• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

RE: XP SP2 and Windows Update

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> RE: XP SP2 and Windows Update Page: <<   < prev  1 [2]
Login
Message << Older Topic   Newer Topic >>
RE: XP SP2 and Windows Update - 13.Sep.2004 9:42:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jason,

the best method to debug such issues is to take a NetMon trace at the ISA internal interface. Analyzing those traces and match them with the ISA logs should reveal what is the cause of your problems with Windows Update.

What happens if you create an all open protocol (all IP traffic, any request) and site&content (all destinations, any content, any request) rule?

According to my and Jim's testing it should work as long as no authenticated rules are used for the Windows Update sites.

HTH,
Stefaan

(in reply to bayowin)
Post #: 21
RE: XP SP2 and Windows Update - 13.Sep.2004 10:03:00 PM   
Jason

 

Posts: 49
Joined: 7.May2001
From: US
Status: offline
Stefaan,

Did your testing include a default gateway on the client? If I put the default gateway on a client that has the firewall client - it will run but without it - it will fail.

Jason

[ September 13, 2004, 10:20 PM: Message edited by: Jason ]

(in reply to bayowin)
Post #: 22
RE: XP SP2 and Windows Update - 14.Sep.2004 8:57:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jason,

oops... that doesn't sounds good! [Eek!]

If the Firewall client is working correctly, it doesn't matter at all for UDP/TCP based protocols if the client is also a SecureNAT. To understand why, reread my post on September 04, 2004 11:16 AM in this topic.

The Firewall client will not redirect a TCP/UDP request if:
- the destination is on the LAT on ISA.
- the destination is on the 'locallat.txt' file in the Firewall client directory on the client.
- the application is disabled in the Firewall client settings on ISA.

Could one of the above be true?

HTH,
Stefaan

(in reply to bayowin)
Post #: 23
RE: XP SP2 and Windows Update - 15.Sep.2004 10:39:00 PM   
Jason

 

Posts: 49
Joined: 7.May2001
From: US
Status: offline
Hey Stefaan,

Its definitely possible that its in one of those but I really dont see anything wrong. I presume the firewall client is working as thats all thats on these machines - the proxy info is not in IE, there is no default gateway, and the firewall client is installed. So I presume it has to be working correctly as this is really the only problem I have been seeing.

For the LAT on ISA I have these:
10.0.0.0 - 10.255.255.255, 169.254.0.0 - 169.254.255.255, 172.16.0.0 - 172.31.255.255, and my local subnet 192.168.0.0 - 192.168.0.255

LOCALLAT.TXT file is not present on my system.

I dont see anything related to Windows Update being disabled in the firewall client settings on ISA but not exactly sure on the executable name?

Jason

(in reply to bayowin)
Post #: 24
RE: XP SP2 and Windows Update - 15.Sep.2004 11:04:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jason,

the LAT on ISA should only contain your internal IP range; nothing more, nothing less! Assuming your internal network is 192.168.0.0/24 then the LAT should only contain the single entry '192.168.0.0 - 192.168.0.255'.

HTH,
Stefaan

(in reply to bayowin)
Post #: 25
RE: XP SP2 and Windows Update - 16.Sep.2004 5:13:00 PM   
Jason

 

Posts: 49
Joined: 7.May2001
From: US
Status: offline
Stefaan,

Will change it and see what happens.

Thanks again,
Jason

(in reply to bayowin)
Post #: 26
RE: XP SP2 and Windows Update - 16.Sep.2004 5:37:00 PM   
Jason

 

Posts: 49
Joined: 7.May2001
From: US
Status: offline
Still no go!

Jason

(in reply to bayowin)
Post #: 27
RE: XP SP2 and Windows Update - 16.Sep.2004 8:28:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jason,

OK, I suggest you do the following:
- go to http://www.isatools.org and download the script 'ISAInfo for ISA 2000'
- run it on your ISA server
- post here the URL where we can view the result

Hopefully we will find out what is going on.

HTH,
Stefaan

(in reply to bayowin)
Post #: 28
RE: XP SP2 and Windows Update - 18.Sep.2004 4:02:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

here is the latest update to this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;885819 .

HTH,
Stefaan

(in reply to bayowin)
Post #: 29
RE: XP SP2 and Windows Update - 22.Sep.2004 8:18:00 PM   
Jason

 

Posts: 49
Joined: 7.May2001
From: US
Status: offline
Hey Stefaan,

How bout I give you some directions to reproduce it? Microsoft called me today and I was able to get them to reproduce it and then a little bit later they called back and basically said that their work arounds will not fix it the way I have ISA deployed - which is just the firewall client with no default gateway and no web proxy info set.

To reproduce it - take away the default gateway, have the firewall client deployed, and have no proxy info set. Then for whatever reason, you have to reboot to see the error (MS guy would try it after taking out the default gateway but it would still work until the reboot). Once rebooted you should get the error on Windows Update.

