Create a Post
Showing results for 
Search instead for 
Did you mean: 

Windows Update Services on Server 2016 are being blocked by HTTPS inspection

Windows Server 2016 update services reporting "We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, make sure you're connected to the Internet."

HTTPS cert from the R80.10 T_70 gateway was installed on the server and HTTPS sites were accessible with certificate substitution properly reported.

Option "Bypass HTTPS inspection of all traffic to all known software update services is checked.

Adding manual bypass rule for the source host's traffic in HTTPS Inspection rules did not help.

After spending an ungodly amount of time looking into Microsoft's side of things, I've decided to look into Checkpoint.

The findings are:

1. Windows Update fails through Security Gateway with enabled HTTPS Inspection 

2. Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled 

With changes described in the above SKs made, still getting same error.

Implemented HTTPS Inspection Enhancements in R77.30 and above , Section:

Improvements in HTTPS Inspection Bypass mechanism - Probe Bypass

Not really a good option, as:

  • HTTPS Inspection will not work for sites that require SNI extension in the SSL "Client hello" packet.

Still experiencing errors.

Disabling HTTPS inspection on the gateway completely allows Windows Update to work.

2 Replies

Hi Vladimir,

You need to write bypass for the following sites for windows updates as a result of checking the https inspection i have done on checkpoint firewall.



Thank you!

I am a bit surprised that these URLs are not updates automatically, as it states they should have:

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events