Windows XP Web Proxy Clients Fail to Connect to Windows and Microsoft Update Sites through the ISA Firewall

Over the last few months I've had a few Windows XP SP2 and Media Center Edition machines that refused to access the Windows Update site. There weren't mission critical machines so I didn't worry about it too much, but I found the situation irritating, since a couple of these machines were laptops that updated just fine when I connected to hotel network that didn't have an ISA Firewall in front them.

What was frustrating is that I had done everything right on the ISA Firewall. I created the correct Direct Access lists for the Web proxy clients, I didn't mix IP address and FQDNs in my Direct Access lists, and I even configured the clients with local Web proxy bypass lists (which I expect did nothing anyhow, since I was using the autoconfiguration script).

I finally got fed up with the situation and started to think about doing something. The only thing I could think of was that perhaps the Windows/Microsoft Update mechanism used WinHTTP and it wasn't getting the proxy server setting from the browser.

So I opened a command prompt and entered:

proxycfg -?

And I saw this:

C:\Documents and Settings\tshinder.TACTEAM>proxycfg ?
Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.

usage:

proxycfg -? : to view help information

proxycfg : to view current WinHTTP proxy settings

proxycfg [-d] [-p <server-name> [<bypass-list>]]

-d : set direct access
-p : set proxy server(s), and optional bypass list

proxycfg -u : import proxy settings from current user's Microsoft Internet Explorer manual settings (in HKCU)

===================

I then ran:

proxycfg

and saw something like this:

C:\Documents and Settings\tshinder.TACTEAM>proxycfg
Microsoft (R) WinHTTP Default Proxy Configuration Tool Copyright (c) Microsoft Corporation. All rights reserved.

Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :

Proxy Server(s) : <none>
Bypass List : <local>

=======================

This suggested that the WinHTTP proxy settings weren't using the ISA Firewall, so I ran:

proxycfg -u

and I saw this:

Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :

Proxy Server(s) : CELESTIX-H5L4CS.tacteam.net:8080
Bypass List : <local>

===================

After doing that automatic updates started downloading immediately! Good news.

I'd like to tell you that I know exactly why this worked, and what the relationship between the WinHTTP proxy settings are and Windows/Microsoft Update, and why it didn't work before, but I can't tell you that. Documentation in this area is about as weak as the documentation on the relationship between brain and mind 🙂

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: [email protected]
MVP — Microsoft Firewalls (ISA)