Archive for category ISA
ISA Server Windows Update Fails
Posted by Mark Raborn in ISA on 2008/04/22
Windows Update with ISA 2006 and ISA 2004
KNOWN ISSUE: there is a known issue with running Windows Update on ISA Server 2006 after the initial installation. Microsoft has published brief guidance on the subject; however, a search of the internet reveals that this issue is a stumbling block for many people.
Although there is a mixed bag of solutions offered on the internet, I have found the key to be a combination of practices:
- creating a NEW Firewall Policy Rule
- auditing the Domain Name Sets and applying the corrections to the new rule (i.e. using the correct Domain Names)
- adding a URL set to the new rule (and using the correct URLS)
- and auditing the ISA System Policy | Various Configuration Groups | Allowed Sites (and using correct sites names)
One confusing aspect of troubleshooting Windows Update with ISA Server is that part of the work has already been done: Microsoft attempts to solve the issue in the design of ISA itself, but some of the pieces it ships are incomplete and need to be cleaned up. ALSO, solving Windows Update issues with ISA 2006 or 2004 requires recognizing that most articles written to address the issue list only part of the solution. So, let's walk through the parts, shall we?
CREATING A NEW WINDOWS UPDATE FIREWALL POLICY RULE USING DOMAIN NAME SETS IN ISA 2006
Microsoft has provided the first hint here…
This article points out that a new Access Rule needs to be created and that it should point at a Domain Name Set (allowing the domains within the set to be accessed). What it DOES NOT CLEARLY DEFINE is which domains should be in the set!
Follow the article as written AND add these domains to the Domain Name Set by going to Firewall Policy | Toolbox | Domain Name Sets | Microsoft Update Domain Names. Each name appears twice on purpose: an ISA wildcard entry such as *.update.microsoft.com matches hosts below that domain but not update.microsoft.com itself, so the bare name is needed as well.
*.download.microsoft.com
*.download.windowsupdate.com
*.update.microsoft.com
*.windowsupdate.microsoft.com
download.microsoft.com
download.windowsupdate.com
update.microsoft.com
windowsupdate.microsoft.com
CREATING A NEW WINDOWS UPDATE FIREWALL POLICY RULE USING URL SETS IN ISA 2004
This article points out that a new Firewall Rule needs to be created, but this time the suggestion is to use URL Sets (allowing specific http:// URLs to be accessed). What the article DOES NOT ACCURATELY DEFINE is which URLs should be in the set!
There are two places to look in this article: Scenario 2 and Scenario 4. Scenario 2 hints at the URLs the editors suggest should be used (please note I believe this URL list to be outdated). Scenario 4 provides a walk-through on creating a Firewall Rule that makes use of a URL Set, but does not define the URLs completely!
Follow the Scenario 4 portion of the article as written AND add these URLs to the URL Set by going to Firewall Policy | Toolbox | URL Sets. My choice was to create a new URL Set with the following URLs added to the list (NOTE: the syntax here is VERY IMPORTANT; the leading wildcard covers hosts below the domain, and the trailing /* covers every path on them)
http://*.update.microsoft.com/*
http://*.download.microsoft.com/*
http://*.download.windowsupdate.com/*
http://*.windowsupdate.microsoft.com/*
The key is not to bank your money on the list offered in Scenario 2. Although some of the sites it offers are accurate, some are outdated, and the list does not use the wildcards (*) needed to cover all combinations of URLs. Although not exhaustive, the above list does work with http://update.microsoft.com (as of 2008-04-22).
UPDATING THE BUILT IN SYSTEM POLICY ALLOWED WINDOWS UPDATE SITES ISA 2004 AND ISA 2006
Oddly enough, ISA Server has a built in set of Allowed Sites that are designed to solve the Windows Update issue right out of the box. In other words, it’s supposed to be fixed before it’s broken. Microsoft designed an element to allow Windows Update access (by including key Microsoft sites as part of the install). The challenge is THE SITES ARE NOT ACCURATELY DEFINED to allow access with the default install!
Go to Firewall Policy | Tasks | System Policy Tasks | Edit System Policy. This will bring up the System Policy Editor. Scroll to the bottom of Configuration Groups. Under Various, click Allowed Sites. Now click the To tab, select System Policy Allowed Sites and click Edit… These *Allowed Sites* are intended to provide access to Windows Update, microsoft.com/downloads and other key Microsoft resources (by default!). Let's check the sites and confirm the following are present:
*.download.microsoft.com
*.download.windowsupdate.com
*.update.microsoft.com
*.windowsupdate.microsoft.com
download.microsoft.com
download.windowsupdate.com
update.microsoft.com
windowsupdate.microsoft.com
That’s it folks
OK… with these aspects covered (the three methods described above), we should now be able to go to http://update.microsoft.com and check for updates through ISA Server.
If there are any remaining access issues, there is one more article to consult.
Please read through this article carefully if you are still experiencing challenges. KB902093 provides a step-by-step walkthrough on how to read the Windows Update log file.
My method (from the article) is to go to Run and type
%windir%\Windowsupdate.log
Once the log comes up, scroll toward the very end. The point of failure for me (which helped me determine these URLs and Domain Name Sets) was where the local installation of Windows completed its analysis of the operating system and then tried to synchronize with Windows Update. For you, no matter what the problem is, simply look for points of failure in this log, identify the URLs and domain names that failed, and return with this data to your lists above. Enter your URLs and domain names and, hopefully, you're good to update.
Also, once you're up and running, check out Best Practices Firewall Policy for ISA 2006. It's a good way to get off to a smart start with ISA.
AND REMEMBER!!! None of this does any good if your browser does not trust the sites. Make sure to add sites to your browser's list of trusted sites as needed. The list Microsoft provides in Scenario 2 of the Windows Update Version 6 through ISA article above is a good place to start. Here is their list if you need it.
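As an added example (not code from the original post or from Microsoft), here is a Python script that automates the loop just described and the earlier point about the Domain Name Set syntax. It parses a constructed WindowsUpdate.log excerpt laid out the way the Windows Update Agent writes it (date, time, PID, TID, component, message, tab separated), pulls the hosts out of the "SendRequestUsingProxy failed for <url>" warnings, and checks each one against the Domain Name Set entries listed above. The matching rule it assumes is ISA's: an entry *.example.com covers hosts below example.com but not example.com itself, which is why each name is listed in both forms. The sample log lines, times, PIDs and paths are made up for this example; the hostnames come from the lists on this page. Whatever it reports as missing is what you would add to the Domain Name Set, the URL Set and the System Policy Allowed Sites.

```python
import re
from urllib.parse import urlsplit

# Domain Name Set entries as listed in this post (Firewall Policy | Toolbox |
# Domain Name Sets | Microsoft Update Domain Names).
MICROSOFT_UPDATE_DOMAIN_NAMES = [
    "*.download.microsoft.com",
    "*.download.windowsupdate.com",
    "*.update.microsoft.com",
    "*.windowsupdate.microsoft.com",
    "download.microsoft.com",
    "download.windowsupdate.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
]

# Constructed WindowsUpdate.log excerpt (not a real capture). The layout
# (date, time, PID, TID, component, message, tab separated) and the
# "SendRequestUsingProxy failed for <url>" wording follow the Windows Update
# Agent log; times, PIDs and paths are invented for this example.
SAMPLE_LOG = (
    "2008-04-22\t09:12:31:156\t 992\t1a8\tAgent\t** START **  Agent: Finding updates [CallerId = AutomaticUpdates]\n"
    "2008-04-22\t09:12:31:171\t 992\t1a8\tSetup\tChecking for agent SelfUpdate\n"
    "2008-04-22\t09:12:32:203\t 992\t1a8\tMisc\tWARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v6/ClientWebService/client.asmx>. error 0x80072efd\n"
    "2008-04-22\t09:12:32:203\t 992\t1a8\tMisc\tWARNING: Send failed with hr = 80072efd.\n"
    "2008-04-22\t09:12:33:109\t 992\t1a8\tMisc\tWARNING: WinHttp: SendRequestUsingProxy failed for <http://ntservicepack.microsoft.com/example.cab>. error 0x80072efd\n"
    "2008-04-22\t09:12:34:030\t 992\t1a8\tMisc\tWARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v7/windowsupdate/redir/wuredir.cab>. error 0x80072efd\n"
    "2008-04-22\t09:12:35:002\t 992\t1a8\tMisc\tWARNING: WinHttp: SendRequestUsingProxy failed for <http://wustat.windows.com/example>. error 0x80072efd\n"
    "2008-04-22\t09:12:35:010\t 992\t1a8\tAgent\t  * WARNING: Failed to synchronize, error = 0x80072EFD\n"
)

# date, time, pid, tid, component, then the rest of the line as the message.
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# WinHTTP reports the URL it could not reach inside angle brackets.
FAILED_URL = re.compile(r"failed for <([^>]+)>", re.IGNORECASE)


def parse_log(text):
    """Return (component, message) pairs for every well-formed log line."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append((m.group(5), m.group(6).strip()))
    return entries


def failed_hosts(text):
    """Hosts named in WARNING/FATAL lines of the form 'failed for <url>',
    lower-cased, de-duplicated, in order of first appearance."""
    hosts = []
    for _component, message in parse_log(text):
        if "WARNING:" not in message and "FATAL:" not in message:
            continue
        for url in FAILED_URL.findall(message):
            host = urlsplit(url).hostname  # already lower-cased by urlsplit
            if host and host not in hosts:
                hosts.append(host)
    return hosts


def matches_entry(host, entry):
    """ISA Domain Name Set semantics (assumed here, and consistent with the
    post listing each name twice): '*.example.com' covers any host below
    example.com but not example.com itself; a plain entry must match exactly."""
    host, entry = host.lower(), entry.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])  # keeps the leading dot: ".example.com"
    return host == entry


def is_allowed(host, entries):
    """True if any entry in the Domain Name Set covers this host."""
    return any(matches_entry(host, e) for e in entries)


def missing_entries(text, entries):
    """For each failing host the set does not cover, the two entries the post's
    convention would add: the bare name and its '*.' wildcard."""
    missing = []
    for host in failed_hosts(text):
        if not is_allowed(host, entries):
            missing.extend([host, "*." + host])
    return missing


if __name__ == "__main__":
    for host in failed_hosts(SAMPLE_LOG):
        state = "covered" if is_allowed(host, MICROSOFT_UPDATE_DOMAIN_NAMES) else "MISSING"
        print(f"{host:35} {state}")
    print("Add to the Domain Name Set / URL Set / Allowed Sites:")
    for entry in missing_entries(SAMPLE_LOG, MICROSOFT_UPDATE_DOMAIN_NAMES):
        print("  " + entry)
```

Run it as a script to print the report, or feed the contents of %windir%\Windowsupdate.log to missing_entries in place of the constructed sample. It only recognises the "failed for <url>" wording; other failure messages in the log need their own pattern, and any host it reports should still be checked against the current Windows Update documentation before you open it in the firewall policy.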
http://download.windowsupdate.com
https://*.windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
http://*.download.windowsupdate.com
http://update.microsoft.com
http://*.windowsupdate.com
http://download.microsoft.com
http://windowsupdate.microsoft.com
http://ntservicepack.microsoft.com
http://wustat.windows.com
https://*.update.microsoft.com
IN CLOSING
Adding sites and setting up URL Sets and Domain Name Sets works for any site on the internet; the same techniques will help you wherever you want to travel with your browser.
Thanks for reading
ALSO: for corporate or small business security and network infrastructure, say Hi! Call or email us at WIGITAL. We are Business Technology People and we're here to help.
Accessing Hotmail using Outlook Express behind ISA
Posted by Mark Raborn in ISA on 2008/03/13
Outlook Express is the Microsoft Email client built into Windows (beginning with Win9x and ending with Windows XP).
Configuring Outlook Express behind a proxy or corporate firewall (in my case today, ISA Server acting as proxy, firewall and kitchen sink) can require a little extra work. In the category of *just in case you ever need this*, I've linked a KB article that details four solutions to the proxy issue when configuring Outlook Express as your email client with ISA acting as the Internet proxy for your network. See the KB link below:
ISA Server Configuration Options for Hotmail Access When You Use Outlook Express
have fun!
ISA Publishing OWA and RPC/HTTP using LDAP Authentication
Posted by Mark Raborn in ISA on 2007/02/17
PLEASE NOTE: this is a personal notepad while TESTING IS COMPLETED. Review the links to become familiar with the concepts. Commentary to follow when Patterns and Practices have been validated.
work in progress…. thanks
One of the outstanding features of ISA Server 2006 is its web publishing and Exchange Server publishing capabilities.
Dr. Tom Shinder has written an excellent series of articles on this subject at isaserver.org.
Check out one from the series here:
ISA Firewall Publishing OWA and RPC/HTTP with a Single IP Address
- Overview and Network Topology
- SSL Certificates and Exchange 2003 OWA HTTP/RPC setup
- Creating the Exchange 2003 Web Publishing Rule in ISA
- Outlook Client setup and testing with RPC/HTTP in Exchange
- LDAP Authentication through ISA for Exchange Server 2003
Dr. Shinder is a recognized ISA expert, blogger and writer of many books on ISA Server.
For additional information:
- Microsoft – Secure Application Publishing in ISA 2006
- Microsoft – LDAP in ISA 2006
- Exchange Server Front-End and Back-End Topology Guide
NOTE TO SELF: Disable Forms Authentication on the Exchange HTTP Virtual Server to permit ISA to act as proxy for Forms Authentication. See this guide.
Scenario assumptions
The following assumptions apply to the scenario:
- Exchange Server 2003 is installed and configured on exchange01.
- Exchange Server 2003 is installed and configured on owa01. The owa01 computer should be configured as an Exchange front-end server. For more information about Exchange Server front-end and back-end configurations, see the following:
- “Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server” at the Microsoft TechNet Web site
- “Configuring an Exchange Front-End Server” at the Microsoft TechNet Web site
Important
- On owa01, do not select the Exchange Server 2003 forms-based authentication option. Forms-based authentication should be configured on the ISA Server Web publishing rule.
- The owa01 computer has an SSL certificate installed from dc01 with a common name of owa01.corp.contoso.com. The internal URL is https://owa01.corp.contoso.com/exchange.
- The external common name (fully qualified domain name or FQDN) is mail.contoso.com.
- The isa01 computer has the root CA certificate for dc01 installed. This is necessary for ISA Server to accept the validity of the certificate on owa01.
- The isa01 computer has an SSL certificate installed from router01 with the common name of mail.contoso.com.
- The FQDN mail.contoso.com will resolve to the IP address 172.16.0.104, which is installed as a secondary IP address on isa01.