
How do I allow Windows Updates through the HTTP Proxy?

Fireware/HTTP Proxy
This document applies to:
Appliance: Firebox X Core / Firebox X Core e-Series / Firebox X Peak / Firebox X Peak e-Series
Appliance Software versions: Fireware 8.3 / Fireware Pro 8.3
Management Software versions: WatchGuard System Manager 8.3

Introduction
If the computers on your network use Microsoft Windows, it is important to have the most recent Windows updates for this operating system. It can be a problem for Firebox X Core or Peak users to get Windows updates through the Firebox if they use the HTTP proxy. If you used the Quick Setup Wizard to configure your Firebox and have not changed your basic configuration, the HTTP Proxy that is configured within the Outgoing proxy is active. Frequently, the HTTP proxy blocks the Windows update files from going through the Firebox to your Windows computers. The proxy can block the files for one or more of these reasons:
- The proxy can prevent your computer from sending information about itself to the Microsoft update server.
- The proxy can block cookies from the Windows update site.
- The proxy can block undefined body content types. Windows update servers identify the content they deliver to a computer as a generic binary stream (such as octet-stream), which is blocked by default proxy rules.

Is there anything I need to know before I start?


To allow Windows updates through the HTTP proxy, there are several options:
- You can change the configuration of your primary HTTP proxy. This option does have security risks. Because Windows update servers do not always correctly identify the content they send, you must configure the proxy to allow content that can be dangerous if it comes from sources that you do not trust. For example, to make sure Windows updates can get through the Firebox, you must allow .exe and .cab files. We do not recommend that you allow .exe and .cab files from every external source.
- You can also create a new HTTP packet filter or proxy with a higher precedence than the primary HTTP or TCP proxy. Configure this policy to allow connections only to the IP addresses used by Windows Update servers. Unfortunately, Microsoft has many update servers and the IP addresses for these servers can change at any time. It can be difficult to get IP addresses for them all.
- The third option is to use an update server. When you use an update server, you download Windows updates to one server on your network. That server then distributes the updates to all the computers in your network. To do this, you can use the Microsoft service called Windows Server Update Services. This option is the most secure, but it requires that a computer in your network runs a Windows Server operating system. For information about this option, go to: http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

Note: Make sure that your Firebox allows outgoing connections on port 443 and port 80. These are the ports that computers use to contact the Windows Update servers.


Allow Windows Updates with your Current HTTP Proxy Policy


If you want to allow Windows updates with your existing HTTP proxy, you must edit your HTTP-Client proxy ruleset to make sure that none of the default rules are configured to block files associated with Windows updates. Be aware that if you have only one HTTP policy that allows all of your trusted computers to get access to the Internet, this procedure decreases security for all HTTP connections. We do not recommend that you use this procedure if the HTTP proxy action you edit is the only HTTP proxy action protecting the computers on your network.

1. Open Policy Manager and find the HTTP proxy policy that controls HTTP client connections. Select Edit > Modify Policy and click the Properties tab. The Edit Policy Properties dialog box appears.


2. Make sure the proxy action selected is for HTTP client connections.
3. Click the Edit icon to open the proxy ruleset configuration. The HTTP Proxy Action Configuration dialog box appears.

Expand the proxy ruleset category list and make all the changes shown below. When you make these changes, make sure that, if the ruleset offers an Advanced View, you use the Advanced View to make the changes. Use the Change View button to move between Simple View and Advanced View. Note that it is not always possible to go back to Simple View after you create rules in Advanced View. See the WSM User Guide, Proxies chapter for more information about configuring rules for proxies.

4. In the General Settings category, select the check box Allow range requests through unmodified.
5. In the HTTP Request category, select URL Paths. Make sure there is not a Deny rule for .exe files, .zip files, or .cab files. Each of these file types must be allowed. These files do not appear in a list by default. You must also make sure the URL Paths Default rule action is set to Allow. If there is a Deny rule for any of these file types, change the Action drop-down list for each rule to Allow.

6. In the HTTP Request category, select Header Fields. Make sure that the Referer rule is not enabled.
7. In the HTTP Response category, select Header Fields. Select the Default rule that appears at the bottom of the list and click Edit. From the Action drop-down list, select Allow and click OK.
8. In the HTTP Response category, select Content Types. Select the check box to the left of Allow (None) so that HTTP Responses that have no content type are allowed.


9. From the HTTP Response, Content Types Advanced View, click Add. The New Content Rule dialog box appears.

10. Make sure all of these content types appear in the list as allowed content types. If any of these content types have not been added or allowed, enter them one at a time. Make sure the rule setting for each rule is set to Exact Match.
- application/octet-stream
- application/x-javascript
- application/x-msdownload
- multipart/byteranges
11. In the HTTP Response category, select Cookies and click Change View. Make sure the default is set to Allow.
12. In the HTTP Response category, select Body Content Types. Change Zip Archive, Windows EXE/DLL, and CAB archive to Allow. If you use the Gateway AntiVirus/IPS service, you can set the action to take for each of these rules to AV Scan, instead of Allow.

13. Click OK to close all proxy dialog boxes.
14. Save your changes to the Firebox.

Allow Windows Updates Through A Separate HTTP Policy


Some of the changes you must make to the HTTP proxy in order to allow Windows Updates can create dangerous security risks if configured in your primary HTTP client proxy ruleset. For example, we do not recommend that you allow .exe and .cab files from every external source. A solution to this problem is to create a new HTTP packet filter or proxy with a higher precedence than the primary HTTP proxy or Outgoing policy. Configure the packet filter policy or proxy policy to allow connections only to the external IP addresses used by Windows update servers.

It is important to understand, however, that Microsoft uses many update servers around the world, and the IP addresses of these servers change frequently. Because of the way Microsoft uses round-robin DNS to load-balance their servers, Microsoft does not publish a static list of IP addresses for their servers. They only publish domain names for their update servers. Unfortunately, you cannot configure a firewall policy to allow connections to a domain name. Although Policy Manager can do domain name lookups when you configure a policy, you can only allow connections to IP addresses. Because there is no way for the Policy Manager to dynamically change the IP addresses in your policies, and because the IP addresses of the Windows Update servers can change at any time, you must regularly look up the IP addresses of the Windows update server you want to use (usually one time each month, as Windows updates are released one time each month).

To manually look up the IP address for the Microsoft Update servers:
1. Open a command prompt.
2. Type nslookup, then a space, and each of these domains:
- windowsupdate.microsoft.com
- download.windowsupdate.com
- update.microsoft.com
- download.microsoft.com
- ntservicepack.microsoft.com
- wustat.windows.com
- v4.windowsupdate.microsoft.com
- v5.windowsupdate.microsoft.com

For example, you will type nslookup windowsupdate.microsoft.com to get the IP address for the domain windowsupdate.microsoft.com.

In Policy Manager, you must create an HTTP packet filter or proxy policy that allows traffic from Any Trusted to the IP addresses of the Windows Update servers. You can add the IP addresses you found when you used nslookup as described above. Or, you can have Policy Manager do the domain name lookup for you by selecting Host Name (perform Lookup) from the Choose Type drop-down list when you configure the To parameters of the policy. Remember to update the packet filter with new IP addresses at least one time each month.
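The monthly lookup is easy to forget and tedious to repeat by hand. The following script is an added example (not part of the original FAQ or of any WatchGuard software): it resolves the update host names listed above, stores the result, and reports which addresses appeared or disappeared since the last run, so you know whether the packet filter's To list needs editing. The resolver parameter exists only so the logic can be exercised with constructed addresses, and the snapshot file name windows_update_ips.json is an arbitrary choice.

```python
import json
import socket
from pathlib import Path

# Windows Update host names listed in the FAQ.
UPDATE_HOSTS = [
    "windowsupdate.microsoft.com",
    "download.windowsupdate.com",
    "update.microsoft.com",
    "download.microsoft.com",
    "ntservicepack.microsoft.com",
    "wustat.windows.com",
    "v4.windowsupdate.microsoft.com",
    "v5.windowsupdate.microsoft.com",
]

def resolve_all(hosts, resolver=socket.gethostbyname_ex):
    """Return {host: sorted IPv4 list}; a host that fails to resolve maps to []."""
    snapshot = {}
    for host in hosts:
        try:
            _name, _aliases, addrs = resolver(host)
        except OSError:  # socket.gaierror is an OSError; treat as "no addresses"
            addrs = []
        snapshot[host] = sorted(set(addrs))
    return snapshot

def diff_address_sets(previous, current):
    """Compare two snapshots; return (added, removed) as sorted (host, ip) pairs."""
    prev = {(h, ip) for h, ips in previous.items() for ip in ips}
    curr = {(h, ip) for h, ips in current.items() for ip in ips}
    return sorted(curr - prev), sorted(prev - curr)

def policy_addresses(snapshot):
    """Flatten a snapshot into the unique IP list to enter in the policy's To field."""
    return sorted({ip for ips in snapshot.values() for ip in ips})

def update_snapshot(path, hosts=UPDATE_HOSTS, resolver=socket.gethostbyname_ex):
    """Resolve, diff against the stored JSON snapshot (if any), overwrite it, return the diff."""
    path = Path(path)
    previous = json.loads(path.read_text()) if path.exists() else {}
    current = resolve_all(hosts, resolver)
    path.write_text(json.dumps(current, indent=2, sort_keys=True))
    return diff_address_sets(previous, current)

if __name__ == "__main__":
    added, removed = update_snapshot("windows_update_ips.json")
    for tag, pairs in (("ADD", added), ("REMOVE", removed)):
        for host, ip in pairs:
            print(f"{tag:<7}{ip:<16} {host}")
```

Run it once a month after the updates are released; any ADD or REMOVE line means the packet filter's address list no longer matches DNS.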

Using Windows Server Update Services


This third option to allow Windows updates through the HTTP proxy is the most secure option. When you use Windows Server Update Services (WSUS), only one computer needs to be allowed access to download Windows updates through a firewall policy that has a very permissive HTTP proxy action or through an HTTP packet filter. For information about this option, go to: http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

Was this document helpful? Please send your feedback to faq@watchguard.com.

SUPPORT: www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456

COPYRIGHT 2006 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.
