Solved

ISA 2004 - Allow access to Windows Update to all user

Posted on 2009-04-04
4
1,152 Views
Last Modified: 2012-05-06
I followed this KB http://support.microsoft.com/kb/885819

From a workstation that has no allowed internet access I can get to www.microsoft.com but when I try to go to update.microsoft.com I get redirected to the No Internet allowed page specified in the Deny rule.

Here is the monitor from that WS below.

Any help is appreciated.


Original Client IP	Client IP	Client Username	Client Agent	Authenticated Client	Service	Server Name	Referring Server	Destination Host Name	Destination IP	Protocol	Transport	HTTP Method	URL	MIME Type	Object Source	Source Network	Destination Network	Source Proxy	Destination Proxy	Action	Bidirectional	Client Host Name	Rule	Filter Information	Network Interface	Raw IP Header	Raw Payload	Log Time	Source Port	Destination Port	Processing Time	Bytes Sent	Bytes Received	Result Code	HTTP Status Code	Cache Information	Error Information	Log Record Type

192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		65.55.184.157	HTTP	TCP	-	-	-		Internal	External			Initiated Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:08 PM	1163	80	0	0	0	0x0 		0x0	0x0	Firewall

0.0.0.0	192.168.1.121	DLI\iang	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)	Yes	Proxy	NV		65.55.184.157	65.55.184.157	http	TCP	GET	http://65.55.184.157/microsoftupdate			Internal	External	-	-	Denied Connection		-	Internet Lockout	Req ID: 0690d7b3 	-	-	-	4/4/2009 3:09:08 PM	0	80	188	176	614		12202 The ISA Server denied the specified Uniform Resource Locator (URL). 	0x0	0x0	Web Proxy Filter

192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		65.55.184.157	HTTP	TCP	-	-	-		Internal	External			Closed Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:08 PM	1163	80	188	0	176	0x80074e24 FWX_E_CONNECTION_KILLED		0x0	0x0	Firewall

192.168.1.121	192.168.1.121					NV	-		192.168.1.224	Unidentified IP Traffic (TCP:1745)	TCP	-	-	-		Internal	Local Host			Initiated Connection				-				4/4/2009 3:09:08 PM	1162	1745	0	0	0	0x0 		0x0	0x0	Firewall

192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		74.125.53.99	HTTP	TCP	-	-	-		Internal	External			Initiated Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:09 PM	1165	80	0	0	0	0x0 		0x0	0x0	Firewall

0.0.0.0	192.168.1.121	DLI\iang	Mozilla/4.0 (compatible; GoogleToolbar 6.0.1411.1512; Windows XP 5.1; MSIE 7.0.5730.13)	Yes	Proxy	NV		74.125.53.99	74.125.53.99	http	TCP	GET	http://74.125.53.99/search?client=navclient-auto&iqrn=zMGD&orig=0J&ie=UTF-8&oe=UTF-8&features=Rank:&q=info:http%3a%2f%2fupdate.microsoft.com%2fmicrosoftupdate&ch=73646830038			Internal	External	-	-	Denied Connection		-	Internet Lockout	Req ID: 0690d7b8 	-	-	-	4/4/2009 3:09:09 PM	0	80	1	176	577		12202 The ISA Server denied the specified Uniform Resource Locator (URL). 	0x4	0x800	Web Proxy Filter

192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		74.125.53.99	HTTP	TCP	-	-	-		Internal	External			Closed Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:09 PM	1165	80	16	0	176	0x80074e24 FWX_E_CONNECTION_KILLED		0x0	0x0	Firewall
 
 
 

---------------------------------------------------------------

URL SET RULE:
 
 

<?xml version="1.0" encoding="UTF-8"?>

<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4" xmlns:dt="urn:schemas-microsoft-com:datatypes" StorageName="FPC" StorageType="0">

	<fpc4:Build dt:dt="string">4.0.2167.887</fpc4:Build>

	<fpc4:Comment dt:dt="string"/>

	<fpc4:Edition dt:dt="int">80</fpc4:Edition>

	<fpc4:ExportItemClassCLSID dt:dt="string">{AA2E238A-0B11-4EF8-9257-DA4864F87A5A}</fpc4:ExportItemClassCLSID>

	<fpc4:ExportItemStorageName dt:dt="string">{22E1748E-43A5-4666-BC1D-0219F793484A}</fpc4:ExportItemStorageName>

	<fpc4:IsaXmlVersion dt:dt="string">1.10</fpc4:IsaXmlVersion>

	<fpc4:OptionalData dt:dt="int">4</fpc4:OptionalData>

	<fpc4:Upgrade dt:dt="boolean">0</fpc4:Upgrade>

	<fpc4:Arrays StorageName="Arrays" StorageType="0">

		<fpc4:Array StorageName="{D92FA13F-0C4A-4DD2-A5E7-A519F094F264}" StorageType="0">

			<fpc4:Components dt:dt="int">-1</fpc4:Components>

			<fpc4:Name dt:dt="string"/>

			<fpc4:RuleElements StorageName="RuleElements" StorageType="0">

				<fpc4:URLSets StorageName="URLSets" StorageType="0">

					<fpc4:URLSet StorageName="{22E1748E-43A5-4666-BC1D-0219F793484A}" StorageType="1">

						<fpc4:Name dt:dt="string">Microsoft_Updates</fpc4:Name>

						<fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>

						<fpc4:URLStrings>

							<fpc4:Str dt:dt="string">http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us</fpc4:Str>

							<fpc4:Str dt:dt="string">http://*.download.windowsupdate.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://*.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://*.update.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://*.windowsupdate.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://*.windowsupdate.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://download.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://download.windowsupdate.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://ntservicepack.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://update.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://windowsupdate.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">http://wustat.windows.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">https://*.update.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">https://*.windowsupdate.microsoft.com/*</fpc4:Str>

							<fpc4:Str dt:dt="string">https://update.microsoft.com/*</fpc4:Str>

						</fpc4:URLStrings>

					</fpc4:URLSet>

				</fpc4:URLSets>

			</fpc4:RuleElements>

		</fpc4:Array>

	</fpc4:Arrays>

</fpc4:Root>

Open in new window

0
Comment
Question by:DMTechGrooup
  • 2
  • 2
4 Comments
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24075296
I would change the URL Set to a Domain Name Set , and make sure this rule is above all the other rules.
0
 
LVL 24

Author Comment

by:DMTechGrooup
ID: 24078179
I have tried that as well.  Seems when it goes to the windows update it tries to go to an IP address instead of a domain name.. or so it seems.
0
 
LVL 14

Accepted Solution

by:
Raj-GT earned 500 total points
ID: 24078897
Looks like the access is being blocked by 'Internal Lockout' rule. Are you sure the Windows Update rule is above all other rules in your firewall policies list. You also need to check that you have given 'All Users' access to this rule and the protocols HTTP and HTTPS are selected.

Can you give me a quick run down of this windows update rule?

0
 
LVL 24

Author Comment

by:DMTechGrooup
ID: 24159368
I havent forgotten this.. I will get back to you early next week.. Thanks.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself. …
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now