Without Proxy configured:
Technical Information (for support personnel)
Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 207.46.21.124
Date: 12/16/2009 2:24:51 AM [GMT]
Server: xxxxxxxxxxxxx
Source: proxy

    With Proxy configured:
    Technical Information (for support personnel)
    Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
    IP Address: 10.10.10.254
    Date: 12/16/2009 2:32:53 AM [GMT]
    Server: xxxxxxxxxxxxxx
    Source: proxy

    Why are the IP addresses different? The error is clear, ISA is denying the URL. Check the KB I've posted for more WU websites and add them to your access rule.

    From which machine is the IP address 10.10.10.254? Is it internal?

    Regards,
    Paulo Oliveira.

    (in reply to bingyeo)
    Post #: 8
    RE: How to allow MS update sites using Domain name sets - 17.Dec.2009 9:28:16 PM   
    bingyeo

     

    Posts: 23
    Joined: 4.Dec.2008
    Status: offline
    Hi

    Sorry, I think I pasted the wrong error.
    Here they are again:

    Without Proxy settings on the server running WU:

    Technical Information (for support personnel)
    Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
    IP Address: 65.55.184.27
    Date: 12/18/2009 2:03:27 AM [GMT]
    Server: xxxxxxxxxxxxxx
    Source: proxy

    ISA logging:

    Denied Connection xxxxxxxx 12/18/2009 10:03:27 AM
    Log type: Web Proxy (Forward)
    Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
    Rule: [Enterprise] Default rule
    Source: Internal (10.10.9.51)
    Destination: External (65.55.184.27:80)
    Request: GET http://update.microsoft.com/windowsupdate/v6/default.aspx
    Filter information: Req ID: 0fdc0994; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: http
    User: anonymous


    65.55.184.27 is the IP for update.microsoft.com website.


    With Proxy settings on server running WU:

    Technical Information (for support personnel)
    Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
    IP Address: 10.10.10.254
    Date: 12/18/2009 2:17:54 AM [GMT]
    Server: APLISA01.aksaas.local
    Source: proxy

    ISA logging:

    Denied Connection xxxxxxxx 12/18/2009 10:03:27 AM
    Log type: Web Proxy (Forward)
    Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
    Rule: [Enterprise] Default rule
    Source: Internal (10.10.9.51)
    Destination: External (65.55.184.27:80)
    Request: GET http://update.microsoft.com/windowsupdate/v6/default.aspx
    Filter information: Req ID: 0fdc0998; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: http
    User: anonymous

    10.10.10.254 is the VIP for ISA array, which I have configured as the proxy server with port 8080 in the Proxy LAN settings for the server trying to run WU.
    This IP is also used for DG for SecureNAT.

    The access rule is using the default Microsoft Update Domain Name set.
    *.update.microsoft.com is included in this set.

    The config for this access rule is:
    Allow Http, Https from Internal network to Microsoft Update Domain Name set, Always for All Users.

    Cheers


    (in reply to paulo.oliveira)
    Post #: 9
    RE: How to allow MS update sites using Domain name sets - 18.Dec.2009 8:32:16 AM   
    paulo.oliveira

     

    Posts: 3472
    Joined: 3.Jan.2008
    From: Amazon, Brazil
    Status: offline
    Hi,

    It is clear that something is wrong with your access rules. Check the ISA logs to see if there are other Microsoft domains being denied...

    Regards,
    Paulo Oliveira.

    (in reply to bingyeo)
    Post #: 10
    RE: How to allow MS update sites using Domain name sets - 7.Jan.2010 5:07:32 AM   
    bingyeo

     

    Posts: 23
    Joined: 4.Dec.2008
    Status: offline
    Hi

    the strange thing is that I don't have any Deny rules apart from the Enterprise default rule and this rule is right at the top of the list.

    I have tried creating a custom Domain Name set with *.update.microsoft.com and *.windowsupdate.microsoft.com and trying to run WU site from the server but I still get the same 403 error on IE, and ISA monitoring shows that the Enterprise default rule is blocking.

    Does anyone else have any ideas?

    (in reply to paulo.oliveira)
    Post #: 11
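
Added example (not part of any post in this thread): a small Python triage of the two denied log entries quoted above. It extracts the requested host and checks it against the two domain-set patterns named in the thread. The wildcard rule used here (a leading `*.` covers subdomains only, not the bare domain) is an assumption rather than confirmed ISA behaviour, and the sample lines are trimmed copies of the thread's entries.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Patterns the thread names for the domain name set behind the allow rule.
DOMAIN_SET = ["*.update.microsoft.com", "*.windowsupdate.microsoft.com"]

# Constructed sample: the thread's two denied entries, trimmed to the fields used here.
SAMPLE_LOG = [
    "Status: 12202 Rule: [Enterprise] Default rule Source: Internal (10.10.10.10) "
    "Destination: External (65.55.13.91:80) "
    "Request: GET http://65.55.13.91/windowsupdate/v6/default.aspx Protocol: http",
    "Status: 12202 Rule: [Enterprise] Default rule Source: Internal (10.10.9.51) "
    "Destination: External (65.55.184.27:80) "
    "Request: GET http://update.microsoft.com/windowsupdate/v6/default.aspx Protocol: http",
]

ENTRY_RE = re.compile(
    r"Rule: (?P<rule>.+?) Source: \w+ \((?P<src>[^)]+)\) .*?Request: \w+ (?P<url>\S+)")

def matches(host, pattern):
    """ASSUMPTION: a leading '*.' covers subdomains only, never the bare domain."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]            # e.g. ".update.microsoft.com"
        return host.endswith(suffix) and host != suffix
    return host == pattern

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(line, domain_set=DOMAIN_SET):
    """Return rule, source, requested host and a verdict for one denied entry."""
    m = ENTRY_RE.search(line)
    if m is None:
        return None
    host = urlsplit(m["url"]).hostname or ""
    if is_ip_literal(host):
        verdict = "ip-literal"      # request names an address, not a host name
    elif any(matches(host, p) for p in domain_set):
        verdict = "covered"         # a pattern in the set covers this host
    else:
        verdict = "not-covered"     # no pattern covers this host as written
    return {"rule": m["rule"], "src": m["src"], "host": host, "verdict": verdict}

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```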
