Re: [squid-users] Squid and Windows Update
On Fri, 22 Jun 2007 13:53:57 +1200 (NZST) [EMAIL PROTECTED] wrote: I have just added a FAQ page (http://wiki.squid-cache.org/SquidFaq/WindowsUpdate) with the content of this thread. Can anyone please make a link to http://wiki.squid-cache.org/SquidFaq/WindowsUpdate in http://wiki.squid-cache.org/SquidFaq/ ? Done. And the WU page updated with some more info found recently to make it play nice with Vista and Win98. Amos
Re: [squid-users] Squid and Windows Update - SOLVED!!
fre 2007-06-22 klockan 10:39 +0100 skrev Julian Pilfold-Bagwell: It's cured. You were right about allowing access to winupdate. The confusing aspect is that some time back, we had to wrestle for a day to get it working after Windows updated itself. It turned out that you had to use the always_direct directive to get it work as it would crash out otherwise. Don't know what Microsoft have done to Windows Update but it now has to go back to http_allow. always_direct has little or no effect on things. All always_direct does it making Squid ignore any cache_peers you may have. If you don't have any cache_peer then it's a no-operation thing as going direct is then the only option Squid has.. So if using always_direct did make any difference then you have a cache_peer which doesn't work with windows update, or otherwise it just started to work by accident. Regards Henrik signature.asc Description: Detta är en digitalt signerad meddelandedel
Re: [squid-users] Squid and Windows Update
Henrik Nordstrom wrote: tor 2007-06-21 klockan 14:22 +0100 skrev Julian Pilfold-Bagwell: If I am to guess you might need to allow access to the windows update servers without using authentication. Is it possible to do that while retaining authentication for users? Yes. Just allow access to the windows update servers before where you normally require authentication. Regards Henrik Hi again, Does the first acl line: acl winupdate dstdomain .microsoft.com .windowsupdate.com not do this? I put the always_direct rule in before the mynetwork rule but it doesn't seem to do the trick. Thanks, Jools
Re: [squid-users] Squid and Windows Update - SOLVED!!
Hi Henrik, It's cured. You were right about allowing access to winupdate. The confusing aspect is that some time back, we had to wrestle for a day to get it working after Windows updated itself. It turned out that you had to use the always_direct directive to get it work as it would crash out otherwise. Don't know what Microsoft have done to Windows Update but it now has to go back to http_allow. Thanks again, much appreciated, All the best, Julian Pilfold-Bagwell
[squid-users] Squid and Windows Update
Hi All, I have an NTLM authenticated squid proxy and an trying to get to Windows Update. Up until about 3 weeks ago it worked OK but then stopped and I haven't been able to get it going since. I have microsoft.com and windowsupdate.com in an always_direct acl and have used proxycfg to set the proxy up on the windows boxes. I've also ticked http 1.1 connection on proxy in IE6's options. I've spent hours on Google without finding any solution. Could someone have a look through the acls below to see if I've missed something please. Cheers, Jools PS: Below is a snap from the proxy log showing what's happening when I try to connect. Thanks. # Log Output 1182427844.513 RELEASE -1 62992ED631E0F39DDA8C8DC2F898F266 407 1182427844 0 1182427844 text/html 1325/1325 GET http://go.microsoft.com/fwlink/? 1182427844.520 RELEASE -1 2E6A5C7F93EEE6901CCCEE0DEB5A2229 407 1182427844 0 1182427844 text/html 1325/1325 GET http://go.microsoft.com/fwlink/? 1182427844.533 RELEASE -1 DEE0F5C0483083C6578A92A5A262DBA8 407 1182427844 0 1182427844 text/html 1463/1463 POST http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx 1182427844.868 RELEASE -1 A8ABED5E2C14C5B1E9D0C071634A6A5F 407 1182427844 0 1182427844 text/html 1325/1325 GET http://go.microsoft.com/fwlink/? 1182427844.898 RELEASE -1 8A2AF11EB29DC53BECCE375C51ED2564 407 1182427844 0 1182427844 text/html 1325/1325 GET http://go.microsoft.com/fwlink/? 