Issue with Windows Insider Updates when using SSL Decrypt

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Issue with Windows Insider Updates when using SSL Decrypt

L2 Linker

PAN-OS 8.0.x

We have users not receiving updates for Windows Insider Program builds when SSL decryption is enabled.  

 

Does anyone know what changes need to be made to make this work?  I've solved a few other SSL decryption issues where decrypt-exceptions needed to be added or the CA imported as a trusted CA in the PA, but so far I have been unable to identify what needs to be done for this.  I've seen decrypt-error and decrypt-cert-validation coming from this PC around the time of an update check so I know a cert probably needs to be added to the PA but have not yet been able to identify which one. 

 

I temporarily used a decrypt profile that does not verify the CA but that alone did not fix it so we'll likely also need to add some exceptions as well.  This was for testing - I am not going to keep a decrypt profile that does not verify CA.

1 accepted solution

Accepted Solutions

I found this in another live community posting regarding Windows updates.  The exceptions were:

*.do.dsp.mp.microsoft.com

*.delivery.mp.microsoft.com

 

Once I added this, it started working.

View solution in original post

9 REPLIES 9

Cyber Elite
Cyber Elite

Hello,

I could be wrong, but I think it uses the same update sites?

 

https://technet.microsoft.com/en-us/library/bb693717.aspx

 

Hope this helps.

I don't know in great detail about how it works, but I suspect it probably works differently.  Normal windows downloads the updates - Insider updates download the build updates to upgrade to the next build.  I believe this is more like an image then an update package.

Just curious, but do you know if the normal Windows update sites need to have SSL decryption exceptions in order to work with PAN-OS 8.0?  

Hello,

All the URL's in that article should not be decrypted.

 

Regards,

@DMast,

It kind of sounds like you could be running into an instance that a lot of enterprises find themselves in, and I'm going to make some assumptions about your enviroment that may or may not be true.

1) You utilize WSUS/SCCM for the 'normal' endpoints to download their updates.

2) You don't run with SSL-Decryption either on your entire server VLAN or specifically for the WSUS/SCCM server.

3) These are the only users you have that require updates directly from Microsoft, as all others would update from the server.

 

Regardless of what the situation is, @OtakarKlier is right that you can't decrypt this traffic due to how the computer and Microsoft authenticate when pulling the updates from Microsoft's servers. I have multiple users utilizing the Insider program, myself included, and I didn't need to modify anything to get this to function correctly.

I am a little confused.  You said you didn't need to modify anything to get it working but you also said you can't decrypt this traffic.  Do you mean that you did needed to add to the no-decrypt URLs as per the article for the regular windows updates but after that you did not need to do anything else for windows insider updates?

 

You are right, we are early in the outgoing on 443 decryption so it is not yet widespread, and also most windows workstations and servers do get central updates.  We are on all Windows 10 if it makes a difference, I have read some things saying it might get updates differently or from a different place.  I was hoping I would not need to add decrypt exceptions for windows since some exist by default, but if needed I will add exceptions.

 

Thanks!

@DMast,

What I was trying to say is that I didn't need to modify anything for my users running Insider builds outside of the decryption exceptions that I've already put in place for other users to pull normal Windows Updates. As @OtakarKlier mentioned Updates require a few decryption exceptions for them to work properly. 

Thank you, I will give it a try and see what happens.

I found this in another live community posting regarding Windows updates.  The exceptions were:

*.do.dsp.mp.microsoft.com

*.delivery.mp.microsoft.com

 

Once I added this, it started working.

  • 1 accepted solution
  • 6068 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!