This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2018-03-24 10:55 AM

Windows Update Services on Server 2016 are being blocked by HTTPS inspection

Windows Server 2016 update services reporting "We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, make sure you're connected to the Internet."

HTTPS cert from the R80.10 T_70 gateway was installed on the server and HTTPS sites were accessible with certificate substitution properly reported.

Option "Bypass HTTPS inspection of all traffic to all known software update services is checked.

Adding manual bypass rule for the source host's traffic in HTTPS Inspection rules did not help.

After spending an ungodly amount of time looking into Microsoft's side of things, I've decided to look into Checkpoint.

The findings are:

1. Windows Update fails through Security Gateway with enabled HTTPS Inspection 

2. Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled 

With changes described in the above SKs made, still getting same error.

Implemented HTTPS Inspection Enhancements in R77.30 and above , Section:

Improvements in HTTPS Inspection Bypass mechanism - Probe Bypass

Not really a good option, as:

  • HTTPS Inspection will not work for sites that require SNI extension in the SSL "Client hello" packet.

Still experiencing errors.

Disabling HTTPS inspection on the gateway completely allows Windows Update to work.

2 Replies
Korkut_Ozcan
Explorer
‎2018-03-26 01:11 AM

Hi Vladimir,

You need to write bypass for the following sites for windows updates as a result of checking the https inspection i have done on checkpoint firewall.

nexus.officeapps.live.com
fe2.update.microsoft.com
delivery.mp.microsoft.com
vortex-win.data.microsoft.com
cp601-prod.do.dsp.mp.microsoft.com
geover-prod.do.dsp.mp.microsoft.com
big.telemetry.microsoft.com

Korkut

Vladimir
Champion
Champion
‎2018-03-26 05:30 AM
In response to Korkut_Ozcan

Thank you!

I am a bit surprised that these URLs are not updates automatically, as it states they should have:

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events