MS Windows Store Download Troubles

L2 Linker

Dear Community,

I'm looking for the best practice to allow users to download apps from the MS Windows Store. But sometimes the download is successful and sometimes I get an error.

Why? 

No decryption on which IP or URL?

Which apps do I need to allow - ms-store and others?

I hope you can help me

cu

Wolfgang

L3 Networker

If this is only happening over the VPN then this is a known issue and is also a Microsoft issue that impacts any and all/other VPN clients. This is fixable with some GPO changes, we made these changes (did not require a reboot) and everything worked with the app store 100% of the time immediately.

I do not have the original post link that I found the fix on but I *think* this is the same fix here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNL5CAO

Cyber Elite

@w.naderer,

If this is not over the VPN and you are not doing decryption all of this traffic is going to be primarily identified as ms-store, which works with or without encryption. 

If this is while you are connected to GlobalProtect then @shawnhafen is 100% correct and you'll want to make the Group Policy changes described in the KB article so that this starts functioning correctly again.

L2 Linker

Hi BPry and shawnhafen,

Thanks, but that's not my question/solution. I also had troubles with downloads/updates over the normal LAN. Sometimes I can download apps.

I think the problem is the Palo settings - no decryption, apps - but which one?

I hope you understand me correctly and have other ideas?!

Thx

cu

Wuff

Cyber Elite

@w.naderer,

If it's happening even on the LAN connection it's more than likely a security rulebase problem.

First and foremost make sure that you have logging enabled on your interzone-default policy, or are otherwise capturing denied traffic to the untrust (internet) interface. By default you won't have logs for this, and if you aren't allowing required traffic you may not have the associated threat logs to look at. Store traffic should be getting identified as ms-store and ssl. 

You mention no decryption but I'm unsure exactly what you mean on this. Are you not performing decryption on traffic at all, or are you wondering what URLs should be set to not decrypt? By default, the firewall already has most of what you will need present in the ssl decryption exclusions automatically. 

The following URLs can also be excluded for decryption to prevent any store related issues:

  • login.live.com
  • account.live.com
  • clientconfig.passport.net
  • wustat.windows.com
  • *.windowsupdate.com
  • *.wns.windows.com
  • *.microsoft.com
  • *.s-microsoft.com
  • msftconnecttest.com
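The exclusion list above mixes exact hostnames with `*.` wildcards, and an easy mistake is to assume a wildcard entry also covers the bare domain (or that a bare entry covers its subdomains). The following script is an added example, not code from the thread or from Palo Alto Networks; it models the matching as an assumption (`*.x` matches any subdomain of `x` but not `x` itself, a bare entry matches only that exact host) and runs a constructed set of Store-related hostnames through the list to show which ones would still be decrypted.

```python
"""Check which hostnames the reply's no-decrypt list actually covers."""
from __future__ import annotations

# The decryption-exclusion entries listed in the reply above.
NO_DECRYPT_ENTRIES = [
    "login.live.com", "account.live.com", "clientconfig.passport.net",
    "wustat.windows.com", "*.windowsupdate.com", "*.wns.windows.com",
    "*.microsoft.com", "*.s-microsoft.com", "msftconnecttest.com",
]


def matches_entry(host: str, entry: str) -> bool:
    """Modelled semantics (assumption, not the firewall's exact matcher):
    '*.x' matches any subdomain of x but not x itself;
    a bare entry matches that exact host only."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("*."):
        suffix = entry[1:]  # e.g. ".windowsupdate.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def excluded_from_decryption(host: str, entries=NO_DECRYPT_ENTRIES) -> str | None:
    """Return the first entry that excludes the host, or None if it would be decrypted."""
    for entry in entries:
        if matches_entry(host, entry):
            return entry
    return None


# Constructed sample of SNI values as they might appear in a decryption log (not real data).
SAMPLE_HOSTS = [
    "storeedgefd.dsx.mp.microsoft.com", "login.live.com", "live.com",
    "dl.delivery.mp.microsoft.com", "client.wns.windows.com",
    "tlu.dl.delivery.mp.microsoft.com", "www.msftconnecttest.com",
    "microsoft.com", "example.org",
]


def still_decrypted(hosts=SAMPLE_HOSTS, entries=NO_DECRYPT_ENTRIES) -> list[str]:
    """Hosts no entry covers: the ones to look for in the decryption and threat logs."""
    return [h for h in hosts if excluded_from_decryption(h, entries) is None]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:40} -> {excluded_from_decryption(h) or 'DECRYPTED'}")
```

Under the modelled semantics `live.com`, `microsoft.com` and `www.msftconnecttest.com` fall outside the list, which is the kind of gap to confirm against the firewall's own log before adding entries.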
L2 Linker

Hi BPry,

Thanks for your Response

I allowed the apps ms-update and ms-store. I filled in the following URLs under SSL decryption exclusion:

[screenshot: 10-07-_2020_07-28-32.jpg]

I think it works..

Thank you

cu

Wolfgang
