Jens Hellberg  South Africa Member since 1/16/2006
Platinum Membership Posts: 20

11/16/2007 07:54 AM
After installing ISA no client on the domain can process Windows updates (Error number: 0x80072EFD). All clients use FWC. Clients can browse the internet, connect to remote work place, internal websites, just not Windows updates. Any ideas?
Server info:
- SBS 2003 R2 Premium SP2
- ISA 2004 SP3
robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1771

11/16/2007 10:25 AM
This is quite a common issue. Are your firewall clients also configured as web proxy clients? We had this issue for a while, and it is one Microsoft don't have a 'simple fix' for. There are a lot of different methods to get round this (that we found whilst troubleshooting). You can try adding all the Windows Update sites as trusted sites in IE.
http://support.microsoft.com/kb/836941 - useful starting point
http://support.microsoft.com/kb/900935/ - more info
Good luck!
Jens Hellberg  South Africa Member since 1/16/2006
Platinum Membership Posts: 20

11/19/2007 07:21 AM
Hi Robert
I've been through a few articles about error 0x80072EFD with no luck so far. I'm thinking about installing WSUS 3.0 and experimenting with that to see if that won't sort out our Windows Update problem.
I suspect our current problem is linked to our clients using FWC and no web proxy. We have gone this route for logging reasons to show user's name and not IP address as described in an article on isaserver.org.
robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1771

11/19/2007 11:39 AM
Well, I guess that's a company decision - I have my FWC set to use a proxy as well, and my username and client machine are logged, so maybe that is something you could review. WSUS may allow you to get around the problem - as you can specify the proxy settings in the WSUS connection properties - however the SBS WSUS install that comes with R2 is quite restrictive (IMO).
Jens Hellberg  South Africa Member since 1/16/2006
Platinum Membership Posts: 20

11/20/2007 11:20 AM
Hi Robert
I have found a workaround although it is not ideal. If I add "All Users" to the "SBS Internet Access Rule" then Windows updates work. All domain users are members of "Internet Users", so why does it only work when "All Users" is added? I'm assuming it's got to do with authentication.
robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1771

11/20/2007 12:59 PM
I think this may be down to the way the Windows Update process works - you could try tightening it down by using 'all authenticated users', although there is an SBS Windows Update rule - not sure why this is not kicking in - I'll check one of my SBS with ISA to see their config.
robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1771

11/20/2007 01:06 PM
Yes, the SBS Microsoft Update Sites Access Rule is HTTP/HTTPS to 2 system policy allowed Domain Name Sets (includes error reporting and all Microsoft update sites). This rule is set to all users - it should be HIGHER in the list than the SBS Internet Access Rule. This allows for less restricted access to the updates/error reporting sites for all users.
Jens Hellberg  South Africa Member since 1/16/2006
Platinum Membership Posts: 20

11/20/2007 01:22 PM
The Windows Update rule is higher than the Internet access rule and is set to "All Users". If I start a query, logging all requests from a user when performing a Windows update, some requests come through as anonymous and are caught by the Internet access rule and they are denied because they are not authenticated users, unless I add "All Users".
robert pearman  United Kingdom Member since 2/23/2007
Platinum Membership Posts: 1771

11/20/2007 02:16 PM
Please check that the rule is enabled - and also can you post up the contents of the Domain Name Sets in that update sites rule?
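
An added illustration, not part of the thread and not ISA Server code: a simplified Python model of top-down, first-match rule evaluation, showing how an anonymous update request to a host outside the update rule's Domain Name Sets falls through to the user-restricted Internet access rule and is denied there. The `.example` hostnames, the `DOMAIN\jens` account, the group membership and the stop-on-anonymous behaviour are assumptions made for the model.

```python
from fnmatch import fnmatchcase

ALL_USERS = "All Users"                        # user set that also matches anonymous requests
GROUPS = {"Internet Users": {"DOMAIN\\jens"}}  # constructed group membership

RULES = [  # top-down order as described in the thread; domain patterns are placeholders
    {"name": "SBS Microsoft Update Sites Access Rule",
     "domains": ["*.windowsupdate.example", "*.update.example"],
     "users": ALL_USERS},
    {"name": "SBS Internet Access Rule", "domains": ["*"], "users": "Internet Users"},
]

def evaluate(user, host, rules=RULES):
    """Return (action, rule_name) for one request; user is None when anonymous."""
    for rule in rules:
        if not any(fnmatchcase(host.lower(), p) for p in rule["domains"]):
            continue                      # destination not covered, try the next rule
        if rule["users"] == ALL_USERS:
            return ("allow", rule["name"])
        if user is None:
            # Assumed model behaviour: the rule needs an identity the request
            # did not carry, so it is denied here and evaluation stops.
            return ("deny-anonymous", rule["name"])
        if user in GROUPS.get(rule["users"], set()):
            return ("allow", rule["name"])
    return ("deny", "Default rule")

def anonymous_denied_hosts(log, rules=RULES):
    """Hosts whose anonymous requests were caught by a user-restricted rule."""
    return sorted({host for user, host in log
                   if evaluate(user, host, rules)[0] == "deny-anonymous"})

# Constructed log of (user, destination host) pairs from one update attempt.
SAMPLE_LOG = [
    ("DOMAIN\\jens", "www.update.example"),
    (None, "download.windowsupdate.example"),
    (None, "cdn.mirror.example"),          # not in the update domain name set
    ("DOMAIN\\jens", "news.example"),
]

if __name__ == "__main__":
    for user, host in SAMPLE_LOG:
        print(user or "anonymous", host, *evaluate(user, host))
    print("check domain name sets for:", anonymous_denied_hosts(SAMPLE_LOG))
```

Hosts returned by `anonymous_denied_hosts` are the ones to compare against the contents of the update rule's Domain Name Sets before widening the Internet access rule to "All Users".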