Loading...
Loading...

Trustwave Knowledge Base

Home » Knowledgebase » WebMarshal » PRB: Windows Update does not connect through WebMarshal proxy

PRB: Windows Update does not connect through WebMarshal proxy

Expand / Collapse
Show/Hide Article Tools


This article applies to:

  • WebMarshal
  • Microsoft Windows Update
  • Windows Store

Symptoms:

  • Some clients are unable to run Windows Update or Windows Store through WebMarshal proxy.
  • Windows Update does not run automatically through WebMarshal proxy.

Causes:

  • WebMarshal policy might not allow access to all sites required by Windows Store or Windows Update.
  • Windows automatic processes do not use a proxy by default, and cannot use account authentication.
  • Windows automatic processes use a system proxy setting that you can set manually.

Information:

Sites required for Windows Updates

You can allow access to all sites required by Microsoft Windows Updates by setting up some policies in the WebMarshal configuration.

  1. Create a new URL category called 'Software updates' and populate it with the list of URLs below:


    • http://download.windowsupdate.com
    • http://*.download.windowsupdate.com
    • http://download.microsoft.com
    • https://*.update.microsoft.com
    • http://*.update.microsoft.com
    • https://update.microsoft.com
    • http://update.microsoft.com
    • http://*.windowsupdate.com
    • http://*.windowsupdate.microsoft.com
    • http://windowsupdate.microsoft.com
    • https://*.windowsupdate.microsoft.com
    • http://ntservicepack.microsoft.com
    • http://wustat.windows.com


    Note: The list of sites used by Windows Updates is subject to change. The list above was taken from Microsoft KB 885819. If you continue to encounter problems after completing the steps in this article, use the Active Sessions feature in WebMarshal Console to identify any blocked sites and add them to the list. 
     
  2. Create a new Standard Rule similar to the following. Place it above any blocking rules:
    Site Rule: Permit Software Updates
    When a web request is received
    For any User
    And where the URL is a member of 'Software Updates'

    Permit Access to this site
    And do not process any further site blocking rules
  3. Create a new Content Analysis Rule similar to the following. Place it above any File Type blocking rules:

    FileType Rule: Permit Software Update files
    When a web request is received
    For any User
    And where the URL is a member of 'Software Updates'

    Permit Access to this file
    And do not process any further file type rules

  4. Be sure to reload the configuration after making these changes.

Proxy authentication options

Windows Update cannot use a proxy that requires account authentication; there is no method to save a credential.

Several possibilities are available to enable automatic updating through a proxy.

  1. Use WSUS. You can configure the WSUS server to use proxy credentials. This is the recommended option for enterprise scenarios and provides greatest flexibility. For WSUS setup, refer to WSUS documentation. Search Microsoft Technet for the latest version of documentation. Here is a recent version.
    • Note: If WSUS is connecting through WebMarshal, set WSUS to perform downloads in foreground mode, or add the sites to the Proxy Bypass list. WSUS in background mode uses byte ranges and these are not supported by the WebMarshal Engine. For details, see Trustwave Knowledgebase article Q11582.
  2. Use IP Authentication in WebMarshal. To use this option:
    • Add a 'Software Updates' URL category as described above.
    • Enable IP authentication in WebMarshal. (If you want to require account authentication for interactive users, enforce browser proxy settings with GPO or other tools.)
    • On each workstation, configure the default proxy setting for WinHTTP as described below, using the IP authentication port of WebMarshal.
  3. Use the WebMarshal Proxy Bypass List. To use this option:
    • Add the URLs mentioned above to the WebMarshal Proxy Bypass list.
    • On each workstation, configure the default proxy setting for WinHTTP as described below.

Proxy settings for WinHTTP

To configure default proxy settings, use proxycfg or netsh winhttp (depending on Windows version). See also Microsoft KB 900935.

  • In the below instructions, proxyservername and portnumber refer to the WebMarshal server name (or address) and the port where you want to direct the request - for instance, WMSERVER01:8080
  • For current versions of Windows (Windows 7 and above, Windows Server 2008 and above):
     
    At an elevated (run as administrator) command prompt, enter:

         netsh winhttp set proxy proxyservername:portnumber 

    Alternatively, if the Internet Explorer settings of the current user are correct, you can use them by entering:
     
            netsh winhttp import proxy source=ie
     
  • For Windows 2003 and below, at a command prompt, enter:

         proxycfg -p proxyservername:portnumber

 Notes:

  • Some earlier releases of Windows Update allowed an interactive user to perform updates through a proxy using their own credentials. However the current versions of Windows Update or Microsoft Update use a back-end process for all updates including user-initiated updates. This article has been revised to reflect this change.
A previous version of this article was published as:
NETIQKB41520

    To contact Trustwave about this article or to request support:

    Rate this Article:
         

    Add Your Comments


    Comment submission is disabled for anonymous users.
    Please send feedback to Trustwave Technical Support or the Webmaster    .


    Execution: 0.031. 8 queries. Compression Disabled.
    Powered by InstantKB.NET