RE: Windows update access slow from my SBS 2003 Server
- From: v-yanniw@xxxxxxxxxxxxxxxxxxxx ("Jenny wu [MSFT]")
- Date: Mon, 24 Oct 2005 05:45:20 GMT
Hi Jerome,
Thank you for posting here!
I am sorry for the delayed response due to the weekend. Please understand that
the newsgroups are staffed weekdays by Microsoft Support professionals to
answer your systems and applications questions. Your understanding is
greatly appreciated!
From your description, I understand that the SBS server box cannot apply
Windows Updates automatically but other clients work well. If I am off
base, please don't hesitate to let me know.
To resolve the issue please follow me to try to check the following
settings to correct the problem:
1. Automatic Update (AU) client only supports Auto-Discovery web proxy
server. It means that AU client will NOT go through the proxy server that
you have configured in Internet Options | Connections tab | LAN Settings
button. If you want the AU clients to access Windows Update web sites
through the ISA, you must configure the WPAD to deploy auto-discovery proxy
settings. To do that, please refer to the following KB article:
816320 HOW TO: Configure Firewall and Web Proxy Client Autodiscovery in
Windows 2003
http://support.microsoft.com/?id=816320
296591 A Description of the Automatic Discovery Feature
http://support.microsoft.com/?id=296591
2. Since AU client is running on the Local System account, you must
configure the Protocol Rule and Site and Content Rule to allow Anonymous to
access the following Windows Update web sites and use the HTTP and HTTPS
protocols:
*.download.microsoft.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
windowsupdate.microsoft.com
For example, you can configure the following settings on the ISA server:
ISA Server 2004
============
Step 1: Create an anonymous access rule for Windows Update.
-------
1) Open the ISA Management console.
2) In the left pane, right-click Firewall Policy, click New, and then click
Access Rule.
3) In the Name field, type Windows Update, and then click Next.
4) Click Allow, and then click Next.
5) In the This rule applies to list, click Selected Protocols.
6) Click Add.
7) In the Add Protocols dialog box, expand Web.
8) Click HTTP, and then click Add.
9) Click HTTPS, and then click Add.
10) Click Close, and then click Next.
11) In the Access Rule Sources dialog box, click Add.
12) In the Add Network Entities dialog box, expand Networks.
13) Click Internal, and then click Add.
14) Click the network object for each network that requires access to
Windows Update, and then click Add.
15) Click Close, and then click Next.
16) In the Access Rule Destinations window, click Add.
17) In the Add Network Entities window menu bar, click New, and then click
Domain Name Set.
18) In the New Domain Name Set Policy Element window, in the Name field,
type Windows Update.
19) Click New.
20) In the Domain names included in this set list, change the new entry to
*.download.microsoft.com.
21) Repeat steps 19 and 20 for each remaining domain that is listed in the
"Workaround" section, and then click OK.
22) In the Add Network Entities window, in the Domain Name Sets section,
click Windows Update, click Add, and then click Close.
23) Click Next two times, and then click Finish.
24) In the top part of the middle pane, click Apply.
25) Click Apply.
26) When a "Changes to the configuration were successfully applied" message
appears in the Apply New Configuration dialog box, click OK.
Step 2: Make the Windows Update rule the first rule.
-------
Note: If you prefer to list all your Deny rules first, you can list the
Windows Update rule immediately after those rules.
1) In the left pane, click Firewall Policy.
2) If Windows Update is already the first rule in the list, stop here. If
not, continue to the next step.
3) In the middle pane, click Windows Update.
4) In the right pane, click the Tasks tab.
5) Click Move the selected rule up until Windows Update is the first rule
in the list.
6) Click Apply.
7) When a "Changes to the configuration were successfully applied" message
appears in the Apply New Configuration dialog box, click OK.
If your enterprise policy doesn't allow the Anonymous outgoing web request,
a workaround is to configure Automatic Updates service to be running on the
user account that has the permission to access the above Destination Sets
and protocols in Service MMC. To do that:
1. Run Services.msc to open Service MMC.
2. Double click Automatic Updates service, click Log On tab, click to
select This Account, type the account name and the password, and then click
OK.
3. Repeat Step 1 and Step 2 to configure the settings on every client.
Since this workaround needs to configure settings on every client, this
will lead to large administrative tasks and we do not recommend you do
that.
After performing the above steps, please let me know the results. Thank
you.
If the issue persists, please kindly help me collect some information to
further analyze the issue:
1. Could you find any error event in Event Viewer of the server box? If
yes, please tell me the accurate error message information.
2. How about when the server box accesses other Internet sites and downloads
files?
3. Please use the ISAinfo utility to collect the ISA configuration
information:
a. Download the file from the following URL:
http://www.isatools.org/isainfo/ISAInfo.zip
b. Extract all files to a folder on ISA server
c. Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
d. Please send these files to me at v-yanniw@xxxxxxxxxxxxx
4. Gather the ISA Web Proxy and Firewall service logs when reproducing the
problem:
Enable the full Web Proxy/firewall logging option:
a. Open ISA 2004 management console.
b. Expand the server node and highlight 'Monitoring'.
c. In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
d. In the 'Task Pane', click 'Configure Web Proxy Logging' under
'Logging Tasks', and then switch the 'log storage format' from 'MSDE
database' (default) to 'File'.
e. Switch to the 'Fields' tab, and then click 'Select All'.
f. Click OK, and then click 'Apply' to save changes and update the
configuration.
g. Click 'Configure Firewall Logging'. Do steps d~f to enable the full
logging options for firewall logging.
Prepare to take the trace:
a. Temporarily stop the Firewall service to clear the current existing W3C
logs: Monitoring->Services tab, and then right click 'Microsoft Firewall'
to choose 'Stop'.
b. Go to the log saving directory and clean any existing .W3C logs. By
default, the logs will be saved to 'C:\Program Files\Microsoft ISA
Server\ISALogs'. (Some MDF may not be able to be deleted; that's normal.)
c. Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.
Reproduce the problem:
a. Go to the external client computer. Try to access the RWW web site.
b. Go back to the ISA server. Stop the 'Microsoft Firewall' service. Open
Windows Explorer, navigate to the ISA log file folder. Collect the recent
w3c files. Save them to a zip package as 'isalogs.zip'. Start the
'Microsoft Firewall' Service.
c. Send the zip packages to me at v-yanniw@xxxxxxxxxxxxx
I am currently standing by for your test result. I am happy to be
of assistance to you and look forward to hearing from you!
Have a nice day!
Sincerely,
Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Jéjé" <willgart@xxxxxxxxxxxxxxxxx>
>Subject: Windows update access slow from my SBS 2003 Server
>Date: Sat, 22 Oct 2005 08:29:52 -0400
>
>Hi,
>
>When I try to detect the updates using the windows update web site from my
>SBS server only, the scan process is long (5 to 10 minutes) and the download
>step does not always work correctly...
>all other computers on the network work fine.
>
>I have another server with ISA server 2004 installed.
>I have tried the "auto detect" proxy option, fixed proxy values and no proxy
>defined, there are no changes.
>
>Is there anything special to do on the server???
>
>thanks.
>
>Jerome.
>
>
>
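
An added example, not part of the original post and not an ISA Server tool: a Python check over the collected W3C proxy logs that lists requests to the Windows Update domain set which were refused, the pattern an anonymous (Local System) Automatic Updates client produces when no anonymous access rule applies. The column names, the `anonymous` user value, the wildcard semantics and the sample lines are constructed assumptions.

```python
# Domain name set from the post (ISA access rule destinations).
WINDOWS_UPDATE_SET = [
    "*.download.microsoft.com",
    "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
]

def in_domain_set(host, patterns=WINDOWS_UPDATE_SET):
    """Assumption: '*.name' covers subdomains only, not 'name' itself."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # compare against ".name"
                return True
        elif host == pattern:
            return True
    return False

def parse_w3c(text):
    """Yield one dict per record, named by the W3C '#Fields:' directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def blocked_update_requests(text):
    """Requests to the Windows Update set that ended in a status >= 400."""
    hits = []
    for rec in parse_w3c(text):
        host, status = rec.get("r-host", ""), rec.get("sc-status", "")
        if in_domain_set(host) and status.isdigit() and int(status) >= 400:
            hits.append((rec.get("c-ip"), rec.get("cs-username"), host, int(status)))
    return hits

# Constructed sample (tab-separated values); the column subset is an assumption.
SAMPLE_LOG = "\n".join([
    "#Fields: c-ip cs-username r-host cs-protocol sc-status",
    "192.168.16.2\tanonymous\tdownload.windowsupdate.com\thttp\t407",
    "192.168.16.2\tanonymous\twindowsupdate.microsoft.com\thttps\t407",
    "192.168.16.2\tanonymous\twww.example.com\thttp\t407",
    "192.168.16.21\tEXAMPLE\\user1\tv4.windowsupdate.microsoft.com\thttp\t200",
])

if __name__ == "__main__":
    for hit in blocked_update_requests(SAMPLE_LOG):
        print(hit)
```

Rows that pair `anonymous` with a 407 for these hosts point at the missing anonymous rule; the same hosts succeeding for an authenticated user confirm the rule set, not connectivity, is the cause.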