Windows Update and WSUS

Started by Julien, April 12, 2017, 02:16:37 AM

April 12, 2017, 02:16:37 AM Last Edit: April 12, 2017, 02:43:07 AM by Julien
Dear All,
I hope someone can help me get this fixed.
We have an OPNsense in production using IPS and WebProxy with transparent settings.
We just noticed that Windows Update is not working.
Can someone please help me get Windows Update working behind the proxy?
I already added the following domains to the whitelist on the proxy server.
*.windowsupdate.com
*.microsoft.com
*.windows.com

Every time I have to get it working, I have to disable the proxy and remove the NAT rules.
Is there a way to get it working?
It is still not working.
I hope someone can help out.

Thank you
DEC4240 – OPNsense Owner

I do not think you need the "*". You will surely have more hosts to release. Check with tcpdump.

Hi Julien,
I also run a transparent proxy, but no IPS.
Windows Update is running fine for me.
I've added the URLs found here into the whitelist: https://technet.microsoft.com/en-gb/us-en/library/bb693717.aspx
I also added some URLs for Windows Defender, so here are my whitelist entries:
crl.microsoft.com
eu.vortex-win.data.microsoft.com
winatp-gw-neu.microsoft.com
winatp-gw-weu.microsoft.com
blob.core.windows.net
windowsupdate.microsoft.com
update.microsoft.com
windowsupdate.com
download.microsoft.com
download.windowsupdate.com
test.stats.update.microsoft.com
ntservicepack.microsoft.com

Hope it helps.

Best regards
Dirk

April 12, 2017, 04:05:05 PM #3 Last Edit: April 12, 2017, 04:50:25 PM by Julien
Quote from: monstermania on April 12, 2017, 08:47:58 AM
Hi Julien,
I also run a transparent proxy, but no IPS.
Windows Update is running fine for me.
I've added the URLs found here into the whitelist: https://technet.microsoft.com/en-gb/us-en/library/bb693717.aspx
I also added some URLs for Windows Defender, so here are my whitelist entries:
crl.microsoft.com
eu.vortex-win.data.microsoft.com
winatp-gw-neu.microsoft.com
winatp-gw-weu.microsoft.com
blob.core.windows.net
windowsupdate.microsoft.com
update.microsoft.com
windowsupdate.com
download.microsoft.com
download.windowsupdate.com
test.stats.update.microsoft.com
ntservicepack.microsoft.com

Hope it helps.

Best regards
Dirk
Thank you for your answer.
Have you got this working behind the proxy?
I can't seem to get WSUS up and running behind the proxy. I've turned the IPS off, but to no avail (see my screenshots).

Thank you
DEC4240 – OPNsense Owner

Hi Julien,
Have you enabled SSL interception in the web proxy?
I only use the transparent proxy for the HTTP protocol. HTTPS doesn't use the proxy on my OPNsense; HTTPS traffic is routed directly without the proxy!
Windows Update is working without any problems. Windows Defender updates are working too.

Regards
Dirk

Quote from: monstermania on April 12, 2017, 07:24:49 PM
Hi Julien,
Have you enabled SSL interception in the web proxy?
I only use the transparent proxy for the HTTP protocol. HTTPS doesn't use the proxy on my OPNsense; HTTPS traffic is routed directly without the proxy!
Windows Update is working without any problems. Windows Defender updates are working too.

Regards
Dirk
Thank you for your answer.
So you disabled the HTTPS proxy; how are you blocking HTTPS requests? Most porn websites use HTTPS, how are you blocking those?

Thank you
DEC4240 – OPNsense Owner

Hey, I added the following to the whitelist:

microsoft.com
windowsupdate.com

And it works.


Sent from my LG-H850 using Tapatalk


April 17, 2017, 12:01:41 AM #7 Last Edit: April 18, 2017, 01:49:55 AM by Julien
Quote from: AndyX90 on April 15, 2017, 12:21:37 PM
Hey, I added the following to the whitelist:

microsoft.com
windowsupdate.com

And it works.


Sent from my LG-H850 using Tapatalk
Do you mean adding those lines to the whitelist will work even when using the HTTPS proxy?
I have already done this, but it's not working.
DEC4240 – OPNsense Owner

Can someone advise? We can't continue here.
DEC4240 – OPNsense Owner

Hi Guys,
My issue is still not fixed; hopefully someone can point me in the right direction.
DEC4240 – OPNsense Owner

Does anyone have an idea how to fix this, please?

DEC4240 – OPNsense Owner

Like I mentioned in another similar thread, create "NO RDR" rules with the Windows Update servers in an alias as destination and see if that helps. I don't do WSUS rules personally, but it fixed some sites that just don't work via the transparent HTTPS proxy for me.

Quote from: BadSamaritan on May 13, 2017, 10:17:31 PM
Like I mentioned in another similar thread, create "NO RDR" rules with the Windows Update servers in an alias as destination and see if that helps. I don't do WSUS rules personally, but it fixed some sites that just don't work via the transparent HTTPS proxy for me.
Thank you for your answer.
If you mean adding the MS update servers to the whitelist with "NO RDR", I've done that already. See attached.
If you mean something else, please point me in the right direction.
DEC4240 – OPNsense Owner

That image is the proxy whitelist, NOT the redirect rules.
You need "NO RDR" rules under Firewall->NAT->Port Forward.
You basically clone the proxy redirect rule, change it to NO-RDR near the top and set the destination to an alias of type host(s) containing the Windows Update servers.

I wish I could find some good documentation on it, but I have yet to find it. The whitelist doesn't change how the traffic is treated, it just changes whether or not it's allowed through. Setting the NO RDR rules makes Windows Update bypass the proxy altogether.

I attached an example of one of my ipv6 no redirect rules for https.
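For readers who want to see what the "NO RDR" port-forward rule above amounts to underneath the GUI, here is an added pf-style illustration; it is not BadSamaritan's attachment or OPNsense's generated ruleset. The interface name, the table name and the proxy ports (3128 for HTTP, 3129 for HTTPS interception) are assumptions; the hostnames are the ones listed earlier in this thread.

```pf
# Added illustration, not the poster's or OPNsense's own configuration.
# Assumed: LAN interface em1, transparent proxy on 127.0.0.1:3128 (HTTP)
# and 127.0.0.1:3129 (HTTPS interception).
lan_if = "em1"

# The alias of type host(s) becomes a pf table; hostnames are resolved
# when the ruleset is loaded, so re-load it if Microsoft changes addresses.
table <WindowsUpdate> { windowsupdate.microsoft.com, update.microsoft.com, \
                        download.windowsupdate.com, download.microsoft.com, \
                        ntservicepack.microsoft.com, crl.microsoft.com, \
                        test.stats.update.microsoft.com }

# rdr rules are evaluated first-match, which is why the NO RDR rule has to sit
# above the proxy redirect: traffic to these hosts leaves untouched and never
# reaches the proxy, so the proxy whitelist no longer matters for them.
no rdr on $lan_if inet proto tcp from any to <WindowsUpdate> port { 80, 443 }

# The redirects the transparent proxy mode installs (first match below the bypass).
rdr on $lan_if inet proto tcp from any to !($lan_if) port 80  -> 127.0.0.1 port 3128
rdr on $lan_if inet proto tcp from any to !($lan_if) port 443 -> 127.0.0.1 port 3129
```

On the firewall, `pfctl -sn` lists the loaded nat/rdr rules in order, so you can confirm that the `no rdr` line for the table appears before the two redirects.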

Thank you for your answer.
When we choose to check for updates online, it does work without issues, but WSUS can't connect online.
It only connects when I remove the NAT rule for HTTPS.
DEC4240 – OPNsense Owner