ISA blocks client Automatic Updates
|
Prev: SBS 2003 running WSUS disk space low
Next: Email senden
From: Dave Solly on 11 Nov 2009 18:20 I have just become aware that Automatic Updates (whether Windows or Microsoft) are no longer working on XP clients on our SBS2003 Premium network. Monitoring ISA 2004 shows that it initially allows HTTP access under the builtin "Microsoft Update Sites" rule, but then denies an HTTPS connection to another site (65.55.184.16 on one instance, but this seems to vary). I can't obtain a reverse DNS lookup on these sites (not sure why ?), so that means this URL-based rule (*.windowsupdate.com etc) wouldn't be expected to work. I guess this is a recent change to Windows Update ? I can't resolve it by creating an IP-based rule instead, since I don't know all the IP addresses MS might use here. SO, how do I get Automatic Updates going again ? This is very frustrating as I'm having to update all clients manually ! Any ideas appreciated. -- Dave Solly
From: SteveB on 11 Nov 2009 22:17 Have you checked out this kb? http://support.microsoft.com/kb/885819 You might also consider installing WSUS so you can centrally manage the MS updates for the XP clients. "Dave Solly" <DaveS(a)discussions.microsoft.com> wrote in message news:2AF1BC9F-91B0-48BE-8CBA-139525AFD701(a)microsoft.com... >I have just become aware that Automatic Updates (whether Windows or > Microsoft) are no longer working on XP clients on our SBS2003 Premium > network. Monitoring ISA 2004 shows that it initially allows HTTP access > under the builtin "Microsoft Update Sites" rule, but then denies an HTTPS > connection to another site (65.55.184.16 on one instance, but this seems > to > vary). I can't obtain a reverse DNS lookup on these sites (not sure why > ?), > so that means this URL-based rule (*.windowsupdate.com etc) wouldn't be > expected to work. I guess this is a recent change to Windows Update ? I > can't resolve it by creating an IP-based rule instead, since I don't know > all > the IP addresses MS might use here. SO, how do I get Automatic Updates > going > again ? This is very frustrating as I'm having to update all clients > manually ! > Any ideas appreciated. > -- > Dave Solly
From: Dave Solly on 12 Nov 2009 16:22 Thanks for the suggestion Steve. I've already added *.download.microsoft.com and *.windowsupdate.microsoft.com to the existing *.windowsupdate.com in theMicrosoft Update Sites rule and this made no difference. IE6 is at SP3 so should include the 871260 fix. WSUS is an option, though this seems rather overkill for a dozen clients. It would be good to understand what this HTTPS access is for - can't see why SSL is needed for windows update. -- Dave Solly "SteveB" wrote: > Have you checked out this kb? http://support.microsoft.com/kb/885819 > > You might also consider installing WSUS so you can centrally manage the MS > updates for the XP clients. > > "Dave Solly" <DaveS(a)discussions.microsoft.com> wrote in message > news:2AF1BC9F-91B0-48BE-8CBA-139525AFD701(a)microsoft.com... > >I have just become aware that Automatic Updates (whether Windows or > > Microsoft) are no longer working on XP clients on our SBS2003 Premium > > network. Monitoring ISA 2004 shows that it initially allows HTTP access > > under the builtin "Microsoft Update Sites" rule, but then denies an HTTPS > > connection to another site (65.55.184.16 on one instance, but this seems > > to > > vary). I can't obtain a reverse DNS lookup on these sites (not sure why > > ?), > > so that means this URL-based rule (*.windowsupdate.com etc) wouldn't be > > expected to work. I guess this is a recent change to Windows Update ? I > > can't resolve it by creating an IP-based rule instead, since I don't know > > all > > the IP addresses MS might use here. SO, how do I get Automatic Updates > > going > > again ? This is very frustrating as I'm having to update all clients > > manually ! > > Any ideas appreciated. > > -- > > Dave Solly > > > . >
