
Office 365 updates failing

Hi,

I have a web appliance acting as a proxy and for the most part it works as expected. We are currently experiencing an issue where Office 365 will install successfully, register successfully, license successfully but then fail in regards to updating.

It can identify that updates are available and you can tell it to install them, you then get the standard downloading updates box. It will sit there with nothing but the progress bar for about twenty minutes and then eventually turns up an error (error code 30180-28: something went wrong - we were unable to download Office). If I get the same machine to bypass the web appliance and have no proxy it works and updates fine, so it's definitely the web appliance somehow struggling with the update procedure.

I've tried adding a load of sites into the trusted site lists and adding certificates for most of the MS sites that it looks to be calling, but it still seems to fail. Anyone had any success getting this working or any ideas on how to get it working!?

Cheers.



  • Thanks Red_Warrior.

    I've pumped all the logs out for this machine and looked for anything that has the user's IP - and everything comes back as act=1 and no rsn=-. So in my mind everything is saying it's successfully passing through. However it still fails.

    At present we do not have any authentication enabled and all rules and everything are managed by IP.

    It definitely is something Sophos web appliance related. I've got the same machine and bypassed the web appliance and it's worked first time. So the Sophos appliance is obviously doing something with the updates but I can't see anything in the logs to suggest anything but a legit passing through traffic!

  • Hi again, I'm posting this just in case anyone else runs into the problem with 365 updates and Proxy settings.

    After lots of faffing about, hair pulling, swearing, network traffic analyzing and coffee drinking - I seem to have it working. So far, tested successful on two machines and working as expected.

    I think what actually appears to be happening is that certain parts of the Office 365 updater DO NOT use the current user to work, instead relying on localsystem user.  The issue with this is - the localsystem user does not understand the proxy settings we put into IE - so when it tries to run that part - it's not that Sophos is somehow blocking it. It's actually not even hitting Sophos for this bit of the update. As such running the following command issues the proxy settings to the localsystem user and voila - after that it worked straight away. Obviously - edit this per your own requirements.

    bitsadmin /util /setieproxy localsystem MANUAL_PROXY proxy.company.com:3128 "<local>*.company.com; 172.19.*; 172.20.*;"

    Hopefully this may help anyone else having a mare with it like I have been!

    Thanks again Red_Warrior!

  • The newer update mechanisms of Windows and Office mostly rely on the netsh proxy settings and ignore user-settings completely which is OK as many users aren't allowed to install any updates on their own anyway.

    If this outgoing traffic on the gateway isn't allowed by firewall- / masquerading/NAT-policies (nearly in most cases where you use a dedicated proxy) you have a problem with those connections if you don't set the netsh proxy explicitly. If the web appliance has comparable rules like a UTM I would recommend allowing web traffic from user agents "OfficeClickToRun" and "Microsoft-Delivery-Optimization/10.0" without authentication, too.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
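
The replies above attribute the failure to update components that run as LocalSystem or use the netsh (WinHTTP) proxy instead of the user's IE settings. The following read-only PowerShell check is an added example, not code from any poster in this thread; it assumes an elevated prompt and English-language netsh output.

```powershell
# Added example: compare the proxy configuration seen by three contexts on a client.
# Read-only: it queries settings and changes nothing.

function Get-UserIeProxy {
    # Per-user IE/WinINET settings of the logged-on user.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key
    $proxy = $null
    if ($s.ProxyEnable -eq 1) { $proxy = $s.ProxyServer }
    [pscustomobject]@{ Context = 'Current user (IE)'; Proxy = $proxy; Bypass = $s.ProxyOverride }
}

function Get-WinHttpProxy {
    # Machine-wide WinHTTP proxy. Parsing assumes English netsh output (assumption).
    $text = (& netsh winhttp show proxy) -join "`n"
    $proxy = $null
    $bypass = $null
    if ($text -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $proxy = $Matches[1] }
    if ($text -match 'Bypass List\s*:\s*(.+)') { $bypass = $Matches[1].Trim() }
    [pscustomobject]@{ Context = 'WinHTTP (netsh)'; Proxy = $proxy; Bypass = $bypass }
}

$user    = Get-UserIeProxy
$winhttp = Get-WinHttpProxy
$user, $winhttp | Format-Table -AutoSize

# IE proxy settings stored for the LocalSystem account, shown exactly as bitsadmin prints them.
'--- LocalSystem (bitsadmin /util /getieproxy localsystem) ---'
& bitsadmin /util /getieproxy localsystem

# Flag the mismatch described in the thread: the user is proxied, system services are not.
if ($user.Proxy -and -not $winhttp.Proxy) {
    Write-Warning "User traffic uses $($user.Proxy) but WinHTTP is set to direct access; services that ignore user settings will not reach the proxy."
} elseif ($user.Proxy -and $winhttp.Proxy -and $user.Proxy -ne $winhttp.Proxy) {
    Write-Warning "User proxy ($($user.Proxy)) and WinHTTP proxy ($($winhttp.Proxy)) differ."
}
```

A warning here, together with no matching requests in the proxy logs for the update window, points to the traffic never reaching the appliance rather than being blocked by it.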

  • Hey glad to help,

    Sounds like what's going on is perhaps not so much running as another user, but more like it's trying to authenticate (or communicate) on a port other than 80 or 443.  If this is the case the appliance would not answer and the request would time out.

    Adding the proxy exclusion is a good option as well. It also helps in similar cases where Outlook tries to look up auto discovery addresses for the email box and fails.  (The most common fix is to black hole the auto-discover address to 127.0.0.1 forcing Outlook to check locally.)

    Another thing you could try is look in the logs under UA= (user agent), then under authentication create an authentication profile. Under the user agent string select custom, then add the first part of the agent. Once that's done go into the second tab under the auth menu and make a profile using the exception and set it to not use authentication (enter the MS domains) and that will allow an unauthenticated request with the update tool only, to that specific site.

    cheers