RE: [squid-users] WindowsUpdate Problems.

From: Palmer J.D.F. <J.D.F.Palmer@dont-contact.us>
Date: Wed, 19 Jan 2005 13:48:33 -0000

Hi,

Thanks for all of your suggestions. :-)

Someone from the list has kindly sent me a list of IPs for making holes in
the FW with, which was a quick fix. I have since set up WPAD autoproxy
configuration as this seemed like the most transparent and resilient way of
fixing it; WU does a WPAD discovery as it starts up.

WRT using SUS, we already do use SUS (WUS now) for the majority of PCs on
campus but this problem I'm having at the minute is caused by
student/personal machines connecting to our Wi-Fi service which we can't
really manage in this way.
Getting students etc to install reg fixes etc is an option but would be a
lot easier not to have to rely on them to do it. I'd imagine there would
also be an issue should they take their laptop to another network?

Unfortunately I discovered that WPAD doesn't work on VPNs using the M$
client (and possibly other VPN clients); in their infinite wisdom M$ have
made it so VPNs can't have the DNS-Suffix set on them unless hardcoded on
the client machine. This interaction isn't really an option, so I am relying
on FW holes to allow these machines to WU.

All in all, with a combination of .pac files, WPAD and FW holes I now have
all clients able to WU, I hope.

Thanks for all of your help.

Cheers,
Jezz.

> -----Original Message-----
> From: Steve Palmer [mailto:stevepalmer@NOEL-BAKER.DERBY.SCH.UK]
> Sent: 19 January 2005 13:24
> To: James Gray; squid-users@squid-cache.org
> Subject: RE: [squid-users] WindowsUpdate Problems.
>
> I would probably recommend setting up the free SUS server which would have
> direct or regular proxy access to the official servers, and use group
> policies to direct all your clients to your inhouse server.
>
> http://www.microsoft.com/windowsserversystem/sus/default.mspx
>
> ooo just noticed they're doing an update to it called WUS. Hope it's good!
> ;)
>
> ________________________________
>
> From: James Gray [mailto:james_gray@ocs.com]
> Sent: Tue 1/18/2005 9:13 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] WindowsUpdate Problems.
>
>
>
> On Mon, 17 Jan 2005 11:18 pm, Palmer J.D.F. wrote:
> > Hello,
> >
> > I have just been made aware that some machines are not Windows updating on
> > our campus network, I've done a fair bit of investigation and I 'think' I
> > know what the problem is and just wondered if anyone else had seen this,
> > and if so how it was remedied.
> > Initially I thought this was a Squid problem, but I'm now tending to think
> > it's a Microsoft problem.
> >
> > On our campus we force certain IP ranges to go through our squid caches,
> > which I guess you could call opaque, IE browsers/clients etc have to be
> > configured to go through the cache rather than transparent.
> > These restricted clients are forced to use the cache by the use of acls on
> > core routers denying port 80 traffic from various IPs.
> >
> > It appears that the Windows Update V5 client (not sure about V4) tries to
> > open a port 80 connection directly to Microsoft servers to check for and
> > download updates, this obviously fails as the router acls drop the packets.
>
> We had similar problems with WinXP clients trying to get updates both
> automatically and manually from Windows Update (v5, but we had intermittent
> problems with automatic updates on win2k - v4.windowsupdate...). Turns out
> M$ can't figure out how to implement authenticated proxy requests from the
> client to a proxy for Windows Update. I found a M$ knowledge-base article
> about it and the suggestion was to allow all requests to
> "*windowsupdate.microsoft.com" to be done without proxy authentication.
>
> The way you do this in squid is to put an ACL to allow requests to windows
> update BEFORE the ACL that requires authentication.
>
> I'm offline ATM, but I can send you the relevant bits from our squid.conf
> if you like.
>
> Cheers,
>
> James
Received on Wed Jan 19 2005 - 06:50:02 MST
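
The rule ordering James describes (allow Windows Update requests before the rule that requires authentication), sketched as a squid.conf fragment. This is an added example, not the configuration of anyone in the thread: the client range, the auth helper path and the ACL names are assumptions, and the only destination listed is the one quoted in the message.

```conf
# --- Definitions (all values constructed for illustration) ---
# Assumed basic-auth helper and password file; substitute your own.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

acl campus_clients src 192.0.2.0/24        # assumed range (documentation prefix)
acl authed         proxy_auth REQUIRED
# Leading dot matches the domain and its subdomains, nothing else.
acl windowsupdate  dstdomain .windowsupdate.microsoft.com

# --- Ordering that breaks Windows Update ---
# http_access is first-match. Evaluating a proxy_auth ACL for a request
# without credentials makes Squid answer 407, so the update client is
# challenged before the later rule is ever reached.
#
#   http_access allow campus_clients authed
#   http_access allow campus_clients windowsupdate
#   http_access deny  all

# --- Ordering described in the thread ---
# The unauthenticated exception comes first and is scoped to both the
# client range and the one destination domain, so every other request
# still falls through to the authentication rule.
http_access allow campus_clients windowsupdate
http_access allow campus_clients authed
http_access deny  all
```

Requests allowed by the first rule carry no user name in access.log, so they remain visible there as unauthenticated traffic to that domain only.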

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST