WSUS & failed update downloads

[mlc9]

My WinXP clients have not been downloading updates from my WSUS server for some time now. Recently I gave up and configured a fresh Win2K3 server with WSUS 3.0 on it.

Update downloads to clients still continue to fail. When looking in the Windows Update log of multiple clients, I see error 80072efd all over the place.

Any help would be appreciated. Thanks

 

[TechyMcSe2k]

http://windowshelp.microsoft.com/Windows/en-us/help/93b6ab71-8b21-4b50-b40e-abb80eba29271033.mspx

 

[TechyMcSe2k]

or google

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rlz=1T4GGLG_en___US249&q=80072efd

 

[mlc9]

This continues to be frustrating, as most google searches for this error point to something in between client and server (ie: firewall, anti-virus, etc). My test scenarios include a fresh O/S install on Win2k3 on the server and fresh O/S install of WinXP on client. There is no firewall or proxy in between the two, and I purposely have not installed anti-virus on either in order to rule that out. From what I can read, Windows Firewall is pre-configured to allow Windows Updates through.

 

[mlc9]

I seem to have a breakthrough, and it appears to be Windows Firewall. I disabled the Windows Firewall/Internet Connection Sharing service on both the WSUS server and windows client, which effectively turned off the Windows firewall. I did this, b/c Group Policy has the firewall turned on.

Once I did this, my test client found updates and downloaded just fine. This tells me that Windows firewall is blocking something, which I imagine is the path back to the server (

http://wsus).

My question now is where do I build into Group Policy to allow for this, or any, path exceptions? I see where to define local program exceptions, but not external ones.

 

[Ceez]

We dont use the windows firewall on our XP clients or 2003 servers since we're using a cisco pix and i've never had problems with wsus and firewall.

I can tell you that the gpo settings to configure winupdates is under computer configuration-administrative templates-windows components-windows update. In there you can also specify the update service location, ie:

http://wsus:8530

 

[mlc9]

Yea, I have the correct service location set up, and the update logs always have confirmed and saw the correct path. The problem I guess has been getting to that path. Even when typing that path into Internet Explorer on a client, I'd get page can not be displayed. I guess Windows Firewall is/was somehow blocking it.

My question is how to allow my path (

http://wsus)

into the Windows Firewall group policy setting? I can go to GPO settings of Computer Configuration/Windows Components/Network/Network Connections/Windows Firewall/Domain Profile/Windows Firewall: Allow local program exceptions, but I am not sure if that is right. Even if it is the correct area, I am not sure of the syntax to use. Do I just put

http://wsus

in there?

 

[mlc9]

Update.....It seems that the Windows firewall does not matter on the client, but rather only the server. No matter what the client is set to, if Firewall is active on the server, it all fails. If it is turned off on the server, all is well.

Now, I just need help with what and how to open up on the server? Regulations say we MUST have Windows firewall activated on servers, so OFF is not an option.

 

[mlc9]

I believe the issue has now been fixed. Believe it or not, the issue was that Windows Firewall on the WSUS server was blocking port 80.

Thanks for the help of all.