The best thing to do is don't get picky about the HTTP/HTTPS traffic
destinations. Just allow the WSUS Server to make HTTP/HTTPS outbound
communications wherever it wants. You can allow the WSUS box to do this
without allowing everything else on the network to do that.

MS does list Domain Names involved,..but since you should be running the
WSUS box as a SecureNAT Client the Domain Names are not relevant. SecureNAT
Clients only deal with IP# between them and the ISA because SecureNAT Clients
do their own DNS resolution independently on their own before the WSUS
attempt ever hits the ISA,...hence ISA never sees the Domain Names and
cannot react to a rule that uses them.

Why SecureNAT? Well the machine needs to work when no one is logged into
it,..hence the traffic is anonymous,...and SecureNAT is the simplest way to
deal with anonymous traffic (it can't do authenticated traffic anyway).

However you can install the Firewall Client on the Server and try it with
the Domain Names as the Destination and see if it works. But there is some
inconsistency in how FWCs do DNS resolution,...sometimes they do it on their
own like the SecureNAT Clients,...sometimes they let the ISA do it. The
"when & why" is kinda fuzzy to me so I'm not going to try to explain it.
But anything other than IP#s in the Destination Object won't work unless the
ISA does the DNS resolution on behalf of the Client.

I run the FWC on mine but I don't get picky about the destinations. I *do*
have a rule that gets very "picky" but I moved it below another Rule that
lets the WSUS go wherever it wants so the "picky" rule never really gets
used anymore. I just keep the rule in case I ever change my mind,..then I
can just move it up above the other.

Using WSUS with the FWC is handy if your LAN is complex and does not lend
itself to using machines as SecureNAT Clients to the ISA,...such as a case
where the ISA is not within the default "path" of the LAN.

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
Understanding the ISA 2004 Access Rule Processing
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
Microsoft Internet Security & Acceleration Server: Partners
Microsoft ISA Server Partners: Partner Hardware Solutions
"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
> Perhaps our colleagues in the ISA-specific newsgroup might be able to lend
> a hand here, Harry? As such, I'm forwarding this thread to
> microsoft.public.isa via crosspost.
> Harry Johnston [MVP] wrote:
>> Greg Wilkerson wrote:
>>> I am not certain, but I do believe it's WSUS (do I have a choice with
>> As discussed in m.p.w.s.update_services, Greg isn't using WSUS.
>>> I am running an ISA Server. If this is using a special port, I can
>>> configure that. I've been installing and uninstalling this on the
>>> for the last week or so (reformatting between each install). I kind of
>>> doubt ISA server is the case, but anything is possible. I just don't
>>> recall this being an issue before.
>> PA Bear, are you familiar with ISA? I'm not sure what sort of
>> troubleshooting steps would be appropriate - perhaps trying a different
>> number, or a different computer name in case the issue is related to the
>> computer's AD