How to: Configure TMG server to allow for Windows Update (Internet & Corporate WSUS) – 80072EE2
After installing TMG server on a computer I ran into the issue that it could not retrieve updates from either the Internet or the corporate WSUS. I got different error codes (80072EE2) for each of the scenarios but the result was the same.
After looking into the logs I found out the reason for those two behaviors: First the communication to the WSUS server was blocked and then for the Windows Update Service over the internet I needed to use the proxy server for those communications to work.
In order to configure the http proxy you can either use Internet Explorer and set it up there (but then IE will use the proxy as well) or you can use the netsh command to setup the http proxy as follows (don´t forget to run using elevated credentials):
netsh winhttp set proxy localhost:8080
As mentioned above all http traffic will now travel through the proxy. For certain services you don´t want the traffic to use the proxy (perhaps some internal services on your network) set the proxy bypass list. You can learn more about that and other features using the help: nets winhttp set proxy ?
Below is what I ended up doing to set this up in my case:
C:Windowssystem32>netsh winhttp set proxy ?
Usage: set proxy [proxy-server=]<server name> [bypass-list=]<hosts list>
Parameters:
Tag Value
proxy-server – proxy server for use for http and/or https protocol
bypass-list – a list of sites that should be visited bypassing the
proxy (use “<local>” to bypass all short name hosts)
Examples:
set proxy myproxy
set proxy myproxy:80 “<local>;bar”
set proxy proxy-server=”http=myproxy;https=sproxy:88″ bypass-list=”*.foo.com”
C:Windowssystem32>netsh
netsh>winhttp
netsh winhttp>set proxy localhost:8080 “<local>;*.DomainName.local”
Current WinHTTP proxy settings:
Proxy Server(s) : localhost:8080
Bypass List : <local>;*.DomainName.local
netsh winhttp>
In the case you want to use WSUS as well what I did was just to create a new access rule from localhost to my WSUS server using port 8530. The below abstract is obtained from technet and it shows all the steps on how to do this:
Luckily, creating a rule that allows this communication is simple. You do it by performing the following steps.
Create the access rule.
- 1. In the TMG management console left pane:
- a. right-click Firewall Policy
- b. select New, then Access Rule
- 2. in the Welcome to the New Access Rule Wizard page,
- a. enter WSUS from TMG
- b. click Next
- 3. in the Rule Action page
- a. select Allow
- b. click Next
- 4. in the Protocols page, click Add
- 5. in the Add Protocols page, click New, then Protocol
- 6. in the Welcome to the New Protocol Definition Wizard, enter WSUS Client and click Next
- 7. in the Primary Connections Information page, click New
- 8. in the New/Edit Protocol Connection page:
- a. select TCP in the Protocol type: drop-down
- b. select Outbound in the Direction: drop-down
- c. enter 8530 in the Port Range From: and To: boxes
Figure 4 Custom protocol details
- d. click OK to close the New/Edit Protocol Connection page
- 9. in the Primary Connections Information page, verify that the summary agrees with the data in 8.a through 8.c and click Next
- 10. in the Secondary Connections Information page, leave the defaults and click Next
- 11. in the Completing the New Protocol Definition Wizard page, verify that the summary agrees with the figure below and click Finish
Figure 5 Protocol summary
- 12. in the Add Protocols page
- a. expand User-Defined
- b. select WSUS Client
- c. click OK, then Close
- 13. in the Protocols page, click Next
- 14. In the Access Rule Sources page, click Add
- 15. In the Add Network Entities page
- a. Expand Networks
- b. Select Local Host
- c. click Add, then Close
- 16. In the Access Rule Sources page, click Next
- 17. In the Access Rule Destinations page, click Add
- 18. In the Add Network Entities page, Click New, then Computer
- 19. In the New Computer Rule Element page
- a. Enter WSUS Server in the Name field
- b. In the Computer IP address: field, enter the IP address of your WSUS server
Figure 6 WSUS server IP address
- c. click OK
- 20. In the Add Network Entities page
- a. expand Computers
- b. select WSUS Server
- c. click Add, then Close
- 21. In the Access Rule Destinations page, click Next
- 22. In the User Sets page, click Next
- 23. In the Completing the New Access Rule Wizard page, click Finish
- 24. When prompted in the center pane, click Apply to save the changes
- 25. In the Configuration Change Description page
- a. enter any comments that you like
- b. click Apply again
- 26. In the Saving Configuration Changes page, click OK
Figure 7 Custom WSUS policy
Thanks a lot for this documentation, this worked like a charm.