Over the last few months I’ve had a few Windows XP SP2 and Media Center Edition machines that refused to access the Windows Update site. These weren’t mission-critical machines so I didn’t worry about it too much, but I found the situation irritating, since a couple of these machines were laptops that updated just fine when I connected to a hotel network that didn’t have an ISA Firewall in front of them.
What was frustrating is that I had done everything right on the ISA Firewall. I created the correct Direct Access lists for the Web proxy clients, I didn’t mix IP addresses and FQDNs in my Direct Access lists, and I even configured the clients with local Web proxy bypass lists (which I expect did nothing anyhow, since I was using the autoconfiguration script).
I finally got fed up with the situation and started to think about doing something. The only thing I could think of was that perhaps the Windows/Microsoft Update mechanism used WinHTTP and it wasn’t getting the proxy server setting from the browser.
So I opened a command prompt and entered:
proxycfg -?
And I saw this:
C:\Documents and Settings\tshinder.TACTEAM>proxycfg ?
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.
usage:
proxycfg -? : to view help information
proxycfg : to view current WinHTTP proxy settings
proxycfg [-d] [-p <server-name> [<bypass-list>]]
-d : set direct access
-p : set proxy server(s), and optional bypass list
proxycfg -u : import proxy settings from current user’s Microsoft Internet Explorer manual settings (in HKCU)
===================
I then ran:
proxycfg
and saw something like this:
C:\Documents and Settings\tshinder.TACTEAM>proxycfg
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.
Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :
Proxy Server(s) : <none>
Bypass List : <local>
=======================
This suggested that the WinHTTP proxy settings weren’t using the ISA Firewall, so I ran:
proxycfg -u
and I saw this:
Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :
Proxy Server(s) : CELESTIX-H5L4CS.tacteam.net:8080
Bypass List : <local>
===================
After doing that, automatic updates started downloading immediately! Good news.
I’d like to tell you that I know exactly why this worked, what the relationship between the WinHTTP proxy settings and Windows/Microsoft Update is, and why it didn’t work before, but I can’t tell you that. Documentation in this area is about as weak as the documentation on the relationship between brain and mind 🙂
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP — Microsoft Firewalls (ISA)
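
An added example, not part of the original post: a Python check that parses saved proxycfg output from several machines and flags any whose machine-wide WinHTTP setting has no proxy, or a proxy other than the expected one, since those are the machines likely to be missing updates behind the firewall. The host names, the second proxy name and the sample outputs are constructed; the output layout is assumed to match what the post shows.

```python
import re

# Matches the two value lines in the proxycfg output layout shown in the post.
FIELD = re.compile(
    r"^[ \t]*(Proxy Server\(s\)|Bypass List)[ \t]*:[ \t]*(.*?)[ \t\r]*$", re.M)

def _entries(value):
    """Split a proxy or bypass value into lower-cased entries."""
    if not value or value.lower() == "<none>":
        return []
    # Entries may be ';' or space separated; drop a 'protocol=' prefix.
    return [e.split("=", 1)[-1].lower() for e in re.split(r"[;\s]+", value) if e]

def parse_proxycfg(text):
    """Return {'proxies': [...], 'bypass': [...]} from proxycfg output."""
    fields = dict(FIELD.findall(text))
    return {"proxies": _entries(fields.get("Proxy Server(s)")),
            "bypass": _entries(fields.get("Bypass List"))}

def audit(outputs, expected_proxy):
    """Map each host to 'ok', 'no-proxy' or 'unexpected-proxy'."""
    findings = {}
    for host, text in outputs.items():
        proxies = parse_proxycfg(text)["proxies"]
        if not proxies:  # <none>, or no proxy line at all
            findings[host] = "no-proxy"
        elif any(p != expected_proxy.lower() for p in proxies):
            findings[host] = "unexpected-proxy"
        else:
            findings[host] = "ok"
    return findings

# Constructed sample output, modelled on the listings in the post.
TEMPLATE = r"""Current WinHTTP proxy settings under:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
    WinHttpSettings :
    Proxy Server(s) : {proxy}
    Bypass List : <local>
"""

def demo():
    outputs = {  # constructed host names and values
        "xp-laptop-01": TEMPLATE.format(proxy="<none>"),
        "xp-desk-02": TEMPLATE.format(proxy="CELESTIX-H5L4CS.tacteam.net:8080"),
        "mce-den-03": TEMPLATE.format(proxy="http=proxy.example.test:3128"),
        "xp-desk-04": "    WinHttpSettings :\n",  # no proxy line present
    }
    return audit(outputs, "celestix-h5l4cs.tacteam.net:8080")

if __name__ == "__main__":
    for host, status in sorted(demo().items()):
        print(host, status)
```

Hosts reported as no-proxy are the ones where running proxycfg -u, as described in the post, would copy the current user’s Internet Explorer manual proxy settings into the WinHTTP configuration.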