  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1318

Windows Server 2003 and Watchguard Firebox Policy: WSUS updates failing to download.

Hey all,

I'm trying to get WSUS going on a server at my new work. Apparently we used to run a WSUS server but it was decommissioned a while ago due to space issues or something, but I am in the process of reinstating it because of the huge security holes it has left us with (and a subsequent malware infection).

I thought I had installed all the prerequisites but I was getting errors trying to download the updates.

Checking the event log showed a BITS-related error:
Event Type:	Error
Event Source:	Windows Server Update Services
Event Category:	Synchronization 
Event ID:	364
Date:		7/05/2011
Time:		10:50:17 AM
User:		N/A
Computer:	SERVERFILE
Description:
Content file download failed. Reason: The server does not support the necessary HTTP protocol. Background Intelligent Transfer Service (BITS) requires that the server support the Range protocol header.
 Source File: /msdownload/update/software/secu/2008/07/ie7-windowsxp-kb938127-v2-x86-enu_b99f2a4e5971b67a399604bab143f20b0f26bf76.exe Destination File: j:\WSUS\WsusContent\76\B99F2A4E5971B67A399604BAB143F20B0F26BF76.exe.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


After a bit of googling I found these KBs (http://support.microsoft.com/kb/842773, http://support.microsoft.com/kb/922330) and when I tried to install the update it told me I had a newer version and it could not be installed. I followed the KB to check to see if the required files are on the server. The winhttp.dll file is missing but all the other files are of a newer version than the update installs.

The second KB seems to be more likely the issue. We have a Watchguard Firebox that is most likely preventing it from working. I have checked the policies on the Firebox and there was already a policy for WSUS (I'm guessing from the previous deployment) that allows port 80 from all our server IPs to any external IP.

How can I check if this firewall rule is behaving the same way as the Sonicwall as described in the KB article and preventing the downloads from succeeding?
0
defecta
2 Solutions
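
One way to run the check the question asks for, as an added example that is not part of the original thread: request a byte range and confirm the reply is a 206 with a matching Content-Range, which is what the BITS error above says is required. The function names and the sample responses are constructed for illustration; `probe()` takes a download URL you supply and should be run from the WSUS server so the request crosses the firewall policy.

```python
import re
import urllib.request

def range_verdict(status, headers, body_len, first, last):
    """Classify one reply to 'Range: bytes=first-last' the way BITS needs it."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        # Full-body reply: the Range header was dropped or ignored on the path.
        return "range-ignored"
    if status != 206:
        return "unexpected-status"
    m = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+|\*)",
                     h.get("content-range", "").strip())
    if not m:
        return "missing-content-range"
    if (int(m.group(1)), int(m.group(2))) != (first, last):
        return "wrong-range"
    if body_len != last - first + 1:
        return "length-mismatch"
    return "ok"

def probe(url, first=0, last=1023, timeout=15):
    """Live check (needs network access through the firewall under test)."""
    req = urllib.request.Request(url, headers={"Range": f"bytes={first}-{last}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read(last - first + 2)  # at most one byte more than asked
        return range_verdict(resp.status, dict(resp.headers), len(body), first, last)

# Constructed sample replies (status, headers, body length), not captured traffic.
SAMPLES = {
    "direct": (206, {"Content-Range": "bytes 0-1023/512000"}, 1024),
    "header stripped": (200, {"Content-Length": "512000"}, 512000),
    "body rewritten": (206, {"Content-Range": "bytes 0-1023/512000"}, 900),
}

def demo():
    return {name: range_verdict(s, h, n, 0, 1023)
            for name, (s, h, n) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

Anything other than "ok" through the firewall, when the same URL returns "ok" from a connection that bypasses it, points at the policy rather than at the WSUS server.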
 
Brian Commented:
WSUS uses port 443 as well. So just add TCP port 443 to the policy along with port 80.

The server also could have been set to use a custom port. That should be under IIS.

You need to look for blocked packets in your WatchGuard log as well.

A final possibility is, do you have auto-sort or manual-sort on for the policies?
0
 
defecta (Author) Commented:
I have had a look and I can't see a way to add another port to a Watchguard policy. Is there a way? Or do I need to create another policy?

When I set up WSUS I didn't use the default update server. I did the one with port 8350 or whatever, but that only affects clients on the internal network, doesn't it?
0
 
defecta (Author) Commented:
And do I create a new proxy or a new policy in Watchguard? (The existing one looks like a proxy if I am reading the configuration icons right.)
0

 
defecta (Author) Commented:
I meant to say, create a new proxy or packet filter.
0
 
Brian Commented:
If you are just opening a port you can just add a packet filter. It will take less processing power that way. You can just add another policy for it.

or

You can create a custom packet filter type if you like and add both 80 and 443 if you want them both in one packet filter. In the Policy Manager, click add a policy, then select add in that new window to add a custom packet filter. Then add the ports TCP 80 and TCP 443. Then save, and select your new filter under Custom.

If the old Proxy Policy was only being used for WSUS port 80, then you can disable it. Test if it works, then delete if you are sure you do not need it. I will usually leave a policy I am unsure about disabled for a week or two to see if it breaks something else.
0
 
defecta (Author) Commented:
Thanks washburnma.

So just confirming that there isn't any way to add more ports to an existing policy?
0
 
defecta (Author) Commented:
So I have the new policy in place and it appears to be downloading now. /two thumbs up.

But I now have 15GB of downloads coming down. Is there a way to pause the downloading or stop it now that it's started? There doesn't appear to be any obvious way of doing it.
0
 
Brian Commented:
You can pause or stop the BITS and WSUS processes but that will break other update activities, so not recommended.

To cancel use the procedure here: http://social.technet.microsoft.com/Forums/en/winserverwsus/thread/2f596f9e-9c76-4e22-9899-dfc5921b94b9

Or suffer through, and remember to A) schedule or B) only approve when you know you're ready.
0
 
defecta (Author) Commented:
Thanks for the tip. I ended up unapproving a bunch of updates that weren't needed. But now I have the opposite issue. Updates are coming down very slowly or failing and the client PC is not updating from WSUS, rather the Windows Update site. I have tried manually adding the server addresses into the registry as they were missing, as guided by a Microsoft WSUS document, but still no joy. But this is probably a topic for a new question.
0
 
Brian Commented:
You'll get more help by posting a new question. Good luck.
0
