OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Julien on April 12, 2017, 02:16:37 am

Title: Windows Update and WSUS
Post by: Julien on April 12, 2017, 02:16:37 am
Dear All,
I hope someone can help me get this fixed.
We have an OPNsense in production using IPS and WebProxy with transparent settings.
We just noticed that the update is not working.
Can someone please help me get Windows Update working behind the proxy?
I already added the following domains to the whitelist on the proxy server:
*.windowsupdate.com
*.microsoft.com
*.windows.com

Every time I have to get it working, I have to disable the proxy and remove the NAT rules.
Is there a way to get it working?
But it is still not working.
I hope someone can help out.

thank you
Title: Re: Windows Update and WSUS
Post by: empbilly on April 12, 2017, 04:53:03 am
I do not think you need the "*". There are surely more hosts to release. Check with tcpdump.
Title: Re: Windows Update and WSUS
Post by: monstermania on April 12, 2017, 08:47:58 am
Hi Julien,
I also run a transparent proxy but no IPS.
Windows Update is running fine for me.
I've added the URLs found here to the whitelist: https://technet.microsoft.com/en-gb/us-en/library/bb693717.aspx
I also added some URLs for Windows Defender, so here are my whitelist entries:
crl.microsoft.com
eu.vortex-win.data.microsoft.com
winatp-gw-neu.microsoft.com
winatp-gw-weu.microsoft.com
blob.core.windows.net
windowsupdate.microsoft.com
update.microsoft.com
windowsupdate.com
download.microsoft.com
download.windowsupdate.com
test.stats.update.microsoft.com
ntservicepack.microsoft.com

Hope it helps.

best regards
Dirk
Title: Re: Windows Update and WSUS
Post by: Julien on April 12, 2017, 04:05:05 pm
Hi Julien,
I also run a transparent proxy but no IPS.
Windows Update is running fine for me.
I've added the URLs found here to the whitelist: https://technet.microsoft.com/en-gb/us-en/library/bb693717.aspx
I also added some URLs for Windows Defender, so here are my whitelist entries:
crl.microsoft.com
eu.vortex-win.data.microsoft.com
winatp-gw-neu.microsoft.com
winatp-gw-weu.microsoft.com
blob.core.windows.net
windowsupdate.microsoft.com
update.microsoft.com
windowsupdate.com
download.microsoft.com
download.windowsupdate.com
test.stats.update.microsoft.com
ntservicepack.microsoft.com

Hope it helps.

best regards
Dirk
Thank you for your answer,
Have you got this working behind the proxy?
I can't seem to get WSUS up and running behind the proxy. I've turned the IPS off but to no avail (see my screenshots).

thank you
Title: Re: Windows Update and WSUS
Post by: monstermania on April 12, 2017, 07:24:49 pm
Hi Julien,
Have you enabled SSL interception in the web proxy?
I only use the transparent proxy for the HTTP protocol. HTTPS doesn't use the proxy on my OPNsense. HTTPS traffic is routed directly without the proxy!
Windows Update is working without any problems. Windows Defender updates are working too.

Regards
Dirk
Title: Re: Windows Update and WSUS
Post by: Julien on April 14, 2017, 02:32:11 am
Hi Julien,
Have you enabled SSL interception in the web proxy?
I only use the transparent proxy for the HTTP protocol. HTTPS doesn't use the proxy on my OPNsense. HTTPS traffic is routed directly without the proxy!
Windows Update is working without any problems. Windows Defender updates are working too.

Regards
Dirk
Thank you for your answer.
So you disabled the HTTPS proxy; how are you blocking HTTPS requests? Most porn websites use HTTPS, how are you blocking those?

thank you
Title: Re: Windows Update and WSUS
Post by: AndyX90 on April 15, 2017, 12:21:37 pm
Hey, I added the following to the whitelist:

microsoft.com
windowsupdate.com

And it works.


Sent from my LG-H850 using Tapatalk

Title: Re: Windows Update and WSUS
Post by: Julien on April 17, 2017, 12:01:41 am
Hey, I added the following to the whitelist:

microsoft.com
windowsupdate.com

And it works.


Sent from my LG-H850 using Tapatalk
Do you mean adding those lines to the whitelist will work even when using the HTTPS proxy?
I have already done this but it's not working.
Title: Re: Windows Update and WSUS
Post by: Julien on April 18, 2017, 11:54:41 am
Can someone advise, as we can't continue here.
Title: Re: Windows Update and WSUS
Post by: Julien on April 27, 2017, 02:14:47 am
Hi Guys,
My issue is still not fixed; hopefully someone can point me in the right direction.
Title: Re: Windows Update and WSUS
Post by: Julien on May 13, 2017, 10:06:30 pm
Does anyone have an idea how to fix this, please?

Title: Re: Windows Update and WSUS
Post by: BadSamaritan on May 13, 2017, 10:17:31 pm
Like I mentioned in another similar thread, create "NO RDR" rules with the Windows Update servers in an alias as destination and see if that helps. I don't do WSUS rules personally, but it fixed some sites that just don't work via the transparent HTTPS proxy for me.
Title: Re: Windows Update and WSUS
Post by: Julien on May 13, 2017, 11:12:29 pm
Like I mentioned in another similar thread, create "NO RDR" rules with the Windows Update servers in an alias as destination and see if that helps. I don't do WSUS rules personally, but it fixed some sites that just don't work via the transparent HTTPS proxy for me.
Thank you for your answer.
If you mean adding the MS update servers to the whitelist with "NO RDR", I've done that already. See attached.
If you mean something else, please point me in the right direction.
Title: Re: Windows Update and WSUS
Post by: BadSamaritan on May 15, 2017, 05:59:02 pm
That image is the proxy whitelist, NOT the Redirect rules.
You need "NO RDR" rules under Firewall->NAT->Port Forward
You basically clone the proxy redirect rule, change it to NO-RDR near the top and set destinations to an alias of type host(s) containing the Windows Update servers.

I wish I could find some good documentation on it, but have yet to find it. The whitelist doesn't change how the traffic is treated, it just changes whether or not it's allowed through. Setting the NO RDR rules makes Windows Update bypass the proxy altogether.

I attached an example of one of my IPv6 no-redirect rules for HTTPS.
Title: Re: Windows Update and WSUS
Post by: Julien on May 16, 2017, 01:17:11 pm
Thank you for your answer.
When we choose "check for updates online" it works without issues, but WSUS can't connect online.
It only connects when I remove the NAT rule for HTTPS.
Title: Re: Windows Update and WSUS
Post by: BadSamaritan on May 16, 2017, 10:59:52 pm
Then put in a NO-RDR rule with a SOURCE alias for the IP of your WSUS server. I do that as well for the devices that do not function properly behind the transparent proxy (smart TV + Netflix, for example).
Title: Re: Windows Update and WSUS
Post by: Julien on August 29, 2017, 03:23:36 pm
Then put in a NO-RDR rule with a SOURCE alias for the IP of your WSUS server. I do that as well for the devices that do not function properly behind the transparent proxy (smart TV + Netflix, for example).
I've done this before but it didn't work; however, we figured out it was a hardware issue with the firewall, which flips out.
I'll try this again after I've configured the proxy server again.
Thank you
Title: Re: Windows Update and WSUS
Post by: opnsense_user12123 on December 16, 2017, 11:32:22 am
This is the solution for pfSense, and it works without any problems in pfSense!

OPNsense doesn't have the option "Before Auth".
In pfSense the field is found under -> Menu Package -> Proxy Server -> General Settings -> Show Advanced Options -> "Before Auth": put the code in this field:

code:

# Step 1 of SSL bump: peek at the TLS ClientHello to learn the SNI
acl DiscoverSNIHost at_step SslBump1
# Server names (from the SNI) that must not be intercepted.
# These are unanchored regular expressions, so "microsoft.com" also matches
# any server name that merely contains that string.
acl NoSSLIntercept ssl::server_name_regex microsoft.com
acl NoSSLIntercept ssl::server_name_regex .microsoft.com
acl NoSSLIntercept ssl::server_name_regex windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex .windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex update.microsoft.com.akadns.net

# Pass the listed names through untouched, peek to learn the SNI, bump the rest
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

# Update hosts whose certificates do not match the requested name:
# tolerate only the domain-mismatch error, and only for these hosts
acl BrokenButTrustedServers dstdomain download.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com.akadns.net
acl BrokenButTrustedServers dstdomain update.microsoft.com.nsatc.net
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

source:
https://wiki.squid-cache.org/SquidFaq/WindowsUpdate

IS THERE A WAY TO PUT THIS CODE INTO OPNSENSE?
Title: Re: Windows Update and WSUS
Post by: phoenix on December 16, 2017, 02:24:13 pm
Any particular reason you feel the need to SHOUT on this forum? Posting in all capitals is not good etiquette on a forum and I think we're all able to read quite well without capitals or bold text. ;)

You could always post an issue on github, that would be the preferred place for a change to OPNsense.
Title: Re: Windows Update and WSUS
Post by: opnsense_user12123 on December 16, 2017, 03:04:27 pm
Any particular reason you feel the need to SHOUT on this forum? Posting in all capitals is not good etiquette on a forum and I think we're all able to read quite well without capitals or bold text. ;)

You could always post an issue on github, that would be the preferred place for a change to OPNsense.

Sorry -> I cleaned up my previous posting. :-(

I do not understand why no one except me has had this problem before.
I think I'm the only one who's using Windows as client machines.

It would be really great if I got any solution for this. Thx
Title: Re: Windows Update and WSUS
Post by: opnsense_user12123 on December 17, 2017, 03:27:19 pm
Dear All,
I hope someone can help me get this fixed.
We have an OPNsense in production using IPS and WebProxy with transparent settings.
We just noticed that the update is not working.
Can someone please help me get Windows Update working behind the proxy?
I already added the following domains to the whitelist on the proxy server:
*.windowsupdate.com
*.microsoft.com
*.windows.com

Every time I have to get it working, I have to disable the proxy and remove the NAT rules.
Is there a way to get it working?
But it is still not working.
I hope someone can help out.

thank you

Here is my solution for getting Windows updates working without any problems:
add this URL set to the "SSL no bump sites" ;D

.microsoft.com
.windowsupdate.com
.update.microsoft.com.akadns.net
.update.microsoft.com.nsatc.net
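The thread describes two separate decisions that together determine what happens to an HTTPS flow: BadSamaritan's "NO RDR" port-forward rules (which must sit above the transparent-proxy redirect rule, and can match on a SOURCE alias for the WSUS host or a destination alias of update servers), and the Squid no-bump list (the `ssl::server_name_regex` lines in the pfSense snippet, or the leading-dot entries in the final post). The following Python model is an added example written for this page; it is not code from the thread, from OPNsense or from Squid. The rule shapes, alias names and IP addresses (TEST-NET ranges) are constructed, and it assumes that a leading-dot entry in the "SSL no bump sites" list is treated as a domain-suffix match, like Squid's `dstdomain`, while `ssl::server_name_regex` is an unanchored regular expression. It shows why rule order matters for NO RDR and why the two list styles do not match the same set of server names.

```python
"""Model of the two decisions a transparent HTTPS proxy makes for one flow.

Stage 1: pf-style NAT table (first matching rule wins), the layer that
OPNsense "NO RDR" port-forward rules live in.
Stage 2: Squid ssl_bump, comparing the TLS SNI against a no-bump list.
Rule shapes, alias names and IP addresses are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass
class NatRule:
    action: str                      # "no-rdr" (bypass proxy) or "rdr" (send to proxy)
    dst_port: int
    src_alias: Set[str] = field(default_factory=set)  # empty set = any source
    dst_alias: Set[str] = field(default_factory=set)  # empty set = any destination

    def matches(self, src: str, dst: str, port: int) -> bool:
        if port != self.dst_port:
            return False
        if self.src_alias and src not in self.src_alias:
            return False
        if self.dst_alias and dst not in self.dst_alias:
            return False
        return True


def nat_decision(rules: List[NatRule], src: str, dst: str, port: int) -> str:
    """First matching rule decides: 'direct' (no redirect) or 'proxy'."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return "direct" if rule.action == "no-rdr" else "proxy"
    return "direct"          # no redirect rule hit: traffic leaves untouched


# Constructed aliases: the WSUS host (source alias) and update-server IPs
# (destination alias). 10.0.0.0/8 and 192.0.2.0/24 are private/TEST-NET.
WSUS_HOSTS = {"10.0.0.20"}
UPDATE_SERVERS = {"192.0.2.10", "192.0.2.11"}

NAT_RULES = [
    NatRule("no-rdr", 443, src_alias=WSUS_HOSTS),      # WSUS server bypasses proxy
    NatRule("no-rdr", 443, dst_alias=UPDATE_SERVERS),  # clients -> update servers bypass
    NatRule("rdr", 443),                               # everything else -> transparent proxy
]

# Same rules with the redirect placed first: the NO RDR rules can never match.
NAT_RULES_WRONG_ORDER = [NAT_RULES[2], NAT_RULES[0], NAT_RULES[1]]


def regex_match(pattern: str, sni: str) -> bool:
    """ssl::server_name_regex semantics: unanchored search anywhere in the name."""
    return re.search(pattern, sni) is not None


def domain_match(entry: str, sni: str) -> bool:
    """dstdomain-style semantics: '.example.com' matches example.com and any
    subdomain of it; a bare 'example.com' matches that exact host only."""
    sni = sni.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        return sni == entry[1:] or sni.endswith(entry)
    return sni == entry


def bump_decision(no_bump: List[str], sni: str,
                  matcher: Callable[[str, str], bool]) -> str:
    """Squid ssl_bump: 'splice' (pass through) on a list hit, otherwise 'bump'."""
    return "splice" if any(matcher(e, sni) for e in no_bump) else "bump"


# The regex list from the pfSense snippet and the leading-dot list from the
# final post, exactly as they appear in the thread.
REGEX_NO_BUMP = ["microsoft.com", ".microsoft.com", "windowsupdate.com",
                 ".windowsupdate.com", "update.microsoft.com.akadns.net"]
DOMAIN_NO_BUMP = [".microsoft.com", ".windowsupdate.com",
                  ".update.microsoft.com.akadns.net",
                  ".update.microsoft.com.nsatc.net"]


def classify(src: str, dst: str, sni: str, rules=NAT_RULES,
             no_bump=DOMAIN_NO_BUMP, matcher=domain_match) -> str:
    """Outcome for one HTTPS flow: 'direct', 'proxy/splice' or 'proxy/bump'."""
    if nat_decision(rules, src, dst, 443) == "direct":
        return "direct"
    return "proxy/" + bump_decision(no_bump, sni, matcher)


if __name__ == "__main__":
    # The unanchored regex list passes through names that merely contain the
    # string; the domain-suffix list only passes the intended domains.
    for sni in ["www.microsoft.com", "microsoft.com.other.test", "notmicrosoft.com"]:
        print(sni, "regex:", bump_decision(REGEX_NO_BUMP, sni, regex_match),
              "domain:", bump_decision(DOMAIN_NO_BUMP, sni, domain_match))
    print("WSUS host, rules in the right order:", classify("10.0.0.20", "203.0.113.5", "x"))
    print("WSUS host, redirect rule on top:   ",
          classify("10.0.0.20", "203.0.113.5", "x", rules=NAT_RULES_WRONG_ORDER))
```

The practical point for a defender: a NO RDR rule placed below the redirect rule is dead, and an unanchored regex no-bump entry such as `microsoft.com` exempts every server name containing that string from inspection, which is a wider hole than the leading-dot suffix form the last post uses.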