Windows Server 2003 and Watchguard Firebox Policy: WSUS updates failing to download.

Hey all,

I'm trying to get WSUS going on a server at my new work. Apparently we used to run a WSUS server but it was decommissioned a while ago due to space issues or something, but I am in the process of reinstating it because of the huge security holes it has left us with (and a subsequent malware infection).

I thought I had installed all the prerequisites but I was getting errors trying to download the updates.

Checking the event log showed a BITS-related error:
Event Type:	Error
Event Source:	Windows Server Update Services
Event Category:	Synchronization 
Event ID:	364
Date:		7/05/2011
Time:		10:50:17 AM
User:		N/A
Content file download failed. Reason: The server does not support the necessary HTTP protocol. Background Intelligent Transfer Service (BITS) requires that the server support the Range protocol header.
 Source File: /msdownload/update/software/secu/2008/07/ie7-windowsxp-kb938127-v2-x86-enu_b99f2a4e5971b67a399604bab143f20b0f26bf76.exe Destination File: j:\WSUS\WsusContent\76\B99F2A4E5971B67A399604BAB143F20B0F26BF76.exe.

For more information, see Help and Support Center at


After a bit of googling I found these KBs, and when I tried to install the update it told me I had a newer version and it could not be installed. I followed the KB to check whether the required files are on the server. The winhttp.dll file is missing, but all the other files are of a newer version than the update installs.

The second KB seems more likely to be the issue. We have a Watchguard Firebox that is most likely preventing it from working. I have checked the policies on the Firebox and there was already a policy for WSUS (I'm guessing from the previous deployment) that allows port 80 from all our server IPs to any external IP.

How can I check if this firewall rule is behaving the same way as the Sonicwall as described in the KB article and preventing the downloads from succeeding?
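One way to answer this question directly is to do what BITS does and look at what comes back: send a single GET with a Range header for the download path from event 364 and check whether the response is a 206 Partial Content with a matching Content-Range. The script below is an added example, not code from the thread, from Microsoft or from WatchGuard; it assumes the host download.windowsupdate.com (the event entry only shows the path) and uses an illustrative User-Agent string.

```python
"""Test whether a download source honours the HTTP Range header that BITS
requires, from the host where WSUS runs (so the request crosses the Firebox).

Added example, not from the original thread.  It reproduces the condition
behind WSUS event 364: BITS asks for a byte range and expects 206 Partial
Content; a 200 OK carrying the whole file means the origin, or a proxy or
filter in the path, ignored or stripped the Range header.
Assumptions: the hostname download.windowsupdate.com (only the path appears in
the event log) and the User-Agent string, which is illustrative.
"""
import http.client
import re
from urllib.parse import urlsplit

# Path copied from the event 364 entry in the question; the host is assumed.
SAMPLE_URL = (
    "http://download.windowsupdate.com/msdownload/update/software/secu/2008/07/"
    "ie7-windowsxp-kb938127-v2-x86-enu_b99f2a4e5971b67a399604bab143f20b0f26bf76.exe"
)

CONTENT_RANGE_RE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")


def evaluate_range_response(status, headers, first):
    """Judge a Range request from its status code and lower-cased headers.

    Returns (ok, reason).  Only a 206 whose Content-Range starts at the
    requested offset counts as Range support; anything else is what BITS
    reports as "the server does not support the necessary HTTP protocol".
    """
    if status == 206:
        content_range = headers.get("content-range", "")
        match = CONTENT_RANGE_RE.match(content_range)
        if match and int(match.group(1)) == first:
            return True, "206 Partial Content, Content-Range: " + content_range
        return False, "206 with unexpected Content-Range: %r" % content_range
    if status == 200:
        if headers.get("accept-ranges", "").lower() == "none":
            return False, "200 OK and Accept-Ranges: none (origin refuses ranges)"
        return False, "200 OK with full body: Range header ignored or stripped by a proxy in the path"
    return False, "HTTP %d: cannot judge Range support" % status


def check_range_support(url, first=0, last=1023, timeout=15):
    """Send one GET with a Range header and return (ok, reason, status).

    The body is never read, so a 200 does not pull down the whole file.
    Run it on the WSUS server itself so it traverses the same firewall
    policy that BITS traffic does.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={
            "Range": "bytes=%d-%d" % (first, last),
            "User-Agent": "Microsoft BITS/7.5",  # assumed value; some proxies match rules on the UA
        })
        resp = conn.getresponse()
        headers = {name.lower(): value for name, value in resp.getheaders()}
        ok, reason = evaluate_range_response(resp.status, headers, first)
        return ok, reason, resp.status
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_URL
    ok, reason, status = check_range_support(target)
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it once from the WSUS server and once from a machine that does not sit behind the Firebox (or after temporarily changing the policy). If the outside run gets a 206 and the inside run gets a 200, something in the path is rewriting the request, which is the behaviour the KB describes for the SonicWALL. A plain packet-filter policy passes the request untouched, whereas a proxy-type policy inspects and can alter it, which is why the two give different results.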
Brian Commented:
If you are just opening a port you can just add a packet filter. It will take less processing power that way. You can just add another policy for it.


You can create a custom packet filter type if you like and add both 80 and 443 if you want them both in one packet filter. In the Policy Manager, click add a policy, then select add in that new window to add a custom packet filter. Then add the ports TCP 80 and TCP 443. Then save, and select your new filter under Custom.

If the old Proxy Policy was only being used for WSUS port 80, then you can disable it. Test if it works, then delete if you are sure you do not need it. I will usually leave a policy I am unsure about disabled for a week or two to see if it breaks something else.
Brian Commented:
WSUS uses port 443 as well. So just add TCP port 443 to the policy along with port 80.

The server also could have been set to use a custom port. That should be under IIS.

You need to look for blocked packets in your WatchGuard log as well.

A final possibility is, do you have auto-sort or manual-sort on for the policies?
defecta (Author) Commented:
I have had a look and I can't see a way to add another port to a Watchguard policy. Is there a way? Or do I need to create another policy?

When I set up WSUS I didn't use the default update server. I used the one with port 8350 or whatever, but that only affects clients on the internal network, doesn't it?

defecta (Author) Commented:
And do I create a new proxy or a new policy in Watchguard? (The existing one looks like a proxy if I am reading the configuration icons right.)
defecta (Author) Commented:
I meant to say, create a new proxy or packet filter.
defecta (Author) Commented:
thanks washburnma.

So just confirming that there isn't any way to add more ports to an existing policy?
defecta (Author) Commented:
So I have the new policy in place and it appears to be downloading now. Two thumbs up.

But I now have 15GB of downloads coming down. Is there a way to pause the downloading or stop it now that it's started? There doesn't appear to be any obvious way of doing it.
You can pause or stop the BITS and WSUS processes but that will break other update activities, so not recommended.

To cancel, use the procedure here:

Or suffer through, and remember to A) schedule or B) only approve when you know you're ready.
defecta (Author) Commented:
Thanks for the tip. I ended up unapproving a bunch of updates that weren't needed. But now I have the opposite issue. Updates are coming down very slowly or failing, and the client PC is not updating from WSUS but rather from the Windows Update site. I have tried manually adding the server addresses into the registry as they were missing, as guided by a Microsoft WSUS document, but still no joy. But this is probably a topic for a new question.
You'll get more help by posting a new question. Good luck.
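The client-side check the author describes above (the WSUS server addresses in the registry) can be verified rather than guessed at. The script below is an added example, not code from the thread or from Microsoft. The key and value names (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate) are the standard Windows Update client policy settings; the expected server URL, wsus.example.local on the WSUS custom port 8530, is an assumption for illustration and should be replaced with the real one.

```python
"""Check a Windows Update client's WSUS policy values.

Added example, not from the thread or from Microsoft.  The key and value
names are the standard WSUS client policy settings under
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate; the expected
server URL is an assumption used for illustration.
"""
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = POLICY_KEY + r"\AU"
EXPECTED_SERVER = "http://wsus.example.local:8530"  # assumed server and port


def diagnose_client(policy, au, expected=EXPECTED_SERVER):
    """policy/au: value-name -> data dicts for the two keys above.

    Returns a list of findings; an empty list means the client is configured
    to contact the WSUS server rather than Windows Update on the Internet.
    """
    findings = []

    def norm(url):
        return (url or "").rstrip("/").lower()

    wuserver = policy.get("WUServer")
    wustatus = policy.get("WUStatusServer")
    if not wuserver:
        findings.append("WUServer missing: client falls back to Windows Update on the Internet")
    elif norm(wuserver) != norm(expected):
        findings.append("WUServer is %r, expected %r" % (wuserver, expected))
    if not wustatus:
        findings.append("WUStatusServer missing: no status reporting to WSUS")
    elif norm(wustatus) != norm(wuserver):
        findings.append("WUStatusServer (%r) differs from WUServer (%r)" % (wustatus, wuserver))
    # Without UseWUServer=1 the two URLs above are ignored entirely.
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: WUServer/WUStatusServer are ignored")
    if au.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate is 1: Automatic Updates is disabled by policy")
    return findings


def read_live_policy():
    """Read the two keys from the local machine (Windows only)."""
    import winreg  # unavailable off Windows; diagnose_client() still works on dicts

    def dump(subkey):
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # end of the value list
                        break
                    values[name] = data
                    index += 1
        except FileNotFoundError:  # key absent: no policy applied at all
            pass
        return values

    return dump(POLICY_KEY), dump(AU_KEY)


if __name__ == "__main__":
    policy, au = read_live_policy()
    problems = diagnose_client(policy, au)
    if problems:
        print("\n".join(problems))
    else:
        print("OK: client points at " + EXPECTED_SERVER)
```

After correcting any of these values, `wuauclt /resetauthorization /detectnow` forces the client to re-detect against the configured server instead of waiting for the next scheduled detection.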