Solved

ISA 2004 - Allow access to Windows Update to all user

Posted on 2009-04-04
4
1,166 Views
Last Modified: 2012-05-06
I followed this KB http://support.microsoft.com/kb/885819

From a workstation that has no allowed internet access I can get to www.microsoft.com but when I try to go to update.microsoft.com I get redirected to the No Internet allowed page specified in the Deny rule.

Here is the monitor from that WS below.

Any help is appreciated.


Original Client IP	Client IP	Client Username	Client Agent	Authenticated Client	Service	Server Name	Referring Server	Destination Host Name	Destination IP	Protocol	Transport	HTTP Method	URL	MIME Type	Object Source	Source Network	Destination Network	Source Proxy	Destination Proxy	Action	Bidirectional	Client Host Name	Rule	Filter Information	Network Interface	Raw IP Header	Raw Payload	Log Time	Source Port	Destination Port	Processing Time	Bytes Sent	Bytes Received	Result Code	HTTP Status Code	Cache Information	Error Information	Log Record Type
192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		65.55.184.157	HTTP	TCP	-	-	-		Internal	External			Initiated Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:08 PM	1163	80	0	0	0	0x0 		0x0	0x0	Firewall
0.0.0.0	192.168.1.121	DLI\iang	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)	Yes	Proxy	NV		65.55.184.157	65.55.184.157	http	TCP	GET	http://65.55.184.157/microsoftupdate			Internal	External	-	-	Denied Connection		-	Internet Lockout	Req ID: 0690d7b3 	-	-	-	4/4/2009 3:09:08 PM	0	80	188	176	614		12202 The ISA Server denied the specified Uniform Resource Locator (URL). 	0x0	0x0	Web Proxy Filter
192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		65.55.184.157	HTTP	TCP	-	-	-		Internal	External			Closed Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:08 PM	1163	80	188	0	176	0x80074e24 FWX_E_CONNECTION_KILLED		0x0	0x0	Firewall
192.168.1.121	192.168.1.121					NV	-		192.168.1.224	Unidentified IP Traffic (TCP:1745)	TCP	-	-	-		Internal	Local Host			Initiated Connection				-				4/4/2009 3:09:08 PM	1162	1745	0	0	0	0x0 		0x0	0x0	Firewall
192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		74.125.53.99	HTTP	TCP	-	-	-		Internal	External			Initiated Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:09 PM	1165	80	0	0	0	0x0 		0x0	0x0	Firewall
0.0.0.0	192.168.1.121	DLI\iang	Mozilla/4.0 (compatible; GoogleToolbar 6.0.1411.1512; Windows XP 5.1; MSIE 7.0.5730.13)	Yes	Proxy	NV		74.125.53.99	74.125.53.99	http	TCP	GET	http://74.125.53.99/search?client=navclient-auto&iqrn=zMGD&orig=0J&ie=UTF-8&oe=UTF-8&features=Rank:&q=info:http%3a%2f%2fupdate.microsoft.com%2fmicrosoftupdate&ch=73646830038			Internal	External	-	-	Denied Connection		-	Internet Lockout	Req ID: 0690d7b8 	-	-	-	4/4/2009 3:09:09 PM	0	80	1	176	577		12202 The ISA Server denied the specified Uniform Resource Locator (URL). 	0x4	0x800	Web Proxy Filter
192.168.1.121	192.168.1.121	DLI\iang	IEXPLORE.EXE:3:5.1			NV	-		74.125.53.99	HTTP	TCP	-	-	-		Internal	External			Closed Connection			Allow_Website_Maintenance	-				4/4/2009 3:09:09 PM	1165	80	16	0	176	0x80074e24 FWX_E_CONNECTION_KILLED		0x0	0x0	Firewall
 
 
 
---------------------------------------------------------------
URL SET RULE:
 
 
<?xml version="1.0" encoding="UTF-8"?>
<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4" xmlns:dt="urn:schemas-microsoft-com:datatypes" StorageName="FPC" StorageType="0">
	<fpc4:Build dt:dt="string">4.0.2167.887</fpc4:Build>
	<fpc4:Comment dt:dt="string"/>
	<fpc4:Edition dt:dt="int">80</fpc4:Edition>
	<fpc4:ExportItemClassCLSID dt:dt="string">{AA2E238A-0B11-4EF8-9257-DA4864F87A5A}</fpc4:ExportItemClassCLSID>
	<fpc4:ExportItemStorageName dt:dt="string">{22E1748E-43A5-4666-BC1D-0219F793484A}</fpc4:ExportItemStorageName>
	<fpc4:IsaXmlVersion dt:dt="string">1.10</fpc4:IsaXmlVersion>
	<fpc4:OptionalData dt:dt="int">4</fpc4:OptionalData>
	<fpc4:Upgrade dt:dt="boolean">0</fpc4:Upgrade>
	<fpc4:Arrays StorageName="Arrays" StorageType="0">
		<fpc4:Array StorageName="{D92FA13F-0C4A-4DD2-A5E7-A519F094F264}" StorageType="0">
			<fpc4:Components dt:dt="int">-1</fpc4:Components>
			<fpc4:Name dt:dt="string"/>
			<fpc4:RuleElements StorageName="RuleElements" StorageType="0">
				<fpc4:URLSets StorageName="URLSets" StorageType="0">
					<fpc4:URLSet StorageName="{22E1748E-43A5-4666-BC1D-0219F793484A}" StorageType="1">
						<fpc4:Name dt:dt="string">Microsoft_Updates</fpc4:Name>
						<fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
						<fpc4:URLStrings>
							<fpc4:Str dt:dt="string">http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us</fpc4:Str>
							<fpc4:Str dt:dt="string">http://*.download.windowsupdate.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://*.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://*.update.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://*.windowsupdate.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://*.windowsupdate.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://download.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://download.windowsupdate.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://ntservicepack.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://update.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://windowsupdate.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">http://wustat.windows.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">https://*.update.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">https://*.windowsupdate.microsoft.com/*</fpc4:Str>
							<fpc4:Str dt:dt="string">https://update.microsoft.com/*</fpc4:Str>
						</fpc4:URLStrings>
					</fpc4:URLSet>
				</fpc4:URLSets>
			</fpc4:RuleElements>
		</fpc4:Array>
	</fpc4:Arrays>
</fpc4:Root>

Open in new window

0
Comment
Question by:DMTechGrooup
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24075296
I would change the URL Set to a Domain Name Set , and make sure this rule is above all the other rules.
0
 
LVL 24

Author Comment

by:DMTechGrooup
ID: 24078179
I have tried that as well.  Seems when it goes to the windows update it tries to go to an IP address instead of a domain name.. or so it seems.
0
 
LVL 14

Accepted Solution

by:
Raj-GT earned 500 total points
ID: 24078897
Looks like the access is being blocked by 'Internal Lockout' rule. Are you sure the Windows Update rule is above all other rules in your firewall policies list. You also need to check that you have given 'All Users' access to this rule and the protocols HTTP and HTTPS are selected.

Can you give me a quick run down of this windows update rule?

0
 
LVL 24

Author Comment

by:DMTechGrooup
ID: 24159368
I havent forgotten this.. I will get back to you early next week.. Thanks.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In Africa (and potentially where you live…), reliability of ISPs is questionable.  With the increased reliance on e-mail as one of the primary forms of communication, the costs to business are significant based on interuption of ISP Connectivity.  T…
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question