• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Discussion about article on allowing the ISA firewall to use Windows Update

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Discussion about article on allowing the ISA firewall to use Windows Update Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
Discussion about article on allowing the ISA firewall t... - 5.Apr.2005 3:55:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on how to allow the ISA firewall to use Windows Update at http://isaserver.org/articles/2004su1345.html

Thanks!
Tom

[ April 05, 2005, 03:58 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on allowing the ISA firewa... - 29.Apr.2005 9:35:00 PM   
rogerroger

 

Posts: 22
Joined: 17.Dec.2004
From: Indianapolis
Status: offline
Ok Tom, thanks for this short update to get WSUS to work correctly. My question is I have done this and my ISA box still does not show up in the WSUS console (after a couple days). All other servers which get the group policy show up fine. Ideas for troubleshooting? Thanks.

(in reply to tshinder)
Post #: 2
RE: Discussion about article on allowing the ISA firewa... - 9.May2005 9:47:00 PM   
rogerroger

 

Posts: 22
Joined: 17.Dec.2004
From: Indianapolis
Status: offline
Anyone have an answer for me or is everyone's ISA magically updating itself? Thanks.

(in reply to tshinder)
Post #: 3
RE: Discussion about article on allowing the ISA firewa... - 10.May2005 4:57:00 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
The way i got mine working is, i use the proxy service on my isa server. Create a rule to allow local host external access to http,https.

(in reply to tshinder)
Post #: 4
RE: Discussion about article on allowing the ISA firewa... - 9.Jun.2005 10:49:00 AM   
bcools@jvh.nl

 

Posts: 13
Joined: 20.Mar.2002
From: Netherlands
Status: offline
I've installed the new WSUS from Microsoft on an internal webserver.
I've created a rule and set it as the first of the rules in the Firewall Policy.
The protocols HTTP,HTTPS,Kerberos-Sec(UDP) are defined in the rule.
Now i can't synchronize the WSUS-server with the internet'.
I've set the proxy in the WSUS-admin-tool, but still no updates.
If i look in the real-time-log i see the message:
443 SSL-tunnel Failed Connection Attempt
Anyone knows a solution? It would be gratefull!

(in reply to tshinder)
Post #: 5
RE: Discussion about article on allowing the ISA firewa... - 16.Sep.2005 5:25:00 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
Thanks...this worked here, except that we're not using port 80 for WSUS, we're using port 8530. I created a new "HTTP for WSUS" protocol definition by duplicating the built-in HTTP protocol definition, but substituting port 8530. Added that to the WSUS Access Rule as described in the article, and it worked.

Note that since WSUS needs port 80 to update the automatic updater, you need to leave HTTP & HTTPS in the Access Rule.

My suggestion is to update the article to discuss configuration using alternate ports for WSUS. That might answer some of the above posters' questions, too.

(in reply to tshinder)
Post #: 6
RE: Discussion about article on allowing the ISA firewa... - 19.Sep.2005 4:00:00 PM   
nifita

 

Posts: 4
Joined: 27.Jan.2004
Status: offline
Do you happen to have an article for doing this on ISA 2000? I have as yet been unable to download updates on WSUS and don't know if ISA is the culprit or not.
Thank you!

(in reply to tshinder)
Post #: 7
RE: Discussion about article on allowing the ISA firewa... - 19.Sep.2005 4:41:00 PM   
nifita

 

Posts: 4
Joined: 27.Jan.2004
Status: offline
Never mind, I finally found the culprit...it was related to BITS, not ISA. Thanks!

(in reply to tshinder)
Post #: 8
RE: Discussion about article on allowing the ISA firewa... - 26.Oct.2005 11:09:00 AM   
rich@richware.net

 

Posts: 2
Joined: 26.Oct.2005
From: Dallas, Oregon
Status: offline
I found your article related to a problem I'm having performing Windows Update Services. Applied WUS Access rule and I'm still not able to update. Config: Windows Server 2003/ISA 2004 Standard (SP1). Issue: Getting Error Number: 0x80072EE2 when Express or Custom are selected. Any suggestions?

(in reply to tshinder)
Post #: 9
RE: Discussion about article on allowing the ISA firewa... - 8.Nov.2005 8:00:00 PM   
hunter54304

 

Posts: 1
Joined: 8.Nov.2005
Status: offline
I'm having problems performing Windows Update Services. Applied WUS Access rule and I'm still not able to update. Config: Windows Server 2000/ISA 2004 Standard (SP1). Issue: Getting Error Number: 0x80072EE2 when Express or Custom are selected. Any suggestions?

(in reply to tshinder)
Post #: 10
RE: Discussion about article on allowing the ISA firewa... - 16.Dec.2005 3:51:39 AM   
shinepj

 

Posts: 5
Joined: 23.Mar.2002
Status: offline
I am having the difficulty in getting the updates for WSUS. The cosole shows dowloading 0.00 of 1234.65MB. But, nothing is downloading. The realitime logging shows Failed connection while it's trying to run GET command on http/https.

I can dowload the Automatic Update files from the microsoft sites.
The access policy is created as per http://www.isaserver.org/articles/2004su1345.html

Does anybody has fresh ideas?

