1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WSUS Updates to ISA 2004

Discussion in 'Software' started by mojorisin, Jan 12, 2007.

  1. mojorisin

    mojorisin Kilobyte Poster

    Hi Guys

    Happy New Year to you all

    Right now to the problem that has been doing my head in for about a month now

    I installed ISA 2004 on a freshly built Windows 2003 Server before install the server was pulling updates from my internal WSUS server after installing ISA it no longer connects

    I have followed the instruction from Tom Schinder on the isaserver.org site to allow updates and also created the rule to allow traffic to and from the isa server and the wsus server but still it has denied errors in the event log on the isa server

    I can ping the wsus server from the isa server and the name resolves but if i try to open it via IE i get the 403 forbidden error

    All other pc's are pulling updates ok and the wsus server can also get updates from Microsoft through the isa server without a problem

    Only the ISA server cannot self update from the WSUS server

    Any Ideas

    sorry for the long ramble :biggrin
    WIP: 70-685 http://www.speedtest.net/result/3377759783.png
  2. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    It's hard to help as you have already followed Tom S's advice and if that didn't work, well um search me :rolleyes: :biggrin

    Just a few thoughts which crossed my mind..

    Presumably you have two NICs in your ISA server, with the external one configured with a network id that differs from your internal NIC? The external one should be on the same subnet as your Internet gateway ie router/modem The internal one (LAN) must be on a separate subnet, so that ISA stands between your LAN and the net.

    ISA determines what is local and what is remote by entries in it's LAT (local address table) - only the LAN IPs (internal) should be in there - check and make sure!

    Browsing from the ISA server itself is not recommended, hence by default you can't. This might be preventing you from accessing your WSUS server from the ISA server.

    Do not load the Firewall Client on the ISA server itself, it can create issues which cannot be resolved even once it's been removed.
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  3. supag33k

    supag33k Kilobyte Poster

    Yes - I've seen this before....

    The problems are usually:

    1. Client firewalll...either MS or 3rd party.
    2. Windows Installer 3.0 not installed or working correctly...a big issue in my view...
    3. Some AV software...the AV needs to be rated for ISA server IMHO
    4. Secure settings in the IE browser setting...unlikely but still possible

    You could try browsing to port 80 or the custom 8530 port on the WSUS server manually.

    Also going to windows update and manually clicking the "allow Windows update" will install/reinitialise Windows Installer 3.0...you dont need to then manually patch the server just redo the Windows Installer 3.0 stuff.

    Note that on occasion a WSUS client refuses to update anymore - as if the patching process itself can render the client unable to utilise WSUS.

    I generally find that when I set the affected PC to manually go to the Windows Update site the detection routine detects that Windows Updates needs to be setup again.

    Some information at ISAserver.org....

    Finally, note that industry best practice is to update critical servers manually, as an automated patch can render a server - especially an Exchange server - unuseable on occasion. For example appling IE 7.0 automatically to a Exchange box can possibly render it temporarily unuseable.
    [you would have to move mailboxs and reset VS servers to get it going again]


    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
  4. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Yikes, that is worth knowing :eek:
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)

Share This Page