Asked by defecta

Windows Server 2003 and Watchguard Firebox Policy: WSUS updates failing to download.

Hey all,

I'm trying to get WSUS going on a server at my new work. Apparently we used to run a WSUS server but it was decommissioned a while ago due to space issues or something, but I am in the process of reinstating it because of the huge security holes it has left us with (and a subsequent malware infection).

I thought I had installed all the prerequisites but I was getting errors trying to download the updates.

Checking the event log showed a BITS-related error:
Event Type:	Error
Event Source:	Windows Server Update Services
Event Category:	Synchronization 
Event ID:	364
Date:		7/05/2011
Time:		10:50:17 AM
User:		N/A
Computer:	SERVERFILE
Description:
Content file download failed. Reason: The server does not support the necessary HTTP protocol. Background Intelligent Transfer Service (BITS) requires that the server support the Range protocol header.
 Source File: /msdownload/update/software/secu/2008/07/ie7-windowsxp-kb938127-v2-x86-enu_b99f2a4e5971b67a399604bab143f20b0f26bf76.exe Destination File: j:\WSUS\WsusContent\76\B99F2A4E5971B67A399604BAB143F20B0F26BF76.exe.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

After a bit of googling I found these KBs (http://support.microsoft.com/kb/842773, http://support.microsoft.com/kb/922330) and when I tried to install the update it told me I had a newer version and it could not be installed. I followed the KB to check to see if the required files are on the server. The winhttp.dll file is missing but all the other files are of a newer version than the update installs.

The second KB seems to be more likely the issue. We have a Watchguard Firebox that is most likely preventing it from working. I have checked the policies on the Firebox and there was already a policy for WSUS (I'm guessing from the previous deployment) that allows port 80 from all our server IPs to any external IP.

How can I check if this firewall rule is behaving the same way as the Sonicwall as described in the KB article and preventing the downloads from succeeding?
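
One way to run the check asked about above, as an added example that is not part of the original thread: request a small byte range over plain HTTP and see whether the path returns 206 with a matching Content-Range, which is what the BITS error says it needs. The function names `classify` and `probe`, the 100-byte probe range and the URL passed on the command line are assumptions of this example.

```python
import re
import sys
import urllib.error
import urllib.request


def classify(status, headers, body_len, first=0, last=99):
    """Judge a response to 'Range: bytes=first-last' against what BITS requires."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 206:
        m = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+|\*)", h.get("content-range", "").strip())
        if not m:
            return "FAIL: 206 without a valid Content-Range header"
        if int(m.group(1)) != first or int(m.group(2)) - first + 1 != body_len:
            return "FAIL: returned range does not match the request"
        return "OK: partial content returned, Range is honoured on this path"
    if status == 200:
        return "FAIL: full body returned, Range was ignored or stripped on this path"
    return "INCONCLUSIVE: HTTP %d" % status


def probe(url, first=0, last=99, timeout=15):
    """Request a small byte range from url and classify what comes back."""
    req = urllib.request.Request(url, headers={"Range": "bytes=%d-%d" % (first, last)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Read at most one byte more than requested; never pull a whole update file.
            body = resp.read(last - first + 2)
            return classify(resp.status, dict(resp.headers.items()), len(body), first, last)
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers.items()), 0, first, last)


if __name__ == "__main__":
    # Usage: python range_probe.py <URL of a large static file served over port 80>
    print(probe(sys.argv[1]))
```

Run it once from the WSUS server behind the Firebox and once from a machine whose traffic does not pass through that policy; an OK on the second and a FAIL on the first points at the firewall path rather than the remote server.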
SOLUTION
Brian

This solution is only available to members.
defecta (ASKER)

I have had a look and I can't see a way to add another port to a Watchguard policy. Is there a way? Or do I need to create another policy?

When I set up WSUS I didn't use the default update server. I did the one with port 8350 or whatever. But that only affects clients on the internal network, doesn't it?
defecta (ASKER)

And do I create a new proxy or a new policy in Watchguard? (The existing one looks like a proxy if I am reading the configuration icons right.)
defecta (ASKER)

I meant to say, create a new proxy or packet filter.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
defecta (ASKER)

Thanks, washburnma.

So just confirming that there isn't any way to add more ports to an existing policy?
defecta (ASKER)

So I have the new policy in place and it appears to be downloading now. /two thumbs up.

But I now have 15GB of downloads coming down. Is there a way to pause the downloading or stop it now that it's started? There doesn't appear to be any obvious way of doing it.
You can pause or stop the BITS and WSUS processes but that will break other update activities, so not recommended.

To cancel use the procedure here: http://social.technet.microsoft.com/Forums/en/winserverwsus/thread/2f596f9e-9c76-4e22-9899-dfc5921b94b9

Or suffer through, and remember to A) schedule or B) only approve when you know you're ready.
defecta (ASKER)

Thanks for the tip. I ended up unapproving a bunch of updates that weren't needed. But now I have the opposite issue. Updates are coming down very slowly or failing and the client PC is not updating from WSUS, but rather from the Windows Update site. I have tried manually adding the server addresses into the registry as they were missing, as guided by a Microsoft WSUS document, but still no joy. But this is probably a topic for a new question.
You'll get more help by posting a new question. Good luck.