Solved

Allowing an ISA Server 2004 SP2 computer to use WSUS

Posted on 2007-04-04
Last Modified: 2012-06-21
Hello there,

I'm running a Windows Server 2003 network and I use ISA Server 2004 SP2 and WSUS.
The problem is that the ISA Server computer does not show up in WSUS (note: WSUS and ISA Server are installed on two different machines; WSUS is installed on port 8530). All other clients in the network show up normally and can download and install all updates; the issue is just with the ISA Server computer.
I have created an access rule in ISA Server to allow HTTP, HTTPS and Kerberos-Sec (UDP) from localhost to the WSUS computer for 'All Users', but still nothing. The result when running ClientDiag.exe on the ISA Server computer is the following:

Checking Connection to WSUS/SUS Server
                WUServer = http://SERVER:8530
                WUStatusServer = http://SERVER:8530
        UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS

VerifyWUServerURL() failed with hr=0x80072efd

A connection with the server could not be established

When I try to browse to the WSUS administration page (http://SERVER:8530/wsusadmin), I get a "Cannot find server or DNS error" in IE (note: IE on the ISA Server computer is set up to use a web proxy, which is the ISA Server itself).

Any ideas?

Thanks in advance

Nick
Question by:ntossiou

Expert Comment

by:Keith Alabaster
Can you confirm that you have an allow rule FROM internal & local host TO internal & local host?

Open the ISA GUI, select Monitoring - Logging - Start Query.
Do the refresh on the WSUS server and see what appears in the ISA live log.

Expert Comment

by:Toni Uranjek
First, I would check if IE on ISA is configured to bypass proxy for local addresses and try again.

Author Comment

by:ntossiou
Keith_Alabaster,

I just modified the rule and added FROM internal TO internal & localhost.
Logging reports that connection was denied to destination IP (WSUS server IP) at port 8530 using FTP protocol (I was not aware that WSUS uses FTP???). I have modified the existing rule and included all outbound protocols from local host and internal network to local host and internal network, but still the same results on ISA logging.


toniur,

IE is configured to bypass proxy for local addresses.

Expert Comment

by:Keith Alabaster
No offence, but it's just a straight configuration issue.
It's a common enough misunderstanding; all protocols actually means all protocols that ISA has in its defined protocols list. It does not mean allow any protocol regardless of what it is.

As you have set WSUS on that particular port then that is what ISA will try and communicate with as well. Create an outbound protocol definition then the rule you have will use it. Once it's operational you can change the rule to limit to just the protocols you want to use.

Author Comment

by:ntossiou
keith_alabaster,

No problem, I created an outbound protocol (HTTP for WSUS, outbound, TCP, port range 8530-8531, checked Web Proxy filter), but I still get the same error message in ISA logging (only now in protocol there is of course HTTP for WSUS).
By the way, it reported FTP previously because some time ago I was playing around with the FTP port range in ISA Server.
The problem still remains. Am I doing something wrong here?

Author Comment

by:ntossiou
I also forgot to tell you that it is denied by the default rule (deny all network traffic). I have placed my access rule right above it to make sure it's picked up before any other rule, but still the same.

Expert Comment

by:Keith Alabaster
Well, it's not working so yes, something is not right :)
If it is being denied by the default rule then as far as the rules in the policy are concerned, they have not seen any traffic that meets their conditions so it has dropped right the way through to the bottom.

Have a look at this link which relates to your error message - 0x80072efd
http://support.microsoft.com/kb/836941


Author Comment

by:ntossiou
I'm wondering whether this has something to do with IIS permissions on the machine where WSUS is installed...

Expert Comment

by:Keith Alabaster
Just as a matter of interest, and I may have to eat humble pie, in the ISA proxy settings select the Advanced tab. Look in the exceptions.

If you are using, for example, the 10.10.10.0 subnet internally, put in 10.* in the exceptions box and retry.

Expert Comment

by:Keith Alabaster
If it was permissions, it would affect all of the machines. The failure is that a response was not received, not that it was denied.

Author Comment

by:ntossiou
Here's something interesting:
I've included subnet 10.* in the exceptions of IE. I was able to access the WSUS administration page by using the WSUS server's IP address AS WELL as its FQDN. But it will NOT work with just the server name.
Then I removed the exception from the IE advanced settings, the behavior remained the same (
The funny thing is that now the ISA log reports that it allows http protocol at port 8530, but clientdiag.exe still fails.
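An added diagnostic for the situation in this thread (example code, not ClientDiag.exe and not from any of the posts): it reads the same WUServer, WUStatusServer and UseWUServer values that ClientDiag prints, tests a raw TCP connection to the WSUS port under the short name, the FQDN and the IP separately (the finding above was that only the bare server name failed), and shows whether IE's proxy bypass for local addresses is set. It assumes PowerShell 2.0 or later on the ISA host and the standard Windows Update policy and IE proxy registry locations.

```powershell
# Added example (not from the thread): repeats the WSUS client checks that
# ClientDiag.exe reports and adds the two checks the discussion turns on:
# name resolution as short name / FQDN / IP, and IE's local-address bypass.
# Assumes PowerShell 2.0+ and the standard Windows Update policy key.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ieProxy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
function Get-WsusTarget {
    $wu  = Get-ItemProperty -Path $wuPolicy -ErrorAction Stop
    $au  = Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue
    $uri = [Uri]$wu.WUServer
    New-Object PSObject -Property @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        TargetHost     = $uri.Host
        Port           = $uri.Port
        UseWUServer    = $au.UseWUServer
    }
}

function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    # 0x80072efd means no TCP session at all, so a raw connect test separates
    # a firewall/DNS problem from an IIS permissions problem on the WSUS box.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$t = Get-WsusTarget
"WUServer={0} WUStatusServer={1} UseWUServer={2}" -f $t.WUServer, $t.WUStatusServer, $t.UseWUServer
# Short name, FQDN and IP are tested separately because the thread found the
# IP and FQDN reachable while the bare server name was not.
$forms = @($t.TargetHost)
try {
    $entry  = [System.Net.Dns]::GetHostEntry($t.TargetHost)
    $forms += $entry.HostName, $entry.AddressList[0].IPAddressToString
} catch { "DNS lookup of $($t.TargetHost) failed: $($_.Exception.Message)" }
foreach ($f in ($forms | Select-Object -Unique)) {
    $state = if (Test-TcpPort -TargetHost $f -Port $t.Port) { 'open' } else { 'no connection' }
    "TCP {0}:{1} -> {2}" -f $f, $t.Port, $state
}
# ProxyOverride contains '<local>' when "Bypass proxy server for local
# addresses" is ticked; without it, a plain host name goes via the ISA Web Proxy.
$p = Get-ItemProperty -Path $ieProxy -ErrorAction SilentlyContinue
"IE ProxyEnable={0} ProxyServer={1} ProxyOverride={2}" -f $p.ProxyEnable, $p.ProxyServer, $p.ProxyOverride
```

Run it on the ISA host itself; a "no connection" on the short name alone points at DNS suffix or proxy routing rather than at the access rule, which would block all three forms equally.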

Accepted Solution

by:Keith Alabaster (earned 250 total points)
When I installed my first wsus server I had a number of issues to start with. I worked on it for an hour then got fed up and went for a cigarette and a pizza. When I got back the ISA was showing up quite happily and had created a new section in the wsus server of Internet Security etc etc with my server listed.

I am not sure if it simply required a bit of time for the WSUS server to re-poll or whether the fairies got involved. I got rid of my wsus on my home labs purely because of the disk space and bandwidth it was generating so I can't test the clientdiag currently.

If you have set the registry key manually or through policy to tell the systems to get their updates from the wsus box now, does ISA get its updates?

Author Comment

by:ntossiou
Last comment for today:
Now I can open the WSUS administration page on the ISA Server machine normally and in the ISA log I see the communication between the two servers (including Kerberos protocol and http), but when I run the clientdiag.exe, it reports that it is unidentified traffic and therefore denies access.
I will let it be for tonight and I'll see tomorrow; maybe the ISA Server machine will appear in WSUS.
Thank you for now.

Expert Comment

by:Keith Alabaster
Welcome :)

Author Comment

by:ntossiou
It's been a while, but I'll give it another try...
The ISA Server still does not appear in WSUS, however, it receives and installs updates.
I have given up on making this work, but any new ideas or suggestions are welcome...

Best regards,

NT

Expert Comment

by:Keith Alabaster
Question then is whether it is picking up the updates from the wsus server or directly from the Windows Update?

Author Comment

by:ntossiou
OK, here's what happened yesterday: after I approved the installation of ISA 2004 SP3 on WSUS and it was downloaded, the ISA server downloaded the update, installed it and after I restarted it, it appeared on WSUS, but it still does not report status. Without ISA 2004 SP3 it would not even appear in the WSUS console.
I haven't changed any firewall rules or anything, but it suddenly appeared in WSUS.
And of course this confirms that the ISA server is getting its updates through WSUS and not Windows Update (as configured in GP). If anyone has an idea how to make ISA report status, please let me know, otherwise I will consider this question closed after 2 days and the points will go to keith_alabaster for his effort.

Expert Comment

by:Keith Alabaster
Nice move - I am still testing SP3 myself so wasn't that comfortable recommending its deployment.