Microsoft WSUS updates won't download

Much has been written in these forums about failed Microsoft downloads. I've read as much as I can but I still can't make it work.

For me, I'm using a WSUS server. It is failing to download updates from Microsoft. It is successfully connecting and downloading the description of each update, but not the actual update itself.

I've read this article and followed its instructions:

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80605/how-do-i-allow-windows-updates-app-updates-in-windows-10/306688#306688

Here is my firewall rule:

In log viewer, I can see traffic hitting that rule and being allowed out, so I'm at a bit of a loss as to why I'm not getting updates at this point. Anyone see something that I didn't get quite right?


  • I was just looking at a problem with installing Office Click-To-Run which I think uses BITS or at least a similar download mechanism that uses partial downloads. My logs all show "allowed", but the request where the install fails has a status_code of 502, which I think is a timeout or some other failure.

    Can you check your logs for the same? If you are running v17 you should be able to use a search string of status_code="5 to find such entries in the logs. If you don't see anything with a status_code of 502 (or maybe some other 5xx) then you can ignore the rest of this... it gets a bit ranty towards the end.

    Adding exceptions didn't fix it for me. I can see that the exceptions are taking effect, but they don't solve the problem. The only thing that makes it work is a new rule, before the rule that is allowing this traffic, with no http scanning. Limit the destinations to the FQDN hosts in question (wildcards don't seem to work) so that you aren't turning off scanning for all your traffic.

    I'm chasing another issue that I think is related to this where customers report that occasionally when they go to load a page in a browser, nothing happens. A few minutes later they get some sort of error. If they refresh the page it works fine. The only thing that has resolved this is to turn off http scanning.

    Turning off http scanning turns off transparent proxying, from what I can see, so you will no longer see the traffic in the web logs, only in the firewall logs.

    So I think that there are two issues at play:

    1. proxy is broken and is occasionally failing requests
    2. when the requests fail, the response isn't relayed back to the client in a way that looks like a failure. In my case Office Deployment Tool thinks it has downloaded data but then hashes it and finds it isn't the right data.

    I'm not really sure where to go with this. My past experience with Sophos support is that you have to wade through a mountain of futility before it gets escalated to someone who understands the problem enough to be able to help. And surely I'm at the end of a long list of people who have reported this issue before? Reproducing an Office Click-To-Run install in a lab is about an hour's work.

    James
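The log check James describes above (requests logged as "allowed" that nevertheless came back 5xx), as an added example that is not part of the original thread: it tallies such entries per destination host, which gives the FQDN list a narrow no-scanning rule would need. The key="value" line layout, the `action` and `domain` field names and all sample hosts are assumptions; only `status_code` appears in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed key="value" layout. Only the
# status_code field name comes from the thread; every other field name,
# host and value here is hypothetical.
SAMPLE_LOG = """\
date=2018-06-01 time=10:01:02 action="allowed" domain="host-a.example" status_code="200"
date=2018-06-01 time=10:01:09 action="allowed" domain="host-b.example" status_code="502"
date=2018-06-01 time=10:01:15 action="allowed" domain="host-a.example" status_code="206"
date=2018-06-01 time=10:02:40 action="allowed" domain="host-b.example" status_code="502"
date=2018-06-01 time=10:03:11 action="allowed" domain="host-c.example" status_code="504"
date=2018-06-01 time=10:03:30 action="denied" domain="host-d.example" status_code="503"
"""

# Matches key="quoted value" as well as key=bare_value pairs.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one log line into a dict of field name -> value."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def failed_hosts(log_text):
    """Return (host, count) pairs for allowed requests answered with 5xx,
    most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        status = rec.get("status_code", "")
        is_5xx = len(status) == 3 and status.isdigit() and status[0] == "5"
        # "allowed" by the firewall rule, yet the proxy returned an error.
        if rec.get("action") == "allowed" and is_5xx:
            counts[rec.get("domain", "unknown")] += 1
    return counts.most_common()


if __name__ == "__main__":
    for host, hits in failed_hosts(SAMPLE_LOG):
        print(f"{hits:4d}  {host}")
```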

  • Hi,

    Short question to your long investigation: Do you use MR5?

    We fixed an issue with range http packets, which Microsoft quite often uses.

    Cheers

  • I'm on MR5 and am having the problem. But as I said my issue may not be related at all to the OP's issues.

    Curiously though, I set up a heap of packet traces, turned off my bypass rules, and now can't get it to fail. It downloads the 1.8GB of Office without any issues at all.

    James

  • manbearpig said:

    Hi,

    Short question to your long investigation: Do you use MR5?

    We fixed an issue with range http packets, which Microsoft quite often uses.

    Cheers

    I'm on MR3 at the moment, but if MR5 has the possibility of helping I will get it installed and report back.

  • Here are the mentioned bug IDs, fixed in MR5.

    • NC-22752 [Web] Range requests cannot download files larger than 2GB

    • NC-25582 [Web] Range header in requests should not be validated when AV scanning is not required

  • My WSUS server won't download any updates at all. I doubt that every update is larger than 2GB, but I'll try the MR5 update anyways.

  • I gave up trying to make WSUS work with Sophos. It is never gonna work. You will have to create a specific rule that will bypass that XG firewall completely. A simple (unsecure) rule allowing HTTPS traffic only from your WSUS to the internet. But if Sophos scans it, it will fail. NAT behind a firewall is the only protection available. If you want to decrypt and scan it, you will have to look at another solution.

    Paul Jr