Windows update and WSUS update issues with web/email filter

Discussion in 'Software' started by supag33k, Oct 6, 2005.

  1. supag33k

    supag33k Kilobyte Poster

    howdy,

    I have established that recently my web/email filter and secure gateway is blocking key ports associated with Windows Update, Automatic Updates, and WSUS update. These programs all use the same underlying technology/port configs, which apparently has been changed recently.

    Basically what happens is that the Windows Update process for the suite of Windows update software bombs out during the download process.

    The secure gateway is a Windows 2003 server with the firewall off [it is behind a firewall already on the internal network], and I won't mention the web/email filter software for reasons of confidentiality. This gateway is the specified proxy used in IE for servers and clients, and it allowed the client update software on both servers and PCs to run until recently.

    The only way I can get the updates to work is to disable the firewall PREROUTING statement in the secure Linux firewall [so updates can bypass the secure gateway] and also, in IE, untick "use the same proxy server for all protocols" under proxy server, advanced; this bypasses the gateway for the client.

    So I need to get a comprehensive listing of the ports that Microsoft expects to see open on either the firewall or gateway/filter to allow the changed MS update process to work correctly.

    [For the ports - the answer is not all of them for the linux cynics either.. ]

    And speaking of Linux smarties, the PREROUTING statement is as follows (the rule needs the -A and the chain name in upper case for iptables to accept it):
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport http -j DROP

    This keeps direct HTTP traffic to the firewall down, so that only the HTTP/SMTP filter/gateway gets through when it is in use; disabling it allows the secure gateway to be bypassed by going to the Linux firewall and then the web directly.

    What I effectively do with the above steps is get around my own secure gateway, access the Linux firewall, and then access the internet to install my Windows updates... not an ideal situation, for sure...

    The only research that hints at the problem is the following:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
    http://support.microsoft.com/default.aspx?kbid=842242

    I would surmise at this point that the update software from Microsoft wants to use ports between 3000 and 5000 for FTP downloads as part of the second-stage file transfer process, and this is where it is bombing out.

    The vendor of the filtering software is well aware of the issue and is looking into it, as it seems that Microsoft has recently moved the goalposts for third-party vendors of email and web filtering software.

    - anyone else seen these problems??

    supa
     
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
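Whatever the port question turns out to be, one thing a practitioner would check on a filtering proxy that lets updates start but fail part-way through the download is whether it passes the HTTP/1.1 features that BITS (the transfer service behind Windows Update, Automatic Updates and the WSUS client) depends on: a GET with a Range header must come back as 206 Partial Content with Content-Range and Content-Length, and a filter that fetches and rescans the whole object before answering often returns a plain 200 instead. The script below is an added example, not code from the thread or from the filter vendor; the proxy address, the sample URL and the two canned replies are constructed placeholders, and the "body limited to range" check is a heuristic of my own rather than a documented BITS requirement.

```python
"""Probe an HTTP proxy for the HTTP/1.1 features BITS-based downloads rely on.

Added example (not from the thread). BITS requests update payloads with
HTTP/1.1 GETs carrying a Range header and expects a 206 reply with
Content-Range and Content-Length; a proxy that answers with a full 200 body,
or strips those headers, breaks the transfer mid-download. Proxy address,
URL and sample replies are placeholders, not values from the thread.
"""
import socket
from typing import Optional
from urllib.parse import urlsplit


def build_request(method: str, url: str, extra_headers: Optional[dict] = None) -> bytes:
    """Build a proxy-style (absolute-URI) HTTP/1.1 request."""
    host = urlsplit(url).hostname
    lines = [
        f"{method} {url} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: bits-proxy-probe/0.1",
        "Connection: close",
    ]
    lines += [f"{k}: {v}" for k, v in (extra_headers or {}).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess_range_support(status: int, headers: dict, body: bytes, requested: int = 1024) -> dict:
    """Judge a reply to 'Range: bytes=0-<requested-1>' against what BITS needs."""
    findings = {
        "partial_content": status == 206,                  # 206, not a full 200
        "content_range": "content-range" in headers,       # required by BITS
        "content_length": "content-length" in headers,     # required by BITS
        "body_limited_to_range": len(body) <= requested,   # heuristic (assumption)
    }
    findings["bits_compatible"] = all(findings.values())
    return findings


def probe_via_proxy(proxy_host: str, proxy_port: int, url: str, timeout: float = 15.0) -> dict:
    """Send a ranged GET for `url` through the proxy and assess the reply."""
    request = build_request("GET", url, {"Range": "bytes=0-1023"})
    chunks = []
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return assess_range_support(*parse_response(b"".join(chunks)))


# Constructed sample replies (not captured from any real proxy) for offline use.
COMPLIANT_REPLY = (
    b"HTTP/1.1 206 Partial Content\r\n"
    b"Content-Range: bytes 0-1023/4194304\r\n"
    b"Content-Length: 1024\r\n"
    b"Accept-Ranges: bytes\r\n\r\n" + bytes(1024)
)
FILTERING_REPLY = (  # a content filter that fetched and rescanned the whole object
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Connection: close\r\n\r\n" + bytes(4096)
)

if __name__ == "__main__":
    for label, reply in (("compliant", COMPLIANT_REPLY), ("filtering", FILTERING_REPLY)):
        print(label, assess_range_support(*parse_response(reply)))
    # Live use against a gateway (placeholder proxy address and URL):
    # print(probe_via_proxy("192.0.2.10", 8080, "http://updates.example/file.cab"))
```

Run it against the gateway with a URL the updater actually fetches (the IE proxy setting on a client tells you the proxy host and port); a result where `partial_content` or `content_length` is false points at the proxy's handling of the download rather than at a blocked port.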
  2. ffreeloader

    ffreeloader Terabyte Poster

    I don't have anything constructive to say as I've never had to deal with SUS, but that sure is funny, supa. I can't tell you how many times I've read about MS support techs whose first idea was to shut down firewalls to "fix" problems.

    Sorry about being no help, but that just tickled my funny bone. If you hadn't brought it up I'd have never even thought about it....
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  3. supag33k

    supag33k Kilobyte Poster

    Bingo Freddie, I can prove that if I still use the Linux firewall my clients, and indeed the web/email filter server itself, can still run the Windows updates, but the vendor tech insists that the firewall [no changes recently] is at fault.

    On the Windows 2003 server I am not running the firewall or the Secure Content Manager, so that can be ruled out.

    I think I will end up testing an eval copy of their software loaded on a PC in the DMZ, which means I have to have a couple of test PCs in the DMZ also... a lot of stuffing around if you ask me...
     
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
