OPNsense

  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • Windows Update and WSUS

Author Topic: Windows Update and WSUS  (Read 17688 times)

BadSamaritan

Re: Windows Update and WSUS
« Reply #15 on: May 16, 2017, 10:59:52 pm »
Then put in a NO-RDR rule with a SOURCE alias for the IP of your WSUS server. I do that as well for the devices that do not function properly behind the transparent proxy (smart TV + Netflix, for example).

Julien

Re: Windows Update and WSUS
« Reply #16 on: August 29, 2017, 03:23:36 pm »
Quote from: BadSamaritan on May 16, 2017, 10:59:52 pm
Then put in a NO-RDR rule with a SOURCE alias for the IP of your WSUS server. I do that as well for the devices that do not function properly behind the transparent proxy (smart TV + Netflix, for example).
I've done this before but it didn't work; however, we figured out it was a hardware issue with the firewall, which does flip out.
I'll try this again after I've configured the proxy server again.
Thank you
An intelligent man is sometimes forced to be drunk to spend time with his fool.

opnsense_user12123

  • Guest
Re: Windows Update and WSUS
« Reply #17 on: December 16, 2017, 11:32:22 am »
This is the solution for pfSense, and it works without any problems in pfSense!

OPNsense doesn't have the option "Before Auth".
Find the field in pfSense under Menu Package -> Proxy Server -> General Settings -> Show Advanced Options -> "Before Auth", and put the code in this field:

code:

# Matches the first SslBump processing step
acl DiscoverSNIHost at_step SslBump1
# Server names whose TLS connections are passed through without decryption
acl NoSSLIntercept ssl::server_name_regex microsoft.com
acl NoSSLIntercept ssl::server_name_regex .microsoft.com
acl NoSSLIntercept ssl::server_name_regex windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex .windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex update.microsoft.com.akadns.net

# Splice the listed names, peek at step 1 to learn the SNI, bump everything else
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

# Allow a certificate domain mismatch for these update hosts only;
# every other certificate error is rejected
acl BrokenButTrustedServers dstdomain download.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com.akadns.net
acl BrokenButTrustedServers dstdomain update.microsoft.com.nsatc.net
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

source:
https://wiki.squid-cache.org/SquidFaq/WindowsUpdate

IS THERE A WAY TO PUT THIS CODE INTO OPNSENSE?
« Last Edit: December 16, 2017, 03:02:09 pm by opnsense_user12123 »
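
Added example, not part of the original post: the server_name_regex values above are unanchored, so this Python check (an approximation of the regex ACL with Python's `re`) lists which constructed host names they would exempt from bumping, next to an assumed anchored form and the exact-match dstdomain entries. The `ANCHORED` patterns, the sample names and the helper functions are assumptions introduced here.

```python
import re

# server_name_regex values copied from the post above.
POSTED = [r"microsoft.com", r".microsoft.com", r"windowsupdate.com",
          r".windowsupdate.com", r"update.microsoft.com.akadns.net"]

# Assumed tightened form (not from the thread): dots escaped, match anchored
# to a label boundary on the left and to the end of the name on the right.
ANCHORED = [r"(^|\.)microsoft\.com$", r"(^|\.)windowsupdate\.com$",
            r"(^|\.)update\.microsoft\.com\.akadns\.net$"]

# dstdomain values copied from the BrokenButTrustedServers ACL above.
TRUSTED = ["download.microsoft.com", "update.microsoft.com",
           "update.microsoft.com.akadns.net", "update.microsoft.com.nsatc.net"]

# Constructed SNI values; the .example names are placeholders.
SAMPLES = ["download.windowsupdate.com",
           "fe2.update.microsoft.com.akadns.net",
           "microsoft.com.cdn.example",
           "notmicrosoft.com",
           "login.microsoftxcom.example"]


def regex_match(patterns, name):
    """Unanchored search over the name, as a regex ACL does."""
    return any(re.search(p, name) for p in patterns)


def domain_match(entries, name):
    """dstdomain-style match: '.example.com' covers the domain and its
    subdomains, a value without the leading dot covers that one name only."""
    name = name.lower().rstrip(".")
    for entry in (e.lower() for e in entries):
        if entry.startswith("."):
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


def spliced(patterns):
    """Sample names that the given splice ACL would exempt from bumping."""
    return [s for s in SAMPLES if regex_match(patterns, s)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:38} posted={regex_match(POSTED, s)!s:5} "
              f"anchored={regex_match(ANCHORED, s)!s:5} "
              f"cert-exception={domain_match(TRUSTED, s)}")
```
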

phoenix

Re: Windows Update and WSUS
« Reply #18 on: December 16, 2017, 02:24:13 pm »
Any particular reason you feel the need to SHOUT on this forum? Posting in all capitals is not good etiquette on a forum and I think we're all able to read quite well without capitals or bold text. ;)

You could always post an issue on github, that would be the preferred place for a change to OPNsense.
Regards


Bill

opnsense_user12123

  • Guest
Re: Windows Update and WSUS
« Reply #19 on: December 16, 2017, 03:04:27 pm »
Quote from: phoenix on December 16, 2017, 02:24:13 pm
Any particular reason you feel the need to SHOUT on this forum? Posting in all capitals is not good etiquette on a forum and I think we're all able to read quite well without capitals or bold text. ;)

You could always post an issue on github, that would be the preferred place for a change to OPNsense.

Sorry -> I cleaned up my previous posting. :-(

I do not understand why no one except me has had this problem before.
I think I'm the only one who's using Windows as client machines.

It would be really great if I got any solution for this. Thanks.
« Last Edit: December 16, 2017, 03:06:24 pm by opnsense_user12123 »

opnsense_user12123

  • Guest
Re: Windows Update and WSUS
« Reply #20 on: December 17, 2017, 03:27:19 pm »
Quote from: Julien on April 12, 2017, 02:16:37 am
Dear All,
Hope someone can help me getting this fixed.
We have an OPNsense in production using IPS and WebProxy with transparent settings.
We just noticed that the update is not working.
Can someone please help me get Windows Update working behind the proxy?
I already added the following domains to the whitelist on the proxy server.
*.windowsupdate.com
*.microsoft.com
*.windows.com

Every time I have to get it working, I have to disable the proxy and remove the rat rules.
Is there a way to get it working?
But it is still not working.
I hope someone can help out.

Thank you

Here is my solution for getting Windows updates working without any problems:
add this URL set to the "SSL no bump sites" ;D

.microsoft.com
.windowsupdate.com
.update.microsoft.com.akadns.net
.update.microsoft.com.nsatc.net
« Last Edit: December 23, 2017, 10:49:34 pm by opnsense_user12123 »
