Vladimir Yakovlev

Windows Update Services on Server 2016 are being blocked by HTTPS inspection

Discussion created by Vladimir Yakovlev Champion on Mar 24, 2018
Latest reply on Mar 26, 2018 by Vladimir Yakovlev

Windows Server 2016 update services reporting "We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, make sure you're connected to the Internet."
HTTPS cert from the R80.10 T_70 gateway was installed on the server and HTTPS sites were accessible with certificate substitution properly reported.
Option "Bypass HTTPS inspection of all traffic to all known software update services" is checked.

Adding manual bypass rule for the source host's traffic in HTTPS Inspection rules did not help.
After spending an ungodly amount of time looking into Microsoft's side of things, I've decided to look into Check Point.

The findings are:

1. Windows Update fails through Security Gateway with enabled HTTPS Inspection 

2. Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled 
With changes described in the above SKs made, still getting same error.

Implemented HTTPS Inspection Enhancements in R77.30 and above, Section:

Improvements in HTTPS Inspection Bypass mechanism - Probe Bypass

Not really a good option, as:

  • HTTPS Inspection will not work for sites that require SNI extension in the SSL "Client hello" packet.
Still experiencing errors.
Disabling HTTPS inspection on the gateway completely allows Windows Update to work.
