Status: Solved

Allowing an ISA Server 2004 SP2 computer to use WSUS

Hello there,

I'm running a Windows Server 2003 network and I use ISA Server 2004 SP2 and WSUS.
The problem is that the ISA Server computer does not show up in WSUS (note: WSUS and ISA Server are installed on two different machines; WSUS is installed on port 8530). All other clients in the network show up normally and can download and install all updates; the issue is just with the ISA Server computer.
I have created an access rule in ISA Server to allow HTTP, HTTPS and Kerberos-Sec (UDP) from localhost to the WSUS computer for 'All Users', but still nothing. The result when running ClientDiag.exe on the ISA Server computer is the following:

Checking Connection to WSUS/SUS Server
                WUServer = http://SERVER:8530
                WUStatusServer = http://SERVER:8530
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS

VerifyWUServerURL() failed with hr=0x80072efd

A connection with the server could not be established

When I try to browse to the WSUS administration page (http://SERVER:8530/wsusadmin), I get a "Cannot find server or DNS error" in IE (note: IE on ISA Server computer is setup to use a web proxy, which is the ISA Server itself).

Any ideas?

Thanks in advance

Nick
Asked by: ntossiou
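The ClientDiag.exe output quoted in the question already carries two facts worth extracting before any firewall rule is touched: the HRESULT and the shape of the WUServer URL. The script below is an added example, not part of the question or of any Microsoft tool. It parses a constructed copy of that output, decodes the HRESULT (facility-7 HRESULTs wrap a Win32/WinINet error code in their low 16 bits), flags a single-label server name, and can optionally attempt a plain TCP connect to the WSUS port so that the client's web-proxy setting can be ruled in or out. The function names (`diagnose`, `decode_hresult`, `parse_clientdiag`, `wsus_endpoint`, `is_short_name`, `tcp_reachable`) are my own.

```python
"""Offline triage of a ClientDiag.exe result for a WSUS client (added example)."""
import re
import socket
from urllib.parse import urlsplit

# Constructed sample in the shape of the ClientDiag.exe output quoted in the question.
SAMPLE_CLIENTDIAG = """\
Checking Connection to WSUS/SUS Server
                WUServer = http://SERVER:8530
                WUStatusServer = http://SERVER:8530
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS

VerifyWUServerURL() failed with hr=0x80072efd

A connection with the server could not be established
"""

FACILITY_WIN32 = 7
# WinINet error codes that the Windows Update agent commonly reports as HRESULTs.
WININET_ERRORS = {
    12002: "ERROR_INTERNET_TIMEOUT",
    12007: "ERROR_INTERNET_NAME_NOT_RESOLVED",
    12029: "ERROR_INTERNET_CANNOT_CONNECT",
    12030: "ERROR_INTERNET_CONNECTION_ABORTED",
    12031: "ERROR_INTERNET_CONNECTION_RESET",
    12152: "ERROR_INTERNET_INVALID_SERVER_RESPONSE",
}


def decode_hresult(hr):
    """Return (win32_code, symbolic_name) for a facility-7 HRESULT such as 0x80072efd.

    Bits 16-26 hold the facility; FACILITY_WIN32 means the low 16 bits are a Win32
    error code, here a WinINet one.
    """
    if (hr >> 16) & 0x7FF != FACILITY_WIN32:
        return None, "not a Win32-facility HRESULT"
    code = hr & 0xFFFF
    return code, WININET_ERRORS.get(code, "Win32 error %d" % code)


def parse_clientdiag(text):
    """Pull the WUServer/WUStatusServer URLs and the failing HRESULT out of ClientDiag output."""
    info = {"WUServer": None, "WUStatusServer": None, "hr": None}
    for key in ("WUServer", "WUStatusServer"):
        m = re.search(r"^\s*%s\s*=\s*(\S+)" % key, text, re.MULTILINE)
        if m:
            info[key] = m.group(1)
    m = re.search(r"failed with hr=0x([0-9a-fA-F]{8})", text)
    if m:
        info["hr"] = int(m.group(1), 16)
    return info


def wsus_endpoint(url):
    """Split a WUServer URL into (host, port). Note that urlsplit lower-cases the host."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def is_short_name(host):
    """A single-label name relies on the client's DNS suffix search list or WINS;
    the FQDN or the IP address takes that dependency out of the picture."""
    return "." not in host and ":" not in host


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect to the WSUS port, deliberately ignoring any web-proxy setting,
    so 'cannot connect' can be told apart from 'proxy or firewall policy in the way'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(text, probe=False):
    """Summarise what the ClientDiag output says and, optionally, probe the server."""
    info = parse_clientdiag(text)
    host, port = wsus_endpoint(info["WUServer"])
    code, name = (None, None)
    findings = []
    if info["hr"] is not None:
        code, name = decode_hresult(info["hr"])
        findings.append("hr=0x%08x is %s (Win32 %s)" % (info["hr"], name, code))
    if info["WUServer"] != info["WUStatusServer"]:
        findings.append("WUServer and WUStatusServer differ; status reports may go elsewhere")
    if is_short_name(host):
        findings.append("'%s' is a single-label name; retry with the FQDN or IP address" % host)
    if probe:
        state = "succeeded" if tcp_reachable(host, port) else "failed"
        findings.append("TCP connect to %s:%d %s" % (host, port, state))
    return {"host": host, "port": port, "code": code, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(SAMPLE_CLIENTDIAG)["findings"]:
        print(line)
```

On the affected machine, `diagnose(open("clientdiag.txt").read(), probe=True)` pairs the decoded error with a direct connect attempt; a connect that succeeds while ClientDiag still fails points at the proxy configuration or firewall policy rather than at the WSUS server itself.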
1 Solution
 
Keith Alabaster (Enterprise Architect) commented:
Can you confirm that you have an allow rule FROM internal & local host TO internal & local host?

Open the ISA GUI, select Monitoring - Logging - Start Query.
Do the refresh on the WSUS server and see what appears in the ISA live log.
 
Toni Uranjek (Consultant/Trainer) commented:
First, I would check if IE on ISA is configured to bypass proxy for local addresses and try again.
 
ntossiou (Author) commented:
Keith_Alabaster,

I just modified the rule and added FROM internal TO internal & localhost.
Logging reports that connection was denied to destination IP (WSUS server IP) at port 8530 using FTP protocol (I was not aware that WSUS uses FTP???). I have modified the existing rule and included all outbound protocols from local host and internal network to local host and internal network, but still the same results on ISA logging.


toniur,

IE is configured to bypass proxy for local addresses.
 
Keith Alabaster (Enterprise Architect) commented:
No offence, but it's just a straight configuration issue.
It's a common enough misunderstanding: "all protocols" actually means all protocols that ISA has in its defined protocols list. It does not mean allow any protocol regardless of what it is.

As you have set WSUS on that particular port, that is what ISA will try to communicate with as well. Create an outbound protocol definition, and the rule you have will use it. Once it's operational you can change the rule to limit it to just the protocols you want to use.
 
ntossiou (Author) commented:
keith_alabaster,

No problem, I created an outbound protocol (HTTP for WSUS, outbound, TCP, port range 8530-8531, checked Web Proxy filter), but I still get the same error message in ISA logging (only now in protocol there is of course HTTP for WSUS).
By the way, it reported FTP previously because some time ago I was playing around with the FTP port range in ISA Server.
The problem still remains. Am I doing something wrong here?
 
ntossiou (Author) commented:
I also forgot to tell you that it is denied by the default rule (deny all network traffic). I have placed my access rule right above it to make sure it's picked up before any other rule, but still the same.
 
Keith Alabaster (Enterprise Architect) commented:
Well, it's not working, so yes, something is not right :)
If it is being denied by the default rule then, as far as the rules in the policy are concerned, they have not seen any traffic that meets their conditions, so it has dropped right the way through to the bottom.

Have a look at this link which relates to your error message - 0x80072efd
http://support.microsoft.com/kb/836941

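Two points in the exchange above can be checked directly from an ISA log export: Keith's remark that "all protocols" covers only the protocol definitions ISA knows about, and the author's report that the WSUS traffic is denied by the default rule. The script below is an added example, not code from the thread or from ISA Server. It models ISA's protocol identification with a hypothetical `classify_protocol` helper (transport plus port range against a list of definitions; anything unmatched is "Unidentified IP Traffic"), and runs a small triage over constructed rows laid out with logging-viewer column names (Client IP, Destination IP, Destination Port, Transport, Protocol, Action, Rule). The built-in definition list is abbreviated and the log rows are made up for the example.

```python
"""Triage of ISA Server 2004 firewall-log rows for WSUS traffic (added example)."""
import csv
import io
from collections import Counter

WSUS_PORTS = {8530, 8531}              # the non-default WSUS port pair used in the question
UNIDENTIFIED = "Unidentified IP Traffic"
DEFAULT_RULE = "Default rule"

# Protocol definitions as ISA consults them: a connection is named by transport + port range.
# Only a few built-ins are listed (assumption: enough to show the matching logic).
BUILTIN_DEFINITIONS = [
    {"name": "HTTP", "transport": "TCP", "low": 80, "high": 80},
    {"name": "HTTPS", "transport": "TCP", "low": 443, "high": 443},
    {"name": "Kerberos-Sec (UDP)", "transport": "UDP", "low": 88, "high": 88},
]
# The outbound definition the thread ends up creating: TCP 8530-8531.
WSUS_DEFINITION = {"name": "HTTP for WSUS", "transport": "TCP", "low": 8530, "high": 8531}

# Constructed rows in the shape of a logging-viewer export (column names as in the ISA
# viewer; the rows themselves are made up for this example).
SAMPLE_EXPORT = """\
Log Time,Client IP,Destination IP,Destination Port,Transport,Protocol,Action,Rule
2007-01-10 09:01:02,10.10.10.1,10.10.10.20,8530,TCP,Unidentified IP Traffic,Denied Connection,Default rule
2007-01-10 09:01:05,10.10.10.1,10.10.10.20,88,UDP,Kerberos-Sec (UDP),Initiated Connection,Allow WSUS from Local Host
2007-01-10 09:02:10,10.10.10.1,10.10.10.20,8530,TCP,HTTP for WSUS,Initiated Connection,Allow WSUS from Local Host
2007-01-10 09:03:00,10.10.10.15,10.10.10.20,8530,TCP,HTTP for WSUS,Denied Connection,Default rule
"""


def classify_protocol(transport, port, definitions):
    """Name a connection the way ISA does: the first definition whose transport and port
    range match, otherwise Unidentified IP Traffic. A rule for 'all outbound traffic'
    covers only the named definitions, so unidentified traffic falls to the default rule."""
    for d in definitions:
        if d["transport"] == transport and d["low"] <= port <= d["high"]:
            return d["name"]
    return UNIDENTIFIED


def parse_export(text):
    """Read the CSV export into dicts, converting the port to an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Destination Port"] = int(row["Destination Port"])
    return rows


def explain_denial(row):
    """One remediation hint per denied row, keyed on what ISA itself recorded."""
    if row["Protocol"] == UNIDENTIFIED and row["Rule"] == DEFAULT_RULE:
        return ("no protocol definition covers %s/%d: create an outbound definition for it "
                "and add it to the allow rule" % (row["Transport"], row["Destination Port"]))
    if row["Rule"] == DEFAULT_RULE:
        return ("protocol is defined but no rule matched its source, destination or user: "
                "check the Local Host vs Internal network elements and the rule order")
    return "explicitly denied by rule %r" % row["Rule"]


def triage(rows):
    """Summarise denied connections to the WSUS ports, grouped by client."""
    denied = [r for r in rows
              if r["Destination Port"] in WSUS_PORTS and r["Action"] == "Denied Connection"]
    return {
        "wsus_denied": len(denied),
        "by_client": dict(Counter(r["Client IP"] for r in denied)),
        "findings": ["%s -> %s:%d (%s): %s" % (r["Client IP"], r["Destination IP"],
                                                r["Destination Port"], r["Protocol"],
                                                explain_denial(r))
                     for r in denied],
    }


if __name__ == "__main__":
    print("TCP/8530, built-ins only:", classify_protocol("TCP", 8530, BUILTIN_DEFINITIONS))
    print("TCP/8530, with WSUS definition:",
          classify_protocol("TCP", 8530, BUILTIN_DEFINITIONS + [WSUS_DEFINITION]))
    for finding in triage(parse_export(SAMPLE_EXPORT))["findings"]:
        print(finding)
```

The two denial branches in `explain_denial` correspond to the two stages the thread goes through: first the traffic is unidentified (no definition for TCP 8530), and after the definition exists a denial by the default rule means the rule's network elements or ordering, not the protocol, are what does not match.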
 
ntossiou (Author) commented:
I'm wondering whether this has something to do with IIS permissions on the machine where WSUS is installed...
 
Keith Alabaster (Enterprise Architect) commented:
Just as a matter of interest, and I may have to eat humble pie, in the ISA proxy settings select the advanced tab. Look in the exceptions.

If you are using, for example, the 10.10.10.0 subnet internally, put 10.* in the exceptions box and retry.
 
Keith Alabaster (Enterprise Architect) commented:
If it was permissions, it would affect all of the machines. The failure is that a response was not received, not that it was denied.
 
ntossiou (Author) commented:
Here's something interesting:
I've included subnet 10.* in the exceptions of IE. I was able to access the WSUS administration page by using the WSUS server's IP address AS WELL as its FQDN. But it will NOT work with just the server name.
Then I removed the exception from the IE advanced settings; the behavior remained the same.
The funny thing is that now the ISA log reports that it allows http protocol at port 8530, but clientdiag.exe still fails.
 
Keith Alabaster (Enterprise Architect) commented:
When I installed my first wsus server I had a number of issues to start with. I worked on it for an hour then got fed up and went for a cigarette and a pizza. When I got back the ISA was showing up quite happily and had created a new section in the wsus server of Internet Security etc etc with my server listed.

I am not sure if it simply required a bit of time for the WSUS server to re-poll or whether the fairies got involved. I got rid of my wsus on my home labs purely because of the disk space and bandwidth it was generating so I can't test the clientdiag currently.

If you have set the registry key manually or through policy to tell the systems to get their updates from the wsus box now, does ISA get its updates?
 
ntossiou (Author) commented:
Last comment for today:
Now I can open the WSUS administration page on the ISA Server machine normally and in the ISA log I see the communication between the two servers (including Kerberos protocol and http), but when I run the clientdiag.exe, it reports that it is unidentified traffic and therefore denies access.
I will let it be for tonight and I'll see tomorrow; maybe the ISA Server machine will appear in WSUS.
Thank you for now.
 
Keith Alabaster (Enterprise Architect) commented:
Welcome :)
 
ntossiou (Author) commented:
It's been a while, but I'll give it another try...
The ISA Server still does not appear in WSUS, however, it receives and installs updates.
I have given up on making this work, but any new ideas or suggestions are welcome...

Best regards,

NT
 
Keith Alabaster (Enterprise Architect) commented:
The question then is whether it is picking up the updates from the WSUS server or directly from Windows Update?
 
ntossiou (Author) commented:
OK, here's what happened yesterday: after I approved the installation of ISA 2004 SP3 on WSUS and it was downloaded, the ISA server downloaded the update, installed it and after I restarted it, it appeared on WSUS, but it still does not report status. Without ISA 2004 SP3 it would not even appear in the WSUS console.
I haven't changed any firewall rules or anything, but it suddenly appeared in WSUS.
And of course this confirms that the ISA server is getting its updates through WSUS and not Windows Update (as configured in GP). If anyone has an idea how to make ISA report status, please let me know; otherwise I will consider this question closed after 2 days and the points will go to keith_alabaster for his effort.
 
Keith Alabaster (Enterprise Architect) commented:
Nice move - I am still testing SP3 myself, so I wasn't that comfortable recommending its deployment.