Automatic Windows Updates through ISA proxy

Problem Description: Is there a way to allow Windows automatic updates to go through an ISA proxy that requires NTLM authentication?

I do not have admin access or any access at all to the proxy and cannot avoid going through it. I read online about recommendations to allow direct access to microsoft.com, but as I explained, I cannot access the proxy settings.

What can I do to make Automatic Updates work?

Operating System: Windows XP


Automatic updates use the WinHTTP library to route TCP connections. In order for the WU (wuauserv) service to connect through your proxy, make sure you configure the WinHTTP library to go through that proxy. To configure your WinHTTP library to use a custom proxy, follow the procedure below:

  1. At the elevated command prompt, type netsh to start the Network Shell command-line tool, which allows you to alter networking on Windows.
  2. At the NetSh command line, type:
       netsh>winhttp reset proxy
     This will reset the proxy settings for the WinHTTP library.
  3. Now restart the Network Awareness Locator service by typing the following in a different elevated command prompt:
       net stop NlaSvc && net start NlaSvc
     Confirm the restart of the dependent Network List Service.
  4. Return to NetSh and type:
       netsh>winhttp set proxy XXX.XXX.XXX.XXX:XXXX
     where XXX.XXX.XXX.XXX:XXXX is the TCP socket of the proxy server through which you want WU to go, such as:
       netsh>winhttp set proxy 10.0.14.212:3128
  5. Exit the network shell by typing:
       netsh>exit
  6. Restart the Windows Update service by running at the elevated command prompt:
       net stop wuauserv && net start wuauserv
  7. Now open the %systemroot%\windowsupdate.log file to ensure your updates go through the proxy server.
     7.1 Alternatively, start NetSh and type at its prompt:
       netsh winhttp show proxy

These settings will make the WU service go through the specified proxy under the user account that was used to run the command prompt window; this is your user account by default. To ensure Windows Update goes through that proxy when run under different accounts, such as Network Service or Local Service used by Windows Update, make sure you run NetSh at a command prompt that runs under these specific system accounts. To ease the process, download the Sysinternals Suite and use the PSExec tool from there.

To interactively start a command prompt window with LocalSystem privileges, type at the command prompt:

    PsExec.exe /s /i cmd

Execute the NetSh commands from there to apply connection changes for the LocalSystem account.

To interactively start a command prompt window with Network Service privileges, type:

    PsExec.exe /i /u "NT AUTHORITY\NETWORKSERVICE" "cmd"

Execute the NetSh commands from there to apply connection changes for the Network Service account.

To interactively start a command prompt window with Local Service privileges, type:

    PsExec.exe /i /u "NT AUTHORITY\LOCALSERVICE" "cmd"

Execute the NetSh commands from there to apply connection changes for the Local Service account.

To interactively start a command prompt window with the privileges of your Microsoft account, press WindowsKey and type cmd. Right-click the command prompt icon and choose Open file location from the bar. In the opened Windows Explorer window, right-click the command prompt shortcut while holding the Shift key and choose Run as different user. In the Windows Security dialog, choose Microsoft account. Specify your Microsoft account credentials.

Use the whoami command to check what account is used to run the command prompt at which you start the Network Shell tool.

If you want to use the same connection settings as you use for WinInet library, which are used by Internet Explorer and most of the desktop apps (Modern UI apps use WinHTTP library), use netsh winhttp import proxy source=ie to import WinInet library's settings to WinHTTP library.

Also, make sure the BITS service is routed via the local proxy. At the elevated command prompt, run:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalService"

to make sure the Background Intelligent Transfer service, which is used by Windows Update to download updates, runs via your specified proxy when run with LocalService privileges.

Do the same checks for the other accounts:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalSystem"
    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "NetworkService"

If it shows that BITS goes directly, without using the proxy, do the following:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /SetIEProxy LocalService MANUAL_PROXY 10.0.14.212:3128 NULL

Repeat the same for the other system accounts:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /SetIEProxy "LocalSystem" MANUAL_PROXY 10.0.14.212:3128 NULL
    C:\Windows\SysWOW64>bitsadmin.exe /Util /SetIEProxy "NetworkService" MANUAL_PROXY 10.0.14.212:3128 NULL

In %systemroot%\WindowsUpdate.log, look for a line similar to this one:

    012-09-14 22:50:09:933 624 17f4 WS WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

Use CNTLM to upstream to your corporate proxy if Windows Update fails to authenticate on your corporate proxy returning 407.

Hope this helps a bit.
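
Added example, not part of the original answer: a small parser for the "Proxy List used" line format quoted above, which reports whether the most recent Windows Update connection used the proxy that was configured. The function names and sample log lines are constructed for illustration, and treating '(null)' in "Last Proxy used" as a direct connection is an assumption based on how the quoted line shows an empty bypass list.

```python
import re

# Field layout taken from the WindowsUpdate.log line quoted in the answer.
PROXY_LINE = re.compile(
    r"Proxy List used: '(?P<proxy_list>[^']*)', "
    r"Bypass List used: '(?P<bypass>[^']*)', "
    r"Last Proxy used: '(?P<last_proxy>[^']*)', "
    r"Last auth Schemes used: '(?P<auth>[^']*)'"
)

# Constructed sample: one entry before the proxy was set, one after it.
SAMPLE_LOG = """\
2012-09-14 22:49:58:101 624 17f4 WS WARNING: Proxy List used: '(null)', Bypass List used: '(null)', Last Proxy used: '(null)', Last auth Schemes used: 'None'.
2012-09-14 22:50:09:933 624 17f4 WS WARNING: Proxy List used: '10.0.14.212:3128', Bypass List used: '(null)', Last Proxy used: '10.0.14.212:3128', Last auth Schemes used: 'None'.
2012-09-14 22:50:10:020 624 17f4 Agent constructed unrelated line
"""

def parse_proxy_lines(log_text):
    """Return one dict per 'Proxy List used' entry, in log order."""
    entries = []
    for line in log_text.splitlines():
        match = PROXY_LINE.search(line)
        if match:
            entry = match.groupdict()
            # The first two whitespace-separated fields are date and time.
            entry["timestamp"] = " ".join(line.split()[:2])
            entries.append(entry)
    return entries

def check_proxy(log_text, expected_proxy):
    """Classify the most recent proxy entry against the configured proxy."""
    entries = parse_proxy_lines(log_text)
    if not entries:
        return "no-proxy-line"
    last = entries[-1]
    if last["last_proxy"] in ("", "(null)"):  # assumption: means no proxy used
        return "direct"
    if last["last_proxy"].lower() != expected_proxy.lower():
        return "wrong-proxy"
    if last["auth"] == "None":
        return "proxy-no-auth"
    return "proxy-with-auth"

if __name__ == "__main__":
    print(check_proxy(SAMPLE_LOG, "10.0.14.212:3128"))
```

Only the last matching entry is classified, so an older entry written before the proxy was set does not mask the current state.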


There is a tool called cntlm. It does allow you to get through an ISA proxy, but it won't be easy to integrate it into any application.
