Stefaan also provided me some interesting captures. I've forwarded this and his WU configuration to them as well. There's a very real bug here and the only current workaround is to use source address limitations for this destination for now. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ----- Original Message ----- From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Thursday, August 26, 2004 09:56 Subject: [isalist] Re: V5.WindowsUpdate problem on ISA 2000 http://www.ISAserver.org This is the final response I got from Microsoft. I thought the would send you the logs that I sent them, since he said he knew you and said he would forward them to you. And for the record, I never blamed ISA, just that something new wouldn't work through ISA. I also cant just add the group Everybody to the security for internet access, since I don't want just anybody going there. I just hope the fix they issue, which I guess would be another push of the update client, will work through ISA in the first place to get it installed. >From PSS: After browsing the ISA logs, we found that in our case the WU client 2.0 does not properly authenticate with the ISA server. During authentication, the WU client identifies itself as "Domain\" instead of "Domain\UserName". Authentication fails and then Windows Update fails and issues the error code 0x80244021. Of course WU is still working fine on all other versions of Windows 2000. We were able to bypass this problem by creating a rule in ISA which would allow the client to get out without authentication on the ISA server. This is not an ideal fix of course, but it appears that in our case this seems to be the cause and fix. This has been passed on to our support staff and we will be making efforts to resolve this. END Jeff -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Monday, August 23, 2004 7:56 PM To: ISALists Subject: [isalist] Re: V5.WindowsUpdate problem on ISA 2000 http://www.ISAserver.org The error code in the screen shot actually resolves to 12152; a WinInet error complaining about "invalid server response". Between that and the 12209 in your logs, it's clear that WindowsUpdate.v5 doesn't like authenticating proxies. Call PSS and bitch loud and clear; they should be using WinHTTP, not WinInet in their AX controls. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Mon, 23 Aug 2004 22:14:40 +0200 "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx> wrote: http://www.ISAserver.org Hi Jim, I made another test and you can download a screenshot of the error, an excerpt from the web proxy log file and an Ethereal trace at http://users.skynet.be/spouseele/download/WindowsUpdateV5.zip. Thanks, Stefaan -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: zondag 22 augustus 2004 17:46 To: [ISAserver.org Discussion List] Subject: [isalist] Re: V5.WindowsUpdate problem on ISA 2000 http://www.ISAserver.org see; this is why I wanted to see logs... :-) Do you also have captures of this event? That would go a long way to help sort out the "what "& why" of this problem... Nice catch, Stephen! You should contact PSS and scream loud and long about this... Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Sun, 22 Aug 2004 11:38:59 +0200 "Stefaan Pouseele" <Stefaan.Pouseele@xxxxxxx> wrote: http://www.ISAserver.org Hey guys, There seems to be a problem with the new V5.WindowsUpdate and a site&content rule who applies to a user/group based membership. Here is an excerpt of the Web Proxy log on an ISA 2000 server: 172.31.1.2, anonymous, Microsoft WU Client/2.0, N, 8/21/2004, 15:27:10, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, v5.windowsupdate.microsoft.com:443, -, Inet, 12209, 0x0, PR-SPECIAL, - 172.31.1.2, anonymous, Microsoft WU Client/2.0, N, 8/21/2004, 15:27:10, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, v5.windowsupdate.microsoft.com:443, -, Inet, 0, 0x0, PR-SPECIAL, - 172.31.1.2, INTRANET\, Microsoft WU Client/2.0, Y, 8/21/2004, 15:27:10, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, v5.windowsupdate.microsoft.com:443, -, Inet, 12202, 0x0, PR-SPECIAL, - 172.31.1.2, INTRANET\SP, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322), Y, 8/21/2004, 15:27:11, w3proxy, GWISA, -, v5.windowsupdate.microsoft.com, 64.4.21.188, 80, 188, 898, 6519, http, TCP, GET, http://v5.windowsupdate.microsoft.com/v5consumer/errorinformation.aspx?e rror=-2145107935&ln=en-us, text/html; charset=utf-8, Inet, 200, 0x40020001, PR-SPECIAL, SCR-USERS When the Microsoft WU Client/2.0 tries to connect he doesn't authenticate with the full user name (domain\user) but only with the domain part. Turning of the user/group based membership in the site&content rule and apply the rule to any request or a client address set seems to solve the problem. Is this a known problem? HTH, Stefaan ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx