On Mon, 17 Jan 2005 11:18 pm, Palmer J.D.F. wrote:
> Hello,
>
> I have just been made aware that some machines are not Windows updating on
> our campus network, I've done a fair bit of investigation and I 'think' I
> know what the problem is and just wondered if anyone else had seen this,
> and if so how it was remedied.
> Initially I thought this was a Squid problem, but I'm now tending to think
> it's a Microsoft problem.
>
> On our campus we force certain IP ranges to go through our squid caches,
> which I guess you could call opaque, IE browsers/clients etc have to be
> configured to go through the cache rather than transparent.
> These restricted clients are forced to use the cache by the use of acls on
> core routers denying port 80 traffic from various IPs.
>
> It appears that the Windows Update V5 client (not sure about V4) tries to
> open a port 80 connection directly to Microsoft servers to check for and
> download updates, this obviously fails as the router acls drop the packets.
We had similar problems with WinXP clients trying to get updates both
automatically and manually from Windows Update (v5, but be had intermittent
problems with automatic updates on win2k - v4.windowsupdate...). Turns out
M$ can't figure out how to implement authenticated proxy requests from the
client to a proxy for Windows Update. I found a M$ knowledge-base article
about it and the suggestion was to allow all requests to
"*windowsupdate.microsoft.com" to be done without proxy authentication.
The way you do this in squid is to put an ACL to allow requests to windows
update BEFORE the ACL that requires authentication.
I'm offline ATM, but the I can send you the relevant bits from our squid.conf
if you like.
Cheers,
James
Received on Tue Jan 18 2005 - 15:46:46 MST
This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST