RE: [squid-users] WindowsUpdate Problems.

From: Steve Palmer <[email protected]>
Date: Wed, 19 Jan 2005 13:23:31 -0000

I would probably recommend setting up the free SUS server which would have direct or regular proxy access to the official servers, and use group policys to direct all your clients to your inhouse server.
 
http://www.microsoft.com/windowsserversystem/sus/default.mspx
 
ooo just noticed they're doing an update to it called WUS. Hope its good! ;)

________________________________

From: James Gray [mailto:james_gray@ocs.com]
Sent: Tue 1/18/2005 9:13 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] WindowsUpdate Problems.

On Mon, 17 Jan 2005 11:18 pm, Palmer J.D.F. wrote:
> Hello,
>
> I have just been made aware that some machines are not Windows updating on
> our campus network, I've done a fair bit of investigation and I 'think' I
> know what the problem is and just wondered if anyone else had seen this,
> and if so how it was remedied.
> Initially I thought this was a Squid problem, but I'm now tending to think
> it's a Microsoft problem.
>
> On our campus we force certain IP ranges to go through our squid caches,
> which I guess you could call opaque, IE browsers/clients etc have to be
> configured to go through the cache rather than transparent.
> These restricted clients are forced to use the cache by the use of acls on
> core routers denying port 80 traffic from various IPs.
>
> It appears that the Windows Update V5 client (not sure about V4) tries to
> open a port 80 connection directly to Microsoft servers to check for and
> download updates, this obviously fails as the router acls drop the packets.

We had similar problems with WinXP clients trying to get updates both
automatically and manually from Windows Update (v5, but be had intermittent
problems with automatic updates on win2k - v4.windowsupdate...). Turns out
M$ can't figure out how to implement authenticated proxy requests from the
client to a proxy for Windows Update. I found a M$ knowledge-base article
about it and the suggestion was to allow all requests to
"*windowsupdate.microsoft.com" to be done without proxy authentication.

The way you do this in squid is to put an ACL to allow requests to windows
update BEFORE the ACL that requires authentication.

I'm offline ATM, but the I can send you the relevant bits from our squid.conf
if you like.

Cheers,

James

This message is confidential. You should not copy it or disclose its contents to anyone. If this email has come to you in error please delete it and any attachments.
Internet communications are not secure and therefore Noel-Baker Community School and Language College does not accept legal responsibility for the contents of this message.
Unless expressly stated, any views or opinions presented are those of the author and not those of Noel-Baker Community School and Language College.
Please note that Noel-Baker Community School and Language College will monitor incoming and outgoing e-mail communications for security and regulatory purposes.
Received on Wed Jan 19 2005 - 06:31:18 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST