Allowing an ISA Server 2004 SP2 computer to use WSUS

Posted on 2007-04-04
Last Modified: 2012-06-21
Hello there,

I'm running a Windows Server 2003 network and I use ISA Server 2004 SP2 and WSUS.
The problem is that the ISA Server computer does not show up in WSUS (note: WSUS and ISA Server are installed on two different machines, WSUS is installed on port 8530). All other clients in the network show up normally and can download and install all updates; the issue is just with the ISA Server computer.
I have created an access rule in ISA Server to allow HTTP, HTTPS and Kerberos-Sec (UDP) from localhost to the WSUS computer for 'All Users', but still nothing. The result when running ClientDiag.exe on the ISA Server computer is the following:

Checking Connection to WSUS/SUS Server
                WUServer = http://SERVER:8530
                WUStatusServer = http://SERVER:8530
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS

VerifyWUServerURL() failed with hr=0x80072efd

A connection with the server could not be established

When I try to browse to the WSUS administration page (http://SERVER:8530/wsusadmin), I get a "Cannot find server or DNS error" in IE (note: IE on the ISA Server computer is set up to use a web proxy, which is the ISA Server itself).

Any ideas?

Thanks in advance

Nick
Question by:ntossiou
20 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18852070
Can you confirm that you have an allow rule FROM internal & local host TO internal & local host?

Open the ISA GUI, select Monitoring - Logging - Start Query.
Do the refresh on the WSUS server and see what appears in the ISA live log.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18852094
First, I would check if IE on ISA is configured to bypass proxy for local addresses and try again.
0
 

Author Comment

by:ntossiou
ID: 18852192
Keith_Alabaster,

I just modified the rule and added FROM internal TO internal & localhost.
Logging reports that connection was denied to destination IP (WSUS server IP) at port 8530 using FTP protocol (I was not aware that WSUS uses FTP???). I have modified the existing rule and included all outbound protocols from local host and internal network to local host and internal network, but still the same results on ISA logging.


toniur,

IE is configured to bypass proxy for local addresses.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18852244
No offence, but it's just a straight configuration issue.
It's a common enough misunderstanding; all protocols actually means all protocols that ISA has in its defined protocols list. It does not mean allow any protocol regardless of what it is.

As you have set WSUS on that particular port then that is what ISA will try and communicate with as well. Create an outbound protocol definition, then the rule you have will use it. Once it's operational you can change the rule to limit to just the protocols you want to use.
0
 

Author Comment

by:ntossiou
ID: 18852288
keith_alabaster,

No problem, I created an outbound protocol (HTTP for WSUS, outbound, TCP, port range 8530-8531, checked Web Proxy filter), but I still get the same error message in ISA logging (only now in protocol there is of course HTTP for WSUS).
By the way, it reported FTP previously because some time ago I was playing around with the FTP port range in ISA Server.
The problem still remains. Am I doing something wrong here?
0
 

Author Comment

by:ntossiou
ID: 18852293
I also forgot to tell you that it is denied by the default rule (deny all network traffic). I have placed my access rule right above it to make sure it's picked up before any other rule, but still the same.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18852353
Well, it's not working so yes, something is not right :)
If it is being denied by the default rule then as far as the rules in the policy are concerned, they have not seen any traffic that meets their conditions so it has dropped right the way through to the bottom.

Have a look at this link which relates to your error message - 0x80072efd
http://support.microsoft.com/kb/836941

0
 

Author Comment

by:ntossiou
ID: 18852354
I'm wondering whether this has something to do with IIS permissions on the machine where WSUS is installed...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18852379
Just as a matter of interest, and I may have to eat humble pie, in the ISA proxy settings select the advanced tab. Look in the exceptions.

If you are using, for example, the 10.10.10.0 subnet internally, put in 10.* in the exceptions box and retry.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18852385
If it was permissions, it would affect all of the machines. The failure is that a response was not received, not that it was denied.
0
 

Author Comment

by:ntossiou
ID: 18852459
Here's something interesting:
I've included subnet 10.* in the exceptions of IE. I was able to access the WSUS administration page by using the WSUS server's IP address AS WELL as its FQDN. But it will NOT work with just the server name.
Then I removed the exception from the IE advanced settings, the behavior remained the same (
The funny thing is that now the ISA log reports that it allows http protocol at port 8530, but clientdiag.exe still fails.
0
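The checks the thread has worked through by hand up to this point (does the name resolve, does TCP port 8530 answer, does an HTTP request succeed when the proxy is bypassed), as an added example that is not part of the original thread. The names `probe` and `first_failure` are hypothetical, and `SERVER` is the placeholder host from the ClientDiag output in the question.

```python
import http.client
import socket
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def probe(url, timeout=5.0):
    """Run resolve -> tcp -> http in order; stop at the first failing stage."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    results = []
    # Stage 1: name resolution. If the short name fails here while the FQDN or
    # IP resolves, the problem is on the client's resolver, not the firewall.
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
        results.append(("resolve", True, addr))
    except socket.gaierror as exc:
        return results + [("resolve", False, str(exc))]
    # Stage 2: raw TCP connect to the WSUS port (8530 in the thread).
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            results.append(("tcp", True, f"{addr}:{port}"))
    except OSError as exc:
        return results + [("tcp", False, str(exc))]
    # Stage 3: HTTP request with an empty ProxyHandler, so no proxy is used.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            results.append(("http", True, str(resp.status)))
    except urllib.error.HTTPError as exc:
        results.append(("http", True, str(exc.code)))  # the server answered
    except (urllib.error.URLError, http.client.HTTPException, OSError) as exc:
        results.append(("http", False, str(exc)))
    return results


def first_failure(results):
    """Name of the first failed stage, or None if every stage passed."""
    return next((stage for stage, ok, _ in results if not ok), None)


if __name__ == "__main__":
    # "SERVER" is the placeholder host name from the ClientDiag output above.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://SERVER:8530/"
    for stage, ok, detail in probe(target):
        print(f"{stage:8} {'PASS' if ok else 'FAIL'}  {detail}")
```

Running it once with the short name and once with the FQDN or IP address separates a name-resolution failure from a blocked port; an HTTP error status still counts as a pass for the last stage because the server replied.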
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1000 total points
ID: 18852517
When I installed my first WSUS server I had a number of issues to start with. I worked on it for an hour then got fed up and went for a cigarette and a pizza. When I got back the ISA was showing up quite happily and had created a new section in the WSUS server of Internet Security etc etc with my server listed.

I am not sure if it simply required a bit of time for the WSUS server to re-poll or whether the fairies got involved. I got rid of my WSUS on my home labs purely because of the disk space and bandwidth it was generating so I can't test the clientdiag currently.

If you have set the registry key manually or through policy to tell the systems to get their updates from the WSUS box now, does ISA get its updates?
0
 

Author Comment

by:ntossiou
ID: 18852549
Last comment for today:
Now I can open the WSUS administration page on the ISA Server machine normally and in the ISA log I see the communication between the two servers (including Kerberos protocol and http), but when I run the clientdiag.exe, it reports that it is unidentified traffic and therefore denies access.
I will let it be for tonight and I'll see tomorrow, maybe the ISA Server machine will appear in WSUS.
Thank you for now.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18852594
Welcome :)
0
 

Author Comment

by:ntossiou
ID: 18983023
It's been a while, but I'll give it another try...
The ISA Server still does not appear in WSUS, however, it receives and installs updates.
I have given up on making this work, but any new ideas or suggestions are welcome...

Best regards,

NT
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18983547
Question then is whether it is picking up the updates from the WSUS server or directly from the Windows Update?
0
 

Author Comment

by:ntossiou
ID: 19021447
OK, here's what happened yesterday: after I approved the installation of ISA 2004 SP3 on WSUS and it was downloaded, the ISA server downloaded the update, installed it and after I restarted it, it appeared on WSUS, but it still does not report status. Without ISA 2004 SP3 it would not even appear in the WSUS console.
I haven't changed any firewall rules or anything, but it suddenly appeared in WSUS.
And of course this confirms that the ISA server is getting its updates through WSUS and not Windows Update (as configured in GP). If anyone has an idea how to make ISA report status, please let me know, otherwise I will consider this question closed after 2 days and the points will go to keith_alabaster for his effort.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19021460
Nice move - I am still testing SP3 myself so wasn't that comfortable recommending its deployment.
0
