atroutcatcher
Watchguard Firebox Edge and how to configure it to allow Microsoft Windows Updates
Can't get Microsoft Windows Updates to pass through my Firebox Edge. Thoughts?
Here's an error message that I see frequently on the log:
deny in eth0 40 tcp 20 255 64.4.21.61 xx.xxx.xx.xx 80 38532 ack rst (Non-est TCP)
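As an added example, not part of the original thread or any WatchGuard tooling, here is a small parser and classifier for log lines in the shape of the one quoted above. The field positions it assumes (action, direction, interface, total length, protocol, IP header length, TTL, source, destination, source port, destination port, TCP flags, reason in parentheses) are read off that single line, not taken from WatchGuard documentation, and the sample lines other than the quoted one are constructed. The classification is a troubleshooting heuristic: a denied inbound packet whose source port is a web server port and that carries RST is a reset arriving after the firewall has already dropped the session state, which is noise rather than the packet that blocks a download; a bare inbound SYN with no session is an unsolicited connection attempt that a firewall is expected to drop.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log text. The first line is the one quoted in the question; the
# other two are made up to exercise the other cases the classifier distinguishes.
# Field positions (action, direction, interface, total length, protocol, IP header
# length, TTL, src, dst, src port, dst port, TCP flags, reason) are an ASSUMPTION taken
# from the shape of that one line, not from WatchGuard documentation.
SAMPLE_LOG = """\
deny in eth0 40 tcp 20 255 64.4.21.61 xx.xxx.xx.xx 80 38532 ack rst (Non-est TCP)
deny in eth0 44 tcp 20 48 198.51.100.7 xx.xxx.xx.xx 4431 445 syn (Non-est TCP)
allow out eth0 52 tcp 20 128 xx.xxx.xx.xx 64.4.21.61 38532 80 syn
"""

LINE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<direction>in|out)\s+(?P<iface>\S+)\s+"
    r"(?P<length>\d+)\s+(?P<proto>tcp|udp|icmp)\s+(?P<hdrlen>\d+)\s+(?P<ttl>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)(?P<rest>.*)$"
)
# Trailing part of the line: optional TCP flag words, then an optional "(reason)".
TAIL_RE = re.compile(r"^\s*(?P<flags>[a-z ]*?)\s*(?:\((?P<reason>[^)]*)\))?\s*$")

# Ports a client normally talks TO. A packet whose SOURCE port is one of these is a
# server's reply, not a connection some remote host initiated.
SERVER_PORTS = {80, 443}


@dataclass
class LogEntry:
    action: str
    direction: str
    iface: str
    proto: str
    ttl: int
    src: str
    dst: str
    sport: int
    dport: int
    flags: Tuple[str, ...]
    reason: Optional[str]


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one Firebox Edge traffic line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tail = TAIL_RE.match(m.group("rest"))
    flags = tuple(tail.group("flags").split()) if tail else ()
    reason = tail.group("reason") if tail else None
    return LogEntry(
        action=m.group("action"), direction=m.group("direction"), iface=m.group("iface"),
        proto=m.group("proto"), ttl=int(m.group("ttl")), src=m.group("src"),
        dst=m.group("dst"), sport=int(m.group("sport")), dport=int(m.group("dport")),
        flags=flags, reason=reason,
    )


def parse_log(text: str) -> List[LogEntry]:
    """Parse every recognisable line of a log excerpt, skipping the rest."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def classify(e: LogEntry) -> str:
    """Bucket an entry by what the deny most likely means when troubleshooting."""
    if e.action == "allow":
        return "allowed"
    if e.proto == "tcp" and e.direction == "in" and e.reason == "Non-est TCP":
        # Server port as SOURCE plus RST: a reset that arrived after the firewall had
        # already dropped the session (typical once the client closed the connection).
        # Noise, not the packet that blocked the download.
        if "rst" in e.flags and e.sport in SERVER_PORTS:
            return "stray_reset"
        # A bare SYN from outside with no session: an unsolicited inbound connection
        # attempt, which the firewall is supposed to drop.
        if "syn" in e.flags and "ack" not in e.flags:
            return "unsolicited_inbound"
    return "other_deny"


def summarize(text: str) -> Dict[str, int]:
    """Count entries per bucket so stray resets do not drown out denies that matter."""
    counts: Dict[str, int] = {}
    for e in parse_log(text):
        bucket = classify(e)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f"{classify(entry):20s} {entry.src}:{entry.sport} -> "
              f"{entry.dst}:{entry.dport} {' '.join(entry.flags)}")
    print(summarize(SAMPLE_LOG))
```

Run against a real log export, the summary tells you whether the frequent "Non-est TCP" lines are late resets from update servers (source port 80 or 443, RST set) or something else; only the "other_deny" bucket is worth reading line by line when chasing a failed download.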
ASKER
Hi and thank you.
The HTTP proxy IS enabled on the Edge.
Would it be possible for you to disable the HTTP proxy or create a custom service to allow traffic to the Microsoft update servers?
ASKER
I will gladly try it. Do you have the specifics on what to setup?
The Windows Update servers seem to constantly rotate and/or change.
Please advise about how to configure for the services to work.
ASKER CERTIFIED SOLUTION
ASKER
Update:
I've been adding IP addresses as you suggest, but the IP addresses change EVERY time I attempt the download of an update. Thus, this scheme could take months to finish. Is this correct?
Also, is there a list of the public Microsoft servers somewhere? Or is this information protected?
Maybe this system is not the one I should be using? Not only are Windows Updates not coming through, but the Adobe players won't download either.
Thanks for your help.
Yes, it can take a long time to add each and every IP address; but if you have a single machine that should download all the updates and then distribute them to all the internal servers, then we can open all traffic for this server only. Configure the service as below instead:
From ip-address-of-internal-server; To ANY
Please note that for the above machine there would be no filtering at all.
Please see if this helps you.
Thank you.
ASKER
Update - still working on this. Still haven't been able to get the flow of information to work properly and/or consistently.
I am sorry, I know the solution is not the most elegant one; but this is all that we can do.
ASKER
Thanks. Lengthy process but it appears to be working. Best regards.
Happy I could be of assistance! :)
The log you have posted indicates that the packet came from the Internet when the session was not established.
Can you provide some details on whether you have the proxy enabled or not?
Thank you.