1182427845.371 RELEASE -1 E376783F93B586292C10EB17CEED8C0D 302 1182427844-1 1182427784 text/html 135/135 GET http://go.microsoft.com/fwlink/? 1182427845.395 RELEASE -1 DB56627F467C065BB2717F8C4807EE04 302 1182427844-1 1182427784 text/html 135/135 GET http://go.microsoft.com/fwlink/? 1182427845.959 RELEASE -1 FC48317C07A19CD1D257DF7931B8CF91 407 1182427845 0 1182427845 text/html 1301/1301 CONNECT update.microsoft.com:443 1182427845.965 RELEASE -1 9FDB6B061BB1A01FD5774EDCF57BFE72 407 1182427845 0 1182427845 text/html 1301/1301 CONNECT update.microsoft.com:443 1182427845.968 RELEASE -1 24E1583A4D3FE04F9CC5D92791D8234F 407 1182427845 0 1182427845 text/html 1301/1301 CONNECT update.microsoft.com:443 1182427846.017 RELEASE -1 307158AE09CFED627438DB4C97BB6DE7 407 1182427846 0 1182427846 text/html 1301/1301 CONNECT update.microsoft.com:443 1182427848.314 RELEASE -1 B54B1B79B60C0A9EE18BCC5F376CCCF0 407 1182427848 0 1182427848 text/html 1463/1463 POST http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx 1182427848.335 RELEASE -1 106150D23930001055AB50F33462E587 407 1182427848 0 1182427848 text/html 1463/1463 POST http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx 1182427848.385 RELEASE -1 8F2EB8EA5C13E1999AA8BBA44C8DE2CC 407 1182427848 0 1182427848 text/html 1463/1463 POST http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx 1182427848.608 RELEASE -1 9AAF6E2DA487093383A0DD59ADB264B4 407 1182427848 0 1182427848 text/html 1301/1301 CONNECT update.microsoft.com:443 1182427848.628 RELEASE -1 552B7EA2E74614B8A4E9E82E193FC296 407 1182427848 0 1182427848 text/html 1301/1301 CONNECT update.microsoft.com:443 1182427848.631 RELEASE -1 B2701012D1DE2296A7678125A6841581 407 1182427848 0 1182427848 text/html 1301/1301 CONNECT update.microsoft.com:443 1182427848.681 RELEASE -1 6194E73C33414591F76E8645DD78AF71 407 1182427848 0 1182427848 text/html 1301/1301 CONNECT update.microsoft.com:443 1182427848.928 RELEASE -1 2B64CB519E1123FE9772D9D2FD6B9D23 407 1182427848 0 1182427848 text/html 1463/1463 POST http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx 1182427848.959 RELEASE -1 BAB09BA63C9B037455216ED743BDE755 407 1182427848 0 1182427848 text/html 1463/1463 POST http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx 1182427849.014 RELEASE -1 964028CC20022B536F59877D37745174 407 1182427849 0 1182427849 text/html 1463/1463 POST http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx 1182427850.033 RELEASE -1 36FDA330BD08904D927FB76ABD56B1D1 407 1182427850 0 1182427850 text/html 1292/1292 CONNECT urs.microsoft.com:443 1182427850.075 RELEASE -1 B5335E465AA32ED4259749CBB2AC4236 407 1182427850 0 1182427850 text/html 1292/1292 CONNECT urs.microsoft.com:443 1182427850.127 RELEASE -1 0D4261BD99331073CAE9F2FA94E0EE61 407 1182427850 0 1182427850 text/html 1292/1292 CONNECT urs.microsoft.com:443 1182427850.130 RELEASE -1 32CCE2EA2FB00E6CA57DF5D5F2CC6799 407 1182427850 0 1182427850
Re: [squid-users] Squid and Windows Update
tor 2007-06-21 klockan 14:22 +0100 skrev Julian Pilfold-Bagwell: If I am to guess you might need to allow access to the windows update servers without using authentication. Is it possible to do that while retaining authentication for users? Yes. Just allow access to the windows update servers before where you normally require authentication. Regards Henrik signature.asc Description: Detta är en digitalt signerad meddelandedel
Re: [squid-users] Squid and Windows Update
Henrik Nordstrom wrote: tor 2007-06-21 klockan 14:22 +0100 skrev Julian Pilfold-Bagwell: If I am to guess you might need to allow access to the windows update servers without using authentication. Is it possible to do that while retaining authentication for users? Yes. Just allow access to the windows update servers before where you normally require authentication. Regards Henrik That's what we do and it works very well. We do the same for common antivirus update sites too. :-) Just a thought on WindowsUpdate via squid though, it's very very slow through squid. Seems to take many minutes to check for updates, but when bypassing the proxy this is not the case. I wonder if this is normal for squid? cheers, Dietrich.
