This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Milos_Stanojevi
Explorer
‎2019-10-24 04:41 AM

Problem with Windows Update R80.20

Hello,
we are having issues accessing Windows Update with HTTPs Inspection enabled (Check Point R80.20 ) and "Bypass HTTPS inspection of traffic to well-known software update services" option checked. We made a group with all the known Microsoft addresses:

The hosts are which also include some other Microsoft services:

ams15s32-in-f3\.1e100\.net
wdcp\.microsoft\.com
wns\.windows\.com
wdcpalt\.microsoft\.com
update\.microsoft\.com
download\.microsoft\.com
windowsupdate\.microsoft\.com
download\.windowsupdate\.com
wustat\.windows\.com
ntservicepack\.microsoft\.com
stats\.microsoft\.com
wns\.windows\.com
nexus\.officeapps\.live\.com
fe2\.update\.microsoft\.com
delivery\.mp\.microsoft\.com
vortex-win\.data\.microsoft\.com
cp601-prod\.do\.dsp\.mp\.microsoft\.com
geover-prod\.do\.dsp\.mp\.microsoft\.com
big\.telemetry\.microsoft\.com
ctldl\.windowsupdate\.com
audownload\.windowsupdate\.nsatc\.net
au\.download\.windowsupdate\.com\.hwcdn\.net
slscr\.update\.microsoft\.com
sfdataservice\.microsoft\.com
windowsupdate\.com
windows\.com
slscr\.update\.microsoft\.com
slscr\.update\.microosft\.com\.akadns\.net
v10\.events\.data\.microsoft\.com
v10\.event\.data\.microsoft\.com\.aria\.akadns\.net
onecollector\.cloudapp\.aria\.akadns\.net
fe2cr\.update\.microsoft\.com
fe2cr\.update\.microsoft\.com\.akadns\.net

and creating a bypass rule with all address. We did everything as in sk96125 - Windows Update fails through Security Gateway with enabled HTTPS Inspection.

And the update still doesn't work. When we turn off HTTPS inspection everything works fine.

 

Any advice ?

 

Thank you,

Miloš

 

 

 

0 Kudos
3 Replies
Nick_Doropoulos
Advisor
‎2019-10-24 07:54 AM

Hey Milos,

Your issue appears to be very similar to the one found here:

https://community.checkpoint.com/t5/General-Management-Topics/Windows-Update-Services-with-HTTPS-ins...

So, I think it's probably to do with the fact that Microsoft have changed their servers to support only ECDSA cipher suites which are not proposed by the firewall as default.

You might need to end up enabling ECDSA and update https_inspection_white_list.bin so contact Check Point TAC to get the solution.

I hope this helps.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2019-10-24 09:26 AM
In response to Nick_Doropoulos

Hi,

 

known issue just enable ECDSA will fix the problem.

 

Thanks,

Ilya 

0 Kudos
Milos_Stanojevi
Explorer
‎2019-10-24 11:07 PM
In response to Ilya_Yusupov

Thanks a lot . I'll try with enable ECDSA. 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events