2 Replies Latest reply on Nov 17, 2016 7:47 AM by Regis

    Windows update trouble - explicit proxy.  HEAD requests normal ?

    Regis

Greetings gentle gurus,

I'm having an extraordinarily hard time with a direct Microsoft Windows update for a standalone Windows 7 workstation box today that's associated with a Gigastore sniffer. Proxy settings are by PAC, fallback proxy set, the netsh winhttp stuff is set, traffic is getting to the proxy, and I've even gone so far as to bypass this host from all web proxy policy in the global whitelist, setting timeouts higher, stripping X-Forwarded-For headers, disabling the Via header, enabling HTTP tunnel. It still hates me.

Q: Can someone tell me whether or not the HEAD method for these Windows update cabs is normal? Or is this pattern symptomatic that something is broken? Has Microsoft changed things in their update delivery method that perhaps Web Gateway 7.5.2.9 is having trouble with?

Updates never seem to really progress on the Windows update GUI.

This is what I'm seeing in the access log (it appears to be trying to grab SP1's cab file):

<code>
[16/Nov/2016:15:40:34 -0600] "" 10.10.10.40 0 "HEAD http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1611162140 HTTP/1.1" "" "-" "" 354 228 "Windows-Update-Agent" "" "0" "" 23.62.239.26
[16/Nov/2016:15:40:51 -0600] "" 10.10.10.40 0 "GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl HTTP/1.1" "" "-" "" 225 299 "Microsoft-CryptoAPI/6.1" "" "0" "" 184.26.44.97
[16/Nov/2016:15:40:51 -0600] "" 10.10.10.40 0 "GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1" "" "-" "" 227 311 "Microsoft-CryptoAPI/6.1" "" "0" "" 184.26.44.97
[16/Nov/2016:15:41:13 -0600] "" 10.10.10.40 0 "HEAD http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1611162140 HTTP/1.1" "" "-" "" 354 228 "Windows-Update-Agent" "" "0" "" 23.62.239.27
[16/Nov/2016:15:41:13 -0600] "" 10.10.10.40 200 "CONNECT fe2.update.microsoft.com:443 HTTP/1.1" "" "-" "" 9057 1930 "" "" "0" "" 134.170.58.125
[16/Nov/2016:15:41:39 -0600] "" 10.10.10.40 0 "HEAD http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1611162141 HTTP/1.1" "" "-" "" 354 228 "Windows-Update-Agent" "" "0" "" 23.62.239.27
[16/Nov/2016:15:41:51 -0600] "" 10.10.10.40 0 "GET http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl HTTP/1.1" "" "-" "" 227 307 "Microsoft-CryptoAPI/6.1" "" "0" "" 184.26.44.97
[16/Nov/2016:15:42:43 -0600] "" 10.10.10.40 200 "CONNECT fe2.update.microsoft.com:443 HTTP/1.1" "" "-" "" 5613 886 "" "" "0" "" 134.170.58.125
[16/Nov/2016:15:42:44 -0600] "" 10.10.10.40 0 "HEAD http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1611162141 HTTP/1.1" "" "-" "" 354 228 "Windows-Update-Agent" "" "0" "" 23.62.239.8
[16/Nov/2016:15:42:45 -0600] "" 10.10.10.40 0 "HEAD http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1611162142 HTTP/1.1" "" "-" "" 354 228 "Windows-Update-Agent" "" "0" "" 23.62.239.8
[16/Nov/2016:15:42:47 -0600] "" 10.10.10.40 0 "HEAD http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x64/Win7SP1/wsus3setup.cab?1611162142 HTTP/1.1" "" "-" "" 346 243 "Windows-Update-Agent" "" "0" "" 23.62.239.8
[16/Nov/2016:15:43:12 -0600] "" 10.10.10.40 0 "HEAD http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1611162142 HTTP/1.1" "" "-" "" 354 228 "Windows-Update-Agent" "" "0" "" 23.62.239.27
[16/Nov/2016:15:43:34 -0600] "" 10.10.10.40 0 "GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl HTTP/1.1" "" "-" "" 225 305 "Microsoft-CryptoAPI/6.1" "" "0" "" 184.26.44.97
[16/Nov/2016:15:43:35 -0600] "" 10.10.10.40 0 "GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl HTTP/1.1" "" "-" "" 225 299 "Microsoft-CryptoAPI/6.1" "" "0" "" 184.26.44.97
[16/Nov/2016:15:44:14 -0600] "" 10.10.10.40 200 "CONNECT fe2.update.microsoft.com:443 HTTP/1.1" "" "-" "" 9095 202998 "" "" "0" "" 134.170.58.125
[root@mcweb-a access.log]# fgrep 10.10.10.40  access.log
[16/Nov/2016:15:45:49 -0600] "" 10.10.10.40 0 "HEAD http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1611162143 HTTP/1.1" "" "-" "" 354 228 "Windows-Update-Agent" "" "0" "" 23.62.239.27
[16/Nov/2016:15:46:29 -0600] "" 10.10.10.40 0 "GET http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1" "" "-" "" 226 306 "Microsoft-CryptoAPI/6.1" "" "0" "" 184.26.44.98
[16/Nov/2016:15:46:31 -0600] "" 10.10.10.40 200 "CONNECT iecvlist.microsoft.com:443 HTTP/1.1" "" "-" "" 8735 1672 "" "" "0" "" 72.21.81.200
[16/Nov/2016:15:46:31 -0600] "" 10.10.10.40 200 "CONNECT r20swj13mr.microsoft.com:443 HTTP/1.1" "" "-" "" 8884 1754 "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko" "" "0" "" 72.21.81.200
</code>

       

      Thanks for any insights or observations from other standalone hosts that aren't using a SUS server locally.

        • 1. Re: Windows update trouble - explicit proxy.  HEAD requests normal ?
          jacek

Hi Regis,

I have seen HEAD and GET (both) requests in proxy logs over 2 years ago, so it is quite normal for me. In a normal situation, right after the HEAD request there should be a GET request (which is missing in your log).

I'm not sure it is a Web Gateway issue (the HTTP status code of 0 for the HEAD requests in the log above is strange), but try whitelisting the Microsoft Update servers in the "Extended Global Whitelist With SmartMatch" ruleset (it can be imported from the Library). There is an option: "Enable Microsoft Update Whitelist"

(attached screenshot: winupd1.JPG)

or the same rule "Global Whitelist: Windows Activation Hosts or Windows Update Hosts or Windows Update User-Agents" in unlocked view:

(attached screenshot: winupd2.JPG)

But once more: verify also that this is not a workstation problem. Check the WindowsUpdate.log file on the workstation (by default in the C:\Windows directory). I know that some Windows 7 machines had problems checking for updates (it took many hours and 100% CPU usage by the svchost.exe process): https://support.microsoft.com/en-us/kb/3102810 and it was already fixed by Microsoft.

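The two observations in the reply above (a HEAD that is never followed by a GET for the same object, and a status code of 0 in the proxy log) are easy to check mechanically over a whole access.log rather than by eye. The script below is an added example, not from this thread, McAfee, or Microsoft. It assumes the field order visible in the pasted log (timestamp, auth user, client IP, status, request line, then byte counts, user agent and server IP) and runs over a small constructed sample that uses RFC 5737 documentation addresses and example hostnames instead of the real ones.

```python
import re

# Regex for the access.log layout seen in the thread. Assumption: the fields are
# [timestamp] "user" client_ip status "METHOD url HTTP/x.y" ... (the rest is ignored).
# search() rather than match() is used so that a stray terminal escape sequence or
# shell prompt pasted in front of a line does not hide an otherwise valid record.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"[^"]*"\s+(?P<client>\S+)\s+(?P<status>\d+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/[\d.]+"'
)


def parse_line(line):
    """Return a dict with ts/client/status/method/url, or None for non-record lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit(log_text):
    """Flag HEAD requests with no matching GET and any record with status 0.

    Requests are grouped per client and per URL with the query string removed,
    because the Windows Update agent appends a changing cache-buster (?1611162140)
    to otherwise identical cab URLs.
    """
    heads = {}          # (client, url) -> timestamp of the first HEAD seen
    gets = set()        # (client, url) pairs that received a GET
    zero_status = []    # (method, url) for records the proxy logged with status 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue    # shell prompts, blank lines, garbage
        key = (rec["client"], rec["url"].split("?", 1)[0])
        if rec["status"] == 0:
            zero_status.append((rec["method"], key[1]))
        if rec["method"] == "HEAD":
            heads.setdefault(key, rec["ts"])
        elif rec["method"] == "GET":
            gets.add(key)
    unpaired = sorted(url for (client, url) in heads if (client, url) not in gets)
    return {"unpaired_heads": unpaired, "zero_status": zero_status}


# Constructed sample log (not real traffic): one HEAD that is never followed by a GET
# and logged with status 0, one CRL fetch, one CONNECT, and one healthy HEAD+GET pair.
SAMPLE_LOG = """\
[16/Nov/2016:15:40:34 -0600] "" 192.0.2.40 0 "HEAD http://ds.download.example/redir/v6-win7sp1-wuredir.cab?1611162140 HTTP/1.1" "" "-" "" 354 228 "Windows-Update-Agent" "" "0" "" 198.51.100.26
[16/Nov/2016:15:40:51 -0600] "" 192.0.2.40 200 "GET http://crl.example/pki/crl/products/root.crl HTTP/1.1" "" "-" "" 225 299 "Microsoft-CryptoAPI/6.1" "" "0" "" 198.51.100.97
[root@proxy access.log]# fgrep 192.0.2.40 access.log
[16/Nov/2016:15:41:13 -0600] "" 192.0.2.40 200 "CONNECT fe2.update.example:443 HTTP/1.1" "" "-" "" 9057 1930 "" "" "0" "" 198.51.100.125
[16/Nov/2016:15:42:00 -0600] "" 192.0.2.40 200 "HEAD http://ds.download.example/selfupdate/wsus3setup.cab?1611162142 HTTP/1.1" "" "-" "" 346 243 "Windows-Update-Agent" "" "0" "" 198.51.100.8
[16/Nov/2016:15:42:01 -0600] "" 192.0.2.40 200 "GET http://ds.download.example/selfupdate/wsus3setup.cab?1611162142 HTTP/1.1" "" "-" "" 346 51234 "Windows-Update-Agent" "" "0" "" 198.51.100.8
"""

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for url in result["unpaired_heads"]:
        print("HEAD without GET:", url)
    for method, url in result["zero_status"]:
        print("status 0 logged for", method, url)
```

On the sample this reports the wuredir.cab URL once under both headings; run against a real access.log (`audit(open("access.log").read())`) it separates a proxy-side symptom (status 0, meaning the proxy never recorded a response from the server) from a client-side one (the agent simply never issuing the GET), which is the distinction the reply asks Regis to make before blaming the gateway.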
          • 2. Re: Windows update trouble - explicit proxy.  HEAD requests normal ?
            Regis

jacek wrote:

Hi Regis,

I have seen HEAD and GET (both) requests in proxy logs over 2 years ago, so it is quite normal for me. In a normal situation, right after the HEAD request there should be a GET request (which is missing in your log).

...

But once more: verify also that this is not a workstation problem. Check the WindowsUpdate.log file on the workstation (by default in the C:\Windows directory). I know that some Windows 7 machines had problems checking for updates (it took many hours and 100% CPU usage by the svchost.exe process): https://support.microsoft.com/en-us/kb/3102810 and it was already fixed by Microsoft.

This is very helpful, jacek. I agree the absence of the GET requests does seem odd now that you mention it. Thanks for reminding me where the WindowsUpdate.log was (as I'd forgotten). I wasn't aware of the known issues with updates and I'll definitely check out that KB. These are new/unpatched boxes, so perhaps a manual SP1 download will have to be the way of things to get it over some bug hump. Good eye on that HTTP 0 return code. I'd totally missed that and I may inquire again with support over that.

I agree that this has all the feelings of a workstation issue, as I've whitelisted the IP of the workstation past everything by creating a rule for its client.ip at the top of the global whitelist rule with a stop cycle on it. The McAfee managed list for Windows update servers definitely does deserve a mention in any thread like this though!

I'll follow up once the box owner gives that a whirl.