Microsoft Windows Server 2012 Updates Fail to Install


Article ID: 166709


Products

ProxySG Software - SGOS

Issue/Introduction

Applying the recommended CPL code in TECH242437, which bypasses SSL interception, the ICAP service, authentication, and caching for Windows Update traffic, still leaves Windows Updates failing to install on a Windows Server 2012 host. The issue does not occur on Windows Server 2003/2008.

Resolution

Windows Update fails on Windows Server 2012 because the server connects to fe1.update.microsoft.com, and the hostname in the certificate presented by that Microsoft update server does not match any of the existing source conditions in the CPL code. For details of the existing CPL code, see TECH242437.

There are two methods of resolving this issue:

  • Option 1:

Add a new source object for fe1.update.microsoft.com in the existing ssl-intercept policy

        <ssl-intercept>
        server.certificate.hostname=www.update.microsoft.com ssl.forward_proxy(no)
        server.certificate.hostname=update.microsoft.com ssl.forward_proxy(no)
        server.certificate.hostname=fe1.update.microsoft.com ssl.forward_proxy(no)

Some machines also request fe2.update.microsoft.com. If that hostname appears in a PCAP, add the line below; if the capture shows further Microsoft Windows Update destinations, add one line per additional hostname.

        server.certificate.hostname=fe2.update.microsoft.com ssl.forward_proxy(no)

  • Option 2:

Replace the exact-match trigger server.certificate.hostname with the substring trigger server.certificate.hostname.substring (contains), so that any transaction whose certificate hostname contains update.microsoft.com (for example, every host under *.update.microsoft.com) matches the condition with a single line.

        <ssl-intercept>
        server.certificate.hostname.substring=update.microsoft.com ssl.forward_proxy(no)
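The two options differ in how much traffic they exempt from SSL interception, and that scope is worth checking before choosing one. The following is an added illustration, not CPL and not ProxySG code: it models the exact-match form (Option 1) and the substring form (Option 2) in plain Python and evaluates them against a few constructed certificate hostnames. A third, suffix-based matcher is included as an assumed stricter alternative to show the difference; it is not a CPL trigger from this article, and the script does not reproduce the proxy's own matching semantics.

```python
"""Model of the bypass scope of the two policy forms in this article.

Added example code (not Blue Coat/Symantec code, not CPL). It compares:
  - exact hostname matching, as in Option 1
  - substring matching, as in Option 2
  - a suffix (domain-tail) match, an assumed stricter alternative
against constructed certificate hostnames.
"""

# Hostnames listed in the article's Option 1 policy (exact-match form).
EXACT_BYPASS_HOSTS = {
    "www.update.microsoft.com",
    "update.microsoft.com",
    "fe1.update.microsoft.com",
    "fe2.update.microsoft.com",
}

# Substring used by the article's Option 2 policy.
BYPASS_SUBSTRING = "update.microsoft.com"


def exact_match_bypass(cert_hostname: str) -> bool:
    """Option 1: bypass only when the certificate hostname is listed verbatim."""
    return cert_hostname.lower() in EXACT_BYPASS_HOSTS


def substring_match_bypass(cert_hostname: str) -> bool:
    """Option 2: bypass when the substring appears anywhere in the hostname."""
    return BYPASS_SUBSTRING in cert_hostname.lower()


def suffix_match_bypass(cert_hostname: str) -> bool:
    """Assumed stricter alternative (not from the article): bypass only when the
    hostname is update.microsoft.com itself or a label directly beneath it."""
    host = cert_hostname.lower()
    return host == BYPASS_SUBSTRING or host.endswith("." + BYPASS_SUBSTRING)


def evaluate(cert_hostnames):
    """Return {hostname: (exact, substring, suffix)} so the scope of each
    policy form can be reviewed side by side."""
    return {
        h: (exact_match_bypass(h), substring_match_bypass(h), suffix_match_bypass(h))
        for h in cert_hostnames
    }


# Constructed sample certificate hostnames for the comparison.
SAMPLE_HOSTNAMES = [
    "fe1.update.microsoft.com",            # named in the article
    "fe3.update.microsoft.com",            # constructed: a front end not listed in Option 1
    "update.microsoft.com.example.net",    # constructed: contains the substring, not a Microsoft host
    "www.example.com",                     # constructed: unrelated host
]

if __name__ == "__main__":
    for host, (exact, sub, suffix) in evaluate(SAMPLE_HOSTNAMES).items():
        print(f"{host:36} exact={exact!s:5} substring={sub!s:5} suffix={suffix!s:5}")
```

Running the script shows that Option 1 misses any Windows Update front end not spelled out in the policy (so a new fe3 host would still be intercepted), while Option 2 also exempts any certificate hostname that merely contains the string, which is why the hostnames observed in the PCAP are worth comparing against the chosen trigger.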