[isalist] Re: Getting WSUS files to download through TMG 2010

  • From: Rob Moore <RMoore@xxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 26 Apr 2010 10:22:52 -0400

I am looking right now at the live log as the WSUS server tries to go out and 
download files. When I highlight one of the Failed Connection Attempts, in the 
upper pane the URL is listed as 
http://70.37.129.29/msdownload/update/software/defu/2010/04/mpam-fe_128bde14f8e8f74f6fa189cfdf28eff7829a3ed8.exe

In the lower pane, the Destination is listed as "External (cds24.ewr9.msecn.net 
70.37.129.29:80)".

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, April 25, 2010 11:19 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Rob,

Do your TMG logs actually include requests from your WSUS to a URL that 
contains "cds118.ewr9.msecn.net"?
The WSUS team insists that WSUS will not make requests this way.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, April 23, 2010 9:08 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Interesting - lemme see what I can discover...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, April 23, 2010 08:28
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Sorry for the delay. I got tied up with other things, and since my creation of 
the Source Exception for WSUS made it work, this slipped in priority. Today I 
deleted the Source Exception and tried again to download files with WSUS. Again 
that failed.

The thing is, WSUS doesn't appear to be trying to pull files from any of those 
built-in Destination Exceptions you mentioned (*.microsoft.com, *.windows.com 
and *.windowsupdate.com). According to the log, it's trying to pull files from 
"cds118.ewr9.msecn.net 70.37.129.123:80". So it doesn't seem like those 
Destination Exceptions would help.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, April 20, 2010 6:49 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Time to gather some data.
Use NetMon at the TMG and set the log viewer to monitor traffic from the WSUS 
server.
Are you sure the WSUS proxy settings are right?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Tuesday, April 20, 2010 10:51
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

Yep, all those are in the Destination Exceptions for Malware Inspection.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, April 19, 2010 4:44 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Getting WSUS files to download through TMG 2010

By default, malware inspection is disabled for *.microsoft.com, *.windows.com 
and *.windowsupdate.com.
If this isn't your experience, someone has been playing silly buggers in your 
deployment.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Monday, April 19, 2010 10:07
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Getting WSUS files to download through TMG 2010

Hello-

Just FYI-if you're implementing TMG 2010 and you have a WSUS server, you need 
to turn off Malware Inspection on the traffic going out from the WSUS server or 
else the WSUS server won't be able to download files associated with the 
updates. At least that was my experience today.

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC

Other related posts: