[squid-users] Squid and Windows Update from Julian Pilfold-Bagwell on 2007-06-21 (squid-users)

From: Julian Pilfold-Bagwell <jpb@dont-contact.us>
Date: Thu, 21 Jun 2007 13:26:49 +0100

Hi All,

I have an NTLM authenticated squid proxy and an trying to get to Windows
Update. Up until about 3 weeks ago it worked OK but then stopped and I
haven't been able to get it going since. I have microsoft.com and
windowsupdate.com in an always_direct acl and have used proxycfg to set
the proxy up on the windows boxes. I've also ticked http 1.1 connection
on proxy in IE6's options. I've spent hours on Google without finding
any solution. Could someone have a look through the acls below to see if
I've missed something please.

Cheers,

Jools

PS: Below is a snap from the proxy log showing what's happening when I
try to connect. Thanks.

##### Log Output

1182427844.513 RELEASE -1 FFFFFFFF 62992ED631E0F39DDA8C8DC2F898F266 407
1182427844 0 1182427844 text/html 1325/1325 GET
http://go.microsoft.com/fwlink/?
1182427844.520 RELEASE -1 FFFFFFFF 2E6A5C7F93EEE6901CCCEE0DEB5A2229 407
1182427844 0 1182427844 text/html 1325/1325 GET
http://go.microsoft.com/fwlink/?
1182427844.533 RELEASE -1 FFFFFFFF DEE0F5C0483083C6578A92A5A262DBA8 407
1182427844 0 1182427844 text/html 1463/1463 POST
http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
1182427844.868 RELEASE -1 FFFFFFFF A8ABED5E2C14C5B1E9D0C071634A6A5F 407
1182427844 0 1182427844 text/html 1325/1325 GET
http://go.microsoft.com/fwlink/?
1182427844.898 RELEASE -1 FFFFFFFF 8A2AF11EB29DC53BECCE375C51ED2564 407
1182427844 0 1182427844 text/html 1325/1325 GET
http://go.microsoft.com/fwlink/?
1182427845.371 RELEASE -1 FFFFFFFF E376783F93B586292C10EB17CEED8C0D 302
1182427844 -1 1182427784 text/html 135/135 GET
http://go.microsoft.com/fwlink/?
1182427845.395 RELEASE -1 FFFFFFFF DB56627F467C065BB2717F8C4807EE04 302
1182427844 -1 1182427784 text/html 135/135 GET
http://go.microsoft.com/fwlink/?
1182427845.959 RELEASE -1 FFFFFFFF FC48317C07A19CD1D257DF7931B8CF91 407
1182427845 0 1182427845 text/html 1301/1301 CONNECT
update.microsoft.com:443
1182427845.965 RELEASE -1 FFFFFFFF 9FDB6B061BB1A01FD5774EDCF57BFE72 407
1182427845 0 1182427845 text/html 1301/1301 CONNECT
update.microsoft.com:443
1182427845.968 RELEASE -1 FFFFFFFF 24E1583A4D3FE04F9CC5D92791D8234F 407
1182427845 0 1182427845 text/html 1301/1301 CONNECT
update.microsoft.com:443
1182427846.017 RELEASE -1 FFFFFFFF 307158AE09CFED627438DB4C97BB6DE7 407
1182427846 0 1182427846 text/html 1301/1301 CONNECT
update.microsoft.com:443
1182427848.314 RELEASE -1 FFFFFFFF B54B1B79B60C0A9EE18BCC5F376CCCF0 407
1182427848 0 1182427848 text/html 1463/1463 POST
http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
1182427848.335 RELEASE -1 FFFFFFFF 106150D23930001055AB50F33462E587 407
1182427848 0 1182427848 text/html 1463/1463 POST
http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
1182427848.385 RELEASE -1 FFFFFFFF 8F2EB8EA5C13E1999AA8BBA44C8DE2CC 407
1182427848 0 1182427848 text/html 1463/1463 POST
http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
1182427848.608 RELEASE -1 FFFFFFFF 9AAF6E2DA487093383A0DD59ADB264B4 407
1182427848 0 1182427848 text/html 1301/1301 CONNECT
update.microsoft.com:443
