|
|
Has anyone experienced this error, following 2.0 - 3.0 upgrade?
WebException: The server committed a protocol violation.
Section=ResponseStatusLine
at System.Net.HttpWebRequest.GetRequestStream()
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters)
at
Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
at
Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
at
Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager
authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie
cookie, WebServiceCommunicationHelper webServiceHelper)
at
Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
at
Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)
Attaching to the update site using a proxy server.. no settings changed from
a working 2.0 install... so I'm rather lost!
Simon
|
|
|
|
Lawrence
Many thanks for your reply... yes, I did come across that in the release
notes, and I tried, but it didn't help.
We don't actually require authentication for access to our proxy server, so
I'm still a bit lost. We allow anonymous access.
WSUS is getting through to the proxy, as I can see it in the log files. In
my WSUS2 install, I never experienced a problem with synching... but it's
hard to tell lwhere it's breaking down.
Simon
"Lawrence Garvin (MVP)" wrote:
[Quoted Text] > "Simon P" <Simon P[ at ]discussions.microsoft.com> wrote in message > news:C57CCF30-2A8D-4F38-BFF9-6367BFF060E0[ at ]microsoft.com... > > Has anyone experienced this error, following 2.0 - 3.0 upgrade? > > Yep.. it's been experienced a lot! > > And it's documented in the Release Notes, too. :-) > > > > WebException: The server committed a protocol violation. > > > Attaching to the update site using a proxy server.. no settings changed > > from > > a working 2.0 install... so I'm rather lost! > > You need to re-enter your proxy server password on the Options | Update > Source and Proxy Server dialog, on the Proxy Server tab. > > -- > Lawrence Garvin, M.S., MCTS, MCP > Independent WSUS Evangelist > MVP-Software Distribution (2005-2007) > https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E> > Everything you need for WSUS is at > http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx> > And, almost everything else is at > http://wsusinfo.onsitechsolutions.com> ..... > > > |
|
"Simon P" <SimonP[ at ]discussions.microsoft.com> wrote in message
news:C3F6EA1E-C818-471D-B653-805FC666E2B1[ at ]microsoft.com...
[Quoted Text] > Many thanks for your reply... yes, I did come across that in the release
> notes, and I tried, but it didn't help.
Hmmm.. :-(
> We don't actually require authentication for access to our proxy server,
> so
> I'm still a bit lost. We allow anonymous access.
Well, then, if you allow anonymous access, there's no reason to even have a
username/password configured.
> WSUS is getting through to the proxy, as I can see it in the log files.
> In
> my WSUS2 install, I never experienced a problem with synching... but it's
> hard to tell lwhere it's breaking down.
My next best suggestion is to correlate the proxy logs with the WSUS
SoftwareDistribution log and see, first, if you can isolate the specific
cause or reason for the failure.
Also, check the Application Event Log. WSUS and BITS quite often log issues
there.
Also.... Which firewall product are you using?
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
Hi Lawrence
OK.. we may be getting closer to the issue.
I had our firewall (CheckPoint) guy open up a connection direct to the www
just allowing port 80, and avoiding the proxy server.
And we got synched! So it would appear for sure that the proxy server is an
issue, or at least going through it is.
It's a very very old box... running WinNT and running Microsoft Internet
Information Server 3.0 !! (not my idea... I hasten to add)
It could be that we have to end up having a firewall rule, just allowing
that server to connect to the websites (*.microsoft.com) through 80.. but
it's a bit clumsy.
It could well be that the proxy server doesn't like this newer version. As
I said, I'd run 2.0 without issues... and we have no restrictions on the
proxy server... http and https allowed.
Best regards
Simon
"Lawrence Garvin (MVP)" wrote:
[Quoted Text] > "Simon P" <SimonP[ at ]discussions.microsoft.com> wrote in message > news:C3F6EA1E-C818-471D-B653-805FC666E2B1[ at ]microsoft.com... > > > Many thanks for your reply... yes, I did come across that in the release > > notes, and I tried, but it didn't help. > > Hmmm.. :-( > > > We don't actually require authentication for access to our proxy server, > > so > > I'm still a bit lost. We allow anonymous access. > > Well, then, if you allow anonymous access, there's no reason to even have a > username/password configured. > > > > WSUS is getting through to the proxy, as I can see it in the log files. > > In > > my WSUS2 install, I never experienced a problem with synching... but it's > > hard to tell lwhere it's breaking down. > > My next best suggestion is to correlate the proxy logs with the WSUS > SoftwareDistribution log and see, first, if you can isolate the specific > cause or reason for the failure. > > Also, check the Application Event Log. WSUS and BITS quite often log issues > there. > > > Also.... Which firewall product are you using? > > -- > Lawrence Garvin, M.S., MCTS, MCP > Independent WSUS Evangelist > MVP-Software Distribution (2005-2007) > https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E> > Everything you need for WSUS is at > http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx> > And, almost everything else is at > http://wsusinfo.onsitechsolutions.com> ..... > > > |
|
"Simon P" <SimonP[ at ]discussions.microsoft.com> wrote in message
news:59627650-6DC0-4BD9-A63B-AABA6C49F736[ at ]microsoft.com...
[Quoted Text] > Hi Lawrence
>
> OK.. we may be getting closer to the issue.
>
> I had our firewall (CheckPoint) guy open up a connection direct to the www
> just allowing port 80, and avoiding the proxy server.
> And we got synched!
Well, that was a bloody miracle.. considering that synchronization only runs
on HTTPS, which requires access on port 443! :-)
> So it would appear for sure that the proxy server is an
> issue, or at least going through it is.
The proxy server needs to permit access for HTTP (port 80) -and- HTTPS (port
443), and most significantly, it needs to allow simultaneous connections to
be open from the same host to different destinations on those two ports.
> It's a very very old box... running WinNT and running Microsoft Internet
> Information Server 3.0 !! (not my idea... I hasten to add)
What's a very old box... the CheckPoint server? Well, there's likely to be
your second hurdle to overcome. I'll bet a fair wage that a CheckPoint
product runnign on Windows NT is highly unlikely to properly support the
HTTP v1.1 protocol specification, which you'll find is necessary to
faciliate download of content using Background Intelligent Transfer Service.
> It could be that we have to end up having a firewall rule, just allowing
> that server to connect to the websites (*.microsoft.com) through 80.. but
> it's a bit clumsy.
Why would you *not* think this would be a requirement??? How would you
expect the WSUS server to be able to access the Internet unless you created
an outbound access rule permitting that access? I'm very confused. Perhaps
you're trying to express something else than what I'm understanding?
> It could well be that the proxy server doesn't like this newer version.
> As
> I said, I'd run 2.0 without issues... and we have no restrictions on the
> proxy server... http and https allowed.
Huh? That statement directly contradicts what I just quoted you as saying in
the previous statement.
Do you have unrestricted outbound access on HTTP/HTTPS, or not? And, if so,
what 'firewall rule' did you create, and for what purpose?
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
Hi Lawrence
Yes, quite right... 1000 apologies, I've re-read that original post, and
it's not at all clear :o(
Here's our setup...
WSUS3 installed. No difference in set up to the WSUS2 install, which has
been working for comfortably over 2 years.
WSUS accesses the internet solely through our proxy server, which is an old
NT Server, running MIIS 3.0.
Synchronisation error has only occurred since changing to v3.. I remembered
reading the release notes about the proxy access account... but we allow
anonymous through it, so assumed that wouldn't be the problem.
After your suggestion that proxy was most likely the problem... I asked our
firewall guy to open up a specific rule for the WSUS server, by-passing the
proxy.. and I only asked for port 80 access (my mistake!).
However, he misheard me, and added the server to our proxy server rule,
which allows 80, 443 and 21.
This is naturally why worked... no miracle I'm afraid ;o)
FYI, CheckPoint is running on the stripped down version of Linux... and
wouldn't appear to be the issue, since we got a successful manual synch.
The reason I didn't want a specific rule for WSUS was because it had been
working under v2, using the proxy server... and as the firewall guy likes to
keep his baby neat and tidy... if it could work through the proxy, I know
he'd rather have that.
I'll bribe him.... !!
