In a freshly installed Windows Server 2016 environment, there was feedback that Windows Update failed when HTTPS Inspection was enabled, even though “Bypass HTTPS inspection of traffic to well known software update services” was ticked.
The servers were stuck with this error message:
Some update files aren’t signed correctly.
Error code: (0x800b0109)
In the tracker I could see that traffic to Microsoft was in fact wrongly being subjected to inspection.
Windows Update Services are signed by a certificate not known to Check Point, and the root and intermediate CA had to be added manually in my case.
There was a suggestion on Check Point CheckMates that one should manually add bypass entries for the following list of addresses.
I did not try to add these addresses, as I wanted to see if I could find another solution.
Missing Trusted CA
I followed Check Point's article “Windows Update fails through Security Gateway with enabled HTTPS Inspection” (sk96125), which led me to test fe2.update.microsoft.com with the Qualys SSL Labs test.
There I saw that the certificates of the sites the server was trying to access weren't signed by a widespread CA.
Check Point, for one, does not know of this CA.
Use IP Bypass
According to Check Point's article “Bypass by URL in HTTPS Inspection does not work when the site certificate is invalid” (sk122158), you are left with “IP Bypass” as your option if the certificate is invalid.
That sounds very much like the suggestion posted on CheckMates.
By design, HTTPS Inspection by URL needs to validate the certificate to determine the rule match; if the certificate cannot be validated and no rule matches, the HTTPS cleanup rule will match the traffic.
If the site certificate cannot be validated, use IP bypass
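To make that failure mode concrete, here is an added example (my own illustration, not code from Check Point or from the SK articles) that parses the certificate chain printed by `openssl s_client -showcerts`, checks whether it chains to a root present in the inspecting gateway's trusted CA store, and maps the result onto the two options above: URL bypass works only when the chain validates, otherwise import the missing CA or fall back to IP bypass. The sample chain, the issuer names and the trust-store contents are constructed placeholders, not the real Windows Update CAs.

```python
"""Check whether a server's TLS chain terminates in a root the gateway trusts.

Added example for this post, not Check Point's own tooling. It reads the
"Certificate chain" block that `openssl s_client -showcerts` prints (real
format), but the sample chain and trust-store contents below are
constructed for the demonstration; the issuer names are placeholders.
"""
import re
from dataclasses import dataclass

# Constructed sample of `openssl s_client -connect host:443 -showcerts`
# output, trimmed to what this script needs. Issuer names are placeholders.
SAMPLE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = fe2.update.microsoft.com
   i:C = US, O = Example Corp, CN = Example Update Issuing CA 01
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
 1 s:C = US, O = Example Corp, CN = Example Update Issuing CA 01
   i:C = US, O = Example Corp, CN = Example Root CA 2011
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
---
"""

# Constructed stand-in for the gateway's trusted CA store (subject names only).
GATEWAY_TRUSTED_ROOTS = {"CN = Unrelated Public Root CA"}


@dataclass(frozen=True)
class ChainEntry:
    depth: int
    subject: str
    issuer: str


_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(text):
    """Extract (depth, subject, issuer) entries from the 'Certificate chain' block.
    In openssl output every ' N s:' line is followed by an '   i:' line."""
    lines = text.splitlines()
    entries = []
    for n, line in enumerate(lines):
        m = _SUBJECT_RE.match(line)
        if not m or n + 1 >= len(lines):
            continue
        im = _ISSUER_RE.match(lines[n + 1])
        if im:
            entries.append(ChainEntry(int(m.group(1)), m.group(2).strip(), im.group(1).strip()))
    return sorted(entries, key=lambda e: e.depth)


def check_chain(chain, trusted_roots):
    """Decide whether a gateway that trusts only `trusted_roots` (subject strings)
    can validate the chain the server sent.

    Returns (valid, missing_root): missing_root is the subject of the CA that
    would have to be imported into the trusted CA store, or None."""
    if not chain:
        return False, None
    # Each certificate must be issued by the next one up the chain.
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return False, lower.issuer  # the server sent a broken chain
    # The chain validates as soon as any issuer is a trusted anchor.
    for entry in chain:
        if entry.issuer in trusted_roots:
            return True, None
    return False, chain[-1].issuer


def bypass_advice(valid, missing_root):
    """Map the validation result onto the options described in sk122158."""
    if valid:
        return "URL-based bypass can match this site; no change needed."
    return ("URL-based bypass cannot match (certificate not validated); "
            f"either import {missing_root!r} into the trusted CA store "
            "or bypass the site's IP addresses instead.")


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    for e in chain:
        print(f"{e.depth}: {e.subject}  <-  {e.issuer}")
    valid, missing = check_chain(chain, GATEWAY_TRUSTED_ROOTS)
    print(bypass_advice(valid, missing))
```

On a real gateway you would feed the script the output of `openssl s_client -connect fe2.update.microsoft.com:443 -showcerts < /dev/null` and the subject names from the trusted CA store; the "missing root" it reports is the certificate to import, which is exactly what fixed it in my case.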
Add Windows Update Services-CA to trusted CA store
What I did instead, though, was to add the newly discovered CA certificates to Check Point's trusted CA store, and hey presto – bypass worked like a charm and the servers were able to update themselves. :)