topic Issue with Windows Insider Updates when using SSL Decrypt in General Topics

Issue with Windows Insider Updates when using SSL Decrypt

Demast — Fri, 11 May 2018 16:10:35 GMT

PAN-OS 8.0.x

We have users not receiving updates for Windows Insider Program builds when SSL decryption is enabled.

Does anyone know what changes need to be made to make this work? I've solved a few other SSL decryption issues where decrypt-exceptions needed to be added or the CA imported as a trusted CA in the PA, but so far I have been unable to identify what needs to be done for this. I've seen decrypt-error and decrypt-cert-validation coming from this PC around the time of an update check so I know a cert probably needs to be added to the PA but have not yet been able to identify which one.

I temporarily used a decrypt profile that does not verify the CA but that alone did not fix it so we'll likely also need to add some exceptions as well. This was for testing - I am not going to keep a decrypt profile that does not verify CA.

Re: Issue with Windows Insider Updates when using SSL Decrypt

OtakarKlier — Fri, 11 May 2018 16:16:13 GMT

Hello,

I could be wrong, but I think it uses the same update sites?

https://technet.microsoft.com/en-us/library/bb693717.aspx

Hope this helps.

Re: Issue with Windows Insider Updates when using SSL Decrypt

Demast — Fri, 11 May 2018 16:33:06 GMT

I don't know in great detail about how it works, but I suspect it probably works differently. Normal windows downloads the updates - Insider updates download the build updates to upgrade to the next build. I believe this is more like an image then an update package.

Re: Issue with Windows Insider Updates when using SSL Decrypt

Demast — Fri, 11 May 2018 18:52:28 GMT

Just curious, but do you know if the normal Windows update sites need to have SSL decryption exceptions in order to work with PAN-OS 8.0?

Re: Issue with Windows Insider Updates when using SSL Decrypt

OtakarKlier — Fri, 11 May 2018 18:54:06 GMT

Hello,

All the URL's in that article should not be decrypted.

Regards,

Re: Issue with Windows Insider Updates when using SSL Decrypt

BPry — Sun, 13 May 2018 02:35:45 GMT

@Demast,

It kind of sounds like you could be running into an instance that a lot of enterprises find themselves in, and I'm going to make some assumptions about your enviroment that may or may not be true.

1) You utilize WSUS/SCCM for the 'normal' endpoints to download their updates.

2) You don't run with SSL-Decryption either on your entire server VLAN or specifically for the WSUS/SCCM server.

3) These are the only users you have that require updates directly from Microsoft, as all others would update from the server.

Regardless of what the situation is, @OtakarKlier is right that you can't decrypt this traffic due to how the computer and Microsoft authenticate when pulling the updates from Microsoft's servers. I have multiple users utilizing the Insider program, myself included, and I didn't need to modify anything to get this to function correctly.

Re: Issue with Windows Insider Updates when using SSL Decrypt

Demast — Mon, 14 May 2018 14:20:09 GMT

I am a little confused. You said you didn't need to modify anything to get it working but you also said you can't decrypt this traffic. Do you mean that you did needed to add to the no-decrypt URLs as per the article for the regular windows updates but after that you did not need to do anything else for windows insider updates?

You are right, we are early in the outgoing on 443 decryption so it is not yet widespread, and also most windows workstations and servers do get central updates. We are on all Windows 10 if it makes a difference, I have read some things saying it might get updates differently or from a different place. I was hoping I would not need to add decrypt exceptions for windows since some exist by default, but if needed I will add exceptions.

Thanks!

Re: Issue with Windows Insider Updates when using SSL Decrypt

BPry — Mon, 14 May 2018 15:00:25 GMT

@Demast,

What I was trying to say is that I didn't need to modify anything for my users running Insider builds outside of the decryption exceptions that I've already put in place for other users to pull normal Windows Updates. As @OtakarKlier mentioned Updates require a few decryption exceptions for them to work properly.

Re: Issue with Windows Insider Updates when using SSL Decrypt

Demast — Mon, 14 May 2018 15:02:12 GMT

Thank you, I will give it a try and see what happens.

Re: Issue with Windows Insider Updates when using SSL Decrypt

Demast — Wed, 16 May 2018 19:13:49 GMT

I found this in another live community posting regarding Windows updates. The exceptions were:

*.do.dsp.mp.microsoft.com

*.delivery.mp.microsoft.com

Once I added this, it started working.