Apologies once again for drawing this out... if I'd taken the time to read
what I'd written.. I'd have thought I was a nutter! ;o)
Simon
"Lawrence Garvin (MVP)" wrote:
[Quoted Text] > "Simon P" <SimonP[ at ]discussions.microsoft.com> wrote in message > news:59627650-6DC0-4BD9-A63B-AABA6C49F736[ at ]microsoft.com... > > Hi Lawrence > > > > OK.. we may be getting closer to the issue. > > > > I had our firewall (CheckPoint) guy open up a connection direct to the www > > just allowing port 80, and avoiding the proxy server. > > And we got synched! > > Well, that was a bloody miracle.. considering that synchronization only runs > on HTTPS, which requires access on port 443! :-) > > > So it would appear for sure that the proxy server is an > > issue, or at least going through it is. > > > The proxy server needs to permit access for HTTP (port 80) -and- HTTPS (port > 443), and most significantly, it needs to allow simultaneous connections to > be open from the same host to different destinations on those two ports. > > > > It's a very very old box... running WinNT and running Microsoft Internet > > Information Server 3.0 !! (not my idea... I hasten to add) > > What's a very old box... the CheckPoint server? Well, there's likely to be > your second hurdle to overcome. I'll bet a fair wage that a CheckPoint > product runnign on Windows NT is highly unlikely to properly support the > HTTP v1.1 protocol specification, which you'll find is necessary to > faciliate download of content using Background Intelligent Transfer Service. > > > > It could be that we have to end up having a firewall rule, just allowing > > that server to connect to the websites (*.microsoft.com) through 80.. but > > it's a bit clumsy. > > Why would you *not* think this would be a requirement??? How would you > expect the WSUS server to be able to access the Internet unless you created > an outbound access rule permitting that access? I'm very confused. Perhaps > you're trying to express something else than what I'm understanding? > > > > It could well be that the proxy server doesn't like this newer version. > > As > > I said, I'd run 2.0 without issues... and we have no restrictions on the > > proxy server... http and https allowed. > > > Huh? That statement directly contradicts what I just quoted you as saying in > the previous statement. > > Do you have unrestricted outbound access on HTTP/HTTPS, or not? And, if so, > what 'firewall rule' did you create, and for what purpose? > > > > -- > Lawrence Garvin, M.S., MCTS, MCP > Independent WSUS Evangelist > MVP-Software Distribution (2005-2007) > https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E> > Everything you need for WSUS is at > http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx> > And, almost everything else is at > http://wsusinfo.onsitechsolutions.com> ..... > > > |
|
"Simon P" <SimonP[ at ]discussions.microsoft.com> wrote in message
news:AB1DDD5E-86F0-47CD-A1D4-FAE33A6FB871[ at ]microsoft.com...
[Quoted Text] > WSUS3 installed. No difference in set up to the WSUS2 install, which has
> been working for comfortably over 2 years.
> WSUS accesses the internet solely through our proxy server,
Side note: Does your organizational policy *require* that the WSUS Server
access the Internet through a Proxy Server? If not, I would *strongly*
recommend that you simply bypass the proxy server entirely === especially
if it's an ancient NT-based product, which is probably so full of unplugged
security holes that it's more risk to run with it, than without!
> which is an old NT Server, running MIIS 3.0.
Okay.. first problem.... IIS 3.0 doesn't have anything to do with your proxy
server.
Perhaps this machine is running Microsoft Proxy Server 2.0?
IIS 3.0 is a WEB server, not a PROXY server -- and a very bad one at that.
Windows NT Service Pack 4 NT Option Pack offered the upgrade to IIS 4.0.
It's free. Any Windows NT machine running IIS should absolutely be running
IIS4 -- but that's all irrelevant to the WSUS/Proxy question.
> Synchronisation error has only occurred since changing to v3.. I
> remembered
> reading the release notes about the proxy access account... but we allow
> anonymous through it, so assumed that wouldn't be the problem.
I agree. If you have no account name/password configured on the WSUS Server,
then that release note item is irrelevant.
> After your suggestion that proxy was most likely the problem... I asked
> our
> firewall guy to open up a specific rule for the WSUS server, by-passing
> the
> proxy.. and I only asked for port 80 access (my mistake!).
Aha!.... "Bypassing the Proxy!" :-)
You should *bypass* the proxy on both ports 80 and 443, and be done with it.
> However, he misheard me, and added the server to our proxy server rule,
> which allows 80, 443 and 21.
How kind of him. He gave you a lucky break.
> The reason I didn't want a specific rule for WSUS was because it had been
> working under v2, using the proxy server... and as the firewall guy likes
> to
> keep his baby neat and tidy... if it could work through the proxy, I know
> he'd rather have that.
