Squid SSL Intercept, Transparent, Clam - Windows/Office Updates Through Squid?



  • Giant Thank You to doktornotor for your hard work cleaning up Squid3!  It's working beautifully.

    Question/Assistance Needed:
We have Squid set up with SSL Intercept, Transparent Proxy, & Clam.  PCs (Windows 10) using the Squid proxy are receiving Error 0x80004005 when attempting to download Windows updates.  Additionally, Office updates are not showing as available/needed, but they should be.

    Currently, I have Cache Dynamic Content enabled with the Windows Update refresh pattern selected.  As this pfSense box is used in a home setting protecting approximately 12 devices, it is not important for Windows Updates to be cached.  We just need Windows/Office Updates to work, one way or the other.

    I have tried a number of ACL settings & destination bypass addresses, but have been unable to solve this.  Any guidance would be greatly appreciated.

    Best-



  • Did you try disabling Cache Dynamic Content?



  • I'm not a Windows / Microsoft specialist, but I'm surprised that such a question is raised so often:

    • I'm pretty sure you will find some suitable answer in this forum using the search feature  ;)
    • Isn't WSUS part of the answer?

    For sure, given the dynamic nature of the web nowadays, tuning the proxy cache is not obvious, especially because more and more pages and components are not cached.



  • You must exclude some domains from SSL interception in the section Custom ACLs (Before Auth).

    
    acl broken_sites dstdomain .windowsupdate.microsoft.com
    acl broken_sites dstdomain .update.microsoft.com
    acl broken_sites dstdomain .ws.microsoft.com
    acl broken_sites dstdomain .mp.microsoft.com
    acl broken_sites dstdomain .delivery.microsoft.com
    ssl_bump none broken_sites
    


  • Nope, not working, giving error 80245006.


  • The above list is widely incomplete in the first place.



  • Please provide us the complete list.



  • @doktornotor:

    The above list is widely incomplete in the first place.

    Maybe, but it works for me. Updates for Windows 7 and 10 are working. This works only in proxy mode; it doesn't work in transparent mode. That's by design and normal.



  • It works in non-transparent proxy mode from the start, but no go in transparent.


  • @exograpix:

    Please provide us the complete list.

    Please research Google or use the search box on this forum.



  • @exograpix:

    It works in non transparent proxy mode from the starting, but no go in transparent.

    Yes, as I told you. That's because in transparent mode the Squid proxy doesn't know the name of the destination, only the IP address. So you are not able to play around with names and domains. You have to know all the IP addresses of the destinations. That makes it very hard to configure. But what's the problem with configuring a proxy in Windows? I use the transparent proxy only for devices that can't be configured to use a proxy.



  • Create an alias called WindowsUpdate (network type) and add the following list:
    157.54.0.0/15
    157.56.0.0/14
    157.60.0.0/16
    65.52.0.0/14
    70.37.0.0/17
    70.37.128.0/18
    207.46.0.0/16
    131.107.0.0/16
    66.119.144.0/20
    23.96.0.0/13
    204.79.195.0/24
    204.79.196.0/23
    208.76.44.0/22
    208.68.136.0/21
    216.220.208.0/20
    209.240.192.0/19
    204.14.180.0/22
    206.191.224.0/19
    192.92.90.0/24
    208.84.0.0/21
    104.40.0.0/13
    192.197.157.0/24
    204.231.192.0/24
    104.208.0.0/13
    129.75.0.0/16
    204.79.179.0/24
    64.4.0.0/18
    167.220.0.0/17
    167.220.128.0/18
    167.220.192.0/19
    192.92.214.0/24
    207.68.128.0/18
    13.64.0.0/11
    13.96.0.0/13
    13.104.0.0/14
    146.147.0.0/16
    52.145.0.0/16
    52.146.0.0/15
    52.148.0.0/14
    52.152.0.0/13
    52.160.0.0/11
    52.224.0.0/11
    52.96.0.0/12
    52.112.0.0/14
    52.120.0.0/14
    52.125.0.0/16
    52.126.0.0/15
    52.130.0.0/15
    52.132.0.0/14
    52.136.0.0/13
    138.196.0.0/16
    150.171.0.0/16
    40.74.0.0/15
    40.76.0.0/14
    40.80.0.0/12
    40.96.0.0/12
    40.112.0.0/13
    40.120.0.0/14
    40.124.0.0/16
    40.125.0.0/17
    40.64.0.0/13
    40.126.128.0/17
    40.127.0.0/16
    40.126.0.0/18
    204.13.120.0/21
    204.152.18.0/23
    Then go to Services -> Squid Proxy Server -> Bypass Proxy for These Destination IPs,
    enter the created alias called WindowsUpdate,
    and this way it fixes all the updates for Windows with Transparent Proxy.
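As an added example (not code from this thread, from Squid or from pfSense), the following Python script models both bypass mechanisms discussed here: the dstdomain ACL with `ssl_bump none` from the earlier post, and the WindowsUpdate IP alias from this post. It reads a few constructed Squid native-format access.log records and reports which mechanism, if any, would keep each connection out of interception. The helper names (dstdomain_matches, in_alias, parse_access_line, classify, report), the sample log records and their addresses are assumptions, and the alias list is only a subset of the CIDRs posted above.

```python
"""Added example (not Squid or pfSense code): check which of the two bypass
mechanisms discussed in this thread would exempt a connection seen in Squid's
access.log.

  * name-based: the `ssl_bump none broken_sites` dstdomain ACL, which only
    helps when Squid knows the destination host name;
  * address-based: the pfSense "WindowsUpdate" alias of CIDR networks used in
    "Bypass Proxy for These Destination IPs", which is all transparent mode
    can rely on when only the IP is known.

Assumes Squid's native access.log format and IPv4 destinations. Helper names
are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# dstdomain patterns from the ssl_bump ACL posted earlier in the thread.
BROKEN_SITES = [
    ".windowsupdate.microsoft.com",
    ".update.microsoft.com",
    ".ws.microsoft.com",
    ".mp.microsoft.com",
    ".delivery.microsoft.com",
]

# Small subset of the WindowsUpdate alias CIDRs from the post above; use the
# full list from that post in a real configuration.
WINDOWS_UPDATE_ALIAS = [
    "13.64.0.0/11", "40.76.0.0/14", "52.96.0.0/12",
    "65.52.0.0/14", "104.40.0.0/13", "207.46.0.0/16",
]


def dstdomain_matches(host: str, pattern: str) -> bool:
    """Mimic Squid's dstdomain ACL semantics: a leading dot matches the domain
    itself and every subdomain; without the dot the match is exact."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def in_alias(ip: str, networks=WINDOWS_UPDATE_ALIAS) -> bool:
    """True if the destination address falls inside any alias network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


@dataclass
class Conn:
    client: str
    host: str     # host name from the request line, or a bare IP if Squid had no name
    dst_ip: str   # server address from the hierarchy field (e.g. ORIGINAL_DST/1.2.3.4)


def parse_access_line(line: str) -> Conn:
    """Parse one native-format record:
    ts elapsed client status/code size method url user hier/peer type"""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native-format access.log record")
    method, url = f[5], f[6]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]          # "host:443" -> "host"
    else:
        host = urlsplit(url).hostname or ""
    dst_ip = f[8].split("/", 1)[1]            # "ORIGINAL_DST/13.107.4.50" -> ip
    return Conn(client=f[2], host=host, dst_ip=dst_ip)


def classify(c: Conn) -> str:
    """Report which mechanism, if any, keeps this connection out of interception."""
    try:
        ipaddress.ip_address(c.host)
        name_known = False                    # transparent mode: only an address
    except ValueError:
        name_known = True
    if name_known and any(dstdomain_matches(c.host, p) for p in BROKEN_SITES):
        return "ssl_bump none (dstdomain ACL)"
    if in_alias(c.dst_ip):
        return "bypass proxy (WindowsUpdate alias)"
    return "intercepted"


def report(lines):
    """(host, verdict) for every record, in input order."""
    return [(c.host, classify(c)) for c in map(parse_access_line, lines)]


# Constructed sample records (addresses are made up for the example).
SAMPLE_LOG = [
    "1700000000.001    120 192.168.1.50 TCP_TUNNEL/200 4096 CONNECT dl.delivery.mp.microsoft.com:443 - ORIGINAL_DST/13.107.4.50 -",
    "1700000000.002     80 192.168.1.51 TCP_TUNNEL/200 2048 CONNECT 52.98.12.34:443 - ORIGINAL_DST/52.98.12.34 -",
    "1700000000.003    300 192.168.1.52 TCP_TUNNEL/200 8192 CONNECT www.example.com:443 - ORIGINAL_DST/93.184.216.34 -",
    "1700000000.004     95 192.168.1.50 TCP_TUNNEL/200 4096 CONNECT 13.107.4.50:443 - ORIGINAL_DST/13.107.4.50 -",
]

if __name__ == "__main__":
    for host, verdict in report(SAMPLE_LOG):
        print(f"{host:32} {verdict}")
```

The first and fourth sample records go to the same constructed server address: with a host name the dstdomain ACL exempts it, but when Squid only has the IP (the transparent-mode case described earlier in the thread) the name ACL cannot match and only an address in the alias will keep it out of interception, which is why the alias list has to be complete. On pfSense the destination-IP bypass is applied to the transparent redirect, so matching connections never reach Squid at all; the script only shows which rule would apply to a given destination.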