Thanks

(in reply to hunter54304)
Post #: 11
Windows update and ISA 2004 sp2 - 22.Mar.2006 1:34:44 AM   
Sir Didymus

 

Posts: 2
Joined: 22.Mar.2006
Status: offline
As far as I can tell, installing ISA 2004 SP2 has changed the way that the 'anonymous' user is treated.  When following these instructions on an ISA 2004 sp1 server, this works fine, but with the sp2 servers, the POST, GET, and HEAD data types appear to fall through to the 'default rule' (i.e. deny traffic) when WSUS attempts to connect as anonymous.  Has anyone else run into this?  Is there a work-around for this?

(in reply to tshinder)
Post #: 12
RE: Windows update and ISA 2004 sp2 - 22.Mar.2006 2:39:30 AM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I have SP2 installed on my ISA2K4 and today tested my WSUS through it, no probs.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to Sir Didymus)
Post #: 13
RE: Windows update and ISA 2004 sp2 - 24.Mar.2006 1:16:50 AM   
Sir Didymus

 

Posts: 2
Joined: 22.Mar.2006
Status: offline
Yes, it appears you are right.

I've found the issue and it was not related to ISA nor this article.

For the sake of others trying to troubleshoot WSUS through ISA, the command 'wuauclt.exe /detectnow' will allow you to force an immediate update so you can watch your logs while it's updating.

Thanks.

< Message edited by Sir Didymus -- 24.Mar.2006 1:22:41 AM >

(in reply to LLigetfa)
Post #: 14
RE: Windows update and ISA 2004 sp2 - 16.Jun.2006 4:18:39 AM   
lbensky

 

Posts: 4
Joined: 29.Aug.2003
Status: offline
I was getting these errors as well and traced it to rule 26 on the system policies of ISA Server 2004.  It is the http rule for CRL's.  I enabled it and viola it started working like a champ.

(in reply to Sir Didymus)
Post #: 15
RE: Windows update and ISA 2004 sp2 - 10.Oct.2006 9:53:42 AM   
Janus

 

Posts: 1
Joined: 10.Oct.2006
Status: offline
to Sir Didymus
Please could you tell me how you solve a problem with 'anonymous' user in WSUS with ISA 2004 SP2.

Thanks

(in reply to Sir Didymus)
Post #: 16
RE: Windows update and ISA 2004 sp2 - 16.Oct.2006 11:50:55 AM   
kdibricida

 

Posts: 3
Joined: 20.Apr.2006
Status: offline
I have been working on this for a few weeks now and am getting nowhere.  I have created the access rule according to the article but continue to see the following error in the event logs on ISA.

Event Type: Error
Event Source: Windows Update Agent
Event Category: Software Sync
Event ID: 16
Date:  10/15/2006
Time:  11:42:47 AM
User:  N/A
Computer: ISA-1
Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

 
I an not sure if this is realated or not but when i try to access any websites on the internal network from the ISA browser i get
 
Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)

The server also has Surfcontrol Webfilter and Symantec Web security installed for external web browsing.

(in reply to Janus)
Post #: 17
RE: Windows update and ISA 2004 sp2 - 16.Nov.2006 5:18:31 PM   
heropsycho

 

Posts: 20
Joined: 3.Oct.2006
Status: offline
To get Windows Update to run, do the following:

Configure the ISA server to accept web proxy clients.

Next, configure IE to use the local host as a proxy server.  (127.0.0.1, port 8080 if this is set for default)

That should work!

< Message edited by heropsycho -- 16.Nov.2006 5:46:17 PM >

(in reply to kdibricida)
Post #: 18
WSUS error with isa 2004 sp3 - 21.Nov.2007 3:43:18 AM   
unmask_man

 

Posts: 24
Joined: 30.Aug.2004
From: Egypt
Status: offline

I got this error on the WSUS server The server is failing to download some updates.

Source: Windows Server Update Services
Category:Core
Type : error
Event id: 10032

before is it was working fine, i installed firewall client on this server and from that time i got this error

i created a rule to allow the wsus server to access windows updates site and allowed all protocols
but still got the error.

can anyone help ?

regards,
thanks

(in reply to heropsycho)
Post #: 19
RE: WSUS error with isa 2004 sp3 - 23.Jan.2009 1:59:37 AM   
mdac

 

Posts: 2
Joined: 23.Jan.2009
Status: offline
Hello, I think this will come in vain, but lets try...
I'm having really bad problem with ISA server 2004.
Apps & OS: ISA server 2004 Enterprise SP2, Windows 2003 Server R2 SP2

I run WSUS on separate server called s001, but as a precausion, i also implicated ISA server 2004 on server called s002.
WSUS only downloads the updates thru web proxy, no other contact. Updates distribution is based on secure identification by certificate, from s001.
Now GP is also configured to force clients to look for updates at https://s001.
No traffic thru proxy! Everything works fine on 1105 workstations and 15 other servers. BUT s002 with ISA on it is cursed.
WSUS config: SSL:443 for Website and Content+SelfUpdate normal HTTP:80
ISA config: rule and access configured, WSUS client tool says PASS on everything...
BUT
funny thing is that when i try to access from webbrowser this from any workstation or server, it works:
http://s001/Content/3D/ECCAAC25B009FFE40D6774CC4D30DE458030263D.exe
BUT
when you try from s002 where ISA is, it DOES NOT work, even it behaves strangely, because if you access it like this, over SSL encrypted port:
https://s001/Content/3D/ECCAAC25B009FFE40D6774CC4D30DE458030263D.exe,
it magically finds the update???
How can this be? The updates are to be requested over http protocol, not https...

I don't get it, but i would appreciate all the info...
Vladimir

(in reply to unmask_man)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Discussion about article on allowing the ISA firewall to use Windows Update Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts