You experience problems when you access the Windows Update Version 5 or Version 6 Web site through a server that is running ISA Server (885819)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

When you access the Windows Update Version 5 or Version 6 Web site through a server that is running Microsoft Internet Security and Acceleration (ISA) Server, and that server requires authentication, you may experience the problems that are detailed in the following two scenarios.

Note While this article is specific to ISA Server, you may also experience the problems that are detailed here when you access the Windows Update Version 5 or Version 6 Web site through other authenticating proxy servers.

Scenario 1


When you visit the Windows Update Version 5 Web site (v5.windowsupdate.microsoft.com) or the Windows Update Version 6 Web site (update.microsoft.com), Windows Update may fail when the scan for the latest version of the Windows Update software runs. When this problem occurs, you receive an error message that is similar to the following:
Windows Update has encountered an error and cannot display the requested page.
Additionally, you may see "[Error number: 0x80072F78]" in the upper-right corner of the Web page.

Scenario 2

When you visit the Windows Update V5 or V6 Web site, you are prompted to select Express Install or Custom Install. When you select either of these options, Windows Update may fail, and you may receive an error message that is similar to the following:
Windows Update has encountered an error and cannot display the requested page.
Additionally, you may see "[Error number: 0x80244021]" or "[Error number: 0x80244019]" or "[Error number: 0x80244018]" in the upper-right corner of the Web page.

CAUSE

The problem that is described in Scenario 1 occurs when the client sends a HEAD request on a Transmission Control Protocol (TCP) connection that has already been closed by the proxy server.

The problem that is described in Scenario 2 occurs when the Windows Update client authenticates with NULL credentials to the proxy server. If the proxy server does not give access to the requested site for the NULL logon, the request may be denied and Windows Update may fail.

RESOLUTION

Scenario 1

This is a known problem in Internet Explorer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

838893 "The server returned an invalid or unrecognized response" error message in Internet Explorer 6 Service Pack 1

To resolve the problem, install the Internet Explorer update rollup that is described in the following Microsoft Knowledge Base article:

871260 An update rollup is available for Internet Explorer versions 5.x and 6.0

Scenario 2

The root cause of this problem is currently being examined. See the "Workaround" section for an interim solution.

WORKAROUND

To work around the problem that is described in Scenario 2, give anonymous access to the relevant Windows Update sites. Include the following destinations when you create the destination set/URL set for Windows Update:
  • http://download.windowsupdate.com
  • https://*.windowsupdate.microsoft.com
  • http://*.windowsupdate.microsoft.com
  • http://*.update.microsoft.com
  • http://*.download.windowsupdate.com
  • http://update.microsoft.com
  • http://*.windowsupdate.com
  • http://download.microsoft.com
  • http://windowsupdate.microsoft.com
  • http://ntservicepack.microsoft.com
  • http://wustat.windows.com
  • https://*.update.microsoft.com
See the "More Information" section for details about how to configure the required rules for ISA Server 2000 and ISA Server 2004.

Note If you are using any third-party content filters, you may also have to configure them to give unrestricted access to these destinations. See your filter vendor's documentation for information about how to make this configuration change.
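
Because the workaround lets unauthenticated requests through the proxy, it helps to confirm that anonymous traffic stays inside the destination set. The following check is an added example, not part of the original article or ISA Server's own matching logic: it compares scheme and host only, assumes that a leading "*." stands for one or more host labels, and uses a hypothetical (username, URL) record layout with constructed sample data.

```python
from urllib.parse import urlsplit

# Destinations copied from the "Workaround" list above.
WINDOWS_UPDATE_SET = [
    "http://download.windowsupdate.com",
    "https://*.windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "http://*.update.microsoft.com",
    "http://*.download.windowsupdate.com",
    "http://update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://download.microsoft.com",
    "http://windowsupdate.microsoft.com",
    "http://ntservicepack.microsoft.com",
    "http://wustat.windows.com",
    "https://*.update.microsoft.com",
]

def host_matches(pattern_host, host):
    # Assumed semantics: "*." stands for one or more leading labels, so
    # "*.update.microsoft.com" does not cover the bare "update.microsoft.com".
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # keeps the dot, e.g. ".update.microsoft.com"
        return host.endswith(suffix)
    return host == pattern_host

def matching_entry(url, url_set=WINDOWS_UPDATE_SET):
    """Return the first set entry that covers url (scheme and host only), else None."""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    for entry in url_set:
        pattern = urlsplit(entry)
        if pattern.scheme == target.scheme and host_matches(pattern.netloc, host):
            return entry
    return None

def anonymous_outside_set(records, url_set=WINDOWS_UPDATE_SET):
    """records: (username, url) pairs; an empty username means an anonymous request."""
    return [url for user, url in records
            if not user and matching_entry(url, url_set) is None]

# Constructed sample records (username, URL); not real traffic.
SAMPLE = [
    ("", "http://download.windowsupdate.com/sample.cab"),
    ("", "https://www.update.microsoft.com/sample"),
    ("", "https://update.microsoft.com/"),
    ("CORP\\alice", "http://www.example.com/"),
    ("", "http://windowsupdate.com.example.net/"),
]
```

Under these assumptions, `anonymous_outside_set(SAMPLE)` reports the HTTPS request to the bare `update.microsoft.com` host, because the list carries that host only for HTTP, and the look-alike host under `example.net`.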

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

To create an anonymous access rule and an associated destination set for the Windows Update Web sites that are listed in the "Workaround" section, follow these steps.

For ISA Server 2000

Create a destination set for Windows Update domains. To do this, follow these steps:
  1. Open the ISA Management console.
  2. Expand ArrayName, and then expand Policy Elements.
  3. Right-click Destination Sets, click New, and then click Set.
  4. In the Name field, type Windows Update, and then click Next.
  5. Click Add.
  6. In the Destination field, type download.microsoft.com and update.microsoft.com.
  7. Leave the Path field blank, and then click OK.
  8. Repeat steps 5 through 7 for each remaining URL from the "Workaround" section, and then click OK.
Create an anonymous Site and Content rule for Windows Update requests. To do this, follow these steps:
  1. Open the ISA Management console.
  2. Expand Access Policy.
  3. Right-click Site and Content Rules, click New, and then click Rule.
  4. In the Name field, type Windows Update, and then click Next.
  5. Click Allow, and then click Next.
  6. Click Allow access based on destination, and then click Next.
  7. In the Apply this rule to list, click Specified Destination Set.
  8. In the Name list, click Windows Update.
  9. Click Next, and then click Finish.
Note If your existing protocol rules require authentication (user/group-limited), you will have to create an anonymous protocol rule for HTTP and HTTPS. To do this, follow these steps:
  1. Open the ISA Management console.
  2. Expand Access Policy.
  3. Right-click Protocol Rules, click New, and then click Rule.
  4. In the Name field, type Windows Update, and then click Next.
  5. Click Allow, and then click Next.
  6. In the Apply this rule to list, click Selected protocols.
  7. In the Protocols list, click HTTP and HTTPS, and then click Next.
  8. Click Next two times, and then click Finish.
Note Changes to ISA Server 2000 policies do not take effect immediately and do not affect existing sessions. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

281985 ISA Server configuration changes are not instantaneous

For ISA Server 2004

Create an anonymous access rule for Windows Update. To do this, follow these steps:
  1. Open the ISA Management console.
  2. In the left pane, right-click Firewall Policy, click New, and then click Access Rule.
  3. In the Name field, type Windows Update, and then click Next.
  4. Click Allow, and then click Next.
  5. In the This rule applies to list, click Selected Protocols.
  6. Click Add.
  7. In the Add Protocols dialog box, expand Web.
  8. Click HTTP, and then click Add.
  9. Click HTTPS, and then click Add.
  10. Click Close, and then click Next.
  11. In the Access Rule Sources dialog box, click Add.
  12. In the Add Network Entities dialog box, expand Networks.
  13. Click Internal, and then click Add.
  14. Click the network object for each network that requires access to Windows Update, and then click Add.
  15. Click Close, and then click Next.
  16. In the Access Rule Destinations window, click Add.
  17. In the Add Network Entities window menu bar, click New, and then click URL Set.
  18. In the New URL Set Rule Element window, in the Name field, type Windows Update.
  19. Click New.
  20. In the URLs included in this set list, change the new entry to http://*.download.microsoft.com and update.microsoft.com.
    Note If the URL is an HTTPS URL, make sure that it is specified as such in the URLs included in the URL Set Rule.
  21. Repeat steps 19 and 20 for each remaining URL that is listed in the "Workaround" section, and then click OK.
  22. In the Add Network Entities window, in the URL Sets section, click Windows Update, click Add, and then click Close.
  23. Click Next two times, and then click Finish.
  24. In the top part of the middle pane, click Apply.

    In the top part of the middle pane, Apply and Discard buttons appear.
  25. Click Apply.
  26. When a "Changes to the configuration were successfully applied" message appears in the Apply New Configuration dialog box, click OK.
Make the Windows Update rule the first rule. To do this, follow these steps.

Note If you prefer to list all your Deny rules first, you can list the Windows Update rule immediately after those rules.
  1. In the left pane, click Firewall Policy.
  2. If Windows Update is already the first rule in the list, stop here. If not, continue to the next step.
  3. In the middle pane, click Windows Update.
  4. In the right pane, click the Tasks tab.
  5. Click Move the selected rule up until Windows Update is the first rule in the list.

    In the top part of the middle pane, Apply and Discard buttons appear.
  6. Click Apply.
  7. When a "Changes to the configuration were successfully applied" message appears in the Apply New Configuration dialog box, click OK.
Note Changes to ISA 2004 policies do not affect existing sessions. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

841140 Changes to the firewall policy only affect new connections in ISA Server 2004

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

897225 How to install hotfixes that are included in cumulative security updates for Internet Explorer 6 Service Pack 1


Modification Type: Minor
Last Reviewed: 8/2/2006
Keywords:kbprb KB885819 kbAudDeveloper kbAudEndUser kbAudITPRO kbAudOEM