Re: [squid-users] Squid and Windows Update
We implement windows update through proxy without delay pool and there's no problem at all. acl fast dstdom_regex download.windowsupdate.com update.microsoft.com acl fast dstdom_regex download.microsoft.com ds.microsoft.com #direct bandwitdhfull access to websites delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_access 1 allow fast delay_access 1 deny all
Re: [squid-users] Squid and Windows Update
Henrik Nordstrom wrote: tor 2007-06-21 klockan 14:22 +0100 skrev Julian Pilfold-Bagwell: If I am to guess you might need to allow access to the windows update servers without using authentication. Is it possible to do that while retaining authentication for users? Yes. Just allow access to the windows update servers before where you normally require authentication. Regards Henrik That's what we do and it works very well. We do the same for common antivirus update sites too. :-) Just a thought on WindowsUpdate via squid though, it's very very slow through squid. Seems to take many minutes to check for updates, but when bypassing the proxy this is not the case. I wonder if this is normal for squid? It is a side effect of WindowsUpdate that has been seen before on occasion under some squid configs. WindowsUpdate apparently pulls its data from the main servers using partial Ranges. Squid does not to my knowledge fully support storage of partial ranges (we have plans to improve this but no sponsor yet I think). Also some configurations are set to always pull the entire file when a range is requested. The cachability settings of the WU servers may also be a factor. If your config has been set to always pull the entire file and cache it, you could try allowing squid to pull ranges and not cache them. Amos
Re: [squid-users] Squid and Windows Update
[EMAIL PROTECTED] wrote: Thanks for that Amos. Can anyone please point me in the right direction to documentation about configuring such features? The WU issues probably needs expanding upon in the FAQs I guess. :-) Thanks in advance. Dietrich The relevant squid.conf settings I know of are: http_access and range_offset. Earlier posts here in squid-users or google may have better details. I have just added a FAQ page (http://wiki.squid-cache.org/SquidFaq/WindowsUpdate) with the content of this thread. Amos Brilliant! Thanks. :-) Dietrich
[squid-users] squid and Windows update
Any problems downloading windows update througth squid ? Thank you. -- Dominique Bagnato - Head of the Technology Department. French International School - Bethesda, MD. USA Tel:301 530 8260 Ext:279 - http://www.rochambeau.org
Re: [squid-users] squid and Windows update
For me, sometimes it works, sometimes it doesn't. I made sure that .microsoft.com url is not cached or needing authentication. - Original Message - From: Dominique Bagnato [EMAIL PROTECTED] To: squid-users@squid-cache.org Sent: Monday, March 06, 2006 4:36 PM Subject: [squid-users] squid and Windows update Any problems downloading windows update througth squid ? Thank you. -- Dominique Bagnato - Head of the Technology Department. French International School - Bethesda, MD. USA Tel:301 530 8260 Ext:279 - http://www.rochambeau.org
Re: [squid-users] squid and Windows update
Any problems downloading windows update througth squid ? Thank you. http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.54 M.
RE: [squid-users] Squid and Windows Update.
On Wed, 3 Dec 2003, Sturgis, Grant wrote: I am having the exact problem (see my post from yesterday). I have created a temporary work around by adding: acl windowsupdate dstdomain .windowsupdate.microsoft.com no_cache deny windowsupdate to squid.conf. Any other ideas? Look in access.log and try to figure out which cache hit is causing the conflict and then PURGE this object from the cache. Then complain to Microsoft for making WU server updates in a way which is not compatible with caches. Maybe they will eventually learn how to work in cooperation with caches. Regards Henrik
[squid-users] Squid and Windows Update.
Hello, I'm having a bit of an issue with Squid and Windows Update. In the last day or so we have noticed machines on campus failing to get their WUs. All goes well until I click the scan for updates link and then I get an error, the M$ error is the seemingly infamous '0x800a138F' error. Many pages from the search below blame the new hosting arrangements that M$ have with Akamai, stating that Akamai are also a host for many ad banners so are often blocked by admin's. http://www.google.com/search?sourceid=navclientie=UTF-8oe=UTF-8q=0x800a13 8F However we don't appear to have any rules in our squid.conf that block access to that site, neither when I log the requests from my test machine does it deny access to any of the requests; Anyway on further investigation I have retrieved another M$ error code from the WU Log file on the client PC, this is '0x800C0002' which according to M$ is Invalid URL. I only get this problem going through the squid boxes. Another twist to this is that if I turn the cache settings off in IE do a WU scan which succeeds and then turn the cache settings back on it works fine thereafter. However it is not possible for us to turn the cache setting off all the machines here, even if it were we'd have to open up the firewall to allow port 80 access for all machines rather than just the WWW and a select few admin machines. Is this a known bug with squid? Many thanks, Jezz Palmer. Jezz Palmer. Internet Systems Officer. Library and Information Services University of Wales, Swansea Singleton Park Swansea SA2 8PP
RE: [squid-users] Squid and Windows Update.
