e2guardian interfering with Windows Updates


ch...@inhcomputers.com

Mar 8, 2017, 8:54:08 PM3/8/17
to e2guardian
I've been dealing with this problem for several years, starting with DansGuardian and continuing with e2guardian. Several times per year, I spend many hours performing Google searches, trying to find a solution or any reports of other people having this issue. However, I have never seen any reports of this or similar issues, so it would seem that I am alone, but the consistent reproducibility of this issue makes that seem unlikely.

The problem is that Windows Updates do not work in Windows 7 or Windows XP when e2guardian is acting as a proxy (yes, I know that new updates are no longer being released for Windows XP, but I still need to install about 115 updates when I install Windows XP Mode on a new computer). I do not have any other versions of Windows on this network, so I do not know if other versions of Windows are affected.

For the web filter box, I have tried Slackware 13.37 with Squid 3.4.10, Slackware64 14.1 with Squid 3.4.10, and Ubuntu Server 16.04.1 LTS 64-bit with Squid 3.5.12. I have tried physical boxes and VMware Player virtual machines.

For the web filter software, I have tried DansGuardian 2.10.1.1, e2guardian 3.4.0.3, and e2guardian 3.5.0.

In all scenarios, e2guardian (and DansGuardian before it) interferes with Windows Updates, causing error 0x80072efd (and sometimes 0x80244019) to be recorded in WindowsUpdate.log and preventing Windows Updates from detecting any updates.

Normal Internet browsing is successful; Windows Updates is the only thing which seems to be having a problem.

My squid.conf file is the default file, with two changes:
always_direct allow all
cache_effective_user squid

My e2guardian.conf file is the default file, with three changes:
loglevel = 3
anonymizelogs = off
forwardedfor = on

My e2guardianf1.conf is the default file, with one change:
groupmode = 2

Squid is running as user squid and e2guardian is running as user nobody.

The e2guardian log file shows that the requests are "*TRUSTED*" (as are all requests, due to the "groupmode = 2" line), but somehow, it still causes a problem with Windows Updates. This issue occurs in normal filtering mode as well; for simplicity, I use group mode 2 only to show that the issue is not caused by a filtering rule.

Using Wireshark to capture the network traffic, I see that Windows Updates makes several sets of requests when attempting to detect updates. Each set of requests consists of a HEAD request followed by a GET request for the same file. The problem is that when the GET request is sent, there is a 120-second delay before the response is received, and the response is truncated (sometimes, the client PC doesn't even get the full set of response headers). The Squid log shows "TCP_MISS/200" for the successful HEAD requests and "TCP_MISS_ABORTED/200" for the truncated GET requests.

For the record, Windows Updates successfully detects and downloads updates when there is no proxy/filter (NAT only), when using an explicit Squid proxy, and when using a transparent Squid proxy (in which case, the squid.conf file contains line "http_port 3128 intercept"). Windows Updates receives errors only when using e2guardian as a proxy (as a transparent or explicit proxy).

Does anyone have Windows (specifically, Windows XP or Windows 7) successfully detecting and downloading Windows Updates when the traffic passes through e2guardian?
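
The Squid log symptom described in the post above (a HEAD logged TCP_MISS/200, then the GET for the same file logged TCP_MISS_ABORTED/200 after roughly 120 seconds) can be picked out of a native-format access.log mechanically. The script below is an added example, not code from the original post or from the e2guardian or Squid projects; the log lines, hosts and addresses in it are constructed, and the 60-second stall threshold is an arbitrary default.

```python
"""Scan a Squid native access.log for HEAD-then-GET pairs where the GET was
aborted or stalled, as reported for Windows Update behind e2guardian.

Added example, not part of the original post or of e2guardian/Squid.
SAMPLE_LOG is constructed; the hosts and addresses in it are made up."""
import re

# Squid native access.log fields:
#   time elapsed(ms) client action/code bytes method URL rfc931 hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_line(line):
    """Parse one native-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = float(e["ts"])
    e["elapsed"] = int(e["elapsed"])
    e["bytes"] = int(e["bytes"])
    return e


def find_stalled_gets(lines, stall_ms=60_000):
    """Return one finding per (client, URL) where a HEAD got a 200 and the GET
    that followed it was logged as *_ABORTED or took at least stall_ms.

    Squid writes a line when a transaction finishes, so a GET that hung for
    120 s appears after faster requests that started later; sort by start time
    (completion time minus elapsed) so the HEAD/GET pairing is by request order."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    entries.sort(key=lambda e: e["ts"] - e["elapsed"] / 1000.0)
    pending_head = {}
    findings = []
    for e in entries:
        key = (e["client"], e["url"])
        if e["method"] == "HEAD" and e["code"] == "200":
            pending_head[key] = e
        elif e["method"] == "GET" and key in pending_head:
            head = pending_head.pop(key)
            aborted = e["action"].endswith("_ABORTED")
            if aborted or e["elapsed"] >= stall_ms:
                findings.append({
                    "client": e["client"],
                    "url": e["url"],
                    "head_ms": head["elapsed"],
                    "get_ms": e["elapsed"],
                    "get_action": e["action"],
                    "get_bytes": e["bytes"],
                })
    return findings


# Constructed sample: one stalled/aborted Windows-Update-style pair, one plain
# GET with no HEAD, and one healthy HEAD/GET pair that must not be flagged.
SAMPLE_LOG = """\
1489000001.210      190 192.168.1.20 TCP_MISS/200 412 HEAD http://download.windowsupdate.test/v9/redir/wuredir.cab - HIER_DIRECT/203.0.113.10 application/octet-stream
1489000001.640      230 192.168.1.20 TCP_MISS/200 19870 GET http://www.example.test/index.html - HIER_DIRECT/203.0.113.20 text/html
1489000121.520   120210 192.168.1.20 TCP_MISS_ABORTED/200 1448 GET http://download.windowsupdate.test/v9/redir/wuredir.cab - HIER_DIRECT/203.0.113.10 application/octet-stream
1489000002.100      180 192.168.1.21 TCP_MISS/200 412 HEAD http://www.example.test/logo.png - HIER_DIRECT/203.0.113.20 image/png
1489000002.500      260 192.168.1.21 TCP_MISS/200 8123 GET http://www.example.test/logo.png - HIER_DIRECT/203.0.113.20 image/png
"""

if __name__ == "__main__":
    for f in find_stalled_gets(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} {f['url']}: HEAD {f['head_ms']} ms, "
              f"GET {f['get_action']} after {f['get_ms']} ms, {f['get_bytes']} bytes")
```

Run it against a real access.log with `find_stalled_gets(open("/var/log/squid/access.log").read().splitlines())`; a finding whose GET elapsed time sits near 120 000 ms with a small byte count is the truncated download the post describes, and the URLs it reports are the ones to try first in an exception list or a direct bypass.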

Renato C. Pacheco

Mar 9, 2017, 6:47:27 AM3/9/17
to e2guardian
Why don't you use WSUS instead of a proxy to download updates? It's so much easier!

My 2 cents...

--

Renato Carneiro Pacheco
Postgraduate in Computer Network Security
Graduate in Communication Networks

http://br.linkedin.com/pub/renato-pacheco/9/b1/5a8
https://www.facebook.com/renatocarneirop

Spike

Mar 9, 2017, 11:42:40 AM3/9/17
to Renato C. Pacheco, e2guardian
Chris,

I've seen that problem myself with Windows 7, but not all the time, not sure why. We've recently had some people bringing their laptops with Windows 10 and that does not have a problem as far as I can see, did many updates without issues. FWIW I've seen similar issues with Macs trying to do a remote recovery. In all those cases I temporarily put the box's IP in a whitelist at fw level to bypass E2G entirely. We primarily run Linux desktops so this isn't a huge problem, but with more Windows laptops coming in I will probably have to look at it myself.

@Renato, afaik WSUS requires a windows server, which we don't have or want to have given the situation.

best,

Spike

ch...@inhcomputers.com

Mar 9, 2017, 1:18:13 PM3/9/17
to e2guardian
On Thursday, March 9, 2017 at 6:47:27 AM UTC-5, Renato Pacheco wrote:
> Why don't you use WSUS instead proxy to download updates? It's so much easy!
>
> My 2 cents...

I'm only the outside IT person, so I have no authority to do anything on my own, and the company doesn't want the expense of additional hardware and maintenance of another server.

ch...@inhcomputers.com

Mar 9, 2017, 1:26:52 PM3/9/17
to e2guardian, ch...@inhcomputers.com
I should have stated this explicitly in my original post, but we are not using any authentication, and we are using only one filter group.

Chris Nighswonger

Mar 9, 2017, 2:31:19 PM3/9/17
to Chris Cloutier, e2guardian
On Thu, Mar 9, 2017 at 2:23 PM, Chris Cloutier <ch...@inhcomputers.com> wrote:
> Chris,
>
> The configuration from my post is not our production configuration. On our production server, we do have E2G filtering the content, both content filtering and URL filtering.
>
> I'm using "groupmode = 2" on my test server to ensure unfiltered access for testing, which illustrates that this problem is not caused by any filtering rules.


Thanks for the clarification.

I'm not sure what to suggest. The production box here runs configs for both servers that are significantly different from the defaults. I've never had issues with Windows updates on any flavor of the beast on this network.

Chris

tkcdac

Mar 17, 2017, 3:38:21 PM3/17/17
to e2guardian, ch...@inhcomputers.com
I put these in my exceptionsitelist

ch...@inhcomputers.com

Mar 17, 2017, 4:17:38 PM3/17/17
to e2guardian, ch...@inhcomputers.com
For testing purposes, I configured E2G with "groupmode = 2", which treats every request as an exception (confirmed by viewing the access.log file), and the problem still occurs.

It's possible that it's a Squid configuration issue, but all other web access appears to be okay (no problems with other websites).

I do not have HTTPS traffic filtered; only port 80 traffic is being filtered through E2G (I haven't yet gotten around to reading up on how to configure HTTPS filtering).

- Chris

flrn.c...@gmail.com

Apr 25, 2018, 8:24:14 PM4/25/18
to e2guardian
Have you tried the maxheaderlines parameter in e2guardian.conf?
https://github.com/e2guardian/e2guardian/wiki/Configuration

Setting this to 100 (instead of 40) allows me to work with Windows Update.
I don't really know if it is really useful. Only a wild guess.

But I still have a problem with Microsoft Security Essentials.

Regards,
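
Whether a header-line cap such as the maxheaderlines setting mentioned above could be what a given response trips over can be checked against a capture before changing the setting. The script below is an added example, not e2guardian's own header parser, and it makes a simplifying assumption: it counts the start line plus one line per header field, folding obsolete continuation lines (those beginning with a space or tab) into the preceding field. The sample response it builds is constructed; the limits 40 and 100 are the values quoted in the reply above.

```python
"""Count logical header lines in a captured HTTP message and report which
fields fall beyond a header-line cap such as e2guardian's maxheaderlines.

Added example, not e2guardian's own parser. Simplified model (assumption):
start line plus one line per header field, with obs-fold continuation lines
counted as part of the preceding field. The sample response is constructed."""


def split_head(raw: bytes) -> list:
    """Return the raw lines of the message head (start line + header fields)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("message has no end-of-headers marker (CRLF CRLF)")
    return head.split(b"\r\n")


def _is_continuation(line: bytes) -> bool:
    """Obsolete line folding: a line starting with SP or HTAB continues the previous field."""
    return line[:1] in (b" ", b"\t")


def count_header_lines(raw: bytes) -> int:
    """Logical header lines: the start line plus one per header field."""
    return sum(1 for ln in split_head(raw) if not _is_continuation(ln))


def header_lines_over(raw: bytes, limit: int) -> list:
    """Names of the header fields that fall beyond `limit` logical lines.

    The start line occupies line 1, so fields are over the cap from the
    limit-th field onward. Returns [] when the message fits within limit."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    fields = [ln for ln in split_head(raw)[1:] if not _is_continuation(ln)]
    return [ln.split(b":", 1)[0].decode("ascii", "replace") for ln in fields[limit - 1:]]


def build_response(n_custom: int, body: bytes = b"x" * 16) -> bytes:
    """Constructed HTTP/1.1 200 response with n_custom extra X-Sample-N headers."""
    headers = [
        b"HTTP/1.1 200 OK",
        b"Content-Type: application/octet-stream",
        b"Content-Length: " + str(len(body)).encode("ascii"),
        b"Connection: keep-alive",
    ]
    headers += [b"X-Sample-%d: value" % i for i in range(n_custom)]
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


if __name__ == "__main__":
    resp = build_response(45)  # 4 base lines + 45 custom fields = 49 logical lines
    print("logical header lines:", count_header_lines(resp))
    for limit in (40, 100):
        over = header_lines_over(resp, limit)
        print(f"limit {limit}: {'exceeded by ' + str(len(over)) + ' fields' if over else 'within limit'}")
```

To apply it to a real capture, feed `count_header_lines` the raw bytes of one response exported from Wireshark (Follow TCP Stream, raw) rather than the whole stream; a response whose count sits above 40 but below 100 is consistent with the reply above, while one that fits within 40 points elsewhere.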

FredB

Apr 26, 2018, 5:01:34 AM4/26/18
to e2gua...@googlegroups.com

> But i still have problem with MicrosoftSecurityEssentials

Nothing in syslog? In e2guardian's log?

