
Windows 10 download fails due to BITS range requests being blocked by the firewall.

I just deployed a new Sophos XG firewall and discovered that Windows 10 upgrade requests are failing with the error code 80200013. This, it seems, is tied to the fact that BITS range requests are being blocked. How can this be allowed to endpoints?

The download works from the same PCs if the XG is bypassed.



  • Hi Ibrahim,

    Which firmware version are you running?

    There is a known issue with range headers in the GA version, and it is resolved in MR 1.1. If you update to MR 1.1, the Windows Update tool should work as long as AV scanning is turned off.

  • BITS uses something called "range requests" to download the file piece by piece.  So the XG may see that bytes 2000-4000 of PotentiallyEvil.exe are being downloaded.  There is no way to effectively virus scan the middle of a file (or apply things like filetype blocking) so the range request is blocked.  I'm not sure but I think bypassing the virus scanner might allow it.

    From what I recall, BITS only uses range requests when downloading in the background.  Another solution is to use foreground.

    See https://support.microsoft.com/en-ca/kb/922330
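
The reason given above for blocking range requests, shown as an added example that is not part of the original post and not Sophos code: a toy scanner that sees each 206 response on its own misses a marker straddling two ranges, while the reassembled file is flagged. The signature, file contents and function names are constructed for illustration.

```python
import re

# Constructed stand-in for an AV signature; not a real malware pattern.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def parse_range(header, size):
    """Resolve a single 'bytes=first-last' Range header to inclusive offsets."""
    m = re.fullmatch(r"bytes=(\d*)-(\d*)", header.strip())
    if not m or m.groups() == ("", ""):
        raise ValueError("unsupported Range header: %r" % header)
    first, last = m.groups()
    if first == "":                      # suffix form: the last N bytes
        start, end = max(size - int(last), 0), size - 1
    else:
        start = int(first)
        end = min(int(last), size - 1) if last else size - 1
    if start > end or start >= size:
        raise ValueError("range not satisfiable")
    return start, end


def serve_range(body, header):
    """What an origin server returns: status, Content-Range, partial body."""
    start, end = parse_range(header, len(body))
    return 206, "bytes %d-%d/%d" % (start, end, len(body)), body[start:end + 1]


def scan(data):
    """Toy content scanner: flags data only if it holds the whole signature."""
    return SIGNATURE in data


def download_in_ranges(body, chunk):
    """Fetch the file range by range, scanning each 206 response the way an
    inline gateway would; return per-range verdicts and the rebuilt file."""
    verdicts, parts = [], []
    for off in range(0, len(body), chunk):
        _, _, part = serve_range(body, "bytes=%d-%d" % (off, off + chunk - 1))
        verdicts.append(scan(part))
        parts.append(part)
    return verdicts, b"".join(parts)


# Constructed 6000-byte file; the marker straddles the 2000-byte boundary.
FILE = b"A" * 1990 + SIGNATURE + b"B" * (6000 - 1990 - len(SIGNATURE))
VERDICTS, REBUILT = download_in_ranges(FILE, 2000)
print(VERDICTS, scan(REBUILT))
```

Because no single range yields a trustworthy verdict, a scanning gateway has to either see the whole object or refuse the partial response, which is the behaviour described in this thread.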

  • Hi Ibrahim, 

    I have just the same problem. Unfortunately the replies to your request seem to have no working solution for it.

    Did you solve this problem? Can you tell me how?

    Specs of my device: Sophos XG 210

    Firmware Version SFOS 15.01.0

    Only Base Firewall is enabled - all other modules have an expired test license

    Do I have to disable these modules, although the license is expired?

    Thank you, 

    René

  • Hello, 

    I solved the issue by switching Application Filter and Web Filter on #Default_Network_Policy both from "Allow All" to "None"

    No problem with downloading updates anymore.

  • You can temporarily disable the AV scanning in your firewall policies since the device sees the extended range packets coming in as possible malware due to the fact that they are out of sequence.

    That's how I got it to work. Hopefully with future releases of the XG, an enable range request option will be provided.

    Thanks.

  • I have confirmed, if you create an exception for Malware scanning, it will allow BITS range requests.

  • Could you please describe how to create an exception for these updates?  We are having this same issue and have not been able to successfully create an exception for Office Updates. 

  • Web Protection, Web Content Filter, HTTP Scanning Rules
    Add Rule
    Source: *
    Destination: *
    URL Regex: microsoft.com
    Action: Bypass

    You might need additional rules for other domains, I don't know what the BITS requests actually use.

  • Hi,

    I have applied this policy and I still can't download Windows 10 updates; it just keeps on failing.

  • Hi jsybhdu,

    What ended up finally working to allow Windows 10 machines to update Office 2016 was putting the following domain names into the Exceptions List:

    officecdn.microsoft.com.edgekey.net
    officecdn.microsoft.com.edgesuite.net
    officecdn.microsoft.com

    I did this by going to Web Protection -> Filtering Options -> Exceptions

    There I created a new Exception List with only the Antivirus under Skip these checks checked and added the domains exactly how you see the above to the target domains with the option matching these URLS selected.  Once I did that, Office 2016 was able to update without further issues.