WSUS client issues - Using wrong proxy

  • Question

  • I am having a few problems with my WSUS setup. This setup was working for a long time, no problem, and still works perfectly, but only on the WSUS server itself.

    A bit of background: I have 4 client machines that are not able to talk to the WSUS server: 2 are Windows 7, one is a Vista machine, and one is a W2K8r2 system. These communicated with the server without issue until the end of January, when I decommissioned a proxy server. The proxy server was a direct configuration, not transparent, which was set up in Windows, IE, and other browsers. As the hardware was aging, it got replaced by a newer setup that is transparent and redirects from the firewall, so it is no longer in play with my internal network traffic (WSUS and the clients are all on the same subnet, no firewalls or routers separating them).

    I have troubleshot this most of yesterday, using the various resources found online. The MS diagnostic tool does not resolve the issue. WinHTTP shows direct connection from the admin CLI, and I have scrubbed the registry manually to remove all instances of the old proxy FQDN, IP, and port. The IP the proxy used to have has been re-issued to a DNS server on my local subnet, and I am able to use tcpdump on that server, which is where I am seeing my Windows clients still trying to hit the legacy proxy port. I have set up the firewall on this system to reject (respond with ICMP port unreachable), which has sped up the failure (as expected). I have also disabled WPAD on one of the clients (Windows 7), and it still goes out to the legacy proxy, but only when direct connection was set up from a 'netsh winhttp reset proxy'. If I configure it as 'netsh winhttp set proxy 192.168.1.90:80 bypass-list="*.mydomain.net"', it no longer hits the legacy 192.168.1.50:8989, but WU still fails. I am not concerned with that setup failing, as it would not be the correct configuration for my network.

    There is no WPAD option set up on my DHCP server, nor is there a DNS entry for WPAD on my network. The client machine I am testing from is also statically IP'd, if that has any play in WPAD (it isn't clear on that, but since it is not stated outright I assume WPAD works the same with a static versus a dynamic IP). The WCCP setup on the firewall does not reflect the legacy proxy either, just the new proxy setup. There are no HTTP redirects that would point this to the proxy, even though I have an HAProxy load balancer in front of the WSUS servers (only one WSUS is configured to take traffic, for ease of troubleshooting). WSUS configuration for the clients is controlled via GPO.

    As of now, I have searched through as much as I can find that makes sense to dig into, and I am rather stumped. Is there anywhere else that the agents would find this erroneous proxy?

    Thursday, April 13, 2017 3:00 PM

All replies

  • Hi Nombrandue,

    Please also try removing the BITS queue:

    bitsadmin /list /allusers

    bitsadmin /reset /allusers

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 14, 2017 9:54 AM
  • Hi,

    Just checking whether the above reply was of help. If yes, you may mark the useful reply as the answer; if not, feedback is welcome.

    Best Regards,

    Anne



    Wednesday, April 19, 2017 2:33 AM
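
An added example, not part of the thread or any poster's code: a PowerShell sweep of the places the thread names (the WinHTTP proxy, registry proxy values, and the BITS queue) for the legacy proxy address. The helper name `Find-ProxyString` is hypothetical, and checking the Internet Settings keys of every loaded hive is an assumption about where a leftover value could sit; run it from an elevated prompt.

```powershell
# Added example. Legacy proxy address as quoted in the question.
$LegacyProxy = '192.168.1.50'

# Hypothetical helper: report every value under a key whose data contains
# the needle. REG_BINARY data (e.g. DefaultConnectionSettings) is decoded
# as ASCII so a proxy string embedded in a binary blob is still found.
function Find-ProxyString {
    param([string]$KeyPath, [string]$Needle)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        $value = $key.GetValue($name)
        $text = if ($value -is [byte[]]) {
            [System.Text.Encoding]::ASCII.GetString($value)
        } else { [string]$value }
        if ($text.Contains($Needle)) {
            # New-Object keeps this usable on PowerShell 2.0 (Windows 7).
            New-Object PSObject -Property @{
                Key   = $key.Name
                Value = $name
                Data  = $text -replace '[^\x20-\x7E]', '.'
            }
        }
    }
}

# 1. Machine-wide WinHTTP proxy, as set or reset with netsh in the question.
netsh winhttp show proxy

# 2. Proxy values in HKLM and in every loaded user hive under HKEY_USERS.
#    Service accounts such as S-1-5-18 (LocalSystem) have their own hive,
#    separate from the interactive user's settings.
$rel   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$roots = @('Registry::HKEY_LOCAL_MACHINE')
$roots += Get-ChildItem Registry::HKEY_USERS |
    ForEach-Object { "Registry::$($_.Name)" }
foreach ($root in $roots) {
    Find-ProxyString "$root\$rel" $LegacyProxy
    Find-ProxyString "$root\$rel\Connections" $LegacyProxy
}

# 3. Queued BITS jobs for all users (the queue the reply suggests resetting);
#    keep only the proxy-related lines of the verbose listing.
bitsadmin /list /allusers /verbose | Select-String -Pattern 'PROXY'
```

Any row returned by step 2 names the hive, key and value that still holds the old address, which narrows a manual registry scrub to specific accounts.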