  1. #1
    Sheridan

    TMG 2010 and Smoothwall - TMG won't update definitions

    I'm trying to get my TMG 2010 server to update its definitions (for NIS) through our Smoothwall proxy.

    I've set a web chaining rule to point the TMG at the Smoothwall for Microsoft Update sites and set the Smoothwall server to allow unauthenticated access to all of the MS update sites.

    When I try and update the NIS definitions on the TMG, I can see entries in the Smoothwall log allowing access to the following sites:

    download.windowsupdate.com
    update.microsoft.com:443


    But on the TMG server I always get the error:

    An error occurred during an attempt to check for, download, or install definition updates on the server SERVER.
    The failure is due to error: 0x80244021


    The web chaining is obviously working but I can't find what that error code means anywhere?

  2. #2


    AMLightfoot
    Try adding the following domains to the 'Do not require authentication for these domains' list and ensure that 'Unauthenticated IP's' are allowed to use the proxy (filtered):

    windowsupdate.microsoft.com
    update.microsoft.com
    c.microsoft.com
    download.windowsupdate.com
    genuine.microsoft.com

    It's probably an NTLM incompatibility thing. Microsoft updates are like that :-7

  3. #3
    Sheridan
    That's basically what I've already got, I even tried allowing *.microsoft.com for unauthenticated users!

    I have a rule that allows the same sites for unauthenticated users. I can't see anything being blocked by the Smoothwall, but it doesn't show blocked requests for unauthenticated users, does it?

    Every time I run Windows update on the TMG I see this in the Smoothwall log:

    Code:
    http://download.windowsupdate.com/v9/windowsupdate/redi 0 Warning OK (200) exception Exception site match
    15:22:28 http://download.windowsupdate.com/v9/microsoftupdate/re 0 Warning OK (200) exception Exception site match
    15:22:28 http://download.windowsupdate.com/v9/windowsupdate/redi 0 Warning OK (200) exception Exception site match
    15:22:28 http://www.update.microsoft.com/v9/windowsupdate/selfup 0 Warning OK (200) exception Exception site match
    15:22:29 http://download.windowsupdate.com/v9/microsoftupdate/re 0 Warning OK (200) exception Exception site match
    15:22:29 https://www.update.microsoft.com:443 0 Warning OK (200) exception Exception site match

    The exception match is because the update sites are all in a policy for unauthenticated users to have access to them.

    So it's Windows Update and also the NIS updates that fail with the same error code.
    Last edited by Sheridan; 10th May 2011 at 03:27 PM.

  4. #4


    AMLightfoot
    Another place to check is your file download rules - it might be worth trying disabling the entire file download policy and see if the same error occurs again as it might be one of the settings there.

  5. #5

    rob_f
    If it's listed as "Exception" then file download rules aren't being applied to that domain.

    The ultimate test is to put the TMG server's address in Guardian > Web Proxy "Exception IP Addresses" and set TMG to use port 801 on the Smoothwall... this is the most extreme form of whitelist/bypass and should help you eliminate your policy configuration.

  6. #6
    Sheridan
    I've managed to get this working by setting the TMG box to update from our WSUS server. Ironically our WSUS server gets its updates using the Smoothwall as a proxy (even more ironically the Smoothwall box ultimately goes out through the TMG!)

    I'll have a crack at the exception IP address and see if that makes a difference.
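
Added example, not part of any post in this thread: a decoder for the HRESULT quoted in post #1. Windows Update Agent reports HTTP failures as HRESULTs in the Windows Update facility, so splitting the code into its fields shows which HTTP status the agent actually received from the proxy chain. The function name `decode_hresult` and the triage hints are assumptions made for this example; the symbolic names are a subset of the `WU_E_PT_HTTP_STATUS_*` values in the Windows SDK header `wuerror.h`.

```python
# Added example: decode the Windows Update Agent HRESULT quoted in post #1.
FACILITY_WINDOWSUPDATE = 0x24  # facility 36 in the HRESULT bit layout

# Low 16 bits -> (wuerror.h name, HTTP status the agent received, triage hint).
# Subset of the WU_E_PT_HTTP_STATUS_* range; the hints are added commentary.
WU_HTTP_STATUS = {
    0x4017: ("WU_E_PT_HTTP_STATUS_DENIED", 401,
             "a server demanded authentication"),
    0x4018: ("WU_E_PT_HTTP_STATUS_FORBIDDEN", 403,
             "request refused; check filtering policy on each hop"),
    0x401B: ("WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ", 407,
             "a proxy demanded authentication; check the auth-exempt list"),
    0x4021: ("WU_E_PT_HTTP_STATUS_BAD_GATEWAY", 502,
             "a proxy got an invalid response from its upstream hop"),
    0x4022: ("WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL", 503,
             "a hop is overloaded or temporarily refusing service"),
    0x4023: ("WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT", 504,
             "a proxy timed out waiting for its upstream hop"),
}


def decode_hresult(text):
    """Split an HRESULT string into its fields and name it if known."""
    value = int(text, 16) & 0xFFFFFFFF
    fields = {
        "failure": bool(value >> 31),        # severity bit (bit 31)
        "facility": (value >> 16) & 0x7FF,   # 11-bit facility (bits 16-26)
        "code": value & 0xFFFF,              # 16-bit code (bits 0-15)
        "name": None, "http_status": None, "hint": None,
    }
    if fields["facility"] == FACILITY_WINDOWSUPDATE:
        entry = WU_HTTP_STATUS.get(fields["code"])
        if entry:
            fields["name"], fields["http_status"], fields["hint"] = entry
    return fields


if __name__ == "__main__":
    # 0x80244021 is the code from post #1; the other two are constructed samples.
    for sample in ("0x80244021", "0x8024401B", "0x80070005"):
        print(sample, decode_hresult(sample))
```

For the code in post #1 this yields HTTP 502, which points at a hop in the TMG → Smoothwall → upstream chain returning a bad gateway response rather than at an authentication prompt (407) or a policy block (403).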