1182427848.628 RELEASE -1 FFFFFFFF 552B7EA2E74614B8A4E9E82E193FC296 407
1182427848 0 1182427848 text/html 1301/1301 CONNECT
update.microsoft.com:443
1182427848.631 RELEASE -1 FFFFFFFF B2701012D1DE2296A7678125A6841581 407
1182427848 0 1182427848 text/html 1301/1301 CONNECT
update.microsoft.com:443
1182427848.681 RELEASE -1 FFFFFFFF 6194E73C33414591F76E8645DD78AF71 407
1182427848 0 1182427848 text/html 1301/1301 CONNECT
update.microsoft.com:443
1182427848.928 RELEASE -1 FFFFFFFF 2B64CB519E1123FE9772D9D2FD6B9D23 407
1182427848 0 1182427848 text/html 1463/1463 POST
http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
1182427848.959 RELEASE -1 FFFFFFFF BAB09BA63C9B037455216ED743BDE755 407
1182427848 0 1182427848 text/html 1463/1463 POST
http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
1182427849.014 RELEASE -1 FFFFFFFF 964028CC20022B536F59877D37745174 407
1182427849 0 1182427849 text/html 1463/1463 POST
http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
1182427850.033 RELEASE -1 FFFFFFFF 36FDA330BD08904D927FB76ABD56B1D1 407
1182427850 0 1182427850 text/html 1292/1292 CONNECT
urs.microsoft.com:443
1182427850.075 RELEASE -1 FFFFFFFF B5335E465AA32ED4259749CBB2AC4236 407
1182427850 0 1182427850 text/html 1292/1292 CONNECT
urs.microsoft.com:443
1182427850.127 RELEASE -1 FFFFFFFF 0D4261BD99331073CAE9F2FA94E0EE61 407
1182427850 0 1182427850 text/html 1292/1292 CONNECT
urs.microsoft.com:443
1182427850.130 RELEASE -1 FFFFFFFF 32CCE2EA2FB00E6CA57DF5D5F2CC6799 407
1182427850 0 1182427850 text/html 1292/1292 CONNECT
urs.microsoft.com:443
1182427857.205 RELEASE -1 FFFFFFFF 8364CFCAC246E58498EE0BDE0D20BB55 407
1182427857 0 1182427857 text/html 1424/1424 HEAD
http://download.microsoft.com/v7/windowsupdate/redir/wuredir.cab?
1182427857.246 RELEASE -1 FFFFFFFF 1D28B4DEFD9E052684081FF35FC7AC48 407
1182427857 0 1182427857 text/html 1424/1424 HEAD
http://download.microsoft.com/v7/windowsupdate/redir/wuredir.cab?
1182427870.383 RELEASE -1 FFFFFFFF 58E46B60D5281FCE38B25993DCD623DD 407
1182427870 0 1182427870 text/html 1325/1325 GET
http://go.microsoft.com/fwlink/?
1182427870.411 RELEASE -1 FFFFFFFF 527B3C30FBE3F4D0D4F906A707460DB8 407
1182427870 0 1182427870 text/html 1325/1325 GET
http://go.microsoft.com/fwlink/?
1182427870.826 RELEASE -1 FFFFFFFF 5380F6373AD5E4AE495DA842325C8985 302
1182427870 -1 1182427810 text/html 153/153 GET
http://go.microsoft.com/fwlink/?

########## squid.conf snippet

acl winupdate dstdomain .microsoft.com .windowsupdate.com

# Force Authentication onto Windows clients in background (no pop-up
password box)
acl mynetwork proxy_auth REQUIRED

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
#Following line hashed out to allow next but one line - Added JPB 03/04/2007
#acl localhost src 127.0.0.1/255.255.255.255
acl localhost proxy_auth REQUIRED
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the
request.

#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, then the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# And finally deny all other access to this proxy
always_direct allow winupdate
http_access allow all mynetwork
http_access deny all
Received on Thu Jun 21 2007 - 06:26:17 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT