ISA 2004 server won't update from WSUS server

We're running WSUS server 3.0 on a server which is working pretty problem-free at the moment, updating servers and workstations alike.

We've also got ISA 2004 running on a different box which is acting as a firewall for our company network.  Unfortunately I'm not much of an expert on ISA.  I have deployed several updates to the ISA server but the server isn't picking these up, even despite several wuauclt /detectnow attempts.

It seems that ISA is blocking the traffic to the WSUS server.  I've pasted some text from our windowsupdate.log below since attaching doesn't seem to be working.  When I visit http://wsus/selfupdate/iuident.cab  on the ISA box I get an error page displayed by the ISA server saying "Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)".

Following instructions from several posts on the Internet I've created a new access rule in ISA to allow HTTP, HTTPS and Kerberos-Sec (UDP) traffic from Local Host to WSUS for All Users.  This hasn't made any difference and, just in case, I've tried amending the rule to allow all outgoing traffic and adding other user groups such as 'Authenticated Users'.

Also noteworthy is the fact that when I visit the Microsoft Windows Update website the server has no problem checking for updates and picking up what it needs.

So I'm pretty certain it's ISA blocking the update traffic, I just can't figure out how to unblock it!


WindowsUpdate.log sample:

2008-02-05      08:18:42:713      1296      1678      AU      #############
2008-02-05      08:18:42:713      1296      1678      AU      ## START ##  AU: Search for updates
2008-02-05      08:18:42:713      1296      1678      AU      #########
2008-02-05      08:18:42:713      1296      1678      AU      <<## SUBMITTED ## AU: Search for updates [CallId = {6844A3A7-91B1-47D1-AB83-27DE47C878E1}]
2008-02-05      08:18:42:713      1296      900      Agent      *************
2008-02-05      08:18:42:713      1296      900      Agent      ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
2008-02-05      08:18:42:713      1296      900      Agent      *********
2008-02-05      08:18:42:713      1296      900      Agent        * Online = Yes; Ignore download priority = No
2008-02-05      08:18:42:713      1296      900      Agent        * Criteria = "IsHidden=0 and IsInstalled=0 and DeploymentAction='Installation' and IsAssigned=1 or IsHidden=0 and IsPresent=1 and DeploymentAction='Uninstallation' and IsAssigned=1 or IsHidden=0 and IsInstalled=1 and DeploymentAction='Installation' and IsAssigned=1 and RebootRequired=1 or IsHidden=0 and IsInstalled=0 and DeploymentAction='Uninstallation' and IsAssigned=1 and RebootRequired=1"
2008-02-05      08:18:42:713      1296      900      Agent        * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
2008-02-05      08:18:42:713      1296      900      Misc      Validating signature for C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wuident.cab:
2008-02-05      08:18:42:728      1296      900      Misc       Microsoft signed: Yes
2008-02-05      08:18:42:728      1296      900      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190193
2008-02-05      08:18:42:728      1296      900      Misc      WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190193
2008-02-05      08:18:42:728      1296      900      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190193
2008-02-05      08:18:42:728      1296      900      Misc      WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190193
2008-02-05      08:18:42:728      1296      900      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190193
2008-02-05      08:18:42:728      1296      900      Misc      WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190193
2008-02-05      08:18:42:728      1296      900      Misc      WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80190193
2008-02-05      08:18:42:728      1296      900      Misc      WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190193
2008-02-05      08:18:42:728      1296      900      Misc      WARNING: DownloadFileInternal failed for http://wphedgbaston/selfupdate/wuident.cab: error 0x80190193
2008-02-05      08:18:42:728      1296      900      Setup      FATAL: IsUpdateRequired failed with error 0x80244018
2008-02-05      08:18:42:728      1296      900      Setup      WARNING: SelfUpdate: Default Service: IsUpdateRequired failed: 0x80244018
2008-02-05      08:18:42:728      1296      900      Setup      WARNING: SelfUpdate: Default Service: IsUpdateRequired failed, error = 0x80244018
2008-02-05      08:18:42:728      1296      900      Agent        * WARNING: Skipping scan, self-update check returned 0x80244018
2008-02-05      08:18:42:994      1296      900      Agent        * WARNING: Exit code = 0x80244018
2008-02-05      08:18:42:994      1296      900      Agent      *********
2008-02-05      08:18:42:994      1296      900      Agent      **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2008-02-05      08:18:42:994      1296      900      Agent      *************
2008-02-05      08:18:42:994      1296      900      Agent      WARNING: WU client failed Searching for update with error 0x80244018
2008-02-05      08:18:42:994      1296      d50      AU      >>##  RESUMED  ## AU: Search for updates [CallId = {6844A3A7-91B1-47D1-AB83-27DE47C878E1}]
2008-02-05      08:18:42:994      1296      d50      AU        # WARNING: Search callback failed, result = 0x80244018
2008-02-05      08:18:42:994      1296      d50      AU        # WARNING: Failed to find updates with error code 80244018
2008-02-05      08:18:42:994      1296      d50      AU      #########
2008-02-05      08:18:42:994      1296      d50      AU      ##  END  ##  AU: Search for updates [CallId = {6844A3A7-91B1-47D1-AB83-27DE47C878E1}]
2008-02-05      08:18:42:994      1296      d50      AU      #############
2008-02-05      08:18:42:994      1296      d50      AU      AU setting next detection timeout to 2008-02-05 13:18:42
2008-02-05      08:18:42:994      1296      d50      AU      Setting AU scheduled install time to 2008-02-09 10:00:00
2008-02-05      08:18:47:729      1296      900      Report      REPORT EVENT: {204B6591-8249-4C25-8D19-40A56442FFC6}      2008-02-05 08:18:42:728-0000      1      148      101      {D67661EB-2423-451D-BF5D-13199E37DF28}      0      80244018      SelfUpdate      Failure      Software Synchronization      Windows Update Client failed to detect with error 0x80244018.
2008-02-05      08:24:34:566      1296      900      PT      WARNING: Cached cookie has expired or new PID is available
2008-02-05      08:24:34:566      1296      900      PT      Initializing simple targeting cookie, clientId = 05aec7a7-69d5-44df-a082-6d81dd0efc92, target group = , DNS name = wphisa.admin.wphomes.org.uk
2008-02-05      08:24:34:566      1296      900      PT        Server URL = http://wphedgbaston/SimpleAuthWebService/SimpleAuth.asmx
2008-02-05      08:24:34:566      1296      900      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244018, soap client error = 10, soap error code = 0, HTTP status code = 403
2008-02-05      08:24:34:566      1296      900      PT      WARNING: Failed to initialize Simple Targeting Cookie: 0x80244018
2008-02-05      08:24:34:566      1296      900      PT      WARNING: PopulateAuthCookies failed: 0x80244018
2008-02-05      08:24:34:566      1296      900      PT      WARNING: RefreshCookie failed: 0x80244018
2008-02-05      08:24:34:566      1296      900      PT      WARNING: RefreshPTState failed: 0x80244018
2008-02-05      08:24:34:566      1296      900      PT      WARNING: PTError: 0x80244018
2008-02-05      08:24:34:566      1296      900      Report      WARNING: Reporter failed to upload events with hr = 80244018.
2008-02-05      08:54:13:970      1296      1c80      PT      WARNING: Cached cookie has expired or new PID is available
2008-02-05      08:54:13:970      1296      1c80      PT      Initializing simple targeting cookie, clientId = 05aec7a7-69d5-44df-a082-6d81dd0efc92, target group = , DNS name = wphisa.admin.wphomes.org.uk
2008-02-05      08:54:13:970      1296      1c80      PT        Server URL = http://wphedgbaston/SimpleAuthWebService/SimpleAuth.asmx
2008-02-05      08:54:13:970      1296      1c80      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244018, soap client error = 10, soap error code = 0, HTTP status code = 403
2008-02-05      08:54:13:970      1296      1c80      PT      WARNING: Failed to initialize Simple Targeting Cookie: 0x80244018
2008-02-05      08:54:13:970      1296      1c80      PT      WARNING: PopulateAuthCookies failed: 0x80244018
2008-02-05      08:54:13:970      1296      1c80      PT      WARNING: RefreshCookie failed: 0x80244018
2008-02-05      08:54:13:970      1296      1c80      PT      WARNING: RefreshPTState failed: 0x80244018
2008-02-05      08:54:13:970      1296      1c80      PT      WARNING: PTError: 0x80244018
2008-02-05      08:54:13:970      1296      1c80      Report      WARNING: Reporter failed to upload events with hr = 80244018.
2008-02-05      09:08:24:305      1296      1c80      PT      WARNING: Cached cookie has expired or new PID is available
2008-02-05      09:08:24:305      1296      1c80      PT      Initializing simple targeting cookie, clientId = 05aec7a7-69d5-44df-a082-6d81dd0efc92, target group = , DNS name = wphisa.admin.wphomes.org.uk
2008-02-05      09:08:24:305      1296      1c80      PT        Server URL = http://wphedgbaston/SimpleAuthWebService/SimpleAuth.asmx
2008-02-05      09:08:24:555      1296      1c80      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244018, soap client error = 10, soap error code = 0, HTTP status code = 403
2008-02-05      09:08:24:555      1296      1c80      PT      WARNING: Failed to initialize Simple Targeting Cookie: 0x80244018
2008-02-05      09:08:24:555      1296      1c80      PT      WARNING: PopulateAuthCookies failed: 0x80244018
2008-02-05      09:08:24:555      1296      1c80      PT      WARNING: RefreshCookie failed: 0x80244018
2008-02-05      09:08:24:555      1296      1c80      PT      WARNING: RefreshPTState failed: 0x80244018
2008-02-05      09:08:24:555      1296      1c80      PT      WARNING: PTError: 0x80244018
2008-02-05      09:08:24:555      1296      1c80      Report      WARNING: Reporter failed to upload events with hr = 80244018.
2008-02-05      09:19:03:821      1296      1c80      PT      WARNING: Cached cookie has expired or new PID is available
2008-02-05      09:19:03:821      1296      1c80      PT      Initializing simple targeting cookie, clientId = 05aec7a7-69d5-44df-a082-6d81dd0efc92, target group = , DNS name = wphisa.admin.wphomes.org.uk
2008-02-05      09:19:03:821      1296      1c80      PT        Server URL = http://wphedgbaston/SimpleAuthWebService/SimpleAuth.asmx
2008-02-05      09:19:03:821      1296      1c80      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244018, soap client error = 10, soap error code = 0, HTTP status code = 403
2008-02-05      09:19:03:821      1296      1c80      PT      WARNING: Failed to initialize Simple Targeting Cookie: 0x80244018
2008-02-05      09:19:03:821      1296      1c80      PT      WARNING: PopulateAuthCookies failed: 0x80244018
2008-02-05      09:19:03:821      1296      1c80      PT      WARNING: RefreshCookie failed: 0x80244018
2008-02-05      09:19:03:821      1296      1c80      PT      WARNING: RefreshPTState failed: 0x80244018
2008-02-05      09:19:03:821      1296      1c80      PT      WARNING: PTError: 0x80244018
2008-02-05      09:19:03:821      1296      1c80      Report      WARNING: Reporter failed to upload events with hr = 80244018.
2008-02-05      09:36:58:208      1296      d48      PT      WARNING: Cached cookie has expired or new PID is available
2008-02-05      09:36:58:208      1296      d48      PT      Initializing simple targeting cookie, clientId = 05aec7a7-69d5-44df-a082-6d81dd0efc92, target group = , DNS name = wphisa.admin.wphomes.org.uk
2008-02-05      09:36:58:208      1296      d48      PT        Server URL = http://wphedgbaston/SimpleAuthWebService/SimpleAuth.asmx
2008-02-05      09:36:58:208      1296      d48      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244018, soap client error = 10, soap error code = 0, HTTP status code = 403
2008-02-05      09:36:58:208      1296      d48      PT      WARNING: Failed to initialize Simple Targeting Cookie: 0x80244018
2008-02-05      09:36:58:208      1296      d48      PT      WARNING: PopulateAuthCookies failed: 0x80244018
2008-02-05      09:36:58:208      1296      d48      PT      WARNING: RefreshCookie failed: 0x80244018
2008-02-05      09:36:58:208      1296      d48      PT      WARNING: RefreshPTState failed: 0x80244018
2008-02-05      09:36:58:208      1296      d48      PT      WARNING: PTError: 0x80244018
2008-02-05      09:36:58:208      1296      d48      Report      WARNING: Reporter failed to upload events with hr = 80244018.
2008-02-05      09:58:29:600      1296      1778      PT      WARNING: Cached cookie has expired or new PID is available
2008-02-05      09:58:29:600      1296      1778      PT      Initializing simple targeting cookie, clientId = 05aec7a7-69d5-44df-a082-6d81dd0efc92, target group = , DNS name = wphisa.admin.wphomes.org.uk
2008-02-05      09:58:29:600      1296      1778      PT        Server URL = http://wphedgbaston/SimpleAuthWebService/SimpleAuth.asmx
2008-02-05      09:58:29:616      1296      1778      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244018, soap client error = 10, soap error code = 0, HTTP status code = 403
2008-02-05      09:58:29:616      1296      1778      PT      WARNING: Failed to initialize Simple Targeting Cookie: 0x80244018
2008-02-05      09:58:29:616      1296      1778      PT      WARNING: PopulateAuthCookies failed: 0x80244018
2008-02-05      09:58:29:616      1296      1778      PT      WARNING: RefreshCookie failed: 0x80244018
2008-02-05      09:58:29:616      1296      1778      PT      WARNING: RefreshPTState failed: 0x80244018
2008-02-05      09:58:29:616      1296      1778      PT      WARNING: PTError: 0x80244018
2008-02-05      09:58:29:616      1296      1778      Report      WARNING: Reporter failed to upload events with hr = 80244018.
Asked by: WPHIT
 
cedarghost Commented:
Have you tried publishing the WSUS server as a webserver through the tasks pane on the right in your firewall policy page?
 
Keith Alabaster (Enterprise Architect) Commented:
OK

Open the ISA gui
Click on the firewall policy option on the left. At the top of the right-hand window, some new icons appear - click the right-hand one - this lists the System Policy.
In the firewall policy list, another 20 or so rules will have appeared.
Scroll down and you will see a system policy that allows ISA to talk directly to a number of sites - this includes MS updates etc - that's why it works from the site. Add in the name of your wsus server to the list of three sites so ISA knows it can contact that server as well. ISA MUST be able to resolve the name you put in....
Click the icon at the top again to rehide the system policy
Make sure you have a firewall policy allowing the wsus box to talk to the local host (ISA server)
Apply the new policy
Should be 'job done'
 
Keith Alabaster (Enterprise Architect) Commented:
As an aside, 0x80190193 is the 'unauthorised' generic error code. As I recall, wsus pulls the info from the windows update site so a publishing rule would not help. I assume your access rule that allows http/https traffic from the wsus box is not part of an access rule that has authentication set on it? i.e. an AD group or authenticated users etc?

WSUS updates are normally put into their own access rule ie allow http/https from 'ip_of_wsus_box' to external - all users - above the normal allow http/https from internal to external for user {list}  
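
Added example, not part of any post in this thread: a Python sketch that splits the HRESULTs from the WindowsUpdate.log in the question into facility and code, and lists the URLs the client failed to reach. The helper names `decode_hresult` and `triage` are hypothetical; the sample lines are abridged from the posted log.

```python
import re
from collections import Counter

FACILITY_HTTP = 0x19            # winerror.h: low word carries the HTTP status code
FACILITY_WINDOWSUPDATE = 0x24   # Windows Update Agent errors (0x8024xxxx)
# Only the WUA code that appears in this thread's log; extend as needed.
WU_CODES = {0x4018: "WU_E_PT_HTTP_STATUS_FORBIDDEN (HTTP 403 from server or proxy)"}

# Lines abridged from the WindowsUpdate.log posted in the question.
SAMPLE_LOG = """\
2008-02-05 08:18:42:728 1296 900 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80190193
2008-02-05 08:18:42:728 1296 900 Misc WARNING: DownloadFileInternal failed for http://wphedgbaston/selfupdate/wuident.cab: error 0x80190193
2008-02-05 08:18:42:728 1296 900 Setup FATAL: IsUpdateRequired failed with error 0x80244018
2008-02-05 08:24:34:566 1296 900 PT   Server URL = http://wphedgbaston/SimpleAuthWebService/SimpleAuth.asmx
2008-02-05 08:24:34:566 1296 900 PT WARNING: GetAuthorizationCookie failure, error = 0x80244018, soap client error = 10, soap error code = 0, HTTP status code = 403
"""

HRESULT_RE = re.compile(r"0x([0-9A-Fa-f]{8})\b")
URL_RE = re.compile(r"https?://\S+")


def decode_hresult(value):
    """Split a 32-bit HRESULT into severity bit, facility and code."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    http_status = code if facility == FACILITY_HTTP else None
    if facility == FACILITY_HTTP:
        meaning = "HTTP status %d" % code
    elif facility == FACILITY_WINDOWSUPDATE:
        meaning = WU_CODES.get(code, "Windows Update Agent error")
    else:
        meaning = "facility 0x%x" % facility
    return {"failed": bool(value >> 31), "facility": facility, "code": code,
            "http_status": http_status, "meaning": meaning}


def triage(log_text):
    """Return (Counter of HRESULTs, set of URLs named on or just before a failure)."""
    codes, failed_urls, last_url = Counter(), set(), {}
    for line in log_text.splitlines():
        parts = line.split(None, 5)   # date, time, pid, tid, component, message
        if len(parts) < 6:
            continue
        tid, message = parts[3], parts[5]
        url = URL_RE.search(message)
        is_failure = "WARNING:" in message or "FATAL:" in message
        if url:
            cleaned = url.group(0).rstrip(":,.")
            if is_failure:
                failed_urls.add(cleaned)
            else:
                last_url[tid] = cleaned   # "Server URL = ..." precedes its failure line
        if is_failure:
            found = HRESULT_RE.findall(message)
            codes.update(int(h, 16) for h in found)
            if found and not url and tid in last_url:
                failed_urls.add(last_url.pop(tid))
    return codes, failed_urls


if __name__ == "__main__":
    counts, urls = triage(SAMPLE_LOG)
    for hr, n in counts.most_common():
        print("0x%08X x%d: %s" % (hr, n, decode_hresult(hr)["meaning"]))
    print(sorted(urls))
```

Both codes in the log carry the same HTTP status that ISA shows in the browser, so the failing URLs returned by `triage` are the ones to look for in the ISA real-time log.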
 
WPHIT (Author) Commented:
Thanks for the suggestions.  Cedarghost, I think your idea might be worth a try if WSUS lived on the same box as ISA but as Keith says, updates are pulled from the Microsoft Update site by the WSUS server.  This has always worked properly.

I found the System Policy rule you talked about, Keith, and added the WSUS server name, in various different guises (short name, FQDN etc.) but none worked.  I confirmed that the ISA box can resolve the name by pinging the server name.

I'm no expert on ISA but isn't adding the WSUS server name into that System Policy the same as creating my own rule for Windows Updates allowing HTTP/HTTPS traffic from Local Host to the WSUS server? I've already got such a rule set up which, as you suggest, is above all the other HTTP/HTTPS rules.  That rule has the default ISA group All Users in the permissions section, not any AD group.

I've tried accessing our Intranet homepage (which lives on the same box as WSUS) and another internal webpage we have published on a different server and I get the same Error 403: Forbidden message.  It seems that ISA won't communicate with anything internally over HTTP.
 
Keith Alabaster (Enterprise Architect) Commented:
Not quite, no. If the system policy, for example, denies remote access to the ISA from rdp, for example, no amount of firewall rules will ever get it to work. The system policy controls the out-of-band style traffic. If you take it that ISA's real job is to pass/block traffic passing 'through' its interfaces, the System Policy is the controller for traffic that does not pass through but is specifically targeted at ISA itself. Because then ISA will be talking to the internal network you need a Firewall rule between the wsus box and the localhost (ISA) to allow that to take place as well so there are two steps required :)

WSUS uses ports over and above just http/https

Open the ISA gui, select monitoring - logging - click start query
This reveals the realtime ISA log.
Try and initiate a WSUS update - what do you see appear in the log?
When I install a new system, I make a rule that allows all traffic from internal & localhost TO internal & local host and write them down. I can then create the necessary rules that need to go into firewall policy rules so that I can lock it down properly. Change the first rule we put in to all protocols from internal & localhost to internal & localhost temporarily and let's see what we get reported.
 
WPHIT (Author) Commented:
There are four denied events relating to the wuauclt /detectnow command I entered.  They're all virtually identical to this first one, except for variations in the word which appears first in the 'Request' category.  Where this one says HEAD, two of the others say GET.  Does this give any more clues?  Could the fact that the user is 'anonymous' be a problem?

Denied Connection ISA 11/02/2008 09:21:43
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  
Rule:  
Source: ( 10.5.0.62:0)
Destination: (wsus.admin.*******.org.uk 10.5.0.57:80)
Request: HEAD /selfupdate/wuident.cab?0802110921
Filter information: Req ID: 1ce74051  
Protocol:  
User: anonymous
 Additional information
Client agent: Windows-Update-Agent
Object source: Processing time: 1
Cache info: 0x0 MIME type:  
 
WPHIT (Author) Commented:
I tweaked various other settings in the Access Rule I created as well as a couple of other places - nothing special, just stuff that seemed logical.  In themselves they didn't make any difference but in desperation I stopped the ISA service altogether, just to prove that ISA was definitely the root of the problem and after restarting it I found that the updates worked all of a sudden.

All is still not well as I still can't access internal webpage on our Intranet webserver, again getting Error 403: Forbidden, but I'm past caring and at least my updates are working!
 
ByteCafeSupport Commented:
If anyone comes looking for this later, I figured I would share what I did...

After removing WSUS and reinstalling, I installed in default website (port 80) rather than its own website on port 8530 like it was before when it was working. I was then getting the URL denied message. I had added an access rule, added to list of allowed site in system policy, and checked proxy settings, but no luck.

I added port 8530 to the default website and was able to access server through IE. Created a GPO that specifies port 8530 on the intranet update server that applies only to this one server and all is good.