Still having problem with windows update
From: Richard Cheng (anonymous_at_discussions.microsoft.com)
Date: 09/14/04
- Next message: Jim Harrison [MSFT]: "Re: Still having problem with windows update"
- Previous message: Jim Harrison [MSFT]: "Re: windows update v5"
- In reply to: Jim Harrison [MSFT]: "Windows Update v5 issues and workaround"
- Next in thread: Jim Harrison [MSFT]: "Re: Still having problem with windows update"
- Reply: Jim Harrison [MSFT]: "Re: Still having problem with windows update"
- Reply: Phillip Windell: "Re: Still having problem with windows update"
Date: Tue, 14 Sep 2004 15:10:39 -0700
Hi Jim,
We are running ISA 2000 as our firewall. I have applied
the steps you mention below, but when I run windows
update, we are still receiving the following error.
Error number: 0x8024402C
Do you have any other suggestions?
>-----Original Message-----
>Hello everyone,
>
>The core cause of this problem is still being worked out, but a clear
>workaround is available and it boils down to two things:
>- Disable authentication for Windows Update requests.
>- Disable "global authentication" for web proxy requests
>
>Note: you may have heard that the "ReturnDeniedIfAuthenticated" registry
>setting explained in http://support.microsoft.com/?id=297324 is part of
>the problem. While applying this setting to ISA 2000 does help expose the
>WU authentication problems, it is not the cause. If you have applied this
>setting to your ISA 2000 Server, you did so with good reason to solve a
>specific problem. You should not remove this setting if you have applied
>it. By the same token, if you are not experiencing the problem outlined
>in this KB article, you don't need to and shouldn't apply it. The above
>article applies only to ISA 2000; you should not apply any ISA 2000
>registry settings to ISA 2004 unless the relevant KB article explicitly
>instructs you to. Currently, none do.
>
>Now let's get on with the workaround.
>Per the WU team, there are four destinations that should be included for
>creating anonymous Windows Update access policies:
>
> TABLE 1
> Item FQDN
> 1 *.download.microsoft.com
> 2 *.windowsupdate.com
> 3 *.windowsupdate.microsoft.com
> 4 windowsupdate.microsoft.com
>
>For ISA 2000
> Disable "global" authentication for web proxy requests
> 1. Open the ISA Management MMC
> 2. Select View, then Advanced
> 3. Expand Servers and Arrays
> 4. R-click <ArrayName>, select Properties
> 5. Select Outgoing Web Requests
> 6. Uncheck Ask Unauthenticated users for identification
> 7. Click Apply,
> 8. When prompted, select Save the changes and restart the service(s)
> 9. Click OK
>
> Create a destination set for Windows Update domains
> 1. Expand <ArrayName> and PolicyElements
> 2. R-click Destination Sets, select New, then Set
> 3. Enter WindowsUpdate in the Name field, click Next
> 4. Click Add
> 5. Enter *.download.microsoft.com in the Domain field
> 6. Leave the Path field blank
> 7. Click OK
> 8. Repeat steps 4 through 7 for each remaining entry in Table 1
> 9. Click OK
>
> Create an anonymous Site and Content rule for Windows Update requests
> 1. Expand Access Policy
> 2. R-click Site and Content Rules, select New, then Rule
> 3. Enter Windows Update in the Name field, click Next
> 4. Select Allow, click Next
> 5. Select Allow access based on destination, click Next
> 6. In the Apply this rule to: drop-down list, select Specified Destination Set
> 7. In the Name: drop-down list, select Windows Update
> 8. Click Next, then Finish
>
>
>For ISA 2004
> Disable "global" authentication for web proxy requests
> 1. Open the ISA Management MMC
> 2. Expand <ArrayName>, then Configuration
> 3. Select Networks
> 4. In the middle pane, select the Networks tab
> 5. R-click Internal and select Properties
> 6. Select the Web Proxy tab
> 7. Click Authentication
> 8. In the Authentication window, uncheck Require all users to authenticate, click OK
> 9. Click Apply, then OK
> 10. Repeat steps 5 through 9 for each network object where you allow Web Proxy requests
>
>Create an anonymous Access Rule for Windows Update
> 1. In the left pane, R-click Firewall Policy and select New, then Access Rule
> 2. Enter Windows Update in the Name field, click Next
> 3. Select Allow, click Next
> 4. In the This rule applies to: drop-down list, select Selected Protocols
> 5. Click Add
> 6. In the Add Protocols dialog, expand Web
> 7. Select HTTP and click Add
> 8. Select HTTPS and click Add
> 9. Click Close, then Next
> 10. In the Access Rule Sources dialog, click Add
> 11. In the Add Network Entities dialog, expand Networks
> 12. Select Internal and click Add
> 13. For each network where you unchecked Require all users to authenticate, select that network object and click Add
> 14. Click Close, then Next
> 15. In the Access Rule Destinations window, click Add
> 16. In the Add Network Entities window menu bar, click New, then Domain Name Set
> 17. In the New Domain Name Set Policy Element window, enter Windows Update in the Name field
> 18. Click New
> 19. In the Domain names included in this set list, change the new entry to *.download.microsoft.com
> 20. Repeat steps 19 and 20 for each remaining entry in Table 1
> 21. Click OK
> 22. In the New Domain Name Set Policy Element window, select Windows Update, click Add, then Close
> 23. Click Next, Next, then Finish
> 24. In the top part of the middle pane, Apply and Discard buttons will appear; click Apply
> 25. When Apply New Configuration dialog reports "Changes to the configuration were successfully applied", click OK
>
> Make the Windows Update rule the first rule
> NOTE: If you prefer to list all of your deny rules first, then you can make the Windows Update rule the first rule following them
> 1. In the left pane, select Firewall Policy
> 2. If Windows Update is already the first rule in the list, stop here
> 3. In the middle pane, select Windows Update
> 4. In the right pane select the Tasks tab
> 5. Click Move the selected rule up until Windows Update is the first rule in the list
> 6. In the top part of the middle pane, Apply and Discard buttons should appear; click Apply
> 7. When Apply New Configuration dialog reports "Changes to the configuration were successfully applied", click OK
>
>Look for a WU KB soon that details that side of the issue and
>cross-links to an ISA KB with these instructions.
>
>--
> Jim Harrison [ISASE]
> Read the help, books and articles!
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>.
>
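
A check for whether the workaround took effect, as an added example that is not part of the original posts: it matches proxy-log hosts against Table 1 and lists Windows Update destinations that were still answered with HTTP 407 (Proxy Authentication Required). The four-field log layout, the sample lines and the function names are constructed for illustration and are not ISA Server's log format; the wildcard semantics (subdomains only) are an assumption.

```python
# Table 1 from the post: destinations for the anonymous Windows Update rule.
WU_DESTINATIONS = [
    "*.download.microsoft.com",
    "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
]

def in_wu_set(host):
    """True if host matches an entry of Table 1 (case-insensitive)."""
    host = host.lower().rstrip(".")
    for pattern in WU_DESTINATIONS:
        if pattern.startswith("*."):
            # Assumption: "*.example.com" covers subdomains only, which is
            # why Table 1 also lists the bare name as entry 4.
            suffix = pattern[1:]  # ".example.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False

# Constructed sample lines: client, user, requested host, HTTP status.
# This four-field layout is hypothetical, not ISA Server's log format.
SAMPLE_LOG = """\
10.0.0.21 anonymous v5.windowsupdate.microsoft.com 407
10.0.0.21 anonymous au.download.windowsupdate.com 200
10.0.0.34 CORP\\alice www.example.com 200
10.0.0.34 anonymous www.example.com 407
10.0.0.50 anonymous windowsupdate.microsoft.com 407
10.0.0.50 anonymous windowsupdate.com.example.net 407
"""

def wu_auth_failures(log_text):
    """Sorted Windows Update hosts the proxy still answered with 407."""
    failures = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _client, _user, host, status = fields
        if status == "407" and in_wu_set(host):
            failures.add(host.lower())
    return sorted(failures)

if __name__ == "__main__":
    for host in wu_auth_failures(SAMPLE_LOG):
        print("still challenged for credentials:", host)
```

Matching on the leading-dot suffix keeps look-alike names such as `windowsupdate.com.example.net` out of the anonymous destination set, so the exemption from authentication stays limited to the four entries in Table 1.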