Solved

ISA 2004 - Allow access to Windows Update to all user

Posted on 2009-04-04
4
1,154 Views
Last Modified: 2012-05-06
I followed this KB http://support.microsoft.com/kb/885819

From a workstation that has no allowed internet access I can get to www.microsoft.com but when I try to go to update.microsoft.com I get redirected to the No Internet allowed page specified in the Deny rule.

Here is the monitor from that WS below.

Any help is appreciated.


Original Client IP	Client IP	Client Username	Client Agent	Authenticated Client	Service	Server Name	Referring Server	Destination Host Name	Destination IP	Protocol	Transport	HTTP Method	URL	MIME Type	Object Source	Source Network	Destination Network	Source Proxy	Destination Proxy	Action	Bidirectional	Client Host Name	Rule	Filter Information	Network Interface	Raw IP Header	Raw Payload	Log Time	Source Port	Destination Port	Processing Time	Bytes Sent	Bytes Received	Result Code	HTTP Status Code	Cache Information	Error Information	Log Record Type

192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		65.55.184.157	HTTP	TCP	-	-	-		Internal	External			Initiated Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:08 PM	1163	80	0	0	0	0x0 		0x0	0x0	Firewall

0.0.0.0	192.168.1.121	DLI\iang	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)	Yes	Proxy	NV		65.55.184.157	65.55.184.157	http	TCP	GET	http://65.55.184.157/microsoftupdate			Internal	External	-	-	Denied Connection		-	Internet Lockout	Req ID: 0690d7b3 	-	-	-	4/4/2009 3:09:08 PM	0	80	188	176	614		12202 The ISA Server denied the specified Uniform Resource Locator (URL). 	0x0	0x0	Web Proxy Filter

192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		65.55.184.157	HTTP	TCP	-	-	-		Internal	External			Closed Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:08 PM	1163	80	188	0	176	0x80074e24 FWX_E_CONNECTION_KILLED		0x0	0x0	Firewall

192.168.1.121	192.168.1.121					NV	-		192.168.1.224	Unidentified IP Traffic (TCP:1745)	TCP	-	-	-		Internal	Local Host			Initiated Connection				-				4/4/2009 3:09:08 PM	1162	1745	0	0	0	0x0 		0x0	0x0	Firewall

192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		74.125.53.99	HTTP	TCP	-	-	-		Internal	External			Initiated Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:09 PM	1165	80	0	0	0	0x0 		0x0	0x0	Firewall

0.0.0.0	192.168.1.121	DLI\iang	Mozilla/4.0 (compatible; GoogleToolbar 6.0.1411.1512; Windows XP 5.1; MSIE 7.0.5730.13)	Yes	Proxy	NV		74.125.53.99	74.125.53.99	http	TCP	GET	http://74.125.53.99/search?client=navclient-auto&iqrn=zMGD&orig=0J&ie=UTF-8&oe=UTF-8&features=Rank:&q=info:http%3a%2f%2fupdate.microsoft.com%2fmicrosoftupdate&ch=73646830038			Internal	External	-	-	Denied Connection		-	Internet Lockout	Req ID: 0690d7b8 	-	-	-	4/4/2009 3:09:09 PM	0	80	1	176	577		12202 The ISA Server denied the specified Uniform Resource Locator (URL). 	0x4	0x800	Web Proxy Filter

192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		74.125.53.99	HTTP	TCP	-	-	-		Internal	External			Closed Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:09 PM	1165	80	16	0	176	0x80074e24 FWX_E_CONNECTION_KILLED		0x0	0x0	Firewall
 
 
 

---------------------------------------------------------------

URL SET RULE:
 
 

<?xml version="1.0" encoding="UTF-8"?>

<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4" xmlns:dt="urn:schemas-microsoft-com:datatypes" StorageName="FPC" StorageType="0">

	<fpc4:Build dt:dt="string">4.0.2167.887</fpc4:Build>

	<fpc4:Comment dt:dt="string"/>

	<fpc4:Edition dt:dt="int">80</fpc4:Edition>

	<fpc4:ExportItemClassCLSID dt:dt="string">{AA2E238A-0B11-4EF8-9257-DA4864F87A5A}</fpc4:ExportItemClassCLSID>

	<fpc4:ExportItemStorageName dt:dt="string">{22E1748E-43A5-4666-BC1D-0219F793484A}</fpc4:ExportItemStorageName>

	<fpc4:IsaXmlVersion dt:dt="string">1.10</fpc4:IsaXmlVersion>

	<fpc4:OptionalData dt:dt="int">4</fpc4:OptionalData>

	<fpc4:Upgrade dt:dt="boolean">0</fpc4:Upgrade>

	<fpc4:Arrays StorageName="Arrays" StorageType="0">

		<fpc4:Array StorageName="{D92FA13F-0C4A-4DD2-A5E7-A519F094F264}" StorageType="0">

			<fpc4:Components dt:dt="int">-1</fpc4:Components>

			<fpc4:Name dt:dt="string"/>

			<fpc4:RuleElements StorageName="RuleElements" StorageType="0">

				<fpc4:URLSets StorageName="URLSets" StorageType="0">

					<fpc4:URLSet StorageName="{22E1748E-43A5-4666-BC1D-0219F793484A}" StorageType="1">

						<fpc4:Name dt:dt="string">Microsoft_Updates</fpc4:Name>

						<fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>

						<fpc4:URLStrings>

							<fpc4:Str dt:dt="string">http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us</fpc4:Str>

							<fpc4:Str dt:dt="string">http://*.download.windowsupdate.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://*.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://*.update.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://*.windowsupdate.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://*.windowsupdate.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://download.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://download.windowsupdate.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://ntservicepack.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://update.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://windowsupdate.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://wustat.windows.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">https://*.update.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">https://*.windowsupdate.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">https://update.microsoft.com/*</fpc4:Str>

						</fpc4:URLStrings>

					</fpc4:URLSet>

				</fpc4:URLSets>

			</fpc4:RuleElements>

		</fpc4:Array>

	</fpc4:Arrays>

</fpc4:Root>

Open in new window

0
Comment
Question by:DMTechGrooup
  • 2
  • 2
4 Comments
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24075296
I would change the URL Set to a Domain Name Set , and make sure this rule is above all the other rules.
0
 
LVL 24

Author Comment

by:DMTechGrooup
ID: 24078179
I have tried that as well.  Seems when it goes to the windows update it tries to go to an IP address instead of a domain name.. or so it seems.
0
 
LVL 14

Accepted Solution

by:
Raj-GT earned 500 total points
ID: 24078897
Looks like the access is being blocked by 'Internal Lockout' rule. Are you sure the Windows Update rule is above all other rules in your firewall policies list. You also need to check that you have given 'All Users' access to this rule and the protocols HTTP and HTTPS are selected.

Can you give me a quick run down of this windows update rule?

0
 
LVL 24

Author Comment

by:DMTechGrooup
ID: 24159368
I havent forgotten this.. I will get back to you early next week.. Thanks.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
Concerto provides fully managed cloud services and the expertise to provide an easy and reliable route to the cloud. Our best-in-class solutions help you address the toughest IT challenges, find new efficiencies and deliver the best application expe…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now