Okay here's where I get ugly.... concerning your firewall guy running
Checkpoint on Linux... I can't believe for a millisecond that he has an
ounce of faith, or interest, in anything that has to do with a proxy server
running on Windows NT Server. Fact, is whether it's the proxy server, or the
firewall, *BOTH* are going to have to be able to permit *simultaneous*
connections from the WSUS Server on ports 80 and 443. However they do that
is their baliwick -- but it does have to happen.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
Hi Lawrence
You're correct on ... well, probably all points!
I currently have no influence whatsoever on out proxy setup.. our firewall
guy is also responsible for looking after that.
I took advice from him on what's installed on the proxy...
He tells me that he stops and starts the services via the Internet Services
Manager GUI... which is why he thought IIS3.0 was running it... because "it
shows in the programs list" ... !!
Unfortunately, I've got no way of accessing the server to see what's on it
to confirm.. I have no access to our DMZ at all!
Personally, what I want.. is a nice shiny Win2008 server, with ISA 2006 on
it... !!! :o) I've been making recommendations for ISA since 2004.. without
success.
Anywayyyy... bottom line is... I've now got a route through the firewall,
avoiding the proxy... as per suggestion :o)
Job done... synching successfully.
Can I thank very much for your assistance..
Best regards
Simon
PS and PPS .. Here's hoping for ISA 2006! And yes... firewall man thinks
Windows is awful!
"Lawrence Garvin (MVP)" wrote:
[Quoted Text] > "Simon P" <SimonP[ at ]discussions.microsoft.com> wrote in message > news:AB1DDD5E-86F0-47CD-A1D4-FAE33A6FB871[ at ]microsoft.com... > > > WSUS3 installed. No difference in set up to the WSUS2 install, which has > > been working for comfortably over 2 years. > > > WSUS accesses the internet solely through our proxy server, > > Side note: Does your organizational policy *require* that the WSUS Server > access the Internet through a Proxy Server? If not, I would *strongly* > recommend that you simply bypass the proxy server entirely === especially > if it's an ancient NT-based product, which is probably so full of unplugged > security holes that it's more risk to run with it, than without! > > > which is an old NT Server, running MIIS 3.0. > > Okay.. first problem.... IIS 3.0 doesn't have anything to do with your proxy > server. > > Perhaps this machine is running Microsoft Proxy Server 2.0? > > IIS 3.0 is a WEB server, not a PROXY server -- and a very bad one at that. > Windows NT Service Pack 4 NT Option Pack offered the upgrade to IIS 4.0. > It's free. Any Windows NT machine running IIS should absolutely be running > IIS4 -- but that's all irrelevant to the WSUS/Proxy question. > > > > Synchronisation error has only occurred since changing to v3.. I > > remembered > > reading the release notes about the proxy access account... but we allow > > anonymous through it, so assumed that wouldn't be the problem. > > I agree. If you have no account name/password configured on the WSUS Server, > then that release note item is irrelevant. > > > > After your suggestion that proxy was most likely the problem... I asked > > our > > firewall guy to open up a specific rule for the WSUS server, by-passing > > the > > proxy.. and I only asked for port 80 access (my mistake!). > > > Aha!.... "Bypassing the Proxy!" :-) > > You should *bypass* the proxy on both ports 80 and 443, and be done with it. > > > > However, he misheard me, and added the server to our proxy server rule, > > which allows 80, 443 and 21. > > How kind of him. He gave you a lucky break. > > > > The reason I didn't want a specific rule for WSUS was because it had been > > working under v2, using the proxy server... and as the firewall guy likes > > to > > keep his baby neat and tidy... if it could work through the proxy, I know > > he'd rather have that. > > Okay here's where I get ugly.... concerning your firewall guy running > Checkpoint on Linux... I can't believe for a millisecond that he has an > ounce of faith, or interest, in anything that has to do with a proxy server > running on Windows NT Server. Fact, is whether it's the proxy server, or the > firewall, *BOTH* are going to have to be able to permit *simultaneous* > connections from the WSUS Server on ports 80 and 443. However they do that > is their baliwick -- but it does have to happen. > > > > > > -- > Lawrence Garvin, M.S., MCTS, MCP > Independent WSUS Evangelist > MVP-Software Distribution (2005-2007) > https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E> > Everything you need for WSUS is at > http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx> > And, almost everything else is at > http://wsusinfo.onsitechsolutions.com> ..... > > > > > |
|
|