How to allow only Windows Update Services from ISA Server

You may experience problems when you access Windows Update through a server that is running Microsoft Internet Security and Acceleration (ISA) Server if that server requires authentication.

To work around the problem that is described above, give anonymous access to the relevant Windows Update sites. Include the following destinations when you create the destination set/URL set for Windows Update:

  • http://download.windowsupdate.com
  • http://*.download.windowsupdate.com
  • http://download.microsoft.com
  • https://*.update.microsoft.com
  • http://*.update.microsoft.com
  • https://update.microsoft.com
  • http://update.microsoft.com
  • http://*.windowsupdate.com
  • http://*.windowsupdate.microsoft.com
  • http://windowsupdate.microsoft.com
  • https://*.windowsupdate.microsoft.com
  • http://ntservicepack.microsoft.com
  • http://wustat.windows.com

Create an anonymous access rule for Windows Update. To do this, follow these steps:

  1. Open the ISA Management console.
  2. In the left pane, right-click Firewall Policy, click New, and then click Access Rule.
  3. In the Name field, type Windows Update, and then click Next.
  4. Click Allow, and then click Next.
  5. In the This rule applies to list, click Selected Protocols.
  6. Click Add.
  7. In the Add Protocols dialog box, expand Web.
  8. Click HTTP, and then click Add.
  9. Click HTTPS, and then click Add.
  10. Click Close, and then click Next.
  11. In the Access Rule Sources dialog box, click Add.
  12. In the Add Network Entities dialog box, expand Networks.
  13. Click Internal, and then click Add.
  14. Click the network object for each network that requires access to Windows Update, and then click Add.
  15. Click Close, and then click Next.
  16. In the Access Rule Destinations window, click Add.
  17. In the Add Network Entities window menu bar, click New, and then click URL Set.
  18. In the New URL Set Rule Element window, in the Name field, type Windows Update.
  19. Click New.
  20. In the URLs included in this set list, change the new entry to http://*.download.microsoft.com and update.microsoft.com.
    Note: If the URL is an HTTPS URL, make sure that it is specified as such in the URLs included in the URL Set Rule.
  21. Repeat steps 19 and 20 for each remaining URL in the destination list above, and then click OK.
  22. In the Add Network Entities window, in the URL Sets section, click Windows Update, click Add, and then click Close.
  23. Click Next two times, and then click Finish.
  24. In the top part of the middle pane, click Apply.

    In the top part of the middle pane, Apply and Discard buttons appear.
  25. Click Apply.
  26. When a "Changes to the configuration were successfully applied" message appears in the Apply New Configuration dialog box, click OK.

Make the Windows Update rule the first rule. To do this, follow these steps.

Note: If you prefer to list all your Deny rules first, you can list the Windows Update rule immediately after those rules.

  1. In the left pane, click Firewall Policy.
  2. If Windows Update is already the first rule in the list, stop here. If not, continue to the next step.
  3. In the middle pane, click Windows Update.
  4. In the right pane, click the Tasks tab.
  5. Click Move the selected rule up until Windows Update is the first rule in the list.

    In the top part of the middle pane, Apply and Discard buttons appear.
  6. Click Apply.
  7. When a "Changes to the configuration were successfully applied" message appears in the Apply New Configuration dialog box, click OK.
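
As an added example (not part of the original article and not Microsoft tooling), the Python script below checks which requested URLs the Windows Update URL set listed above would cover, so you can confirm that the anonymous rule reaches only the intended hosts and see why the note in step 20 about specifying HTTPS matters. The matching semantics (scheme must match exactly, `*.` stands for one or more subdomain labels, path is ignored) and the function names are assumptions for illustration, not ISA Server's documented behavior.

```python
from urllib.parse import urlsplit

# URL set entries copied from the destination list on this page.
WINDOWS_UPDATE_URL_SET = [
    "http://download.windowsupdate.com",
    "http://*.download.windowsupdate.com",
    "http://download.microsoft.com",
    "https://*.update.microsoft.com",
    "http://*.update.microsoft.com",
    "https://update.microsoft.com",
    "http://update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://*.windowsupdate.microsoft.com",
    "http://windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://ntservicepack.microsoft.com",
    "http://wustat.windows.com",
]

def matching_entry(url, url_set=WINDOWS_UPDATE_URL_SET):
    """Return the first URL set entry covering `url`, or None.
    Assumed semantics: exact scheme match, '*.' = one or more subdomain
    labels (never the bare domain), path ignored."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    for entry in url_set:
        scheme, _, pattern = entry.partition("://")
        if parts.scheme != scheme:
            continue  # an http:// entry does not cover an https:// request
        if pattern.startswith("*."):
            # Keep the leading dot so a look-alike such as
            # 'notwindowsupdate.com' cannot match '*.windowsupdate.com'.
            if host.endswith(pattern[1:]) and len(host) > len(pattern) - 1:
                return entry
        elif host == pattern:
            return entry
    return None

def audit(urls):
    """Map each requested URL to the entry that covers it (None = not covered)."""
    return {u: matching_entry(u) for u in urls}

if __name__ == "__main__":
    # Constructed sample requests, not taken from a real proxy log.
    for url, entry in audit([
        "http://au.download.windowsupdate.com/msdownload/update.cab",
        "https://download.windowsupdate.com/msdownload/update.cab",
        "http://windowsupdate.com/",
    ]).items():
        print(f"{entry or 'NOT COVERED':45} {url}")
```

Under these assumptions the second and third sample requests are not covered: the set has no `https://` entry for `download.windowsupdate.com` and no bare `windowsupdate.com` entry, so such requests would fall through to the authenticated rules.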