Solved

ISA 2004 - Allow access to Windows Update to all user

Posted on 2009-04-04
4
1,157 Views
Last Modified: 2012-05-06
I followed this KB http://support.microsoft.com/kb/885819

From a workstation that has no allowed internet access I can get to www.microsoft.com but when I try to go to update.microsoft.com I get redirected to the No Internet allowed page specified in the Deny rule.

Here is the monitor from that WS below.

Any help is appreciated.


Original Client IP	Client IP	Client Username	Client Agent	Authenticated Client	Service	Server Name	Referring Server	Destination Host Name	Destination IP	Protocol	Transport	HTTP Method	URL	MIME Type	Object Source	Source Network	Destination Network	Source Proxy	Destination Proxy	Action	Bidirectional	Client Host Name	Rule	Filter Information	Network Interface	Raw IP Header	Raw Payload	Log Time	Source Port	Destination Port	Processing Time	Bytes Sent	Bytes Received	Result Code	HTTP Status Code	Cache Information	Error Information	Log Record Type
192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		65.55.184.157	HTTP	TCP	-	-	-		Internal	External			Initiated Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:08 PM	1163	80	0	0	0	0x0 		0x0	0x0	Firewall
0.0.0.0	192.168.1.121	DLI\iang	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)	Yes	Proxy	NV		65.55.184.157	65.55.184.157	http	TCP	GET	http://65.55.184.157/microsoftupdate			Internal	External	-	-	Denied Connection		-	Internet Lockout	Req ID: 0690d7b3 	-	-	-	4/4/2009 3:09:08 PM	0	80	188	176	614		12202 The ISA Server denied the specified Uniform Resource Locator (URL). 	0x0	0x0	Web Proxy Filter
192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		65.55.184.157	HTTP	TCP	-	-	-		Internal	External			Closed Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:08 PM	1163	80	188	0	176	0x80074e24 FWX_E_CONNECTION_KILLED		0x0	0x0	Firewall
192.168.1.121	192.168.1.121					NV	-		192.168.1.224	Unidentified IP Traffic (TCP:1745)	TCP	-	-	-		Internal	Local Host			Initiated Connection				-				4/4/2009 3:09:08 PM	1162	1745	0	0	0	0x0 		0x0	0x0	Firewall
192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		74.125.53.99	HTTP	TCP	-	-	-		Internal	External			Initiated Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:09 PM	1165	80	0	0	0	0x0 		0x0	0x0	Firewall
0.0.0.0	192.168.1.121	DLI\iang	Mozilla/4.0 (compatible; GoogleToolbar 6.0.1411.1512; Windows XP 5.1; MSIE 7.0.5730.13)	Yes	Proxy	NV		74.125.53.99	74.125.53.99	http	TCP	GET	http://74.125.53.99/search?client=navclient-auto&iqrn=zMGD&orig=0J&ie=UTF-8&oe=UTF-8&features=Rank:&q=info:http%3a%2f%2fupdate.microsoft.com%2fmicrosoftupdate&ch=73646830038			Internal	External	-	-	Denied Connection		-	Internet Lockout	Req ID: 0690d7b8 	-	-	-	4/4/2009 3:09:09 PM	0	80	1	176	577		12202 The ISA Server denied the specified Uniform Resource Locator (URL). 	0x4	0x800	Web Proxy Filter
192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		74.125.53.99	HTTP	TCP	-	-	-		Internal	External			Closed Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:09 PM	1165	80	16	0	176	0x80074e24 FWX_E_CONNECTION_KILLED		0x0	0x0	Firewall
 
 
 
---------------------------------------------------------------
URL SET RULE:
 
 
<?xml version="1.0" encoding="UTF-8"?>
<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4" xmlns:dt="urn:schemas-microsoft-com:datatypes" StorageName="FPC" StorageType="0">
	<fpc4:Build dt:dt="string">4.0.2167.887</fpc4:Build>
	<fpc4:Comment dt:dt="string"/>
	<fpc4:Edition dt:dt="int">80</fpc4:Edition>
	<fpc4:ExportItemClassCLSID dt:dt="string">{AA2E238A-0B11-4EF8-9257-DA4864F87A5A}</fpc4:ExportItemClassCLSID>
	<fpc4:ExportItemStorageName dt:dt="string">{22E1748E-43A5-4666-BC1D-0219F793484A}</fpc4:ExportItemStorageName>
	<fpc4:IsaXmlVersion dt:dt="string">1.10</fpc4:IsaXmlVersion>
	<fpc4:OptionalData dt:dt="int">4</fpc4:OptionalData>
	<fpc4:Upgrade dt:dt="boolean">0</fpc4:Upgrade>
	<fpc4:Arrays StorageName="Arrays" StorageType="0">
		<fpc4:Array StorageName="{D92FA13F-0C4A-4DD2-A5E7-A519F094F264}" StorageType="0">
			<fpc4:Components dt:dt="int">-1</fpc4:Components>
			<fpc4:Name dt:dt="string"/>
			<fpc4:RuleElements StorageName="RuleElements" StorageType="0">
				<fpc4:URLSets StorageName="URLSets" StorageType="0">
					<fpc4:URLSet StorageName="{22E1748E-43A5-4666-BC1D-0219F793484A}" StorageType="1">
						<fpc4:Name dt:dt="string">Microsoft_Updates</fpc4:Name>
						<fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
						<fpc4:URLStrings>
							<fpc4:Str dt:dt="string">http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us</fpc4:Str>
							<fpc4:Str dt:dt="string">http://*.download.windowsupdate.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://*.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://*.update.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://*.windowsupdate.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://*.windowsupdate.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://download.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://download.windowsupdate.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://ntservicepack.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://update.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://windowsupdate.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://wustat.windows.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">https://*.update.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">https://*.windowsupdate.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">https://update.microsoft.com/*</fpc4:Str>
						</fpc4:URLStrings>
					</fpc4:URLSet>
				</fpc4:URLSets>
			</fpc4:RuleElements>
		</fpc4:Array>
	</fpc4:Arrays>
</fpc4:Root>

Open in new window

0
Comment
Question by:DMTechGrooup
  • 2
  • 2
4 Comments
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24075296
I would change the URL Set to a Domain Name Set , and make sure this rule is above all the other rules.
0
 
LVL 24

Author Comment

by:DMTechGrooup
ID: 24078179
I have tried that as well.  Seems when it goes to the windows update it tries to go to an IP address instead of a domain name.. or so it seems.
0
 
LVL 14

Accepted Solution

by:
Raj-GT earned 500 total points
ID: 24078897
Looks like the access is being blocked by 'Internal Lockout' rule. Are you sure the Windows Update rule is above all other rules in your firewall policies list. You also need to check that you have given 'All Users' access to this rule and the protocols HTTP and HTTPS are selected.

Can you give me a quick run down of this windows update rule?

0
 
LVL 24

Author Comment

by:DMTechGrooup
ID: 24159368
I havent forgotten this.. I will get back to you early next week.. Thanks.
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Forefront is the brand name for Microsoft's major security product. Forefront covers a number of specific security areas and has 'swallowed' a number of applications under this umbrella including Antigen, ISA Server, the Integrated Access Gateway (t…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question