Welcome to ISAserver.org

V5.WindowsUpdate

V5.WindowsUpdate - 22.Aug.2004 6:33:00 AM   
DamonM

 

Posts: 9
Joined: 22.Aug.2004
Status: offline
My ISA caches V4.Updates but not V5.Updates
from windows update site.
Is there an easy cure for this?
Post #: 1
RE: V5.WindowsUpdate - 22.Aug.2004 11:28:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi DamonM,

Yesterday I experienced the same problem on an ISA server installed in integrated mode. Here is an excerpt of the Web Proxy log:

172.31.1.2, anonymous, Microsoft WU Client/2.0, N, 8/21/2004, 15:27:10, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, v5.windowsupdate.microsoft.com:443, -, Inet, 12209, 0x0, PR-SPECIAL, -
172.31.1.2, anonymous, Microsoft WU Client/2.0, N, 8/21/2004, 15:27:10, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, v5.windowsupdate.microsoft.com:443, -, Inet, 0, 0x0, PR-SPECIAL, -
172.31.1.2, INTRANET\, Microsoft WU Client/2.0, Y, 8/21/2004, 15:27:10, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, v5.windowsupdate.microsoft.com:443, -, Inet, 12202, 0x0, PR-SPECIAL, -
172.31.1.2, INTRANET\SP, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322), Y, 8/21/2004, 15:27:11, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, 64.4.21.188, 80, 188, 898, 6519, http, TCP, GET, http://v5.windowsupdate.microsoft.com/v5consumer/errorinformation.aspx?error=-2145107935&ln=en-us, text/html; charset=utf-8, Inet, 200, 0x40020001, PR-SPECIAL, SCR-USERS

There seems to be an authentication problem when the Microsoft WU Client/2.0 tries to connect. Turning off the user/group based membership in the site&content rule and applying the rule to any request or a client address set seems to solve the problem.

HTH,
Stefaan

(in reply to DamonM)
Post #: 2
RE: V5.WindowsUpdate - 26.Aug.2004 3:46:00 PM   
MJonkers

 

Posts: 63
Joined: 6.Jan.2004
Status: offline
Damn this works, is there already a MS patch available for this?

Thanks!

Marc

(in reply to DamonM)
Post #: 3
RE: V5.WindowsUpdate - 26.Aug.2004 8:33:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Marc,

I have a support case open at Microsoft. PSS, Jim Harrison and I are working very hard to get that problem solved.

According to Jim and my testing, there's a very real bug in the Windows Update controls and the only current workaround is to use source address limitations for this destination for now.

HTH,
Stefaan

(in reply to DamonM)
Post #: 4
RE: V5.WindowsUpdate - 27.Aug.2004 5:55:00 AM   
DamonM

 

Posts: 9
Joined: 22.Aug.2004
Status: offline
I figured out how to drop back to v4.windowsupdate.
If this may help anyone.
On the V5.windowsupdate site
http://v5.windowsupdate.microsoft.com
click on the Administrator Options link on the left pane.
Then click on the "Windows Update Catalog" link.
It will open a new window at the old V4.windowsupdate site.
http://v4.windowsupdate.microsoft.com/catalog/en/default.asp
Then click on the Windows Update link in the left pane.
Hope this helps someone out. It did me.

(in reply to DamonM)
Post #: 5
RE: V5.WindowsUpdate - 27.Aug.2004 12:00:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi DamonM,

thanks for that info! [Smile]

Stefaan

(in reply to DamonM)
Post #: 6
RE: V5.WindowsUpdate - 31.Aug.2004 5:08:00 PM   
Duality

 

Posts: 1
Joined: 31.Aug.2004
Status: offline
Has anyone heard any new information on this? After being unable to get updates from the v5 site (error: 0x80072EFD) behind our ISA server in the office I tried from home with the same laptop and was able to connect just fine. Now that I am back in the office my laptop gets the list of updates even though it is back behind the ISA server.

Could it be something that is being done the first time you try to get updates from the V5 site?

(in reply to DamonM)
Post #: 7
RE: V5.WindowsUpdate - 1.Sep.2004 8:44:00 PM   
Guest
"Turning off the user/group based membership in the site&content rule and applying the rule to any request or a client address set seems to solve the problem." Didn't work for me, and neither did updating my laptop at home first. I'm still unable to update my machines without doing the workaround.

I wonder if Microsoft is doing it on purpose because they are having so many problems with SP2??? [Wink]

(in reply to DamonM)
  Post #: 8
RE: V5.WindowsUpdate - 1.Sep.2004 10:37:00 PM   
shikwan

 

Posts: 15
Joined: 31.Oct.2002
From: PA USA
Status: offline
"Turning off the user/group based membership in the site&content rule and applying the rule to any request or a client address set seems to solve the problem."

This doesn't work for me as I always had the 'Site & Content' set to 'any request'.

I have Firewall clients and even if I stop the firewall service, I get the same results.

(in reply to DamonM)
Post #: 9
RE: V5.WindowsUpdate - 1.Sep.2004 11:21:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi shikwan,

as far as I know, that is the recommended workaround and it worked for me! [Cool]

Please, post an excerpt of the ISA logs of your Windows Update session.

HTH,
Stefaan

(in reply to DamonM)
Post #: 10
RE: V5.WindowsUpdate - 3.Sep.2004 1:30:00 AM   
Guest
This bug has been there for 10 days, and now there is a critical security update. As always, Microsoft cares soooo much for me...

(in reply to DamonM)
  Post #: 11
RE: V5.WindowsUpdate - 4.Sep.2004 6:55:00 AM   
Guest
Check out Knowledge base article 871260

specifically fixes issues with Windows Update v5 and IE

I think this is the fix !

Neil

(in reply to DamonM)
  Post #: 12
RE: V5.WindowsUpdate - 4.Sep.2004 11:50:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Neil,

Are you sure about that? I'm not!

I'm running XP SP2, so all the latest updates, and have the WindowsUpdate problem.

HTH,
Stefaan

(in reply to DamonM)
Post #: 13
RE: V5.WindowsUpdate - 5.Sep.2004 11:31:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

here is the latest update to this problem:
quote:
From: Jim Harrison [jim@isatools.org]
Sent: Saturday, 4 September 2004 23:54
To: [ISAserver.org Discussion List]
Subject: [isalist] Windows Update v5 issues and workaround

Importance: High

http://www.ISAserver.org

Hello everyone,

The core cause of this problem is still being worked out, but a clear workaround is available and it boils down to two things:
- Disable authentication for Windows Update requests.
- Disable "global authentication" for web proxy requests

Note: you may have heard that the "ReturnDeniedIfAuthenticated" registry setting explained in http://support.microsoft.com/?id=297324 is part of the problem. While applying this setting to ISA 2000 does help expose the WU authentication problems, it is not the cause. If you have applied this setting to your ISA 2000 Server, you did so with good reason to solve a specific problem. You should not remove this setting if you have applied it. By the same token, if you are not experiencing the problem outlined in this KB article, you don't need to and shouldn't apply it. The above article applies only to ISA 2000; you should not apply any ISA 2000 registry settings to ISA 2004 unless the relevant KB article explicitly instructs you to. Currently, none do.

Now let's get on with the workaround.
Per the WU team, there are four destinations that should be included for creating anonymous Windows Update access policies:

TABLE 1
Item FQDN
1 *.download.microsoft.com
2 *.windowsupdate.com
3 *.windowsupdate.microsoft.com
4 windowsupdate.microsoft.com

For ISA 2000
Disable "global" authentication for web proxy requests
1. Open the ISA Manglement MMC
2. Select View, then Advanced
3. Expand Servers and Arrays
4. R-click <ArrayName>, select Properties
5. Select Outgoing Web Requests
6. Uncheck Ask Unauthenticated users for identification
7. Click Apply
8. When prompted, select Save the changes and restart the service(s)
9. Click OK

Create a destination set for Windows Update domains
1. Expand <ArrayName> and PolicyElements
2. R-click Destination Sets, select New, then Set
3. Enter WindowsUpdate in the Name field, click Next
4. Click Add
5. Enter *.download.microsoft.com in the Domain field
6. Leave the Path field blank
7. Click OK
8. Repeat steps 4 through 7 for each remaining entry in Table 1
9. Click OK

Create an anonymous Site and Content rule for Windows Update requests
1. Expand Access Policy
2. R-click Site and Content Rules, select New, then Rule
3. Enter Windows Update in the Name field, click Next
4. Select Allow, click Next
5. Select Allow access based on destination, click Next
6. In the Apply this rule to: drop-down list, select Specified Destination Set
7. In the Name: drop-down list, select Windows Update
8. Click Next, then Finish

For ISA 2004
Disable "global" authentication for web proxy requests
1. Open the ISA Manglement MMC
2. Expand <ArrayName>, then Configuration
3. Select Networks
4. In the middle pane, select the Networks tab
5. R-click Internal and select Properties
6. Select the Web Proxy tab
7. Click Authentication
8. In the Authentication window, uncheck Require all users to authenticate, click OK
9. Click Apply, then OK
10. Repeat steps 5 through 9 for each network object where you allow Web Proxy requests

Create an anonymous Access Rule for Windows Update
1. In the left pane, R-click Firewall Policy and select New, then Access Rule
2. Enter Windows Update in the Name field, click Next
3. Select Allow, click Next
4. In the This rule applies to: drop-down list, select Selected Protocols
5. Click Add
6. In the Add Protocols dialog, expand Web
7. Select HTTP and click Add
8. Select HTTPS and click Add
9. Click Close, then Next
10. In the Access Rule Sources dialog, click Add
11. In the Add Network Entities dialog, expand Networks
12. Select Internal and click Add
13. For each network where you unchecked Require all users to authenticate, select that network object and click Add
14. Click Close, then Next
15. In the Access Rule Destinations window, click Add
16. In the Add Network Entities window menu bar, click New, then Domain Name Set
17. In the New Domain Name Set Policy Element window, enter Windows Update in the Name field
18. Click New
19. In the Domain names included in this set list, change the new entry to *.download.microsoft.com
20. Repeat steps 19 and 20 for each remaining entry in Table 1
21. Click OK
22. In the New Domain Name Set Policy Element window, select Windows Update, click Add, then Close
23. Click Next, Next, then Finish
24. In the top part of the middle pane, Apply and Discard buttons will appear; click Apply
25. When Apply New Configuration dialog reports "Changes to the configuration were successfully applied", click OK

Make the Windows Update rule the first rule
NOTE: If you prefer to list all of your deny rules first, then you can make the Windows Update rule the first rule following them
1. In the left pane, select Firewall Policy
2. If Windows Update is already the first rule in the list, stop here
3. In the middle pane, select Windows Update
4. In the right pane select the Tasks tab
5. Click Move the selected rule up until Windows Update is the first rule in the list
6. In the top part of the middle pane, Apply and Discard buttons should appear; click Apply
7. When Apply New Configuration dialog reports "Changes to the configuration were successfully applied", click OK

Look for a WU KB soon that details that side of the issue and cross-links to an ISA KB with these instructions.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!


HTH,
Stefaan

(in reply to DamonM)
Post #: 14
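
An added example, not part of the thread or of any poster's own tooling: a small audit over Web Proxy log lines that counts Windows Update traffic per agent, authentication flag and result code, and lists anonymous requests to hosts that the four Table 1 destinations do not cover. The field positions are inferred from the log excerpt in post #2, "*." is assumed to mean any subdomain, and the sample lines are constructed (two modelled on post #2, two invented with placeholder hosts).

```python
from collections import Counter

# Table 1 from the quoted workaround.
WU_DESTINATIONS = (
    "*.download.microsoft.com",
    "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
)

# Zero-based field positions, inferred from the 25-field lines in post #2.
F_CLIENT, F_AGENT, F_AUTH, F_HOST, F_PORT, F_RESULT = 0, 2, 3, 9, 11, 21

# Constructed sample log (example.com / example.net are placeholder hosts).
SAMPLE_LOG = r"""
172.31.1.2, anonymous, Microsoft WU Client/2.0, N, 8/21/2004, 15:27:10, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, v5.windowsupdate.microsoft.com:443, -, Inet, 12209, 0x0, PR-SPECIAL, -
172.31.1.2, INTRANET\, Microsoft WU Client/2.0, Y, 8/21/2004, 15:27:10, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, v5.windowsupdate.microsoft.com:443, -, Inet, 12202, 0x0, PR-SPECIAL, -
172.31.1.9, anonymous, ExampleAgent/1.0, N, 8/21/2004, 15:30:02, w3proxy, GWISA, -, www.example.com, 192.0.2.10, 80, 15, 200, 1024, http, TCP, GET, http://www.example.com/, text/html, Inet, 200, 0x0, -, -
172.31.1.9, anonymous, ExampleAgent/1.0, N, 8/21/2004, 15:30:05, w3proxy, GWISA, -, windowsupdate.com.example.net, 192.0.2.11, 80, 15, 200, 1024, http, TCP, GET, http://windowsupdate.com.example.net/, text/html, Inet, 200, 0x0, -, -
"""


def in_wu_set(host):
    """True if host is covered by a Table 1 entry ("*." = any subdomain)."""
    host = host.lower().rstrip(".")
    for pattern in WU_DESTINATIONS:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".windowsupdate.com"
            # Suffix match on a label boundary, so look-alike hosts fail.
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def audit(lines):
    """Return (Counter of (agent, auth flag, result code) for Table 1 hosts,
    list of anonymous requests to hosts outside Table 1)."""
    wu_counts, outside = Counter(), []
    for line in lines:
        f = line.strip().split(", ")
        if len(f) != 25:  # blank line or a layout this sketch does not handle
            continue
        if in_wu_set(f[F_HOST]):
            wu_counts[(f[F_AGENT], f[F_AUTH], f[F_RESULT])] += 1
        elif f[F_AUTH] == "N":
            outside.append((f[F_CLIENT], f[F_HOST], f[F_PORT], f[F_RESULT]))
    return wu_counts, outside


if __name__ == "__main__":
    counts, outside = audit(SAMPLE_LOG.splitlines())
    for key, n in counts.items():
        print(n, key)
    for row in outside:
        print("anonymous, outside Table 1:", row)
```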
RE: V5.WindowsUpdate - 7.Sep.2004 7:53:00 PM   
Guest
thanks...

(in reply to DamonM)
  Post #: 16
RE: V5.WindowsUpdate - 8.Sep.2004 4:06:00 PM   
vs1

 

Posts: 5
Joined: 6.Dec.2002
Status: offline
Is Microsoft (WU team) going to fix this problem, or are they going to rely on this work-around only?
We are using the SurfControl plug-in with ISA2000 Cache and I can't use the latter. "Ask unauthenticated users for identification" is an essential part of how SurfControl works.

(in reply to DamonM)
Post #: 17
RE: V5.WindowsUpdate - 8.Sep.2004 4:51:00 PM   
shikwan

 

Posts: 15
Joined: 31.Oct.2002
From: PA USA
Status: offline
MS has FINALLY posted a fix for this situation:

http://support.microsoft.com/default.aspx?scid=kb;en-us;842773&Product=winxp

Now we can get back to our normal routines....

(in reply to DamonM)
Post #: 18
RE: V5.WindowsUpdate - 8.Sep.2004 7:52:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi shikwan,

Are you sure about that? I'm not! [Wink]

I'm running XP SP2, so all the latest updates including the one you referred to, and have the WindowsUpdate problem.

HTH,
Stefaan

(in reply to DamonM)
Post #: 19
RE: V5.WindowsUpdate - 8.Sep.2004 7:54:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi mandzo,

I hope they will fix it! Unfortunately, with the current WU problems, those sites need to be anonymous for now.

HTH,
Stefaan

(in reply to DamonM)
Post #: 20
