We have users not receiving updates for Windows Insider Program builds when SSL decryption is enabled.
Does anyone know what changes need to be made to make this work? I've solved a few other SSL decryption issues where decrypt-exceptions needed to be added or the CA imported as a trusted CA in the PA, but so far I have been unable to identify what needs to be done for this. I've seen decrypt-error and decrypt-cert-validation coming from this PC around the time of an update check so I know a cert probably needs to be added to the PA but have not yet been able to identify which one.
I temporarily used a decrypt profile that does not verify the CA but that alone did not fix it so we'll likely also need to add some exceptions as well. This was for testing - I am not going to keep a decrypt profile that does not verify CA.
Solved! Go to Solution.
I could be wrong, but I think it uses the same update sites?
Hope this helps.
I don't know in great detail about how it works, but I suspect it probably works differently. Normal windows downloads the updates - Insider updates download the build updates to upgrade to the next build. I believe this is more like an image then an update package.
Just curious, but do you know if the normal Windows update sites need to have SSL decryption exceptions in order to work with PAN-OS 8.0?
It kind of sounds like you could be running into an instance that a lot of enterprises find themselves in, and I'm going to make some assumptions about your enviroment that may or may not be true.
1) You utilize WSUS/SCCM for the 'normal' endpoints to download their updates.
2) You don't run with SSL-Decryption either on your entire server VLAN or specifically for the WSUS/SCCM server.
3) These are the only users you have that require updates directly from Microsoft, as all others would update from the server.
Regardless of what the situation is, @Otakar.Klier is right that you can't decrypt this traffic due to how the computer and Microsoft authenticate when pulling the updates from Microsoft's servers. I have multiple users utilizing the Insider program, myself included, and I didn't need to modify anything to get this to function correctly.
I am a little confused. You said you didn't need to modify anything to get it working but you also said you can't decrypt this traffic. Do you mean that you did needed to add to the no-decrypt URLs as per the article for the regular windows updates but after that you did not need to do anything else for windows insider updates?
You are right, we are early in the outgoing on 443 decryption so it is not yet widespread, and also most windows workstations and servers do get central updates. We are on all Windows 10 if it makes a difference, I have read some things saying it might get updates differently or from a different place. I was hoping I would not need to add decrypt exceptions for windows since some exist by default, but if needed I will add exceptions.
What I was trying to say is that I didn't need to modify anything for my users running Insider builds outside of the decryption exceptions that I've already put in place for other users to pull normal Windows Updates. As @Otakar.Klier mentioned Updates require a few decryption exceptions for them to work properly.
I found this in another live community posting regarding Windows updates. The exceptions were:
Once I added this, it started working.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!