Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 57 replies
  • Subscribers 1 subscriber
  • Views 39499 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WSUS with ASG Webfilter not working anymore

TheExpert
Hello together,

since Microsoft deployed the WSUS 3.0 SP2 patch KB2720211 the exception rules of ASG for the webfilter (originally made by Astaro) doesn't work anymore and WSUS can't synchronize with the Microsoft Update Services. I use my ASG as transparent proxy.

The first thing I tried was to deactivate all the SSL interceptions and certificate tests but the synchronization doesn't work. It also doesn't work when all webfilter features are deactivated.

After deactivating the complete webfilter on the ASG WSUS was able to synchronize.

Now I set an exception for the WSUS server IP address on the transparent proxy modus and so WSUS is working fine. But now I have a security issue because there's no proxy functionality for the complete server.

What can I do?

Thank you

TheExpert

ASG 8.305 on VMware ESXi 5.0


This thread was automatically locked due to age.
Parents
  • 0
    place the wsus server in the web filtering-advanced-transparent mode skiplist section.  This totally bypasses the http proxy for the server.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    Hello,

    thank you for your answers.

    @William: As I wrote in my first post on this threat I set an exception for the WSUS server IP address on the transparent proxy modus and so WSUS is working fine. But now I have a security issue because there's no proxy functionality for the complete server.

    @BAlfson: The thing is, that in the webfilter log everything works fine: There is the right rule with all the configured exceptions.

    Here are some examples :

    Example with standard exceptions, made by Astaro per Default:

    2012:06:17-17:36:57 httpproxy[6869]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.x.y" dstip="23.61.246.40" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11853" request="0xb0c5300" url="http://download.windowsupdate.com/v9/wsus/redir/wsusredir.cab?126171563459" exceptions="av,fileextension" error="" country="United States" category="175" reputation="trusted" categoryname="Software/Hardware" content-type="application/octet-stream" application="winupdat"

    2012:06:17-17:37:14 httpproxy[6869]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="192.168.x.y" dstip="65.55.13.190" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="406" request="0xb0cfe38" url="https://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx" exceptions="av,fileextension" error="" country="United States" reputation="neutral" category="105,175" reputation="neutral" categoryname="Business,Software/Hardware" content-type="text/xml"

    Example with advanced exceptions:

    2012:06:17-19:21:32 httpproxy[23818]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.x.y" dstip="209.84.11.254" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11853" request="0x92b7b68" url="http://download.windowsupdate.com/v9/wsus/redir/wsusredir.cab?126171761935" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension" error="" application="winupdat"

    2012:06:17-19:21:43 httpproxy[23818]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="192.168.x.y" dstip="65.55.13.190" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9244b60" url="https://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension" error=""

    Thank you

    TheExpert

    Kind Regards

    TheExpert

  • 0 in reply to TheExpert
    This is actually simpler than you think ... simply create an exception for windows update (the URL), that excepts all functions of the proxy for WSUS.

    Microsoft Windows Update [Allows Windows Update without content scanning side effects.]

    Skipping: Authentication / Caching / Antivirus / Extension blocking / MIME type blocking / URL Filter / Content Removal / SSL scanning / Certificate Trust Check / Certificate Date Check

    Matching these URLs:
    ^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/


    Works fine here and for customers.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Reply
  • 0 in reply to TheExpert
    This is actually simpler than you think ... simply create an exception for windows update (the URL), that excepts all functions of the proxy for WSUS.

    Microsoft Windows Update [Allows Windows Update without content scanning side effects.]

    Skipping: Authentication / Caching / Antivirus / Extension blocking / MIME type blocking / URL Filter / Content Removal / SSL scanning / Certificate Trust Check / Certificate Date Check

    Matching these URLs:
    ^https?://([A-Za-z0-9.-]*\.)?windowsupdate\.com/


    Works fine here and for customers.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Children
No Data
Cookie Information Banner