Windows Update fails when Check Point HTTPS-inspection is enabled

In a freshly installed Windows Server 2016-environment, there was feedback that Windows Update failed when HTTPS-inspection was enabled. Even though “Bypass HTTPS inspection of traffic to well known software update services” was ticked off.

The servers was stuck with this error message:

Some update files aren’t signed correctly.
Error code: (0x800b0109)

In the tracker I could see that traffic to Microsoft were infact wrongly being subjected to inspection.

TL:DR

Windows Update Services are signed by a certificate not known to Check Point and the root and intermediate CA had to be manually added in my case.

Bypass addresses

There was a suggestion on Check Point Check Mates, that one should manually add bypass-entries for the following list of addresses.
nexus.officeapps.live.com
fe2.update.microsoft.com
delivery.mp.microsoft.com
vortex-win.data.microsoft.com
cp601-prod.do.dsp.mp.microsoft.com
geover-prod.do.dsp.mp.microsoft.com
big.telemetry.microsoft.com

I did not try to add these addresses, as I wanted to see if I could find some other solution.

Missing Trusted CA

I followed Check Points article Windows Update fails through Security Gateway with enabled HTTPS Inspection (sk96125) which lead me to test fe2.update.microsoft.com using Qualys SSL Labs test.
And there I saw that the certificates of the sites the server was trying to access, wasn’t signed by a widespread CA.
Check Point for one, does not know of this CA.


 http://www.microsoft.com/pkiops/certs/Microsoft%20Update%20Secure%20Server%20CA%202.1.crt

Use IP Bypass

According to Check Points article Bypass by URL in HTTPS Inspection does not work when the site certificate is invalid (sk122158), you are left with “IP Bypass” as your option if the certificate is invalid.
Sounds very much like the suggestion posted on Check Mates.

By design HTTPS Inspection according to URL needs to validate the certificate to determine the match for rule, if it’s not matched because the certificate can’t be validated, the https cleanup rule will match the traffic.

Solution
If the site certificate cannot be validated, use IP bypass

Add Windows Update Services-CA to trusted CA store

What I did instead though, was adding the newly discovered CA-certs to the trusted CA-store of Check Point and hey presto – Bypass worked like a charm and the servers were able to update themselves. :)

Added certificates

5.00 avg. rating (99% score) - 4 votes

Leave a Reply

Your email address will not be published. Required fields are marked *