Windows XP Web Proxy Clients Fail to Connect to Windows and Microsoft Update Sites through the ISA Firewall
Over the last few months I’ve had a few Windows XP SP2 and Media Center Edition machines that refused to access the Windows Update site. These weren’t mission-critical machines, so I didn’t worry about it too much, but I found the situation irritating, since a couple of these machines were laptops that updated just fine when I connected to a hotel network that didn’t have an ISA Firewall in front of them.
What was frustrating is that I had done everything right on the ISA Firewall. I created the correct Direct Access lists for the Web proxy clients, I didn’t mix IP addresses and FQDNs in my Direct Access lists, and I even configured the clients with local Web proxy bypass lists (which I expect did nothing anyhow, since I was using the autoconfiguration script).
I finally got fed up with the situation and started to think about doing something. The only thing I could think of was that perhaps the Windows/Microsoft Update mechanism used WinHTTP and it wasn’t getting the proxy server setting from the browser.
So I opened a command prompt and entered:
proxycfg -?
And I saw this:
C:\Documents and Settings\tshinder.TACTEAM>proxycfg ?
Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.
usage:
proxycfg -? : to view help information
proxycfg : to view current WinHTTP proxy settings
proxycfg [-d] [-p <server-name> [<bypass-list>]]
-d : set direct access
-p : set proxy server(s), and optional bypass list
proxycfg -u : import proxy settings from current user’s Microsoft Internet Explorer manual settings (in HKCU)
===================
I then ran:
proxycfg
and saw something like this:
C:\Documents and Settings\tshinder.TACTEAM>proxycfg
Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.
Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :
Proxy Server(s) : <none>
Bypass List : <local>
=======================
This suggested that the WinHTTP proxy settings weren’t using the ISA Firewall, so I ran:
proxycfg -u
and I saw this:
Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :
Proxy Server(s) : CELESTIX-H5L4CS.tacteam.net:8080
Bypass List : <local>
===================
After doing that, automatic updates started downloading immediately! Good news.
I’d like to tell you that I know exactly why this worked, what the relationship is between the WinHTTP proxy settings and Windows/Microsoft Update, and why it didn’t work before, but I can’t tell you that. Documentation in this area is about as weak as the documentation on the relationship between brain and mind.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)
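Added example, not part of the original post or of any Microsoft tool: a small Python parser for proxycfg output in the format shown above, used to audit output collected from several machines and flag those whose WinHTTP settings have no proxy or a different proxy than expected. The host names are hypothetical, the sample text is constructed from the output in the post, and treating a missing Proxy Server(s) line as direct access is an assumption.

```python
import re

# Constructed samples, modelled on the two proxycfg outputs shown in the post.
DIRECT = """Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\
WinHttpSettings :
Proxy Server(s) : <none>
Bypass List : <local>
"""
PROXIED = DIRECT.replace("<none>", "CELESTIX-H5L4CS.tacteam.net:8080")

FIELD = re.compile(r"^\s*(Proxy Server\(s\)|Bypass List)\s*:\s*(.*?)\s*$")


def parse_proxycfg(text):
    """Extract the WinHTTP proxy and bypass entries from proxycfg output."""
    raw = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            raw[m.group(1)] = m.group(2)

    def entries(value):
        # "<none>" or a missing line both mean nothing is configured (assumption).
        return [e for e in re.split(r"[;\s]+", value) if e and e != "<none>"]

    return {"proxies": entries(raw.get("Proxy Server(s)", "")),
            "bypass": entries(raw.get("Bypass List", ""))}


def audit(outputs, expected_proxy):
    """Map each host to 'ok', 'direct' (no WinHTTP proxy) or 'mismatch'."""
    result = {}
    for host, text in outputs.items():
        proxies = [p.lower() for p in parse_proxycfg(text)["proxies"]]
        if not proxies:
            result[host] = "direct"
        elif expected_proxy.lower() in proxies:
            result[host] = "ok"
        else:
            result[host] = "mismatch"
    return result


if __name__ == "__main__":
    # Host names are hypothetical.
    fleet = {"laptop-01": DIRECT, "desktop-02": PROXIED}
    print(audit(fleet, "CELESTIX-H5L4CS.tacteam.net:8080"))
```

Machines reported as "direct" are the ones in the state the post describes before proxycfg -u was run.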

joe Says:
December 11th, 2006 at 3:05 am
Dear Sir,
We have a licenced ISA server.
I tried the following method :
Configure the HTTP policy rule that blocks MSN Messenger traffic and Windows Live Messenger traffic
1. In the left pane of the ISA Server Management console, right-click the access rule that you created, and then click Configure HTTP.
2. In the Configure HTTP policy for rule dialog box, click the Signatures tab, and then click Add.
3. In the Signature dialog box, enter a name for the signature in the Name field.
4. In the Search in list, click Request headers.
5. In the HTTP header box, type User-Agent:.
6. To block MSN Messenger traffic, type MSN Messenger in the Signature box.
7. To block Windows Live Messenger traffic, type Windows Live Messenger in the Signature box.
8. Click OK, and then click OK again.
9. In the ISA Server Management console, click Apply.
I was unable to block MSN Live in my network in ISA.
Pls recommend some solution.
Thank You,
Joe.
matheesha Says:
March 12th, 2007 at 4:40 am
Hi Tom
I just read KB900935 which says the following.
“….The Automatic Updates service can automatically download and install updates from the Windows Update Web site. The Automatic Updates service does not require user interaction because this service runs in the context of the Local System account. The Automatic Updates service does not have access to the user-specific proxy server settings that may be configured in Internet Explorer. …..”
Cheers
M@
Thomas Shinder Says:
March 12th, 2007 at 4:45 am
Hi Mat,
Don’t believe it. I’ve seen the requirement to use proxycfg too many times.
HTH,
Tom