WSUS not being passed through the firewall
-
Hi all,
OK, so as the title implies, I'm having an issue with getting clients to access my WSUS server through my pfSense proxy/firewall.
Background
This is all at a school. I have a Windows domain environment, with various VM servers providing all the usual features: DC, DNS, WSUS & DHCP etc. All DHCP and DNS requests go to these servers. I also have a separate server running pfSense with squid and squidGuard running on it. I have used the superscoping feature to divide up my network into various subnets (192.168.1.x, 192.168.2.x, ...). The purpose of this is to separate the public devices and departments from each other, giving them separate gateways through the proxy or not, according to each need, but giving all of them access to the central servers. This all works beautifully, and by adding all of the scopes to the pfSense box, it does the NATing and filtering for any of them as I require.
The Problem
As I said, it all works beautifully until I want to run Windows Update from the WSUS server on those machines routed through the pfSense proxy. I get the error 80072EE2, which means that for some reason the firewall is blocking the request. The client can ping the WSUS server, it can resolve the address I assigned it in DNS, and it can install updates if I bypass the proxy server altogether.
In terms of pfSense, I have disabled both the DNS forwarder and DNS resolver, and assigned my own DNS server as pfSense's only option for DNS requests.
I've tried fiddling with every combination of these, as well as the firewall and caching settings, to no avail. I'm tearing my hair out. Has anyone managed to get WSUS working through pfSense, and can anyone suggest a solution?
Thanks and much appreciated
Gareth
-
Yeah, the suggestion is to stop proxying the WSUS server.
(Regarding the subnets: unless you use proper VLANs and a managed switch, that's just an illusion of security really.)
-
The servers aren't proxied, just the clients. If there is a way of completely bypassing these requests without compromising the filtering utility of the proxy, please let me know how to do it.
And changing their gateways every time I want to let updates through is a hang of a schlep with 100+ clients, and not very secure.
Yes, there is a managed switch behind all of this. The main reason for the superscoping was increasing the range of IPs beyond 254. I'm projecting more than 1000 new clients in the next year or two.
-
What I was saying is simply to allow direct access from clients to the WSUS server, NOT through the proxy (utterly pointless in the first place if you ask me). There's no info about how the proxy is set up in the first place (transparent or not, SSL or not) or how WSUS is configured on the LAN (HTTP or HTTPS), so dunno what exactly you expect here.
-
> What I was saying is simply to allow direct access from clients to the WSUS server, NOT through the proxy (utterly pointless in the first place if you ask me). There's no info about how the proxy is set up in the first place (transparent or not, SSL or not) or how WSUS is configured on the LAN (HTTP or HTTPS), so dunno what exactly you expect here.
Fair enough, and sorry for the missing info. Transparent proxy, no SSL (though I plan to put it up soon, next project), and the WSUS clients connect over HTTP.
What I'm asking, based on your solution, is how to bypass the WSUS requests without bypassing the rest of the traffic from my firewall and proxy filter. I've added the IPs to the "unrestricted IPs" list under Proxy Server, as well as "Bypass proxy for these source/destination IPs". Have I missed something here?
-
Well, then either stop DNATing the WSUS server IP address to squid, or put WSUS on HTTPS. No idea how this is done with the pfSense package. This is posted in the wrong forum section; it belongs in Packages.
http://wiki.squid-cache.org/KnowledgeBase/TransparentProxySelectiveBypass
-
Most proxy setups have an option to bypass the proxy for local addresses. Would this not solve the problem? Since you're looking at HTTPS anyway, you might want to either check out WPAD configuration or push proxy settings down via AD GPO.
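The WPAD/GPO route suggested above replaces the transparent intercept with an explicit proxy setting on the clients, and the decision about what goes DIRECT is then made in a PAC file. The script below is an added example of such a file, not something from this thread or from the pfSense/squid packages: it sends the WSUS server and the campus subnets DIRECT and everything else to squid. The WSUS name (wsus.school.local), its address (192.168.1.10), the domain suffix, the 192.168.0.0/16 range and the proxy address 192.168.1.1:3128 are all assumed values; the small dnsResolve/isInNet/dnsDomainIs/isPlainHostName helpers at the top emulate what the browser or WinHTTP PAC engine normally supplies, so the file can be run and checked under Node, and they would be left out of the deployed wpad.dat.

```javascript
// Added example PAC file (not from the thread). Assumed names and addresses:
//   WSUS server : wsus.school.local / 192.168.1.10 (HTTP or HTTPS)
//   campus LAN  : 192.168.0.0/16 (all the superscoped 192.168.x.x subnets)
//   squid proxy : 192.168.1.1:3128
//
// --- PAC-engine helpers, emulated so this runs under Node ------------------
// In a real deployment these are provided by the client's PAC engine; drop
// them from wpad.dat and keep only FindProxyForURL.

// Constructed stand-in for DNS; a real engine resolves live.
var HOSTS = {
  "wsus.school.local": "192.168.1.10",
  "fileserver.school.local": "192.168.1.20",
  "download.windowsupdate.com": "198.51.100.7"   // documentation range, constructed
};

function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;   // already an IP literal
  return HOSTS[host.toLowerCase()] || null;
}

function ip2int(ip) {
  // dotted quad -> unsigned 32-bit number (arithmetic, so no sign surprises)
  return ip.split(".").reduce(function (acc, octet) { return acc * 256 + parseInt(octet, 10); }, 0);
}

function isInNet(host, pattern, mask) {
  var ip = dnsResolve(host);
  if (!ip) return false;                                   // unresolvable: not local
  var m = ip2int(mask);
  return (ip2int(ip) & m) === (ip2int(pattern) & m);       // both sides masked the same way
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;                          // unqualified LAN name
}

// --- The policy the clients actually evaluate ------------------------------
var WSUS_HOST = "wsus.school.local";
var WSUS_IP   = "192.168.1.10";
var PROXY     = "PROXY 192.168.1.1:3128";   // no "; DIRECT" fallback: fail closed if squid is down

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. WSUS by name or by address is always direct, whatever the scheme or port.
  if (dnsDomainIs(host, WSUS_HOST) || host === WSUS_IP) return "DIRECT";

  // 2. Other central servers: unqualified names, the AD domain, or any 192.168.x.x address.
  if (isPlainHostName(host) || dnsDomainIs(host, ".school.local")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";

  // 3. Everything else goes through squid/squidGuard for filtering.
  return PROXY;
}
```

Serve the file as wpad.dat with the application/x-ns-proxy-autoconfig content type and point clients at it (a wpad host in DNS or DHCP option 252, or the URL pushed by GPO). Two things to check before relying on it: the Windows Update agent uses WinHTTP rather than the browser proxy settings, so confirm the WinHTTP proxy configuration on a test client actually picks the PAC up; and if the transparent port-80 redirect stays enabled on pfSense, a DIRECT answer here still lands in squid, so the "Bypass proxy for these destination IPs" entry for the WSUS address mentioned earlier in the thread remains necessary until interception is switched off. Leaving the "; DIRECT" fallback out of the PROXY string is deliberate: with it, clients silently go unfiltered whenever squid is unreachable.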