Accessing WSUS through a Firewall

    Question

  • I have a slightly unusual setup at the minute, so bear with me while I set the scene first...

    I'm currently undertaking a Domain Migration, so there are two domains (OLDDOMAIN and NEWDOMAIN) operating on the same network.  The domains have no trust, but are fully able to resolve each other's DNS.

    There are two subnets in question here (SUBNET A and SUBNET B), which are separated by an ISA 2006 Firewall, which is a member of OLDDOMAIN.

    The WSUS Server is located in SUBNET B, and is a member of NEWDOMAIN.

    Computers in SUBNET B in both domains are successfully connecting to and pulling updates from WSUS.  However, in SUBNET A only members of OLDDOMAIN can contact the WSUS Server.  I don't have the exact error code to hand at the minute, but basically, the connection is timing out.

    I've verified that affected computers are able to resolve and ping the WSUS box.  WSUS is running over port 80 at the moment, but with plans to move it to 443 once NEWDOMAIN has PKI in place.

    I've tried using no proxy setting in IE on the affected servers and setting the ISA as a proxy server, but it's made no difference.  I've also tried turning on and off the Proxy Support for the Internal Network on the ISA Server, which hasn't made any difference.

    I get the same errors when trying to manually browse to the WSUS URI from a browser on the affected computers.  Eventually it returns an error page from ISA reporting that it could not receive a timely response from the server.

    I'm at a bit of a loss what to try next, any help would be greatly appreciated.

    Friday, June 28, 2013 2:11 PM

All Replies

  • I think there's a piece of information missing, but before we proceed, let me make sure I've understood the situation.

    OLDDOMAIN is SUBNET A and has an ISA2006 firewall protecting it from everything else.

    NEWDOMAIN is SUBNET B and has the WSUS Server in the local network.

    And, to your statement: "...in SUBNET A only members of OLDDOMAIN can contact the WSUS Server."

    So, my question is this: What exactly is in SUBNET A that's not a member of OLDDOMAIN? (And that's probably why it can't connect to the WSUS server... how did you configure these "not a member of OLDDOMAIN" systems to know about the WSUS server over in NEWDOMAIN/SUBNET B?)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Monday, July 8, 2013 12:23 AM
    Moderator
  • Hi and many thanks for your reply.

    Both Subnets contain servers from both domains.  All servers in SUBNET B (where WSUS is located) can access WSUS.  In SUBNET A, OLDDOMAIN servers can access WSUS OK, but NEWDOMAIN servers cannot.

    Having said all that, however, the ISA 2006 box suffered a hardware failure over the weekend.  It turned out to be unrecoverable, so the TMG 2010 box that was being built as a replacement for it was rushed into service.  As it was a rush job, it doesn't have a fully populated ruleset yet, and contains an allow all rule from SUBNET A to SUBNET B, and one from SUBNET B to SUBNET A (I know, very bad practice, but service was down, so needs must).  Since putting this in, everything in SUBNET A is able to contact WSUS for updates.

    Wednesday, July 10, 2013 8:47 PM
  • Both Subnets contain servers from both domains.  All servers in SUBNET B (where WSUS is located) can access WSUS.  In SUBNET A, OLDDOMAIN servers can access WSUS OK, but NEWDOMAIN servers cannot.

    My condolences on the untimely loss of your ISA box.. ;-)

    FWIW, based on the information clarified, my working guess would be that the ISA rules were set up with authentication requirements, and the machines in NEWDOMAIN in SUBNET A didn't have a pathway through the firewall to SUBNET B.

    There's no other scenario I can think of where domain membership would impact one machine's ability to egress the firewall and not another's.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Thursday, July 11, 2013 4:46 PM
    Moderator
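The troubleshooting steps described in the original question (DNS and ping work, the browser eventually gets a proxy error page) and the diagnosis in the final reply (firewall rules with authentication requirements that hosts outside the firewall's domain cannot satisfy) can be separated with a quick client-side check. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes the WSUS URL is set through the standard Windows Update policy value WUServer, that the WSUS client web service lives at the standard /ClientWebService/client.asmx path, and that the client's WinHTTP/IE proxy settings are the ones the Windows Update agent would use. Run it on an affected host and compare the Verdict with one from a working host in the same subnet.

```powershell
# Added example: classify why a Windows client cannot reach its WSUS server.
# Distinguishes DNS failure, a silent TCP drop (firewall), a proxy demanding
# authentication (HTTP 407), a proxy error page (HTTP 502/504), and success.
# Assumption: WUServer policy value and the standard WSUS client web service path.

function Get-WsusTargetUrl {
    # Group Policy / registry location the Windows Update agent reads for its WSUS server
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p = Get-ItemProperty -Path $key -Name WUServer -ErrorAction SilentlyContinue
    if ($p) { return $p.WUServer }
    return $null
}

function Test-WsusPath {
    param(
        [Parameter(Mandatory)][string]$WsusUrl,
        [int]$TimeoutSeconds = 15
    )

    $uri = [System.Uri]$WsusUrl
    $result = [ordered]@{ Url = $WsusUrl; Dns = $null; Tcp = $null; HttpStatus = $null; Verdict = $null }

    # Step 1: name resolution (the question reports this already works)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($uri.Host)
        $result.Dns = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','
    } catch {
        $result.Dns = 'FAIL'
        $result.Verdict = 'DNS resolution failed'
        return [pscustomobject]$result
    }

    # Step 2: direct TCP connect to the WSUS port (80 here; 443 once WSUS moves to HTTPS).
    # A timeout with no RST usually means a firewall is silently dropping the traffic.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutSeconds * 1000)) {
            $result.Tcp = 'TIMEOUT'
            $result.Verdict = 'TCP connect timed out: traffic dropped between client and WSUS'
            return [pscustomobject]$result
        }
        $client.EndConnect($async)
        $result.Tcp = 'OK'
    } catch {
        $result.Tcp = 'REFUSED'
        $result.Verdict = "TCP connect failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    } finally {
        $client.Close()
    }

    # Step 3: HTTP request to the WSUS client web service, using the same proxy settings
    # and the machine/user credentials the Windows Update agent would present.
    $endpoint = $WsusUrl.TrimEnd('/') + '/ClientWebService/client.asmx'
    try {
        $resp = Invoke-WebRequest -Uri $endpoint -UseBasicParsing -TimeoutSec $TimeoutSeconds -UseDefaultCredentials
        $result.HttpStatus = [int]$resp.StatusCode
        $result.Verdict = 'WSUS client web service reachable'
    } catch {
        $errResp = $_.Exception.Response
        if ($null -ne $errResp) {
            $result.HttpStatus = [int]$errResp.StatusCode
            switch ($result.HttpStatus) {
                407 { $result.Verdict = 'Proxy requires authentication this host cannot satisfy (e.g. no trust with the proxy domain)' }
                502 { $result.Verdict = 'Proxy error page: the proxy was reached but WSUS did not answer it in time' }
                504 { $result.Verdict = 'Proxy error page: the proxy was reached but WSUS did not answer it in time' }
                default { $result.Verdict = "HTTP $($result.HttpStatus) from $endpoint" }
            }
        } else {
            $result.HttpStatus = 'NONE'
            $result.Verdict = "No HTTP response: $($_.Exception.Message)"
        }
    }
    return [pscustomobject]$result
}

$target = Get-WsusTargetUrl
if ($target) {
    Test-WsusPath -WsusUrl $target | Format-List
} else {
    Write-Warning 'No WUServer policy value found on this host; pass a URL to Test-WsusPath directly.'
}
```

Reading the output: Dns OK, Tcp OK and HTTP 200 on a host that the Windows Update agent still reports as failing points at the agent's own proxy configuration rather than the network. Tcp TIMEOUT with a working ping matches the symptom in the question and indicates the firewall is dropping port 80 for that source. An HTTP 407 is the signature of the explanation in the last reply: the firewall rule is reachable but demands credentials a host in an untrusted domain cannot present, so only the firewall's own domain members get through.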