From: SteveB on 12 Nov 2009 20:56 I find WSUS useful even with my smaller clients. I'd definitely use it with a dozen workstations involved. "Dave Solly" <DaveS(a)discussions.microsoft.com> wrote in message news:FD06CFEB-03C2-49A1-A62A-2C2E7FFCBDA4(a)microsoft.com... > Thanks for the suggestion Steve. > > I've already added *.download.microsoft.com and > *.windowsupdate.microsoft.com to the existing *.windowsupdate.com in > theMicrosoft Update Sites rule and this made no difference. IE6 is at SP3 > so > should include the 871260 fix. > WSUS is an option, though this seems rather overkill for a dozen clients. > It would be good to understand what this HTTPS access is for - can't see > why > SSL is needed for windows update. > -- > Dave Solly > > > "SteveB" wrote: > >> Have you checked out this kb? http://support.microsoft.com/kb/885819 >> >> You might also consider installing WSUS so you can centrally manage the >> MS >> updates for the XP clients. >> >> "Dave Solly" <DaveS(a)discussions.microsoft.com> wrote in message >> news:2AF1BC9F-91B0-48BE-8CBA-139525AFD701(a)microsoft.com... >> >I have just become aware that Automatic Updates (whether Windows or >> > Microsoft) are no longer working on XP clients on our SBS2003 Premium >> > network. Monitoring ISA 2004 shows that it initially allows HTTP >> > access >> > under the builtin "Microsoft Update Sites" rule, but then denies an >> > HTTPS >> > connection to another site (65.55.184.16 on one instance, but this >> > seems >> > to >> > vary). I can't obtain a reverse DNS lookup on these sites (not sure >> > why >> > ?), >> > so that means this URL-based rule (*.windowsupdate.com etc) wouldn't be >> > expected to work. I guess this is a recent change to Windows Update ? >> > I >> > can't resolve it by creating an IP-based rule instead, since I don't >> > know >> > all >> > the IP addresses MS might use here. SO, how do I get Automatic Updates >> > going >> > again ? This is very frustrating as I'm having to update all clients >> > manually ! >> > Any ideas appreciated. >> > -- >> > Dave Solly >> >> >> . >>
From: Dave Solly on 15 Nov 2009 15:56 Thanks Steve - I'll investigate WSUS (though I'd really rather just continue with automatic updates as before !) Have you any idea why MS found it necessary to introduce an SSL session in the update process anyway ? And with a variety of servers which break normal internet convention by having no reverse DNS altogether ? All seems a bit messy. Thanks anyway for your help -- Dave Solly "SteveB" wrote: > I find WSUS useful even with my smaller clients. I'd definitely use it with > a dozen workstations involved. > > "Dave Solly" <DaveS(a)discussions.microsoft.com> wrote in message > news:FD06CFEB-03C2-49A1-A62A-2C2E7FFCBDA4(a)microsoft.com... > > Thanks for the suggestion Steve. > > > > I've already added *.download.microsoft.com and > > *.windowsupdate.microsoft.com to the existing *.windowsupdate.com in > > theMicrosoft Update Sites rule and this made no difference. IE6 is at SP3 > > so > > should include the 871260 fix. > > WSUS is an option, though this seems rather overkill for a dozen clients. > > It would be good to understand what this HTTPS access is for - can't see > > why > > SSL is needed for windows update. > > -- > > Dave Solly > > > > > > "SteveB" wrote: > > > >> Have you checked out this kb? http://support.microsoft.com/kb/885819 > >> > >> You might also consider installing WSUS so you can centrally manage the > >> MS > >> updates for the XP clients. > >> > >> "Dave Solly" <DaveS(a)discussions.microsoft.com> wrote in message > >> news:2AF1BC9F-91B0-48BE-8CBA-139525AFD701(a)microsoft.com... > >> >I have just become aware that Automatic Updates (whether Windows or > >> > Microsoft) are no longer working on XP clients on our SBS2003 Premium > >> > network. Monitoring ISA 2004 shows that it initially allows HTTP > >> > access > >> > under the builtin "Microsoft Update Sites" rule, but then denies an > >> > HTTPS > >> > connection to another site (65.55.184.16 on one instance, but this > >> > seems > >> > to > >> > vary). I can't obtain a reverse DNS lookup on these sites (not sure > >> > why > >> > ?), > >> > so that means this URL-based rule (*.windowsupdate.com etc) wouldn't be > >> > expected to work. I guess this is a recent change to Windows Update ? > >> > I > >> > can't resolve it by creating an IP-based rule instead, since I don't > >> > know > >> > all > >> > the IP addresses MS might use here. SO, how do I get Automatic Updates > >> > going > >> > again ? This is very frustrating as I'm having to update all clients > >> > manually ! > >> > Any ideas appreciated. > >> > -- > >> > Dave Solly > >> > >> > >> . > >> > > > . >
|
Pages: 1 Prev: SBS 2003 running WSUS disk space low Next: Email senden |