On a worse note, they basically said to either deploy an SUS server or pass out the default gateway. They also said that they are not considering this high priority and thus a fix will not be coming for a long while. Gotta love that!

Anyways, since I could get them to reproduce it - I dont think its my config but if that is not reproducable on your end - let me know and I will get the config to you.

Jason

(in reply to bayowin)
Post #: 30
RE: XP SP2 and Windows Update - 23.Sep.2004 10:18:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jason,

hmm... I can't reproduce the problem at my end because the internal network is a routed one with the ISA server internal interface on a stub subnet (cfr http://www.isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html). So, each and every client must be a SecureNAT client too. [Big Grin]

Nevertheless, I made another test and saw something unexpected. In IE I disabled all proxy settings and rebooted the workstation. Then I started Ethereal (excellent network sniffer) and Windows Update. As expected, all IE requests are properly handled by the Firewall client. So far so good. However, at a certain point I saw the Web Proxy Autodiscovery procedure happening. Why?

After further analyzing, it seems that the Microsoft WU client v2.0 uses his own methods to discover a Web Proxy server. Because wpad is defined at my end, those requests were send to the Web Proxy service. I expected that the WU client would pick-up the proxy settings from IE but that's clearly not the case.

Therefore, it could well be that the Microsoft WU client v2.0 doesn't use the normal WinSock API. In that case I suspect that the Firewall client never see those requests and then the client must be a SecureNAT client too.

BTW --- why do you not configure all the clients as Web Proxy *and* Firewall clients?

HTH,
Stefaan

(in reply to bayowin)
Post #: 31
RE: XP SP2 and Windows Update - 23.Sep.2004 10:47:00 PM   
Jason

 

Posts: 49
Joined: 7.May2001
From: US
Status: offline
Stefaan,

Thanks for looking into it further - I believe what you are describing is essentially what is happening.

My problem with making the clients both web and firewall clients is teaching the users another thing to shut off when on the road. Its not a huge operation but one that would cause some problems for users until they got used to it.

Really it should work and since they have admitted that its a bug - they should fix it. They say they plan on it but no specific time frame and they dont consider it a high priority so it probably wont be very quick.

So I guess in my case - besides changing either the clients or installing a WUS server - it just wont work until they fix it. My main reason for posting was that everyone else seemed to be getting by with the workarounds but I never could but it looks like its the clients not the config of the server.

I was also told by them that ISA 2004 with only the firewall client installed and no other client installed it will work - which I find odd as they say the problem isnt with ISA but the windows update control - so im kind of wondering why 04 will work but 00 wont?

Anyways - I appreciate all the help - you da man!
J

(in reply to bayowin)
Post #: 32
RE: XP SP2 and Windows Update - 23.Sep.2004 11:56:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jason,

I work always with autodiscovery (wpad DNS method) for Firewall and Web Proxy client. In that case nothing should be changed or disabled when off-site.

quote:
I was also told by them that ISA 2004 with only the firewall client installed and no other client installed it will work.
Ha... crazy guys! [Razz]

HTH,
Stefaan

(in reply to bayowin)
Post #: 33
RE: XP SP2 and Windows Update - 24.Sep.2004 7:14:00 PM   
Jason

 

Posts: 49
Joined: 7.May2001
From: US
Status: offline
Stefaan,

Good point - I think thats the way Im going to have to go.

Thanks again for all the help! This site really is invaluable!

J

(in reply to bayowin)
Post #: 34
RE: XP SP2 and Windows Update - 24.Sep.2004 8:37:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jason,

thanks for the complements! [Smile]

Stefaan

(in reply to bayowin)
Post #: 35
RE: XP SP2 and Windows Update - 10.Aug.2005 4:39:00 AM   
remix1919

 

Posts: 1
Joined: 10.Aug.2005
Status: offline
Hi all, I have this problem with WU6
Is there is some other guys with same pb ? [Confused]

tks

remix1919

(in reply to bayowin)
Post #: 36
RE: XP SP2 and Windows Update - 15.Sep.2005 9:17:00 PM   
Herman_Swartz

 

Posts: 21
Joined: 10.Apr.2002
Status: offline
I am having same problems with Web Proxy authentication enabled and using browser proxy settings (Web Proxy Client).

Windows Update does slip around the proxy settings and tries to use port 80, which I intentionally block.

Windows Update is a Microsoft product, ISA server is a Microsoft product, IE is a Microsoft product. Yet they don't work together.

What am I missing?

Herman

(in reply to bayowin)
Post #: 37
RE: XP SP2 and Windows Update - 15.Sep.2005 9:56:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
They DO all work together if you write your rule as documented in this thread, namely anonymous.

(in reply to bayowin)
Post #: 38

Page:   <<   < prev  1 [2] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> RE: XP SP2 and Windows Update Page: <<   < prev  1 [2]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts