Clients behind SBS 2003 Premium server not connecting properly to external WSUS 2 server

Discussion in 'Update Services' started by KeithL, Aug 23, 2007.

  1. KeithL

    KeithL Guest

    We have a WSUS v2 installation at one of our datacentres which we're using
    to supply updates to all the servers & clients we maintain. These machines
    are a combination of domain servers and clients with the configuration done
    via GPO, and workgroup servers where the configuration is done via the
    registry. For the most part they're all working fine with one exception.

    At one client location we have a Windows 2003 SBS Premium installation,
    using ISA Server, and behind it a load of Windows XP Pro desktops. The WSUS
    config is done through a GPO to all the machines on the network, including
    the server, however only the server manages to successfully report to the
    WSUS server properly.

    On the clients if I check the WindowsUpdate.log file I can see that they are
    attempting to connect to the correct location :

    ---


    2007-07-24 07:13:40:080 1172 760 AU #############
    2007-07-24 07:13:40:080 1172 760 AU ## START ## AU: Search for updates
    2007-07-24 07:13:40:080 1172 760 AU #########
    2007-07-24 07:13:40:080 1172 760 AU <<## SUBMITTED ## AU: Search for
    updates [CallId = {C596298D-3A6D-4247-9A54-1CF7696012E5}]
    2007-07-24 07:13:40:080 1172 718 Agent *************
    2007-07-24 07:13:40:080 1172 718 Agent ** START ** Agent: Finding updates
    [CallerId = AutomaticUpdates]
    2007-07-24 07:13:40:080 1172 718 Agent *********
    2007-07-24 07:13:40:080 1172 718 Agent * Online = Yes; Ignore download
    priority = No
    2007-07-24 07:13:40:080 1172 718 Agent * Criteria = "IsHidden=0 and
    IsInstalled=0 and DeploymentAction='Installation' and IsAssigned=1 or
    IsHidden=0 and IsPresent=1 and DeploymentAction='Uninstallation' and
    IsAssigned=1 or IsHidden=0 and IsInstalled=1 and
    DeploymentAction='Installation' and IsAssigned=1 and RebootRequired=1 or
    IsHidden=0 and IsInstalled=0 and DeploymentAction='Uninstallation' and
    IsAssigned=1 and RebootRequired=1"
    2007-07-24 07:13:40:080 1172 718 Agent * ServiceID =
    {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
    2007-07-24 07:13:40:080 1172 718 Misc Validating signature for
    C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wuident.cab:
    2007-07-24 07:13:40:080 1172 718 Misc Microsoft signed: Yes
    2007-07-24 07:14:11:984 1172 718 Misc WARNING: Send failed with hr =
    80072efd.
    2007-07-24 07:14:11:984 1172 718 Misc WARNING: SendRequest failed with hr
    = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth
    Schemes used : <>
    2007-07-24 07:14:11:984 1172 718 Misc WARNING: WinHttp:
    SendRequestUsingProxy failed for <http://<our wsus
    server>:8530//selfupdate/wuident.cab>. error 0x80072efd
    2007-07-24 07:14:11:984 1172 718 Misc WARNING: WinHttp:
    SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efd
    2007-07-24 07:14:11:984 1172 718 Misc WARNING: WinHttp:
    SendRequestToServerForFileInformation failed with 0x80072efd
    2007-07-24 07:14:11:984 1172 718 Misc WARNING: WinHttp:
    ShouldFileBeDownloaded failed with 0x80072efd
    2007-07-24 07:14:32:932 1172 718 Misc WARNING: Send failed with hr =
    80072efd.
    2007-07-24 07:14:32:932 1172 718 Misc WARNING: SendRequest failed with hr
    = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth
    Schemes used : <>
    2007-07-24 07:14:32:932 1172 718 Misc WARNING: WinHttp:
    SendRequestUsingProxy failed for <http://<our wsus
    server>:8530//selfupdate/wuident.cab>. error 0x80072efd
    2007-07-24 07:14:32:932 1172 718 Misc WARNING: WinHttp:
    SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efd
    2007-07-24 07:14:32:932 1172 718 Misc WARNING: WinHttp:
    SendRequestToServerForFileInformation failed with 0x80072efd
    2007-07-24 07:14:32:932 1172 718 Misc WARNING: WinHttp:
    ShouldFileBeDownloaded failed with 0x80072efd
    2007-07-24 07:14:53:880 1172 718 Misc WARNING: Send failed with hr =
    80072efd.
    2007-07-24 07:14:53:880 1172 718 Misc WARNING: SendRequest failed with hr
    = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth
    Schemes used : <>
    2007-07-24 07:14:53:880 1172 718 Misc WARNING: WinHttp:
    SendRequestUsingProxy failed for <http://<our wsus
    server>:8530//selfupdate/wuident.cab>. error 0x80072efd
    2007-07-24 07:14:53:880 1172 718 Misc WARNING: WinHttp:
    SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efd
    2007-07-24 07:14:53:880 1172 718 Misc WARNING: WinHttp:
    SendRequestToServerForFileInformation failed with 0x80072efd
    2007-07-24 07:14:53:880 1172 718 Misc WARNING: WinHttp:
    ShouldFileBeDownloaded failed with 0x80072efd
    2007-07-24 07:15:26:719 1172 718 Misc WARNING: Send failed with hr =
    80072efd.
    2007-07-24 07:15:26:719 1172 718 Misc WARNING: SendRequest failed with hr
    = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth
    Schemes used : <>
    2007-07-24 07:15:26:719 1172 718 Misc WARNING: WinHttp:
    SendRequestUsingProxy failed for <http://<our wsus
    server>:8530//selfupdate/wuident.cab>. error 0x80072efd
    2007-07-24 07:15:26:719 1172 718 Misc WARNING: WinHttp:
    SendRequestToServerForFileInformation MakeRequest failed. error 0x80072efd
    2007-07-24 07:15:26:719 1172 718 Misc WARNING: WinHttp:
    SendRequestToServerForFileInformation failed with 0x80072efd
    2007-07-24 07:15:26:719 1172 718 Misc WARNING: WinHttp:
    ShouldFileBeDownloaded failed with 0x80072efd
    2007-07-24 07:15:26:719 1172 718 Misc WARNING: DownloadFileInternal failed
    for http://<our wsus server>:8530//selfupdate/wuident.cab: error 0x80072efd
    2007-07-24 07:15:26:719 1172 718 Setup FATAL: IsUpdateRequired failed with
    error 0x80072efd
    2007-07-24 07:15:26:719 1172 718 Setup WARNING: SelfUpdate: Default
    Service: IsUpdateRequired failed: 0x80072efd
    2007-07-24 07:15:26:719 1172 718 Setup WARNING: SelfUpdate: Default
    Service: IsUpdateRequired failed, error = 0x80072EFD
    2007-07-24 07:15:26:719 1172 718 Agent * WARNING: Skipping scan,
    self-update check returned 0x80072EFD
    2007-07-24 07:15:27:405 1172 718 Agent * WARNING: Exit code = 0x80072EFD
    2007-07-24 07:15:27:405 1172 718 Agent *********
    2007-07-24 07:15:27:405 1172 718 Agent ** END ** Agent: Finding updates
    [CallerId = AutomaticUpdates]
    2007-07-24 07:15:27:405 1172 718 Agent *************
    2007-07-24 07:15:27:405 1172 718 Agent WARNING: WU client failed Searching
    for update with error 0x80072efd
    2007-07-24 07:15:27:405 1172 244 AU >>## RESUMED ## AU: Search for updates
    [CallId = {C596298D-3A6D-4247-9A54-1CF7696012E5}]
    2007-07-24 07:15:27:405 1172 244 AU # WARNING: Search callback failed,
    result = 0x80072EFD
    2007-07-24 07:15:27:405 1172 244 AU # WARNING: Failed to find updates with
    error code 80072EFD
    2007-07-24 07:15:27:405 1172 244 AU #########
    2007-07-24 07:15:27:405 1172 244 AU ## END ## AU: Search for updates
    [CallId = {C596298D-3A6D-4247-9A54-1CF7696012E5}]
    2007-07-24 07:15:27:405 1172 244 AU #############
    2007-07-24 07:15:27:405 1172 244 AU AU setting next detection timeout to
    2007-07-24 09:57:10
    2007-07-24 07:15:27:405 1172 244 AU Setting AU scheduled install time to
    2007-07-30 04:00:00
    2007-07-24 07:15:48:321 1172 718 Misc WARNING: Send failed with hr =
    80072efd.
    2007-07-24 07:15:48:321 1172 718 Misc WARNING: SendRequest failed with hr
    = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth
    Schemes used : <>
    2007-07-24 07:15:48:321 1172 718 PT + Last proxy send request failed with
    hr = 0x80072EFD, HTTP status code = 0
    2007-07-24 07:15:48:321 1172 718 PT + Caller provided credentials = No
    2007-07-24 07:15:48:321 1172 718 PT + Impersonate flags = 0
    2007-07-24 07:15:48:321 1172 718 PT + Possible authorization schemes used
    =
    2007-07-24 07:15:48:321 1172 718 PT WARNING: GetConfig failure, error =
    0x80072EFD, soap client error = 5, soap error code = 0, HTTP status code =
    200
    2007-07-24 07:15:48:321 1172 718 PT WARNING: PTError: 0x80072efd
    2007-07-24 07:15:48:321 1172 718 PT WARNING: GetConfig_WithRecovery
    failed: 0x80072efd
    2007-07-24 07:15:48:321 1172 718 PT WARNING: RefreshConfig failed:
    0x80072efd
    2007-07-24 07:15:48:321 1172 718 PT WARNING: RefreshPTState failed:
    0x80072efd
    2007-07-24 07:15:48:321 1172 718 PT WARNING: PTError: 0x80072efd
    2007-07-24 07:15:48:321 1172 718 Report WARNING: Reporter failed to upload
    events with hr = 80072efd.


    ---

    So they are obviously picking up the GPO data correctly. If I check the ISA
    firewall logs I can see WSUS connections going out on port 8530 from the
    client PCs to our WSUS server, but yet nothing shows up on the WSUS server.
    In the ISA logs I don't see any errors come up relating to anything
    connected with the WSUS server.

    The ISA server is configured to allow http, https, kerberos-sec and wsus
    (8530) from the server and the desktops to our WSUS server. I've confirmed
    that there are no proxies / filters set up on the firewall rule. I can't see
    anything which would prevent the WSUS server from replying to the request.

    Does anyone know of anything else I can try? Perhaps it's an oddity with ISA
    or with SBS, as this is the only installation we've set up on our WSUS thus
    far which uses either, let alone both together. Unfortunately we've got
    several other similar installations which need to be set up, which are
    currently waiting for this one to be resolved before I make a start on them.

    Thanks
    Keith
     
    KeithL, Aug 23, 2007
    #1
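A triage sketch for the WindowsUpdate.log excerpt in the post above, added here as an example and not written by anyone in the thread: it rejoins the wrapped lines, counts failing HRESULTs per component, and splits each HRESULT into facility and code. The sample lines are constructed in the same layout with a placeholder host `wsus.example.test`, and the function names are hypothetical. The code seen throughout the log, 0x80072EFD, decodes to FACILITY_WIN32 (7) with code 12029, which is ERROR_WINHTTP_CANNOT_CONNECT.

```python
import re
from collections import Counter

# Constructed sample in the layout of the posted log; the hostname is a placeholder.
SAMPLE = """\
2007-07-24 07:14:11:984 1172 718 Misc WARNING: SendRequest failed with hr
= 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth
Schemes used : <>
2007-07-24 07:14:11:984 1172 718 Misc WARNING: WinHttp:
SendRequestUsingProxy failed for <http://wsus.example.test:8530//selfupdate/wuident.cab>. error 0x80072efd
2007-07-24 07:15:26:719 1172 718 Setup FATAL: IsUpdateRequired failed with
error 0x80072efd
2007-07-24 07:15:48:321 1172 718 PT WARNING: GetConfig failure, error =
0x80072EFD, soap client error = 5, soap error code = 0, HTTP status code =
200
"""

# timestamp, PID, TID (hex), component, message
STAMP = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}\s+\d+\s+[0-9a-f]+\s+(\S+)\s+(.*)$", re.I)

def entries(text):
    """Rejoin wrapped continuation lines into [component, message] records."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAMP.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif line and out:          # no timestamp: continuation of previous record
            out[-1][1] += " " + line
    return out

def decode_hresult(value):
    """Split a 32-bit HRESULT into (is_failure, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x1FFF, value & 0xFFFF

# Win32 codes this example names; extend from winhttp.h as needed.
WINHTTP = {12029: "ERROR_WINHTTP_CANNOT_CONNECT"}

def triage(text):
    """Return (failures per (component, hresult), URLs requested, proxy lists used)."""
    hresults, urls, proxies = Counter(), set(), set()
    for comp, msg in entries(text):
        for h in re.findall(r"\b(?:0x)?(8007[0-9a-f]{4})\b", msg, re.I):
            hresults[(comp, int(h, 16))] += 1
        urls.update(re.findall(r"<(https?://[^>\s]+)>", msg))
        proxies.update(re.findall(r"Proxy List used: <([^>]*)>", msg))
    return hresults, urls, proxies
```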

  2. KeithL

    DaveMills Guest

    Sounds like you have an issue getting through the ISA firewall from the clients.
    Can a user use IE to access http://<wsus-url>/selfupdate/iuident.cab? If they
    can then look at the security issues related to getting Internet access for a
    computer account. SBS requires membership of an Internet access group to get
    out. If the user can download the CAB file then troubleshoot why.




     
    DaveMills, Aug 23, 2007
    #2

  3. The problem, quite specifically, is the trailing slash after the port number
    in the configured URL:
    Remove the trailing slash and the clients will be able to successfully
    communicate with the web server.

    --
    Lawrence Garvin, M.S., MCTS, MCP
    MVP - Software Distribution (2005-2007)
    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    http://wsusinfo.onsitechsolutions.com
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin [MVP], Aug 27, 2007
    #3
  4. KeithL

    KeithL Guest

    Good point, though I don't think it is actually relevant. Both the server
    (which can connect) and the clients (which can't) get their WSUS connection
    information from the same GPO, which was obviously configured previously to
    http://<our wsus server>:8530/. Where there is no connection problem it
    seems Windows / Updates Services is intelligent enough to ignore the
    superfluous slash character, and correctly connects using just a single one.
    I've also noticed in previous setups with this same setup that where I'd
    forgotten to configure a firewall correctly the log would show the double
    slashes; as soon as the firewall configuration was corrected it would start
    logging just a single slash.

    That said, for the purposes of tidiness I have made the change and checked
    the clients again, and am still getting the error (identical text but with
    one slash), so there must be something else at fault.

    Keith
     
    KeithL, Aug 28, 2007
    #4
  5. KeithL

    KeithL Guest

    Yeah, it's just weird that there is nothing showing up in the ISA logs about
    it. Will give your suggestion a try once I can get access to one of the
    client machines interactively and see what happens.

    Thanks
    Keith

     
    KeithL, Aug 28, 2007
    #5