windows 7 update not working through one gateway

i have two gateways one on an sbs 2003 box with isa 2004 connected to t1 and another on sonicwall tz200 connected to coax.

on a couple of windows 7 workstations if i set the gateway to sonic wall windows update gives me code 80244018 encountered unknown error (when i try to check for updates manually).  update works fine if i change gateway to sbs box

sonic wall outbound is wide open allowing everything.  when gateway on work station is set to sonicwall everything works (mail, internet) except windows update.  

i change the gateway on the workstation with:
route change 0.0.0.0 mask 0.0.0.0 192.168.0.100 (sbs box) and 192.168.0.109 (sonicwall)

dns works fine (checked with nslookup), i can telnet to windowsupdate.microsoft.com on port 80

i'm going to try to trace some traffic and maybe capture some packets at the sonic wall to see if i can see any requests coming from the workstations to the tz200 during the update request but in the meantime i wanted to pick the experts' brains

the microsoft error doesn't tell me much so now i gotta dig a bit to see where the traffic is stopping

thanks
scrabyAsked:

scrabyAuthor Commented:
i'm pretty convinced that this is a network setup issue and windows update is not able to connect to wherever it's trying to connect to

but what i don't understand is why everything else connecting to the internet works fine with sonic wall as the gateway

the isa server is acting as a proxy and the proxy needs to be specified in IE (check boxes checked and addresses defined) and then update works fine, but when i switch to sonicwall and uncheck the proxy stuff in IE, browsing works fine (i've checked at ipchicken.com and i am arriving from the correct public ip based on which connection i'm on) but windows update breaks when connected to sonic wall
0
scrabyAuthor Commented:
by the way adobe acrobat updater works just fine with the sonicwall?? not sure what's up with windows update.
0
Blue Street TechLast KnightCommented:
Hi scraby,

Which device is handling DHCP, the SBS 2003 or the SonicWALL?
0

scrabyAuthor Commented:
dhcp is on sbs box
0
Blue Street TechLast KnightCommented:
Is this your topology:

ISP
|
SonicWALL
|
SBS 2003?

On the SonicWALL - make sure the Enable DHCP Server checkbox is unchecked.

On SBS - are you running WSUS 3.0 for update dissemination?
0
Blue Street TechLast KnightCommented:
Any update on this?
0
scrabyAuthor Commented:
topology is isp1 > isa firewall (software firewall / proxy) on sbs box > lan1

isp2 > sonicwall > lan1

dhcp is disabled on sonic wall

no WSUS role is installed on any servers on this network.
0
Blue Street TechLast KnightCommented:
My gut says WUS needs to be running through the SBS server.

Why not setup your topology like this:

ISP1  ISP2
|        |
 \       /
   \   /
SonicWALL
|
SBS
|
LAN

This would allow you to load balance on the SonicWALL and would consolidate all the traffic and eliminate these types of issues. If both WANs are going to the same LAN, what other reason is there for the 2nd WAN if not for redundancy (HA)? When I say consolidate I mean if you need to keep the traffic separate you still can but all the routing will be more focused this way. BTW you can remove ISA altogether.
0
ded9Commented:
Can be related to mtu settings.


Run this command


ping www.yahoo.com -f -l 1472

If you get a fragment error then try a different number (1462, etc.) until there are no errors.

Check mtu settings in sonicfirewall and client system.

http://www.richard-slater.co.uk/archives/2009/10/23/change-your-mtu-under-vista-windows-7-or-windows-8/

http://kb.guru-corner.com/question.php?ID=190

Ded9
0
Cris HannaSr IT Support EngineerCommented:
SBS 2003 is not going to support two gateways/isp connections especially as you have it setup

You can only do this by means of a router/gateway device that supports two WAN connections.

First step would be to remove ISA 2004 from the SBS box and reduce it to a single NIC which would connect to your Sonicwall.

You can get instructions for that here http://msmvps.com/blogs/kwsupport/archive/2008/09/07/uninstalling-isa-2004.aspx

Then you would configure your Sonicwall with one WAN port for the T1 and one for the Coax and the appropriate static IPs, port forwarding and such.

It's the only way it's going to work
0
scrabyAuthor Commented:
ded9, fragment flag did not make any difference, pings work fine with it set or not with whatever packet size

diverseit, my ultimate goal is to setup the topology similar to what you have stated however, there is no need for isa as with your layout you are showing isa behind the sonic wall which would complicate things.  remember load balancing is not my problem here.  i just can't figure out why windows update does not like the sonic wall gateway when everything else works fine through the sonicwall

crishanna, you are correct and sbs/isa does not support two gateways, but that is only the case if i add another gateway directly to the sbs box.  my sonicwall gateway is connected directly to the lan and sbs is unaware of it as being a gateway except for the correct routes and networks added so that it will allow traffic to the sbs box that originated from the sonicwall.  my setup is interim as i was trying the coax line for reliability while retaining the t1.  once i'm done, i will eliminate the t1, bring in a cheap dsl to use for ha

i appreciate everyone's help, but i think everyone is forgetting that my issue here is why does everything work fine going through the sonic wall except windows update.  what is different about windows update compared to all other traffic.  the rules on the sonic wall are set pretty much wide open outbound with very little allowed inbound.

can you guys help me out with windows update if anyone knows something that is different about it compared to all other traffic.  i'm going to need to use something like wireshark or perhaps the logging capabilities of sonicwall but it would make things easier if i knew what i was looking for.

thanks
0
ded9Commented:
Firewall might be blocking windows update port.

In case of wsus its 8530 and 8531

for automatic updates its 80 and 443.

I think only wireshark can isolate this issue.



Ded9
0
Blue Street TechLast KnightCommented:
As Ded9 said, the traffic is TCP/80 - nothing special.

I'm thinking a security service or GPO settings are interfering.

Are you running CGSS on the SonicWALL? If so, check to make sure it is not being blocked by one of the security services, especially App Control. As a test temporarily disable all Security Services & re-test.

Run a Packet Capture on the SonicWALL (System > Diagnostics page, then Packet Capture tool). Post results. You'll see what's happening from there.

Also, check Group Policy distribution settings for updates. Verify the policy settings (if applicable). I'm thinking that the server is providing the URL path for client updates and then when you disable Proxy settings...the GPO is still presiding but the path now is an incorrect URL as a result.

Microsoft has a Fix IT for this error (code: 80244018): http://support.microsoft.com/mats/windows_update/en-us?entrypoint=lightbox
To dig into it more troubleshoot here: http://support.microsoft.com/kb/818018

Lastly (if all else fails), on the PC, try:
1. Disable the third party programs.
Sometimes third party programs such as firewall, antivirus, Internet security and so on can prevent the connection between Windows and the Windows Update Server. Try disabling these third party programs when installing updates and re-enable them after installation finishes.
2. Verify the Windows Update is set correctly.
Click the "Start" button, type "services.msc" in the search box.
Click the "service" from the pop-up programs list.
On the right list of Services windows, find and right-click "Background Intelligent Transfer Service" and set the status as "Started".
Next, find and right-click "Windows Update" and set the status as "Started".
Close the Services windows and reinstall the Windows Update.

P.S. In comment http:#a39495576, I was just pointing out that with that topology you could take advantage of load balancing & multi-WAN fail-over.

Let me know how it goes!
0

Blue Street TechLast KnightCommented:
Any update on this?
0
scrabyAuthor Commented:
I really haven't found an answer and still need to experiment with wireshark and packet capture on the sonic wall to see where this traffic is getting plugged.  Thanks for all of your input and I'll post back to this thread if I find a solution
0
djstewartncCommented:
I have read soooo many different articles concerning the Microsoft Update error. We were having the same issue since implementing Content Filtering on our Sonic Wall. I tried excluding the three addresses suggested by Microsoft to no avail. Then, to my chagrin, my boss (of all people) suggested I look at what category the site is falling in. It would be the Freeware/Software Downloads category. I considered the minimal risk of unblocking this category and determined it to be acceptable. We have enough safeguards to prevent a major crisis if we un-check this category. We did, and guess what ... our updates run now.
Glad to get this behind us.
0
Blue Street TechLast KnightCommented:
It depends on how you are deploying CFS in SonicWALL via App Rules or Users & Zones. The configuration is slightly different on approach but the result is the same. You can successfully block the category 49. Freeware/Software Downloads, which I'd recommend for a number of reasons, and whitelist the following domains to allow Microsoft updates to take place:
microsoft.com
windows.com
windowsecurity.com
windowsupdate.com
Just make sure that each CFS Policy under Configure > Settings tab has the Source of Allowed Domains set to Global.

Cheers!
0
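An added example, not written by any poster in this thread: 80244018 is the Windows Update agent's code for an HTTP 403 (forbidden) reply, so the thing to look for in a log or capture is which host is refusing the request. This sketch scans WindowsUpdate.log-style lines for HRESULTs that carry an HTTP status and checks each refused host against the allowed domains listed in the last answer; the sample lines, the function names and the dot-boundary suffix matching are assumptions, not SonicWALL's documented behaviour.

```python
import re
from urllib.parse import urlparse

# Domains the last answer on this page recommends allowing in the content filter.
ALLOWED_DOMAINS = ("microsoft.com", "windows.com",
                   "windowsecurity.com", "windowsupdate.com")
# Windows Update agent codes that wrap an HTTP status (WU_E_PT_HTTP_STATUS_*).
WU_HTTP_CODES = {0x80244017: 401, 0x80244018: 403, 0x80244019: 404,
                 0x8024401B: 407, 0x80244022: 503}
URL_RE = re.compile(r"https?://\S+", re.I)
HRESULT_RE = re.compile(r"\b0x([0-9a-fA-F]{8})\b")

# Constructed sample lines in the style of WindowsUpdate.log (not from the thread).
SAMPLE_LOG = [
    "10:12:33:120 904 a4c Misc WARNING: DownloadFileInternal failed for http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab: error 0x80190193",
    "10:12:33:125 904 a4c PT WARNING: PTError: 0x80244018",
    "10:12:34:002 904 a4c Misc WARNING: DownloadFileInternal failed for http://updates.example.net/file.cab: error 0x80190193",
]

def http_status(hresult):
    """Return the HTTP status carried by an HRESULT, or None if it has none."""
    if hresult in WU_HTTP_CODES:
        return WU_HTTP_CODES[hresult]
    if (hresult & 0xFFFF0000) == 0x80190000:  # FACILITY_HTTP: low word is the status
        return hresult & 0xFFFF
    return None

def covered(host):
    """True if host is an allowed domain or a subdomain of one (dot boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def triage(lines):
    """List unique (status, host, covered_by_allow_list) for refused requests."""
    findings, last_host = [], None
    for line in lines:
        m = URL_RE.search(line)
        if m:  # remember the host; later lines may report only the error code
            last_host = urlparse(m.group(0).rstrip(":.,")).hostname
        for hx in HRESULT_RE.findall(line):
            status = http_status(int(hx, 16))
            item = (status, last_host, covered(last_host)) if last_host else None
            if status and item and item not in findings:
                findings.append(item)
    return findings

if __name__ == "__main__":
    for status, host, ok in triage(SAMPLE_LOG):
        print(status, host, "in allow list" if ok else "NOT in allow list")
```

A 403 on a host that is already covered by the allowed domains points at the allow list not being applied to that policy, which is what the Source of Allowed Domains setting mentioned above controls.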