Introduction
This document describes why Microsoft Windows updates fail when clients connect through the Web Security Appliance (WSA) with authentication enabled.
Problem
Windows updates fail when you connect through the proxy with NT LAN Manager (NTLM) enabled. When a client sits behind a proxy that requires authentication, the Windows update just hangs or prints an error message.
Environment: Cisco WSA, all versions of AsyncOS
Solution
Note: This Knowledge Base article references software which is not maintained or supported by Cisco. The information is provided as a courtesy for your convenience. For further assistance, contact the software vendor.
Windows updates and the Microsoft BITS application do not support authentication.
Add the Windows update servers listed below to an authentication exemption custom URL category on the WSA. Then create a new identity, choose No Authentication in the Authentication section, and choose the new custom URL category as a membership criterion. Finally, create a new access policy and, under the Identities and Users section, choose the auth exempt identity for it.
------------------------------------------------------------------------------------
download.windowsupdate.com
.windowsupdate.microsoft.com
.update.microsoft.com
.download.windowsupdate.com
update.microsoft.com
.windowsupdate.com
download.microsoft.com
windowsupdate.microsoft.com
ntservicepack.microsoft.com
wustat.windows.com
c.microsoft.com
watson.microsoft.com
------------------------------------------------------------------------------------
This allows unauthenticated access to the servers and should resolve the issue.
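Because every entry in this category bypasses authentication, it is worth checking exactly which hostnames the list covers before you commit it. The script below is an added example, not Cisco code: it assumes that an entry with a leading dot covers subdomains only and an entry without one covers that exact hostname (confirm this for your AsyncOS version), and the sample hostnames are constructed.

```python
# Added example, not Cisco code. Assumed matching rule (confirm for your
# AsyncOS version): an entry with a leading dot covers subdomains only; an
# entry without one covers exactly that hostname.
EXEMPT_ENTRIES = [
    "download.windowsupdate.com", ".windowsupdate.microsoft.com",
    ".update.microsoft.com", ".download.windowsupdate.com",
    "update.microsoft.com", ".windowsupdate.com", "download.microsoft.com",
    "windowsupdate.microsoft.com", "ntservicepack.microsoft.com",
    "wustat.windows.com", "c.microsoft.com", "watson.microsoft.com",
]

# Constructed sample of destination hostnames, e.g. taken from proxy logs.
SAMPLE_HOSTS = [
    "au.download.windowsupdate.com", "WUSTAT.windows.com.",
    "windowsupdate.com", "notwindowsupdate.com", "www.microsoft.com",
]

def covers(entry, host):
    """True if one category entry covers an already-normalized hostname."""
    entry = entry.lower()
    if entry.startswith("."):
        # Suffix match that keeps the dot, so it stops at a label boundary.
        return host.endswith(entry)
    return host == entry

def matching_entry(host, entries=EXEMPT_ENTRIES):
    """Return the first entry that exempts host, or None if it stays authenticated."""
    host = host.strip().rstrip(".").lower()
    return next((e for e in entries if covers(e, host)), None)

def redundant_entries(entries=EXEMPT_ENTRIES):
    """Entries whose whole scope is already covered by another entry."""
    redundant = []
    for entry in entries:
        # For a dotted entry, test an arbitrary subdomain of it.
        probe = "probe" + entry if entry.startswith(".") else entry
        if any(covers(other, probe) for other in entries if other != entry):
            redundant.append(entry)
    return redundant

def audit(hosts=SAMPLE_HOSTS):
    """Map each hostname to the entry that exempts it (None = still authenticated)."""
    return {host: matching_entry(host) for host in hosts}

if __name__ == "__main__":
    for host, entry in audit().items():
        print(f"{host:32} {'exempt via ' + entry if entry else 'authenticated'}")
    print("redundant entries:", redundant_entries())
```

Under the assumed rule, .windowsupdate.com is the broadest entry in the list and already covers both download.windowsupdate.com entries.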
More information can be found at: