Milos_Stanojevi
Explorer

Problem with Windows Update R80.20

Hello,
we are having issues accessing Windows Update with HTTPS Inspection enabled (Check Point R80.20) and the "Bypass HTTPS inspection of traffic to well-known software update services" option checked. We made a group with all the known Microsoft addresses:

The hosts, which also include some other Microsoft services, are:

ams15s32-in-f3\.1e100\.net
wdcp\.microsoft\.com
wns\.windows\.com
wdcpalt\.microsoft\.com
update\.microsoft\.com
download\.microsoft\.com
windowsupdate\.microsoft\.com
download\.windowsupdate\.com
wustat\.windows\.com
ntservicepack\.microsoft\.com
stats\.microsoft\.com
wns\.windows\.com
nexus\.officeapps\.live\.com
fe2\.update\.microsoft\.com
delivery\.mp\.microsoft\.com
vortex-win\.data\.microsoft\.com
cp601-prod\.do\.dsp\.mp\.microsoft\.com
geover-prod\.do\.dsp\.mp\.microsoft\.com
big\.telemetry\.microsoft\.com
ctldl\.windowsupdate\.com
audownload\.windowsupdate\.nsatc\.net
au\.download\.windowsupdate\.com\.hwcdn\.net
slscr\.update\.microsoft\.com
sfdataservice\.microsoft\.com
windowsupdate\.com
windows\.com
slscr\.update\.microsoft\.com
slscr\.update\.microosft\.com\.akadns\.net
v10\.events\.data\.microsoft\.com
v10\.event\.data\.microsoft\.com\.aria\.akadns\.net
onecollector\.cloudapp\.aria\.akadns\.net
fe2cr\.update\.microsoft\.com
fe2cr\.update\.microsoft\.com\.akadns\.net

and created a bypass rule with all the addresses. We did everything as in sk96125 - Windows Update fails through Security Gateway with enabled HTTPS Inspection.

And the update still doesn't work. When we turn off HTTPS inspection, everything works fine.

Any advice?

Thank you,

Miloš
0 Kudos
3 Replies
Nick_Doropoulos
Advisor

Hey Milos,

Your issue appears to be very similar to the one found here:

https://community.checkpoint.com/t5/General-Management-Topics/Windows-Update-Services-with-HTTPS-ins...

So, I think it's probably to do with the fact that Microsoft have changed their servers to support only ECDSA cipher suites which are not proposed by the firewall as default.

You might end up needing to enable ECDSA and update https_inspection_white_list.bin, so contact Check Point TAC to get the solution.

I hope this helps.

0 Kudos
Ilya_Yusupov
Employee

Hi,

Known issue. Just enabling ECDSA will fix the problem.

Thanks,

Ilya 

0 Kudos
Milos_Stanojevi
Explorer

Thanks a lot. I'll try enabling ECDSA. 🙂

0 Kudos
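One way to check the ECDSA diagnosis given in the replies above, as an added example that is not part of the original thread and is not Check Point code: it offers a host only RSA-authenticated or only ECDSA-authenticated TLS 1.2 suites and reports which handshake succeeds. The function names are hypothetical, and it assumes the endpoint still negotiates TLS 1.2 and that the probe runs from a host whose path to the server is not itself HTTPS-inspected.

```python
import socket
import ssl
import sys


def make_ctx(auth):
    """Client context offering only TLS 1.2 suites that match the OpenSSL
    authentication selector `auth`: "aRSA" or "aECDSA"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # TLS 1.3 suite names do not encode the certificate type, so pin 1.2
    # (assumption: the endpoint still negotiates TLS 1.2).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(auth)
    # Only the handshake outcome matters here, not certificate trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def offered_auth(ctx):
    """Authentication types of the TLS 1.2 suites the context will offer."""
    return {c["auth"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def probe(host, auth, port=443, timeout=5.0):
    """Return the negotiated suite name, or None if the handshake fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with make_ctx(auth).wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def diagnose(rsa_suite, ecdsa_suite):
    """Classify the two probe() results for one host."""
    if ecdsa_suite and not rsa_suite:
        # A proxy that proposes no ECDSA suites cannot connect to this server.
        return "ecdsa-only"
    if rsa_suite and not ecdsa_suite:
        return "rsa-only"
    return "both" if rsa_suite else "unreachable"


if __name__ == "__main__":
    host = sys.argv[1]  # an update host from the bypass group
    print(host, diagnose(probe(host, "aRSA"), probe(host, "aECDSA")))
```

An "ecdsa-only" result for an update host matches the explanation in the replies: the gateway's own outbound handshake fails unless it proposes ECDSA suites.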
