[isalist] Re: Getting WSUS files to download through TMG 2010

  • From: Rob Moore <RMoore@xxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 Apr 2010 09:14:46 -0400

Perhaps I'll play with doing that a bit. The decision to turn it off was made 
some years back. I seem to recall that we ran into several problems with 
caching at the time, but it may be worth a second look.

In any case, the problem oddly enough seems to have gone away on its own. I 
removed the WSUS server from the "Source Exceptions" in the Malware Inspection 
configuration, so I could do some troubleshooting. But the server has continued 
to be able to download files.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, April 26, 2010 6:37 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Hammers and flies (and probably missed, to boot).
It would have been better to simply create a no-cache rule for those sites.
You lose a BUNCH of great functionality with SecureNET clients.

Configure your WSUS to be a Web proxy client and all this will go away.
..Like Steve said...
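To check (and, if needed, apply) the web-proxy-client setting Jim recommends, here is an added example that is not part of the thread. It uses the WSUS administration API on the WSUS server; the TMG host name and listener port are assumptions and must be replaced with your own values.

```powershell
# Added example: make WSUS a web proxy client of TMG instead of a SecureNET client.
# Assumed values (not from the thread): TMG host name and its web proxy listener port.
$ProxyName = 'tmg.example.internal'   # assumed: your TMG server's name
$ProxyPort = 8080                     # assumed: TMG's default web proxy listener port

# Load the WSUS administration assembly installed with the WSUS console/server
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()

if (-not $config.UseProxy -or $config.ProxyName -ne $ProxyName) {
    # Without this, WSUS opens direct connections and the TMG log shows
    # IP-literal URLs like the one quoted earlier in the thread.
    $config.UseProxy             = $true
    $config.ProxyName            = $ProxyName
    $config.ProxyServerPort      = $ProxyPort
    $config.AnonymousProxyAccess = $true   # set to $false and supply credentials if TMG requires proxy auth
    $config.Save()
}

# Show the effective settings so the change can be confirmed before re-running a sync
$config | Select-Object UseProxy, ProxyName, ProxyServerPort, AnonymousProxyAccess
```

After saving, start a WSUS synchronization and watch the TMG live log: the requests should now arrive at the web proxy listener with FQDN URLs rather than IP addresses.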

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Monday, April 26, 2010 10:52
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

I don't have the TMG server configured to be a proxy server. We had a lot of 
objections from our web group a few years ago (their test sites would get 
cached and they couldn't see their changes in a timely fashion), so we just 
turned it off.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, April 26, 2010 1:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

OK - so WSUS is not asking for the FQDN, but the IP address.
Have you configured your WSUS to behave as a CERN proxy client?
Based on your logs, it doesn't seem so because the URL includes an IP address 
(or the manifest it downloads is buggered).

Do this - go to your WSUS configuration and make sure it's properly configured 
to use TMG as its proxy server.
If it is, a netcap of the process at the TMG itself would be very useful...

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Monday, April 26, 2010 07:23
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

I am looking right now at the live log as the WSUS server tries to go out and 
download files. When I highlight one of the Failed Connection Attempts, in the 
upper pane the URL is listed as 
http://70.37.129.29/msdownload/update/software/defu/2010/04/mpam-fe_128bde14f8e8f74f6fa189cfdf28eff7829a3ed8.exe

In the lower pane, the Destination is listed as "External (cds24.ewr9.msecn.net 
70.37.129.29:80)".

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, April 25, 2010 11:19 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Rob,

Do your TMG logs actually include requests from your WSUS to a URL that 
contains "cds118.ewr9.msecn.net"?
The WSUS team insists that WSUS will not make requests this way.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, April 23, 2010 9:08 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Interesting - lemme see what I can discover...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, April 23, 2010 08:28
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Sorry for the delay. I got tied up with other things, and since my creation of 
the Source Exception for WSUS made it work, this slipped in priority. Today I 
deleted the Source Exception and tried again to download files with WSUS. Again 
that failed.

The thing is, WSUS doesn't appear to be trying to pull files from any of those 
built-in Destination Exceptions you mentioned (*.microsoft.com, *.windows.com 
and *.windowsupdate.com). According to the log, it's trying to pull files from 
"cds118.ewr9.msecn.net 70.37.129.123:80". So it doesn't seem like those 
Destination Exceptions would help.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, April 20, 2010 6:49 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Time to gather some data.
Use NetMon at the TMG and set the log viewer to monitor traffic from the WSUS 
server.
Are you sure the WSUS proxy settings are right?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Tuesday, April 20, 2010 10:51
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Yep, all those are in the Destination Exceptions for Malware Inspection.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, April 19, 2010 4:44 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

By default, malware inspection is disabled for *.microsoft.com, *.windows.com 
and *.windowsupdate.com.
If this isn't your experience, someone has been playing silly buggers in your 
deployment.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Monday, April 19, 2010 10:07
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Getting WSUS files to download through TMG 2010

Hello-

Just FYI-if you're implementing TMG 2010 and you have a WSUS server, you need 
to turn off Malware Inspection on the traffic going out from the WSUS server or 
else the WSUS server won't be able to download files associated with the 
updates. At least that was my experience today.

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC
