wsus sync w/ isa2004
wsus sync w/ isa2004 - 25.Sep.2005 10:51:00 PM   
canamcse

 

Posts: 28
Joined: 20.Dec.2002
Status: offline
Dear all,

There's a WSUS server in the inside network; it's the SecureNAT client of an ISA 2004 server on the edge. To better protect WSUS, I only want the WSUS server to sync with the Windows Update site.
I set the following rule:
operation as allow, source as WSUS server, destination as a special aggregation of domains, whose members are "*.update.microsoft.com" and so on (as the WSUS manual requires), protocol is HTTP & HTTPS.
But WSUS couldn't sync with Windows Update. Through the ISA log query (source is the WSUS server), there are many NetBIOS name-service broadcasts from the WSUS server that were denied by ISA, and a few closed HTTP connections by an outside host. If I
define the destination as outside, WSUS can sync well.

Is something wrong with the aggregation of domains? Do I need to enable
Kerberos-sec (UDP) besides HTTP & HTTPS, as some article said?

Thank you.
Frank
Post #: 1
RE: wsus sync w/ isa2004 - 26.Sep.2005 4:54:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Frank,

Allow the WSUS server anonymous access to the WSUS sites.

HTH,
Tom

(in reply to canamcse)
Post #: 2
RE: wsus sync w/ isa2004 - 26.Sep.2005 6:22:00 PM   
Jason Jones

 

Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
http://support.microsoft.com/default.aspx?scid=kb;en-us;885819

As Tom says, you need to allow anonymous access; this can be done by creating a rule which is configured for "All Users" and ensuring the "Ask all users for identification" option is disabled on the localhost listener.

JJ

(in reply to canamcse)
Post #: 3
RE: wsus sync w/ isa2004 - 27.Sep.2005 12:25:00 AM   
canamcse

 

Posts: 28
Joined: 20.Dec.2002
Status: offline
Thanks, Tom and JJ.
But what do you mean by anonymous logon, and how do I define it here? I define all users; is that right?

Thanks again.
Frank

(in reply to canamcse)
Post #: 4
RE: wsus sync w/ isa2004 - 27.Sep.2005 7:10:00 AM   
Jason Jones

 

Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Yes, all users = anonymous

(in reply to canamcse)
Post #: 5
RE: wsus sync w/ isa2004 - 27.Sep.2005 9:58:00 AM   
canamcse

 

Posts: 28
Joined: 20.Dec.2002
Status: offline
Thanks, JJ.

Everything seems all right: protocol as HTTP & HTTPS, source as the WSUS server inside, destination as a URL aggregation (I even tried a domain aggregation), such as "http://*.windowsupdate.com", users as all users. And I don't require all users' authentication in the web proxy configuration.

It couldn't work. Is something wrong? Or is there still something that needs to be configured?

Thank you very much.
Frank

(in reply to canamcse)
Post #: 6
RE: wsus sync w/ isa2004 - 27.Sep.2005 2:30:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Frank,

two conditions must be met:
1. allow anonymous access to the domain name set 'system policy allowed sites'.
2. make sure you have a working WPAD infrastructure.

If you try Windows Update as a SecureNAT client it won't work because at some point an SSL connection is set up. This request is obviously made by IP address. As a result, ISA must perform a reverse DNS lookup in order to match the request to a Domain Name or URL set. This will *not* succeed because no proper reverse DNS entries exist for the Windows Update sites.

Moreover, the Windows Update Agent makes use of the Windows Autoproxy Service and this has no relation whatsoever with the IE settings. The Windows Autoproxy Service uses WPAD to determine if a Web Proxy server should be used. If you don't have a proper WPAD infrastructure, check out http://support.microsoft.com/kb/900935/ how to configure a proxy server manually.

HTH,
Stefaan

(in reply to canamcse)
Post #: 7
RE: wsus sync w/ isa2004 - 27.Sep.2005 11:10:00 PM   
canamcse

 

Posts: 28
Joined: 20.Dec.2002
Status: offline
Thanks, Stefaan.

Does that mean that even if I satisfy the WPAD condition, the Windows Update site reverse lookup can't be finished, and the SSL connection can't be set up? I notice the WSUS computer has TIME-WAIT SSL connections.
And the result is, there is no way to protect the WSUS server by defining a URL or domain aggregation with ISA 2004, right?

Thank you.
Frank

(in reply to canamcse)
Post #: 8
RE: wsus sync w/ isa2004 - 28.Sep.2005 3:24:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Frank,

No! When you have a working WPAD infrastructure, the Windows Update Agent will determine that a proxy server must be used. Therefore, the agent will set up a connection to TCP port 8080 on the ISA internal interface (the Web Proxy listener). Then the agent will launch a 'CONNECT FQDN:443' HTTP method to the Web Proxy component. Therefore ISA will have access to the requested FQDN and no reverse DNS lookup must be done to check the domain name or URL set.

BTW --- you can see that yourself by taking a netmon trace on the ISA internal interface.

HTH,
Stefaan

(in reply to canamcse)
Post #: 9
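The difference Stefaan describes, as an added example that is not part of the thread: a Web Proxy client sends the FQDN inside the 'CONNECT host:443' request line, so the proxy can match it against a domain name set directly, whereas a SecureNAT client only exposes a destination IP, which has to be reverse-resolved before any name-based rule can match. The domain patterns and the PTR table are constructed for the example.

```python
import fnmatch
from typing import Optional

# Constructed domain name set, modelled on the "*.update.microsoft.com" entries in the thread.
ALLOWED_SITES = ["*.update.microsoft.com", "*.windowsupdate.com"]

# Constructed reverse-DNS table (TEST-NET addresses). The second address has no PTR record,
# which mirrors the thread's point that Windows Update hosts lack proper reverse entries.
PTR_TABLE = {"192.0.2.10": "download.windowsupdate.com", "198.51.100.5": None}


def host_from_connect(request_line: str) -> Optional[str]:
    """Extract the FQDN from a Web Proxy 'CONNECT host:port HTTP/1.x' request line."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.lower()


def in_domain_set(name: str, patterns=ALLOWED_SITES) -> bool:
    """Wildcard match of a hostname against the domain name set."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def decide_web_proxy(request_line: str) -> str:
    """Web Proxy client path: the FQDN is in the request, no reverse DNS is needed."""
    host = host_from_connect(request_line)
    if host is None:
        return "deny: not a CONNECT request"
    return "allow" if in_domain_set(host) else f"deny: {host} not in domain name set"


def decide_securenat(dst_ip: str, ptr_table=PTR_TABLE) -> str:
    """SecureNAT path: only the destination IP is visible, so the firewall must
    reverse-resolve it; without a PTR record the domain name set can never match."""
    name = ptr_table.get(dst_ip)
    if name is None:
        return f"deny: no reverse DNS entry for {dst_ip}, domain name set cannot match"
    return "allow" if in_domain_set(name) else f"deny: {name} not in domain name set"
```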
RE: wsus sync w/ isa2004 - 28.Sep.2005 3:35:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Frank,

Oops... I should have read the topic better! [Embarrassed]

This topic is not about the Windows Update Agent for clients but about a WSUS server that must connect to the Windows Update site. Right?

In that case, check out the document http://www.microsoft.com/downloads/details.aspx?FamilyId=3BA03939-A5A9-407B-A4B0-1290BA5182F8&displaylang=en step 3. That explains how to configure the WSUS server as a Web Proxy client. This is vital because ISA must be able to check a domain name or URL set. So, the fundamental configuration problem is the same as with the Windows Update Agent for clients. [Wink]

BTW --- I've not tested yet if the WSUS server could also use the WPAD infrastructure for automatically detecting the proxy server. However, I would not be surprised if it does work too.

HTH,
Stefaan

[ September 28, 2005, 03:58 PM: Message edited by: spouseele ]

(in reply to canamcse)
Post #: 10
RE: wsus sync w/ isa2004 - 28.Sep.2005 6:14:00 PM   
Jason Jones

 

Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Cheers Stefaan, some good insight...

(in reply to canamcse)
Post #: 11
RE: wsus sync w/ isa2004 - 29.Sep.2005 7:36:00 AM   
canamcse

 

Posts: 28
Joined: 20.Dec.2002
Status: offline
When I don't set a proxy server in wsus\option\sync option, the WSUS server is a SecureNAT client, and if I enable the WSUS server to access outside, not limited to the Windows Update site, it can work.
Now I set the proxy server as ISA 2004, and the port as 8080 (ISA default web proxy port). Using the ISA monitor during sync, many packets are denied; source is WSUS, dst is ISA, dst port 8080, reason unknown traffic?
Can't WSUS be a web proxy client? Or is there another settings problem?

Thanks, Stefaan.
Frank

(in reply to canamcse)
Post #: 12
RE: wsus sync w/ isa2004 - 29.Sep.2005 4:07:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Frank,

quote:
When I don't set a proxy server in wsus\option\sync option, the WSUS server is a SecureNAT client, and if I enable the WSUS server to access outside, not limited to the Windows Update site, it can work.
That's OK. If you allow any destination then no reverse DNS lookup must be done. [Wink]

quote:
Now I set the proxy server as ISA 2004, and the port as 8080 (ISA default web proxy port). Using the ISA monitor during sync, many packets are denied; source is WSUS, dst is ISA, dst port 8080, reason unknown traffic?
Can't WSUS be a web proxy client? Or is there another settings problem?

I suggest you first create the following three protocol definitions:
1. Web Proxy, TCP port 8080 outbound.
2. RWSP (TCP), TCP port 1745 outbound.
3. RWSP (UDP), UDP port 1745 send/receive.
This will get rid of the unknown traffic entries. RWSP is the Remote WinSock Protocol used by the Firewall client.

Is the 'Require all users to authenticate' Web Proxy setting configured for the Internal interface of your ISA 2004 server? You should never do that. Instead, ask for authentication on a per-rule basis. Also, take note that it is strongly advised to allow anonymous access to the Windows Update sites (domain name set System Policy Allowed Sites).

If it still doesn't work, please post an excerpt of the ISA logging.

HTH,
Stefaan

[ September 30, 2005, 01:32 PM: Message edited by: spouseele ]

(in reply to canamcse)
Post #: 13
RE: wsus sync w/ isa2004 - 3.Oct.2005 9:28:00 AM   
canamcse

 

Posts: 28
Joined: 20.Dec.2002
Status: offline
Thanks, Stefaan.
Unknown traffic is few; I'll stick to this question.

Frank

(in reply to canamcse)
Post #: 14
RE: wsus sync w/ isa2004 - 3.Oct.2005 2:28:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Frank,

I've tested it this weekend and I can assure you that WSUS has no problems whatsoever to connect through an ISA 2004. The only steps I needed to do were:
- configure WSUS as a Web Proxy client (menu option).
- allow HTTP/HTTPS to the domain name set System Policy Allowed Sites.

Please, post an excerpt of the ISA logging.

HTH,
Stefaan

(in reply to canamcse)
Post #: 15
