Group:  English: Windows Server » microsoft.public.windows.server.update_services
Thread: WSUS 3.0 IP addresses are incorrect

WSUS 3.0 IP addresses are incorrect
Chris Callison 7/2/2007 4:14:02 PM
I just recently upgraded my WSUS 2.0 to WSUS 3.0 using the update package
from WSUS.

All servers are using GPO-enforced settings that connect to the server by
its NetBIOS name. The workstations are connecting by an externally available
IP address, published through our ISA 2004 server so that they can connect
without having to use VPN.

All of the reported servers and workstations are showing the IP address of
the proxy server that they use to connect to the server.

Any ideas on how to fix this? Does the WSUS server not detect a proxy
session?

Re: WSUS 3.0 IP addresses are incorrect
"Lawrence Garvin (MVP)" <onsitech[ at ]community.nospam> 7/2/2007 5:05:49 PM

"Chris Callison" <ChrisCallison[ at ]discussions.microsoft.com> wrote in message
news:9008531C-3C19-4BB5-90D9-AA240B41D707[ at ]microsoft.com...
>I just recently upgraded my WSUS 2.0 to WSUS 3.0 using the update package
> from WSUS.
>
> All servers are using GPO-enforced settings that connect to the server by
> its NetBIOS name.

I'll save this soapbox for another time.... but suffice it to say (again)
that NetBIOS has nothing to do with this process.

When you configure http://hostname in a URL, the application doing the
hostname lookup to obtain an =IPAddress= automatically appends the Default
Domain Suffix to that string (and any other connection-specific or
search-specified domain suffixes), and does a lookup on the name
'hostname.yourdomain'.


> The workstations are connecting by an externally available
> IP address, published through our ISA 2004 server so that they can connect
> without having to use VPN.


Aside from being a violation of the WSUS license by making the WSUS server
"publicly available", it's also a security hole the size of a meteor.


> All of the reported servers and workstations are showing the IP address of
> the proxy server that they use to connect to the server.

Yep.... because, most likely, you've configured the ISA server not to
provide the internal web server with the =actual= IP Address of the
requesting client.


> Any ideas on how to fix this? Does the WSUS server not detect a proxy
> session?

Aside from your unorthodox avoidance of VPN connectivity, and unlicensed
publication of the WSUS server to the Internet, this is exclusively an ISA
2004 configuration error.

On the web publishing rule dialog, on the TO tab... in the section "Proxy
requests to published server", you've selected the option "Requests appear
to come from the ISA Server computer". The correct option in this scenario
is "Requests appear to come from the original client".


--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....


Re: WSUS 3.0 IP addresses are incorrect
Chris Callison 7/3/2007 2:30:01 AM
That doesn't explain why the servers that are connected to WSUS by
"http:\WSUSServerName" are showing up in the database with the ISA server as
their IP address. All ISA servers have been configured to bypass the
firewall for local traffic, both in the firewall client and the web browser
configuration.

"Lawrence Garvin (MVP)" wrote:

>
> "Chris Callison" <ChrisCallison[ at ]discussions.microsoft.com> wrote in message
> news:9008531C-3C19-4BB5-90D9-AA240B41D707[ at ]microsoft.com...
> >I just recently upgraded my WSUS 2.0 to WSUS 3.0 using the update package
> > from WSUS.
> >
> > All servers are using GPO-enforced settings that connect to the server by
> > its NetBIOS name.
>
> I'll save this soapbox for another time.... but suffice it to say (again)
> that NetBIOS has nothing to do with this process.
>
> When you configure http://hostname in a URL, the application doing the
> hostname lookup to obtain an =IPAddress= automatically appends the Default
> Domain Suffix to that string (and any other connection-specific or
> search-specified domain suffixes), and does a lookup on the name
> 'hostname.yourdomain'.
>
>
> > The workstations are connecting by an externally available
> > IP address, published through our ISA 2004 server so that they can connect
> > without having to use VPN.
>
>
> Aside from being a violation of the WSUS license by making the WSUS server
> "publicly available", it's also a security hole the size of a meteor.
>
>
> > All of the reported servers and workstations are showing the IP address of
> > the proxy server that they use to connect to the server.
>
> Yep.... because, most likely, you've configured the ISA server not to
> provide the internal web server with the =actual= IP Address of the
> requesting client.
>
>
> > Any ideas on how to fix this? Does the WSUS server not detect a proxy
> > session?
>
> Aside from your unorthodox avoidance of VPN connectivity, and unlicensed
> publication of the WSUS server to the Internet, this is exclusively an ISA
> 2004 configuration error.
>
> On the web publishing rule dialog, on the TO tab... in the section "Proxy
> requests to published server", you've selected the option "Requests appear
> to come from the ISA Server computer". The correct option in this scenario
> is "Requests appear to come from the original client".
>
>
> --
> Lawrence Garvin, M.S., MCTS, MCP
> Independent WSUS Evangelist
> MVP-Software Distribution (2005-2007)
> https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
>
> Everything you need for WSUS is at
> http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
>
> And, almost everything else is at
> http://wsusinfo.onsitechsolutions.com
> .....
>
>
>

Re: WSUS 3.0 IP addresses are incorrect
Harry Johnston <harry[ at ]scms.waikato.ac.nz> 7/3/2007 3:05:08 AM
Chris Callison wrote:

> That doesn't explain why the servers that are connected to WSUS by
> "http:\WSUSServerName" are showing up in the database with the ISA server as
> their IP address.

Yes, it does. Please read Lawrence's post again; he already explained this.

Specifically, from Lawrence's post:

>> Aside from your unorthodox avoidance of VPN connectivity, and unlicensed
>> publication of the WSUS server to the Internet, this is exclusively an ISA
>> 2004 configuration error.
>>
>> On the web publishing rule dialog, on the TO tab... in the section "Proxy
>> requests to published server", you've selected the option "Requests appear
>> to come from the ISA Server computer". The correct option in this scenario
>> is "Requests appear to come from the original client".

The ISA server is hiding the client's IP addresses because it has been
configured to do so. Change this setting and this particular problem should go
away.

Harry.
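
Added example, not part of any post in this thread: when the proxy answers on behalf of the clients, the symptom is many distinct computers recorded with one and the same address. The Python code below finds such addresses in a name/IP listing of the WSUS computer records; the CSV layout, column names and every sample value are constructed for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample: computer name and the IP address WSUS recorded for it.
# The column names and every value are made up for this example.
SAMPLE_EXPORT = """\
Name,IPAddress
srv-file01.corp.example,192.0.2.10
srv-sql01.corp.example,192.0.2.10
ws-0141.corp.example,192.0.2.10
ws-0207.corp.example,192.0.2.10
srv-dc01.corp.example,10.20.0.5
ws-0311.corp.example,10.20.4.77
"""


def load_records(text):
    """Return (name, ip) pairs, dropping rows whose address does not parse."""
    records = []
    for row in csv.DictReader(text.splitlines()):
        try:
            ip = ipaddress.ip_address((row.get("IPAddress") or "").strip())
        except ValueError:
            continue  # blank or malformed address: nothing to attribute
        records.append(((row.get("Name") or "").strip().lower(), ip))
    return records


def shared_addresses(records, min_hosts=3):
    """Map each address recorded for >= min_hosts distinct computers to their names."""
    by_ip = defaultdict(set)
    for name, ip in records:
        by_ip[ip].add(name)
    return {str(ip): sorted(names)
            for ip, names in by_ip.items() if len(names) >= min_hosts}


def masked_fraction(records, min_hosts=3):
    """Fraction of computers whose recorded address is a shared one."""
    shared = shared_addresses(records, min_hosts)
    masked = {n for names in shared.values() for n in names}
    total = {name for name, _ in records}
    return len(masked) / len(total) if total else 0.0


if __name__ == "__main__":
    recs = load_records(SAMPLE_EXPORT)
    print(shared_addresses(recs), f"{masked_fraction(recs):.0%} masked")
```

An address that collects most of the fleet is the proxy's own; once clients are recorded with their real addresses, the result for the same listing should be empty.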

Re: WSUS 3.0 IP addresses are incorrect
"Lawrence Garvin (MVP)" <onsitech[ at ]community.nospam> 7/3/2007 3:28:04 PM
"Chris Callison" <ChrisCallison[ at ]discussions.microsoft.com> wrote in message
news:7F5B72DA-D66A-477B-9533-8982E620B776[ at ]microsoft.com...
> That doesn't explain why the servers that are connected to WSUS by
> "http:\WSUSServerName" are showing up in the database with the ISA server
> as their IP address.

It might... it might not.

(btw... the correct format of the url is http://WSUSServerName -- make
sure you have the slashes in the correct orientation)

If the *only* configured address for the WSUS Server is the IP Address on
the *external* interface, then your internal servers will access that
resource just like it's a web server on the Internet -- the only difference
is you've got a boatload of traffic going through your ISA Server that
doesn't need to be there. And, the ISA Server is answering for those
internal servers.


> All ISA servers have been configured to bypass the
> firewall for local traffic, both in the firewall client and the web
> browser configuration.


Huh???????

The ISA Server =IS= the firewall!!

And, as for "local traffic" none of it should even be touching the ISA
Server -- which, btw, last I checked on mine, has no provisions for
"bypassing local traffic".

Perhaps... just perhaps.... you're a bit confused between the firewall
functionality of ISA server and the PROXY functionality of ISA server -- and
what you meant to write was: "All clients have been configured to bypass the
ISA proxy server for local traffic.."?

Either way, though, if the =IP ADDRESS= of the WSUS Server is only
accessible via DNS on a =public= address, then that's what's causing the
problem, and your proxy client configuration to bypass the proxy for
internal addresses is irrelevant, because the WSUS server isn't being
accessed on an internal address.



--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E

Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx

And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....

