To All,
Information on step by step instructions when receiving the error and how to
configure the ISA 2000/2003 server to access Windows Update Site.
Symptoms
========
When accessing Windows Update Version 5 site via an ISA Server that
requires authentication, failures may be experienced as detailed in the
following scenarios.
Note: While this article is specific to ISA Server, the problems detailed
here may also be seen through other authenticating Proxy servers.
Scenario 1
When accessing the Windows Update V5 site (v5.windowsupdate.microsoft.com) a
failure may be seen when the check for the latest version of the Windows
Update software is carried out. This would result in an error message
similar to the following:-
- Windows Update has encountered an error and cannot display the
requested page.
In the top right hand corner of the page you may see the following - [Error
number: 0x80072F78]
Scenario 2
After initially accessing the Windows Update V5 site you will be presented
with options for Express Install or Custom Install. When selecting either of
these options Windows Update may fail and display an error message similar
to the following:-
- Windows Update has encountered an error and cannot display the
requested page.
In the top right hand corner of the page you may see the following - [Error
number: 0x80244021] or [Error number: 0x80244019]
Cause
=====
Scenario 1 is due to the client sending a HEAD request on a TCP connection
that has already been closed by the Proxy Server. This is a known issue with
Internet Explorer.
Scenario 2 is due to the Windows Update client authenticating with NULL
credentials to the Proxy server. If the Proxy server does not allow access
to the requested site for the NULL logon the request may be denied resulting
in the failure seen.
Resolution
==========
Scenario 1:
As mentioned above this is a known issue in Internet Explorer as detailed in
the following KB:-
KBLink:838893.KB.[LN]: "The server returned an invalid or unrecognized
response" error message in Internet Explorer 6 Service Pack 1
To resolve this please install the Internet Explorer roll-up patch from the
following KB article:-
KBLink:871260.KB.[LN]: An update rollup is available for Internet
Explorer versions 5.x and 6.0
Scenario 2:
The root cause of this is currently being analysed. Please see the
"Workaround" section for an intermediary solution.
Workaround
==========
The workaround for Scenario 2 is to give anonymous access to the relevant
Windows Update sites. The following destinations should be included when
creating the Destination Set / Domain Name Set for Windows Update:
- *.download.microsoft.com
- *.windowsupdate.com
- *.windowsupdate.microsoft.com
- windowsupdate.microsoft.com
Please see the "More Information" section for details on configuring the
required rules for ISA2000 and ISA2004.
Note: If any 3rd party content filters are being used it may also be
necessary to configure these to allow unrestricted access to the above
sites. Please see your filter vendor's documentation for how this should be
configured.
Status
======
Microsoft has confirmed that this is a problem in the scenarios detailed
above.
More Information
================
The following instructions detail how to create an Anonymous access rule and
associated Destination Set for the Windows Update sites listed in the
"Workaround" section.
For ISA 2000
Create a Destination Set for Windows Update domains:
1. Open ISA Management Console
2. Expand "<ArrayName>" and "Policy Elements"
3. Right click "Destination Sets", select "New", then "Set"
4. Enter <Windows Update> in the "Name" field, click "Next"
5. Click "Add"
6. Enter <*.download.microsoft.com> in the "Domain" field
7. Leave the "Path" field blank, and click "OK"
8. Repeat steps 5 through 7 for each remaining URL from the Workaround
section, and click "OK"
Create an anonymous Site and Content rule for Windows Update requests:
1. Open ISA Management console
2. Expand "Access Policy"
3. Right click "Site and Content Rules", select "New", then "Rule"
4. Enter <Windows Update> in the "Name" field, click "Next"
5. Select "Allow", click "Next"
6. Select "Allow access based on destination", click "Next"
7. In the "Apply this rule to" drop-down list, select "Specified
Destination Set"
8. In the "Name" drop-down list, select <Windows Update>
9. Click "Next", then "Finish"
NOTE: if your existing protocol rules require authentication
(user/group-limited) you will have to create an anonymous protocol rule for
HTTP and HTTPS as follows:
1. Open ISA Management console
2. Expand "Access Policy"
3. Right click "Protocol Rules," select "New", then "Rule"
4. Enter <Windows Update> in the "Name" field, click "Next"
5. Select "Allow", click "Next"
6. In the "Apply this rule to" drop-down list, select "Selected
protocols"
7. In the "Protocols" list, select "HTTP" and "HTTPS", click "Next"
8. Click "Next", "Next", then "Finish"
NOTE: Changes to ISA 2000 policies do not take effect immediately and do not
affect existing sessions. Please see the following KB for details:
KBLink:281985.KB.[LN]: ISA Server Configuration Changes Are Not Instantaneous
For ISA 2004
Create an anonymous Access Rule for Windows Update:
1. Open the ISA Management Console
2. In the left pane, right-click "Firewall Policy" and select "New",
then "Access Rule"
3. Enter <Windows Update> in the "Name" field, click "Next"
4. Select "Allow", click "Next"
5. In the "This rule applies to" drop-down list, select "Selected
Protocols"
6. Click "Add"
7. In the "Add Protocols" dialog, expand "Web"
8. Select "HTTP" and click "Add"
9. Select "HTTPS" and click "Add"
10. Click "Close", then "Next"
11. In the "Access Rule Sources" dialog, click "Add"
12. In the "Add Network Entities" dialog, expand "Networks"
13. Select "Internal" and click "Add"
14. For each network which requires access to Windows Update select
that network object and click "Add"
15. Click "Close", then "Next"
16. In the "Access Rule Destinations" window, click "Add"
17. In the "Add Network Entities" window menu bar, click "New", then
"Domain Name Set"
18. In the "New Domain Name Set Policy Element" window, enter <Windows
Update> in the "Name" field
19. Click "New"
20. In the "Domain names included in this set" list, change the new
entry to <*.download.microsoft.com>
21. Repeat steps 19 and 20 for each remaining domain listed in the
workaround section
22. Click OK
23. In the "Add Network Entities" window, select <Windows Update> from
the "Domain Name Sets" section, click "Add", then "Close"
24. Click "Next", "Next", then "Finish"
25. In the top part of the middle pane, "Apply" and "Discard" buttons
will appear; click "Apply"
26. When "Apply New Configuration" dialog reports "Changes to the
configuration were successfully applied", click "OK"
Make the Windows Update rule the first rule:
Note: If you prefer to list all of your deny rules first, then you can make
the Windows Update rule the first rule following these.
1. In the left pane, select "Firewall Policy"
2. If <Windows Update> is already the first rule in the list, stop here
3. In the middle pane, select the <Windows Update> rule
4. In the right pane select the "Tasks" tab
5. Click "Move the selected rule up" until <Windows Update> is the
first rule in the list
6. In the top part of the middle pane, "Apply" and "Discard" buttons
should appear; click "Apply"
7. When "Apply New Configuration" dialog reports "Changes to the
configuration were successfully applied", click "OK"
NOTE: Changes to ISA 2004 policies do not affect existing sessions. Please
see the following KB for details:
KBLink:841140.KB.[LN]: Changes to the firewall policy only affect new
connections in ISA Server 2004
Thanks,
Allen Hill [MSFT]
"David Barker" <> wrote in message
news:106d01c4a0b0$fb0da440$...
> If you are still having trouble after you have tried
> everything, then you will probably find your answer here.
>
> After trying various KB including KB 883821, I have
> discovered the cause of the infamous 0x8024402C
> error for XP workstations that sit behind ISA firewalls.
> You may only be seeing a 0x80072f78 error because you
> haven't gotten to the update site whereby you get the
> 0x8024402C error. Either way, this Technical note may help
> you solve your problem.
>
> Please see the following web page (URL may wrap to two
> lines but is meant to be one):
>
> http://www.electrosonics.net/technot...0x8024402C.htm
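
Added example (not part of the original post and not Microsoft tooling): a check of which hostnames the Workaround's domain set actually covers, and which anonymous requests in a proxy log fall outside it, so the unauthenticated rule can be audited for scope. It assumes a leading "*." covers subdomains only, on whole DNS labels (which would explain why windowsupdate.microsoft.com is listed separately); the function names and the (user, host) records are constructed for illustration.

```python
# Domain set copied from the "Workaround" section of the post.
WINDOWS_UPDATE_SET = [
    "*.download.microsoft.com",
    "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
]


def host_in_set(host, domain_set=WINDOWS_UPDATE_SET):
    """True if host is covered by an entry of the domain set.

    Assumption: "*.example.com" covers subdomains of example.com but not
    example.com itself; plain entries must match exactly.
    """
    host = host.strip().strip(".").lower()
    for entry in domain_set:
        entry = entry.lower()
        if entry.startswith("*."):
            # Compare with the leading dot kept, so a look-alike such as
            # "evilwindowsupdate.com" is not treated as a subdomain.
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def anonymous_outside_set(records, domain_set=WINDOWS_UPDATE_SET):
    """Return the unauthenticated (user, host) records not in the set."""
    return [
        (user, host)
        for user, host in records
        if user.lower() in ("", "anonymous")
        and not host_in_set(host, domain_set)
    ]


# Constructed sample records (user, destination host); not real log output.
SAMPLE = [
    ("anonymous", "v5.windowsupdate.microsoft.com"),
    ("anonymous", "www.download.microsoft.com"),
    ("anonymous", "windowsupdate.com"),
    ("anonymous", "evilwindowsupdate.com"),
    ("CORP\\alice", "www.example.org"),
    ("anonymous", "windowsupdate.microsoft.com.example.net"),
]
```

Any record returned by anonymous_outside_set(SAMPLE) is an unauthenticated request the Windows Update rule should not have been the one to allow.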