THE OFFICIAL BLOG OF THE SBS "DIVA"
Sat, Sep 4 2004 14:32 bradley

Issue with the V5 version of Windows update and ISA Server

UPDATED: see http://support.microsoft.com/?id=885819

We're seeing issues with computers being able to get to Windows Update if they are on the v5 platform.

Here is the info you will need:

Windows Update on the v5 platform, which is:
  • all XP SP2 machines
  • some XP SP1 machines
[How to tell: when the machine goes to Windows Update there will be a "v5" in the URL.]

Anyone running ISA in egress filtering mode [not an all/all/all rule] will get this issue. Adjust your ISA 2000 servers accordingly.

[The following info courtesy of Mr. Jim "Mr. ISA" Harrison]

Please note this also affects any other authenticating firewall [and not just ISA server]

-------------------------------------------------------

There are two NTLM authentication issues affecting WU v5 when WU uses web proxy requests to access Windows Update:

1 – NTLMSSP_AUTH responses may contain null credentials

2 – NTLMSSP_NEGOTIATE credentials may be sent on a half-closed connection


We haven’t heard any reports of WUv5 issues with non-NTLM (Basic, Digest) authentication yet and we haven’t specifically tested this.

We have been able to repro this with ISA Server 2000 and we have also heard reports of WU failing through other NTLM-authenticating proxy servers (Proxy 2 and Squid are two examples).

The cause of each problem is still being worked out, but a clear workaround is available and it boils down to three things:

  • Ensure Internet Explorer patches are up to date and validate or set a registry value.
  • Disable authentication for Windows Update requests.
  • Disable “global authentication” for web proxy requests.


ISA Server Note: you may have heard that the “ReturnDeniedIfAuthenticated” registry setting explained in http://support.microsoft.com/?id=297324 is part of the problem. While applying this setting to ISA 2000 does help expose the WU authentication problems, it is not the cause. If you have applied this setting to your ISA 2000 Server, you did so with good reason to solve a specific problem. You should not remove this setting if you have applied it. By the same token, if you are not experiencing the problem outlined in this KB article, you don’t need to and shouldn’t apply it. The above article applies only to ISA 2000; you should not apply any ISA 2000 registry settings to ISA 2004 unless the relevant KB article explicitly instructs you to. Currently, none do.


Now let’s get on with the workaround…

Per the WU team, there are four destinations that should be included for creating anonymous Windows Update access policies:

TABLE 1

  Item   FQDN
  1      *.download.microsoft.com
  2      *.windowsupdate.com
  3      *.windowsupdate.microsoft.com
  4      windowsupdate.microsoft.com
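As an added illustration (not code from the post, nor from ISA itself), here is how a destination set built from Table 1 decides which web proxy requests are handed to the anonymous Windows Update rule rather than challenged for NTLM. The "*." matching semantics and the sample URLs are assumptions, and the matcher is literal to the table, so a bare download.microsoft.com is not covered.

```python
from urllib.parse import urlsplit

# Table 1 from the post: the four destinations the WU team says must be
# reachable anonymously (no NTLM challenge from the web proxy).
WINDOWS_UPDATE_DESTINATIONS = (
    "*.download.microsoft.com",
    "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
)


def host_matches(host: str, pattern: str) -> bool:
    """Destination-set style match (assumed ISA semantics): a leading '*.'
    matches hosts below the domain but not the bare domain itself, which is
    why Table 1 lists both entries 3 and 4; otherwise exact match."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Keep the dot so that "evildownload.microsoft.com" does not
        # satisfy "*.download.microsoft.com".
        return host.endswith(pattern[1:])
    return host == pattern


def allow_anonymous(url: str) -> bool:
    """True if the request should hit the anonymous Windows Update rule
    instead of the authenticating web proxy policy."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return any(host_matches(parts.hostname, p) for p in WINDOWS_UPDATE_DESTINATIONS)


# Constructed sample requests (not from the post): real WU v5 traffic, the
# bare domain, and look-alike hosts a sloppy suffix match would let through.
SAMPLE_REQUESTS = (
    "http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx",
    "https://windowsupdate.microsoft.com/",
    "http://download.windowsupdate.com/msdownload/update/v5/",
    "http://windowsupdate.microsoft.com.example.net/",
    "http://evildownload.microsoft.com/",
    "ftp://ftp.microsoft.com/",
)


def audit(requests=SAMPLE_REQUESTS):
    """Map each request URL to whether it bypasses proxy authentication."""
    return {url: allow_anonymous(url) for url in requests}
```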


For pre-XPSP2 internal clients

  • Download and apply this Internet Explorer update package: http://support.microsoft.com/?id=871260


For all internal clients

NOTE: This registry value is not read at the local machine level. If you need this to be applied for all users on a machine, you may want to consider adding it to your domain logon scripts.

  • Validate or set the following registry value as shown (see http://support.microsoft.com/?id=312176 for details):

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    REG_DWORD: ReleaseSocketDuringAuth = 0x0

For ISA 2000

  • Disable “global” authentication for web proxy requests
    1. Open the ISA Manglement MMC
    2. Select View, then Advanced
    3. Expand Servers and Arrays
    4. R-click the server, select Properties
    5. Select Outgoing Web Requests
    6. Uncheck Ask Unauthenticated users for identification
    7. Click Apply
    8. When prompted, select Save the changes and restart the service(s)
    9. Click OK


  • Create a destination set for Windows Update domains
    1. Expand the server, then Policy Elements
    2. R-click Destination Sets, select New, then Set
    3. Enter WindowsUpdate in the Name field, click Next
    4. Click Add
    5. Enter *.download.microsoft.com in the Domain field
    6. Leave the Path field blank
    7. Click OK
    8. Repeat steps 4 through 7 for each remaining entry in Table 1
    9. Click OK


  • Create an anonymous Site and Content rule for Windows Update requests
    1. Expand Access Policy
    2. R-click Site and Content Rules, select New, then Rule
    3. Enter Windows Update in the Name field, click Next
    4. Select Allow, click Next
    5. Select Allow access based on destination, click Next
    6. In the Apply this rule to: drop-down list, select Specified Destination Set
    7. In the Name: drop-down list, select Windows Update
    8. Click Next, then Finish

 

 

For ISA 2004

  • Disable “global” authentication for web proxy requests
    1. Open the ISA Manglement MMC
    2. Expand the server node, then Configuration
    3. Select Networks
    4. In the middle pane, select the Networks tab
    5. R-click Internal and select Properties
    6. Select the Web Proxy tab
    7. Click Authentication
    8. In the Authentication window, uncheck Require all users to authenticate, click OK
    9. Click Apply, then OK
    10. Repeat steps 5 through 9 for each network object where you allow Web Proxy requests


  • Create an anonymous Access Rule for Windows Update
    1. In the left pane, R-click Firewall Policy and select New, then Access Rule
    2. Enter Windows Update in the Name field, click Next
    3. Select Allow, click Next
    4. In the This rule applies to: drop-down list, select Selected Protocols
    5. Click Add
    6. In the Add Protocols dialog, expand Web
    7. Select HTTP and click Add
    8. Select HTTPS and click Add
    9. Click Close, then Next
    10. In the Access Rule Sources dialog, click Add
    11. In the Add Network Entities dialog, expand Networks
    12. Select Internal and click Add
    13. For each network where you unchecked Require all users to authenticate, select that network object and click Add
    14. Click Close, then Next
    15. In the Access Rule Destinations window, click Add
    16. In the Add Network Entities window menu bar, click New, then Domain Name Set
    17. In the New Domain Name Set Policy Element window, enter Windows Update in the Name field
    18. Click New
    19. In the Domain names included in this set list, change the new entry to *.download.microsoft.com
    20. Repeat steps 18 and 19 for each remaining entry in Table 1
    21. Click OK
    22. In the New Domain Name Set Policy Element window, select Windows Update, click Add, then Close
    23. Click Next, Next, then Finish
    24. In the top part of the middle pane, Apply and Discard buttons will appear; click Apply
    25. When the Apply New Configuration dialog reports “Changes to the configuration were successfully applied”, click OK


  • Make the Windows Update rule the first rule

NOTE: If you prefer to list all of your deny rules first, then you can make the Windows Update rule the first rule following them

    1. In the left pane, select Firewall Policy
    2. If Windows Update is already the first rule in the list, stop here
    3. In the middle pane, select Windows Update
    4. In the right pane, select the Tasks tab
    5. Click Move the selected rule up until Windows Update is the first rule in the list
    6. In the top part of the middle pane, Apply and Discard buttons should appear; click Apply
    7. When the Apply New Configuration dialog reports “Changes to the configuration were successfully applied”, click OK


Look for a KB that details the WU side of the issue and cross-links to an ISA KB with these instructions.

# Windows Update and ISA - Revisited

Tuesday, September 14, 2004 8:04 PM by TrackBack