I'm having the same issue here too, which I first noticed yesterday. It looks like https://v4.windowsupdate.microsoft.com/ works though. I assume that because Squid just relays SSL traffic, whatever causes the non-secure site to break is not affected. Any ideas on a permanent fix or workaround would be appreciated, though! Mike -Original Message- From: Palmer J.D.F. [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 7:19 AM To: [EMAIL PROTECTED] Subject: [squid-users] Squid and Windows Update. Hello, I'm having a bit of an issue with Squid and Windows Update. In the last day or so we have noticed machines on campus failing to get their WUs. All goes well until I click the scan for updates link and then I get an error, the M$ error is the seemingly infamous '0x800a138F' error. Many pages from the search below blame the new hosting arrangements that M$ have with Akamai, stating that Akamai are also a host for many ad banners so are often blocked by admin's. http://www.google.com/search?sourceid=navclientie=UTF-8oe=UTF-8q=0x800a13 8F However we don't appear to have any rules in our squid.conf that block access to that site, neither when I log the requests from my test machine does it deny access to any of the requests; Anyway on further investigation I have retrieved another M$ error code from the WU Log file on the client PC, this is '0x800C0002' which according to M$ is Invalid URL. I only get this problem going through the squid boxes. Another twist to this is that if I turn the cache settings off in IE do a WU scan which succeeds and then turn the cache settings back on it works fine thereafter. However it is not possible for us to turn the cache setting off all the machines here, even if it were we'd have to open up the firewall to allow port 80 access for all machines rather than just the WWW and a select few admin machines. Is this a known bug with squid? Many thanks, Jezz Palmer. Jezz Palmer. Internet Systems Officer. Library and Information Services University of Wales, Swansea Singleton Park Swansea SA2 8PP
RE: [squid-users] Squid and Windows Update.
I am having the exact problem (see my post from yesterday). I have created a temporary work around by adding: acl windowsupdate dstdomain .windowsupdate.microsoft.com no_cache deny windowsupdate to squid.conf. Any other ideas? Grant -Original Message- From: Mike McCall [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 7:38 AM To: [EMAIL PROTECTED] Cc: 'Palmer J.D.F.' Subject: RE: [squid-users] Squid and Windows Update. I'm having the same issue here too, which I first noticed yesterday. It looks like https://v4.windowsupdate.microsoft.com/ works though. I assume that because Squid just relays SSL traffic, whatever causes the non-secure site to break is not affected. Any ideas on a permanent fix or workaround would be appreciated, though! Mike -Original Message- From: Palmer J.D.F. [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 7:19 AM To: [EMAIL PROTECTED] Subject: [squid-users] Squid and Windows Update. Hello, I'm having a bit of an issue with Squid and Windows Update. In the last day or so we have noticed machines on campus failing to get their WUs. All goes well until I click the scan for updates link and then I get an error, the M$ error is the seemingly infamous '0x800a138F' error. Many pages from the search below blame the new hosting arrangements that M$ have with Akamai, stating that Akamai are also a host for many ad banners so are often blocked by admin's. http://www.google.com/search?sourceid=navclientie=UTF-8oe=UTF-8q=0x800a13 8F However we don't appear to have any rules in our squid.conf that block access to that site, neither when I log the requests from my test machine does it deny access to any of the requests; Anyway on further investigation I have retrieved another M$ error code from the WU Log file on the client PC, this is '0x800C0002' which according to M$ is Invalid URL. I only get this problem going through the squid boxes. Another twist to this is that if I turn the cache settings off in IE do a WU scan which succeeds and then turn the cache settings back on it works fine thereafter. However it is not possible for us to turn the cache setting off all the machines here, even if it were we'd have to open up the firewall to allow port 80 access for all machines rather than just the WWW and a select few admin machines. Is this a known bug with squid? Many thanks, Jezz Palmer. Jezz Palmer. Internet Systems Officer. Library and Information Services University of Wales, Swansea Singleton Park Swansea SA2 8PP This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system.