RE: Windows Update v5 issues and workaround

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 06 Sep 2004 21:45:15 -0700

Actually, they did use an "allow all for 'everyone'" policy thinking that
validated their authentication testing.
Needless to say, we've offered our consulting services for the next round...

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Mon, 6 Sep 2004 14:09:07 -0500, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> wrote:
http://www.ISAserver.org

Maybe they were testing with a 'hardware' firewall with an All Open
outbound access policy and Deny Rules to supplement it. 

Isn't that how we're supposed to configure our firewalls? ;-)

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Monday, September 06, 2004 2:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows Update v5 issues and workaround



Nope; and I don't get why not, either.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Mon, 6 Sep 2004 20:02:53 +0200, "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx> wrote:

Hi Jim, 

Is this fix already included in IE6-SP2 delivered with XP-SP2 (IE version
6.0.2900.2180)?

Thanks, 
Stefaan 

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: maandag 6 september 2004 19:05
To: [ISAserver.org Discussion List]
Subject: Re: Windows Update v5 issues and workaround


Hi all,

We've located an existing fix that appears to alleviate WU issue #2:
    http://support.microsoft.com/?id=871260

Accordingly, the previous instructions are amended as follows (if you
previously had "global authentication" disabled, there is no reason to
enable it):

(add)
    For internal clients
    Download and apply this Internet Explorer update package to all internal clients
        http://support.microsoft.com/?id=871260

For ISA 2000
(add)
    Note for ISA policy recommendations: If you use an "allow all
    destinations for selected users" rule, the following recommendations may
    not work as expected because of the way ISA 2000 matches requests to rules.
    Since it is not possible to define a "rule order" in ISA 2000, you may
    wish to modify your "allow all destinations for selected users" rule to be
    an "allow Windows Update for all users" rule.

(delete)
    Disable "global" authentication for web proxy requests

For ISA 2004
(delete)
    Disable "global" authentication for web proxy requests


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, September 04, 2004 14:54
Subject: [isalist] Windows Update v5 issues and workaround



Hello everyone,

The core cause of this problem is still being worked out, but a clear
workaround is available and it boils down to two things:
- Disable authentication for Windows Update requests.
- Disable "global authentication" for web proxy requests.

Note: you may have heard that the "ReturnDeniedIfAuthenticated" registry
setting explained in http://support.microsoft.com/?id=297324 is part of the
problem. While applying this setting to ISA 2000 does help expose the WU
authentication problems, it is not the cause. If you have applied this
setting to your ISA 2000 Server, you did so with good reason to solve a
specific problem. You should not remove this setting if you have applied
it. By the same token, if you are not experiencing the problem outlined in
this KB article, you don't need to and shouldn't apply it. The above
article applies only to ISA 2000; you should not apply any ISA 2000
registry settings to ISA 2004 unless the relevant KB article explicitly
instructs you to. Currently, none do.


Now let's get on with the workaround.
Per the WU team, there are four destinations that should be included for
creating anonymous Windows Update access policies:

        TABLE 1
    Item    FQDN
    1       *.download.microsoft.com
    2       *.windowsupdate.com
    3       *.windowsupdate.microsoft.com
    4       windowsupdate.microsoft.com


For ISA 2000
    Disable "global" authentication for web proxy requests
    1.       Open the ISA Manglement MMC
    2.       Select View, then Advanced
    3.       Expand Servers and Arrays
    4.       R-click <ArrayName>, select Properties
    5.       Select Outgoing Web Requests
    6.       Uncheck Ask Unauthenticated users for identification
    7.       Click Apply
    8.       When prompted, select Save the changes and restart the service(s)
    9.       Click OK

    Create a destination set for Windows Update domains
    1.       Expand <ArrayName> and Policy Elements
    2.       R-click Destination Sets, select New, then Set
    3.       Enter WindowsUpdate in the Name field, click Next
    4.       Click Add
    5.       Enter *.download.microsoft.com in the Domain field
    6.       Leave the Path field blank
    7.       Click OK
    8.       Repeat steps 4 through 7 for each remaining entry in Table 1
    9.       Click OK

    Create an anonymous Site and Content rule for Windows Update requests
    1.       Expand Access Policy
    2.       R-click Site and Content Rules, select New, then Rule
    3.       Enter Windows Update in the Name field, click Next
    4.       Select Allow, click Next
    5.       Select Allow access based on destination, click Next
    6.       In the Apply this rule to: drop-down list, select Specified Destination Set
    7.       In the Name: drop-down list, select Windows Update
    8.       Click Next, then Finish


For ISA 2004
    Disable "global" authentication for web proxy requests
    1.       Open the ISA Manglement MMC
    2.       Expand <ArrayName>, then Configuration
    3.       Select Networks
    4.       In the middle pane, select the Networks tab
    5.       R-click Internal and select Properties
    6.       Select the Web Proxy tab
    7.       Click Authentication
    8.       In the Authentication window, uncheck Require all users to authenticate, click OK
    9.       Click Apply, then OK
    10.     Repeat steps 5 through 9 for each network object where you allow Web Proxy requests

    Create an anonymous Access Rule for Windows Update
    1.       In the left pane, R-click Firewall Policy and select New, then Access Rule
    2.       Enter Windows Update in the Name field, click Next
    3.       Select Allow, click Next
    4.       In the This rule applies to: drop-down list, select Selected Protocols
    5.       Click Add
    6.       In the Add Protocols dialog, expand Web
    7.       Select HTTP and click Add
    8.       Select HTTPS and click Add
    9.       Click Close, then Next
    10.     In the Access Rule Sources dialog, click Add
    11.     In the Add Network Entities dialog, expand Networks
    12.     Select Internal and click Add
    13.     For each network where you unchecked Require all users to authenticate, select that network object and click Add
    14.     Click Close, then Next
    15.     In the Access Rule Destinations window, click Add
    16.     In the Add Network Entities window menu bar, click New, then Domain Name Set
    17.     In the New Domain Name Set Policy Element window, enter Windows Update in the Name field
    18.     Click New
    19.     In the Domain names included in this set list, change the new entry to *.download.microsoft.com
    20.     Repeat steps 19 and 20 for each remaining entry in Table 1
    21.     Click OK
    22.     In the New Domain Name Set Policy Element window, select Windows Update, click Add, then Close
    23.     Click Next, Next, then Finish
    24.     In the top part of the middle pane, Apply and Discard buttons will appear; click Apply
    25.     When the Apply New Configuration dialog reports "Changes to the configuration were successfully applied", click OK

    Make the Windows Update rule the first rule
    NOTE: If you prefer to list all of your deny rules first, then you can make the Windows Update rule the first rule following them
    1.       In the left pane, select Firewall Policy
    2.       If Windows Update is already the first rule in the list, stop here
    3.       In the middle pane, select Windows Update
    4.       In the right pane, select the Tasks tab
    5.       Click Move the selected rule up until Windows Update is the first rule in the list
    6.       In the top part of the middle pane, Apply and Discard buttons should appear; click Apply
    7.       When the Apply New Configuration dialog reports "Changes to the configuration were successfully applied", click OK

Look for a WU KB soon that details that side of the issue and
cross-links to an ISA KB with these instructions.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 
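As an added illustration (not code from the thread, from ISA Server, or from any of the posters), the Python below models first-match web-proxy rule evaluation against the Table 1 domain name set. It shows why the instructions put the anonymous Windows Update rule ahead of an "allow all destinations for selected users" rule (the situation the ISA 2000 note warns about, since ISA 2000 has no rule order), why item 4 of Table 1 is listed separately from the wildcard in item 3, and why a network-level "Require all users to authenticate" setting short-circuits the rule entirely. The wildcard semantics (`*.x` matches hosts below `x` but not `x` itself), the `Rule`/`evaluate` model and the sample hosts in `demo()` are all assumptions constructed for the example, not ISA's real policy engine.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Table 1 from the thread: the four Windows Update destinations.
WINDOWS_UPDATE_SET = (
    "*.download.microsoft.com",
    "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
)


def domain_matches(pattern: str, host: str) -> bool:
    """Match one domain-name-set entry against a request host.

    Assumed semantics (modelled on how Table 1 is written, not taken from ISA
    documentation): '*.example.com' matches any host *below* example.com but
    not example.com itself, which is why items 3 and 4 of the table are listed
    separately.  Matching is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot: ".download.microsoft.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def in_domain_set(domain_set: Sequence[str], host: str) -> bool:
    """True if any entry of the set matches the host."""
    return any(domain_matches(p, host) for p in domain_set)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    destinations: Optional[Sequence[str]]    # None = all destinations
    require_auth: bool                       # False = all users, anonymous included


def evaluate(policy: Sequence[Rule], host: str, authenticated: bool,
             require_all_users: bool = False) -> str:
    """First-match evaluation of an ordered web-proxy policy (hypothetical model).

    require_all_users models the network-level "Require all users to
    authenticate" setting: when it is on, an anonymous request is challenged
    before any rule is consulted.  Otherwise the first rule whose destination
    matches decides; if that rule is restricted to authenticated users and the
    request carries no credentials, the proxy challenges instead of allowing.
    """
    if require_all_users and not authenticated:
        return "challenge (global authentication)"
    for rule in policy:
        if rule.destinations is not None and not in_domain_set(rule.destinations, host):
            continue
        if rule.require_auth and not authenticated:
            return f"challenge ({rule.name})"
        return f"{rule.action} ({rule.name})"
    return "deny (default rule)"


# The anonymous Windows Update rule from the thread, plus a typical
# "allow all destinations for selected users" rule.
WU_RULE = Rule("Windows Update", "allow", WINDOWS_UPDATE_SET, require_auth=False)
USERS_RULE = Rule("All destinations for selected users", "allow", None, require_auth=True)

GOOD_POLICY = (WU_RULE, USERS_RULE)   # WU rule first, as the thread recommends
BAD_POLICY = (USERS_RULE, WU_RULE)    # the ordering the ISA 2000 note warns about


def demo() -> dict:
    """Run constructed sample requests; returns {description: decision}."""
    wu_host = "download.windowsupdate.com"   # constructed host inside Table 1
    other = "www.example.com"                # constructed host outside Table 1
    return {
        "anonymous WU request, WU rule first": evaluate(GOOD_POLICY, wu_host, False),
        "anonymous WU request, users rule first": evaluate(BAD_POLICY, wu_host, False),
        "anonymous WU request, global auth still on": evaluate(GOOD_POLICY, wu_host, False, True),
        "anonymous request elsewhere": evaluate(GOOD_POLICY, other, False),
        "authenticated request elsewhere": evaluate(GOOD_POLICY, other, True),
    }


if __name__ == "__main__":
    for what, decision in demo().items():
        print(f"{what:45} -> {decision}")
```

Running it shows the three outcomes the thread is juggling: with the WU rule first and global authentication off, an anonymous Windows Update request is allowed while everything else is still challenged; with the users rule first (or with no rule order at all), the same request is challenged before the WU rule is ever reached; and with "Require all users to authenticate" still on, rule order does not matter because the challenge happens first.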