
Windows Update

Hello. We have UTM 9.004. Client PCs can't download Windows updates from Microsoft unless they are added to the "Skip transparent mode source hosts/nets" list; otherwise an error appears. The same goes for the WSUS server: it must also be added to the same list in order to synchronize. I am sending the web proxy log from when a client PC tries to download updates from Microsoft.
Any ideas are welcome. The built-in "Microsoft Windows Update" exception rule is active.
Thanks


  • I managed to get it working with these steps:

    • Create network definitions

    • create firewall rule

    • Internal (Network) -> Web Surfing ->

    • activate HTTPS (SSL) scanning

      • Web Protection - Web Filtering  - Global - check 'Scan HTTPS (SSL) Traffic'

    • Web filtering exceptions

    • Web Protection - Web Filtering - Exceptions - activate 'Microsoft Windows Update'
    • Skip these checks:
      • Antivirus, Extension blocking, SSL scanning

    • Matching these URLS:
      • ^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/
      • ^https?://([A-Za-z0-9.-]*\.)?microsoft\.com/


    • skip transparent mode
      • Web Protection - Web Filtering - Advanced
        • Skip transparent mode destination hosts/nets:
        • activate 'Allow HTTP/S traffic for listed hosts/nets'


    • import cert
      • Web Protection - Web Filtering - HTTPS CAs -> Download


  • Hello there,

    I solved it with the default "windows update"-exception from Sophos.
    I added 3 IPs to the URL list (for which a certificate error occurs, see below):

    2012:12:06-23:10:50 utm httpproxy[4415]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="" srcip="192.168.2.100" dstip="" user="" statuscode="502" cached="0" profile="REF_HttProPrivat (Privat)" filteraction=" ()" size="0" request="0x95626c8" url="https://157.55.60.56" exceptions="" error="Failed to verify server certificate"
    2012:12:06-23:10:56 utm httpproxy[4415]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="" srcip="192.168.2.100" dstip="" user="" statuscode="502" cached="0" profile="REF_HttProPrivat (Privat)" filteraction=" ()" size="0" request="0x128f4040" url="https://65.52.98.7" exceptions="" error="Failed to verify server certificate"
    2012:12:06-23:10:57 utm httpproxy[4415]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="" srcip="192.168.2.100" dstip="" user="" statuscode="502" cached="0" profile="REF_HttProPrivat (Privat)" filteraction=" ()" size="0" request="0x129150e8" url="https://65.52.98.7" exceptions="" error="Failed to verify server certificate

    I hope these server IPs don't even change, but for now it works like a charm.
    All PCs and notebooks can update without any issues...

    Just add these 2 (different) IPs and it should work.
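
The blocked requests in the log above are for URLs whose host is a bare IP address, which the two hostname-based exception patterns listed earlier in the thread cannot match. The following Python script is an added example, not part of any post in this thread: it parses httpproxy lines and counts certificate-failure blocks that neither pattern covers. The first three sample lines are abridged from the log above; the fourth is constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# The two exception patterns quoted in the first reply of this thread.
EXCEPTIONS = [
    re.compile(r"^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/"),
    re.compile(r"^https?://([A-Za-z0-9.-]*\.)?microsoft\.com/"),
]
# key="value" pairs; no closing quote is required, since a pasted line may be cut off.
FIELD = re.compile(r'(\w+)="([^"]*)')

# Lines 1-3: from the log in the post above, abridged to the fields used here.
# Line 4: constructed, to show a hostname URL that the patterns do cover.
SAMPLE_LOG = """\
2012:12:06-23:10:50 utm httpproxy[4415]: name="web request blocked" action="block" srcip="192.168.2.100" url="https://157.55.60.56" exceptions="" error="Failed to verify server certificate"
2012:12:06-23:10:56 utm httpproxy[4415]: name="web request blocked" action="block" srcip="192.168.2.100" url="https://65.52.98.7" exceptions="" error="Failed to verify server certificate"
2012:12:06-23:10:57 utm httpproxy[4415]: name="web request blocked" action="block" srcip="192.168.2.100" url="https://65.52.98.7" exceptions="" error="Failed to verify server certificate
2012:12:06-23:11:02 utm httpproxy[4415]: name="web request blocked" action="block" srcip="192.168.2.100" url="https://download.windowsupdate.com/" exceptions="" error="Failed to verify server certificate"
"""

def is_ip_literal(url):
    """True when the URL's host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def uncovered_cert_failures(log_text):
    """Count blocked certificate failures whose URL matches no exception pattern."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("action") != "block":
            continue
        if "verify server certificate" not in fields.get("error", ""):
            continue
        url = fields.get("url", "")
        if not any(p.search(url) for p in EXCEPTIONS):
            hits[url] += 1
    return hits

if __name__ == "__main__":
    for url, count in uncovered_cert_failures(SAMPLE_LOG).most_common():
        kind = "IP literal" if is_ip_literal(url) else "hostname"
        print(f"{count}x {url} ({kind}, not matched by the URL exceptions)")
```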