Squid3-dev blocks Windows update and other updates
-
Pfsense 2.1.3 32-bit
Ram 4 GB
HDD 128 GB SSD
CPU AMD Athlon 3400+ 64-bit
1 Wan
1 LanPackages:
pfBlocker 1.0.2
Squid3-dev 3.3.10 pkg 2.2.2SSL and Squidclam are enabled on a Transparent proxy. I can browse to SSL sites without a problem.
I am having trouble getting Squid to allow Windows Update (Win 7) and others like JAVA to connect to the MS/Oracle/etc. update server and pull the update. The error I get in the Windows Update window is 80072F8F.
If I bypass the proxy for the computer I want to update, then the update works without complaining.
I have tried changing the Remote Cert Checks and Certificate Adapt options, but no combination fixes this.
I also have the Dynamic Content Caching enabled for Windows Update.Can someone provide some ideas to get Squid3 to allow Windows Update (etc.) to work? Thanks!
-
The following needs to be in your squid.conf file, not sure how to add it via the GUI. You may need to add other sites to bypass SSLbump also.
| acl broken_sites dstdomain .update.microsoft.com
ssl_bump none broken_sites |
-
excuse me sir, solved this prob? :)
-
try that, not working for me. Maybe missing some more domains….
-
maybe this will help for the domain list?
https://technet.microsoft.com/en-us/library/bb693717.aspx
-
thx sir, but i dont know how set this type of domain: *.update.microsoft.com
In squid i needed strictly setup all domain or it can use * ?
-
I have not been able to get this to work either for Windows update. I did get minecraft working with this method. Is it possible to use Windows update with HTTPS transparent proxy?
-
Squid wildcard is a . instead of *
If you try it on acls, just try to remove * and keep .update.microsoft.com
-
thx sir, i try that, hope that will work. ;)
-
Hello,
Windows update is not working with me too, below what i have for windows update
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain watson.microsoft.comacl CONNECT method CONNECT
acl wuCONNECT dstdomain update.microsoft.comhttp_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhostbut i still get error 80072f8f while trying to update.
access.log:
1422878282.386 76 192.168.1.58 TCP_MISS/200 391 HEAD http://ds.download.windowsupdate.com/v11/2/microsoftupdate/redir/v6-muauth.cab? - HIER_DIRECT/79.140.94.25 application/octet-stream
1422878282.521 76 192.168.1.58 TCP_MISS/200 390 HEAD http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab? - HIER_DIRECT/79.140.94.25 application/octet-stream
1422878283.051 76 192.168.1.124 TCP_MISS/200 390 HEAD http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab? - HIER_DIRECT/79.140.94.25 application/octet-stream
1422878286.460 76 192.168.1.58 TCP_MISS/200 390 HEAD http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab? - HIER_DIRECT/79.140.94.25 application/octet-streamI have squid3-dev with squidGuard 3 installed
I have more than 70 pcs and i have to fix this urgently, any clue ?
Thanks
Ayman
-
I generated a tcpdump when this was happening and poked around the contents. I found the URL fe2.update.microsoft.com
I added that URL AND windowsupdate.microsoft.com to my squid.conf (with ssl_bump none as well for each) it seems to be updating now
Hope it helps.
~Vinbot
-
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
…Could you not just use .microsoft.com, .windowsupdate.com and .windows.com to replace all of that?
I've played with Squid3 dynamic caching with Windows Update and I always ended up in a situation where it would download the entire file for every segment it's trying to download. 100 MB of patches required downloading many gigabytes of data, as each segment request would cause the entire file to be downloaded again and again. My traffic graph would show my WAN being fully saturated for an hour or more and hardly anything coming in to LAN from Squid.
I have more than 70 pcs and i have to fix this urgently, any clue ?
For that many users, why not run WSUS?
-
Hi, :)
So with ssl filtering, windows update does not want to do this. There in there a manipulation to do to solve this problem.
Sorry for my bad english ;D -
I am also facing same issue as reported by poster , if any one have solution to this kindly update this thread ,if i bypass source Ip from proxy server settings i am able to update
-
This was a main reason why I switch to a wpad.
-
This was a main reason why I switch to a wpad.
So are you telling moving from transparent proxy to non transparent proxy will fix my issue ?
-
I could not get windows updates to work through HTTPS/SSL interception, and dealing with the CA were a pain.
Windows updates using wpad with squid proxy works.
-
so u disabled Https interception ? i have no issue deploying cert since i am using AD gpmc
-
You first have to decide if you want to use a transparent proxy or non transparent proxy with wpad
If you want to try using non transparent proxy with wpad here are a few links
https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
https://forum.pfsense.org/index.php?topic=93060.0Note: non transparent proxy with wpad you disable HTTPS/SSL interception and Transparent HTTP proxy.
Let me know if you get stuck
-
So i cant use Https inspection with wpad ? As far as i understood wpad is a method of delivering proxy server info such as IP address and port number so we don't need to manually configure all client PC's proxy serttings manually in Non Transparent proxy case
IF using transparent proxy there is no need of configuring wpad
