Microsoft Windows Updates fail to install through ProxySG or Advanced Secure Gateway


Article ID: 166719

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

I am trying to install Windows Updates, but the installation of the selected updates fails with an error.

Resolution

The Windows Update application does not work well when proxied. It has issues with the proxy's authentication, caching, ICAP services, and SSL interception.
 

The main reasons why Windows Update cannot be cached at this time:

Dynamically-created filenames
Almost all Windows Updates are downloaded using dynamically created temporary filenames. The proxy recognizes cache hits based on the requested URI; because the URI is different for each client, the proxy cannot determine whether the object has already been cached, so a new request is made.

Microsoft does this mainly because most updates are tailored to the operating system requesting the file. As a result, updates may differ from PC to PC, and it should not be assumed that one patch will suit all PCs unless it is a cumulative package downloaded from the Microsoft Download Center for that particular patch.

Limited HTTP Range Support
Microsoft Update uses the BITS (Background Intelligent Transfer Service) client, which can request partial file contents using the HTTP Range header, something the proxy cannot support at this time. The proxy can only recognize entire objects.

Service Pack Dynamic Downloads
Large updates such as Service Packs are also tailored to the individual machine, which is why the download size varies from machine to machine. The ProxySG appliance cannot cache these because the file size differs depending on which updates that particular file contains. The only way the proxy can reliably cache a Service Pack is if the network installer (the complete Service Pack image) is used, and Windows Update does not offer it.

 

Workaround:

The following CPL disables the proxy functions listed above (authentication, caching, ICAP services, and SSL interception) for the Microsoft Update servers known as of this writing.

You should install this CPL into your Local Policy file exactly as it appears. If you continue to have issues with Microsoft Updates after installing this CPL, please call your Blue Coat Support provider and be prepared to provide a policy trace and a client-side packet capture.

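;::::::::::::::::::: ByPass Windows Update :::::::::::::::::::
; Rules in this layer turn off SSL interception (ssl.forward_proxy(no))
<ssl-intercept>
server.certificate.hostname=ByPassWindowsUpdate ssl.forward_proxy(no)
; The substring rule matches any server certificate hostname that contains "microsoft"
server.certificate.hostname.substring="microsoft" ssl.forward_proxy(no)

; No authentication, caching or protocol detection for the bypass list
<Proxy>
ALLOW condition=ByPassWindowsUpdate authenticate(no) bypass_cache(yes) detect_protocol(none)

; No response ICAP service, WebPulse categorization or pipelining for the bypass list
<Cache>
condition=ByPassWindowsUpdate response.icap_service(no) webpulse.categorize.mode(none) pipeline(no)

; Same exemptions for traffic identified as the "Microsoft Update" application
<Proxy>
Allow request.application.name="Microsoft Update" authenticate(no) bypass_cache(yes) detect_protocol(none)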

;;Add sites here to the bypass list
define condition ByPassWindowsUpdate
url.domain=update.microsoft.com
url.regex=.*\.update.microsoft.com.*
url.domain=download.windowsupdate.com
url.regex=.*\.download.windowsupdate.com.*
url.domain=download.microsoft.com
url.regex=.*\.download.microsoft.com.*
url.domain=windowsupdate.com
url.regex=.*\.windowsupdate.com.*
url.domain=ntservicepack.microsoft.com
url.domain=wustat.windows.com 
url.domain=login.live.com 
url.domain=mp.microsoft.com
url.regex=.*\.mp.microsoft.com.*
end condition ByPassWindowsUpdate
;::::::::::::::::::: End Windows Update Bypass :::::::::::::::::::

 

Note that for SGOS versions older than 6.6.3.x, instead of using:

request.application.name

you should use:

url.application.name
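
An added example (not part of the original article or of Blue Coat's policy) for reviewing what the ByPassWindowsUpdate condition exempts from authentication, ICAP and caching: it separates URLs whose host falls under a listed url.domain from URLs matched only by one of the unanchored url.regex lines, which are the entries to examine when tightening the list. It assumes url.domain matches the named domain and its subdomains and that url.regex is tested against the full URL; the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Body of the ByPassWindowsUpdate condition, copied from the CPL above.
CONDITION = r"""
url.domain=update.microsoft.com
url.regex=.*\.update.microsoft.com.*
url.domain=download.windowsupdate.com
url.regex=.*\.download.windowsupdate.com.*
url.domain=download.microsoft.com
url.regex=.*\.download.microsoft.com.*
url.domain=windowsupdate.com
url.regex=.*\.windowsupdate.com.*
url.domain=ntservicepack.microsoft.com
url.domain=wustat.windows.com
url.domain=login.live.com
url.domain=mp.microsoft.com
url.regex=.*\.mp.microsoft.com.*
"""

def parse_condition(text):
    """Return (url.domain names, compiled url.regex patterns)."""
    domains, regexes = [], []
    for line in text.split():
        trigger, _, value = line.partition("=")
        if trigger == "url.domain":
            domains.append(value.lower())
        elif trigger == "url.regex":
            regexes.append(re.compile(value, re.IGNORECASE))
    return domains, regexes

def classify(url, domains, regexes):
    """'domain': host is a listed domain or subdomain; 'regex-only': only a regex hit."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in domains):
        return "domain"
    # Assumption: url.regex is evaluated against the whole URL string.
    return "regex-only" if any(r.search(url) for r in regexes) else "no-match"

# Constructed sample URLs standing in for entries from a proxy access log.
SAMPLES = [
    "http://au.download.windowsupdate.com/d/msdownload/update.cab",
    "http://cdn.windowsupdate.com.example.net/file.cab",
    "http://www.example.org/index.html",
]

if __name__ == "__main__":
    domains, regexes = parse_condition(CONDITION)
    for url in SAMPLES:
        print(f"{classify(url, domains, regexes):10} {url}")
```

A "regex-only" verdict means the URL receives the bypass even though its host is not under any listed domain.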

Attachments

Windows_Updates.txt