14 October 2010

TMG update center fails to update malware and NIS with a webchain

The TMG update center allows you to update the Malware and NIS signatures or definitions.  You can specify if you want to use your own internal WSUS server or point directly to Windows Update (recommended).

There are system policies that allow access to the Windows Update server, so these don't need to be changed.

If it all works, great; if it doesn't, it's a pain to troubleshoot.  My scenario involves a TMG array placed behind the external TMG array, so no direct internet access is available.

This means that the only way for my update center to update is to use my external TMG as its proxy.

Windows Update and indeed the update center make use of the Windows update service. So troubleshooting issues there will fix your update center.


So the problem symptoms:

  • Red X icons in the Update Center
  • Checking for updates takes forever to fail.
  • Alerts in the dashboard and event log stating:


Log Name:      Application
Source:        Microsoft Forefront TMG Update Agent
Date:          2010/10/13 05:54:41 PM
Event ID:      23450
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Description:
An error occurred during an attempt to check for, download, or install definition updates on the server . 





Log Name:      Application
Source:        Microsoft Forefront TMG Update Agent
Date:          2010/10/13 05:54:41 PM
Event ID:      23481
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A

Description:
The last 60 attempts to check for updates for the Malware Inspection protection mechanism on the server  failed.


When checking out the c:\windows\windowsupdate.log file you also see the following errors.



2010-10-14 11:58:26:749 924 a90 Agent ** START **  Agent: Finding updates [CallerId = Forefront TMG]
2010-10-14 11:58:26:749 2600 aa0 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = Forefront TMG]
2010-10-14 11:58:26:749 924 a90 Agent *********
2010-10-14 11:58:26:749 924 a90 Agent  * Online = Yes; Ignore download priority = No
2010-10-14 11:58:26:749 924 a90 Agent  * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains '84a54ea9-e574-457a-a750-17164c1d1679' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b') or (IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'ae4483f4-f3ce-4956-ae80-93c18d8886a6' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
2010-10-14 11:58:26:749 924 a90 Agent  * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2010-10-14 11:58:26:749 924 a90 Agent  * Search Scope = {Machine}
2010-10-14 11:58:26:753 924 a90 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2010-10-14 11:58:26:757 924 a90 Misc Microsoft signed: Yes
2010-10-14 12:00:33:767 924 a90 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x801901f8
2010-10-14 12:00:33:768 924 a90 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x801901f8
2010-10-14 12:02:40:782 924 a90 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x801901f8
2010-10-14 12:02:40:782 924 a90 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x801901f8
2010-10-14 12:04:47:794 924 a90 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x801901f8



These all indicate that there is an error connecting to the Windows Update sites.  The first thing I did was check whether I could access the sites from IE on the TMG server.  This worked, so, since Windows Update uses WinHTTP, I imported my IE proxy settings.


Open a command prompt as administrator



  • NetSH 
  • WinHTTP 
  • import Proxy ie
This then ensures that the proxy is set so you don't have to worry about it auto detecting.
If you want to know a bit more about WinHTTP check out this link



But the problem still persisted. Checking the firewall logs on both TMG arrays did not help either, because I simply did not see any requests during the Windows Update process. The only requests I saw were for traffic coming through this array in a web chain.


Web chaining is a way to link proxy servers together so that one forwards its requests to another upstream proxy.


My web chain rule restricted access to only one specified URL set.  I then changed the web chain rule and included the Microsoft Update Sites from the Domain Name Sets.




Then I tried the updates again and this time it succeeded.







NOTE:
If you are using WSUS on any port other than 80 and 443 you need to create an additional protocol and create an allow rule from the TMG servers to the WSUS server.




Conclusion
It is highly unlikely that you will have the same problem as I did, but going through the logs and settings will hopefully help you find your own problem area.  The only place where you will get any useful information is the c:\windows\windowsupdate.log file.
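The WinHttp warnings in the windowsupdate.log excerpt above can be read more closely. The following is an added example, not part of the original post: a small Python parser (the function names are my own) that pulls those warnings out of the log and decodes the HRESULT. In 0x801901f8 the facility is 0x19 (FACILITY_HTTP) and the low 16 bits are the HTTP status, here 504 Gateway Timeout, which is a proxy's answer and points at the proxy path. The sample lines are copied from the excerpt above.

```python
import re
from datetime import datetime

# Four lines copied from the windowsupdate.log excerpt earlier in this post.
SAMPLE_LOG = """\
2010-10-14 11:58:26:757 924 a90 Misc Microsoft signed: Yes
2010-10-14 12:00:33:767 924 a90 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x801901f8
2010-10-14 12:00:33:768 924 a90 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x801901f8
2010-10-14 12:02:40:782 924 a90 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x801901f8
"""

FACILITY_HTTP = 0x19  # HRESULT facility whose low 16 bits hold an HTTP status

# timestamp:ms, process id, thread id, component, then the WinHttp warning text
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d):(\d{3})\s+\d+\s+\w+\s+(\w+)\s+"
    r"WARNING: WinHttp: (\w+) failed with (0x[0-9a-fA-F]{8})")

def decode_hresult(value):
    """Split a 32-bit HRESULT into (is_failure, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def winhttp_failures(log_text):
    """Return one dict per WinHttp warning, with the HTTP status if encoded."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a WinHttp warning line
        stamp, ms, _component, func, hexcode = m.groups()
        failed, facility, code = decode_hresult(int(hexcode, 16))
        out.append({
            "time": datetime.strptime(f"{stamp}.{ms}", "%Y-%m-%d %H:%M:%S.%f"),
            "function": func,
            "hresult": hexcode.lower(),
            "http_status": code if failed and facility == FACILITY_HTTP else None,
        })
    return out

def retry_gaps(failures, function):
    """Whole seconds between consecutive failures of one function."""
    times = [f["time"] for f in failures if f["function"] == function]
    return [round((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    for f in winhttp_failures(SAMPLE_LOG):
        print(f["time"], f["function"], f["hresult"], "HTTP", f["http_status"])
```

The gap of roughly two minutes between attempts that `retry_gaps` reports matches the "takes forever to fail" symptom.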
