Windows Update and WSUS

[BadSamaritan]

Then put in a NO-RDR rule with a SOURCE alias for the IP of your WSUS server. I do that as well for the devices that do not function properly behind the transparent proxy(smart tv + netflix for example).

[Julien]

Then put in a NO-RDR rule with a SOURCE alias for the IP of your WSUS server. I do that as well for the devices that do not function properly behind the transparent proxy(smart tv + netflix for example).

i've done this before but it didn't works however we figured out it was a hardware issue with the firewall which it does flip out .
i'll try this again after i've configured the proxy server again.
thank you

[opnsense_user12123]

This is the solution for pfsense. And this works without any problems in pfsense!.

OPNSense doesn´t have the option "Before Auth"
find the field in PFsense under -> Menu Package -> Proxy Server -> General Settings -> Show Advanced Options -> "Before Auth": but the code in this field:

code:

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex microsoft.com                     
acl NoSSLIntercept ssl::server_name_regex .microsoft.com                   
acl NoSSLIntercept ssl::server_name_regex windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex .windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex update.microsoft.com.akadns.net

ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

acl BrokenButTrustedServers dstdomain download.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com.akadns.net
acl BrokenButTrustedServers dstdomain update.microsoft.com.nsatc.net
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

source:
https://wiki.squid-cache.org/SquidFaq/WindowsUpdate

IS THERE A WAY TO BUT THIS CODES INTO OPNSENSE?

[phoenix]

Any particular reason you feel the need to SHOUT on this forum? Posting in all capitals is not good etiquette on a forum and I think we're all able to read quite well without capitals or bold text.

You could always post an issue on github, that would be the preferred place for a change to OPNsense.

[opnsense_user12123]

Any particular reason you feel the need to SHOUT on this forum? Posting in all capitals is not good etiquette on a forum and I think we're all able to read quite well without capitals or bold text.

You could always post an issue on github, that would be the preferred place for a change to OPNsense.

sorry ->i cleaned up my previous posting. :-(

I do not understand why noone except me has this problem before?
i think i´m the only one who´s using windows as client machines.

would be really great if i get any solution on this. thx

[opnsense_user12123]

Dear All,
Hope someone can help me getting this fixed.
We have a OPNsense on a production using IPS and WebProxy with transparent settings.
We just noticed that the Update is not working.
Can someone please help me getting the Windows update working behind the proxy .
I already added the next domains to the whitelist on the proxy server.
*.windowsupdate.com
*.microsoft.com
*.windows.com

everytime I have to get it working, have to disable the proxy and remove the rat rules.
is there is a way to get it working ?
but it still not working.
I hope someone can help out.

thank you

here is my solution for getting windows updates working without any problems:
add this url set to the "SSL no bump sites" 

.microsoft.com
.windowsupdate.com
.update.microsoft.com.akadns.net
.update.microsoft.com.nsatc.net