topic Get this, using Fiddler4 to in Web Security

How do you unblock Windows 10 media creation tool download or Windows 10 upgrade download?

keithsauer507 — Mon, 10 Apr 2017 13:32:27 GMT

If I use the Windows 10 upgrade tool or the Media Creation tool, I always get an error that coincides with an issue downloading the data. If I put a machine's IP address into the BYPASS list, these tools work great. I'd rather not mess with bypass lists because you can forget an IP is in there, plus its messy and unwieldy to maintain. I'd rather put the appropriate URL's in to allow this tool to work.

So I used PUTTY and logged into our S170 and did grep, access logs and put in the IP address of my test machine. I had Putty log all output to a text file and then run the Media Creation tool to download a Windows 10 ISO file. I then opened this putty.log in Notepad++ and found all occurrences of denied. I tried putting some Regex's into our allowed domains whitelist (Custom URL Categories) but its still blocking.

([a-zA-Z]|[0-9])\.dl\.delivery\.mp\.microsoft\.com
[a-zA-Z]+\.windowsupdate\.com
[a-zA-Z]+\.symcd\.com
[a-zA-Z]+\.symcb\.com

I then ran another logging session and the tool still errors out. Here's a preview of some output:

Line 1816: 1491261293.366 0 10.7.3.7 TCP_DENIED/401 0 HEAD http://webfilter/B0000D0000N0001N0001F0000S0000R0004/10.7.3.7/http://7.dl.delivery.mp.microsoft.com/filestreamingservice/files/69aeb898-49f8-4992-9c46-0a11c48a747e - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - "Microsoft-Delivery-Optimization/10.0"
Line 1817: 1491261293.370 0 10.7.3.7 TCP_DENIED/401 0 HEAD http://webfilter/B0000D0000N0001N0001F0000S0000R0004/10.7.3.7/http://7.dl.delivery.mp.microsoft.com/filestreamingservice/files/69aeb898-49f8-4992-9c46-0a11c48a747e - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - "Microsoft-Delivery-Optimization/10.0"
Line 1818: 1491261294.108 0 10.7.3.7 TCP_DENIED/401 0 HEAD http://webfilter/B0000D0000N0001N0001F0000S0000R0004/10.7.3.7/http://2.dl.delivery.mp.microsoft.com/filestreamingservice/files/69aeb898-49f8-4992-9c46-0a11c48a747e - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - "Microsoft-Delivery-Optimization/10.0"

I'll see if this forum lets me attach the whole putty log but if you have any ideas before I open a ticket with Cisco, please let me know what you did to allow this tool to download Windows 10 iso (or usb stick image or in place pc upgrade).

We aren't doing the "download

Ken Stieers — Mon, 10 Apr 2017 14:32:13 GMT

We aren't doing the "download image from the web" thing, so this might not help... but we had issues with the MS Store in Win8/8.1...

We didn't use bypass, we put the following in a custom category, created an identity that didn't require authentication, and set this category to not be decrypted.

.apps.microsoft.com
.download.windowsupdate.com
.update.microsoft.com
.windowsupdate.com
.ws.microsoft.com
apps.microsoft.com
aq.v4.a.dl.ws.microsoft.com
crl.microsoft.com
watson.telemetry.microsoft.com

The WSA access log indicated

Tao Yang — Tue, 11 Apr 2017 00:20:50 GMT

The WSA access log indicated it was blocked due to Proxy Authentication. Try to bypass proxy authentication to see if it helps.

Line 1816: 1491261293.366 0 10.7.3.7 TCP_DENIED/401 0 HEAD http://webfilter/B0000D0000N0001N0001F0000S0000R0004/10.7.3.7/http://7.d... - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - "Microsoft-Delivery-Optimization/10.0"

Ok that is an interesting way

keithsauer507 — Wed, 12 Apr 2017 14:25:25 GMT

Ok that is an interesting way to go about setting it up. I configured that new authentication policy to not do any type of authorization, and the identity is flagged on a URL list with these in. However I am still getting blocked and when I check the blocked transaction in the UI, it seems to be on http://ctldl.windowsupdate.com with Block - Policy as the disposition. There are some ocasional download.windowsupdate.com in there as well but with .windowsupdate.com in the URL list why wouldn't this be allowed?

Get this, using Fiddler4 to

keithsauer507 — Wed, 12 Apr 2017 14:49:55 GMT

Get this, using Fiddler4 to analyze what traffic the Windows Media Creation Tool is trying to get to shows a session terminated by remote server to: http://fg.ds.b1.download.windowsupdate.com/c/Upgr/2017/03/15063.0.170317-1834.rs2_release_clientcombinedsl_ret_x64fre_en-us_64317f9f897ab3cab7e45cbcafd139d30396c81f.esd

However if I copy and paste this into Google Chrome on the same machine, I get a download of a 2.9 GB file.

Why would it not work in their tool, but the blocked connection is not blocked using the chrome browser?

GET http://fg.ds.b1.download.windowsupdate.com/c/Upgr/2017/03/15063.0.170317-1834.rs2_release_clientcombinedsl_ret_x64fre_en-us_64317f9f897ab3cab7e45cbcafd139d30396c81f.esd HTTP/1.1
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Wed, 22 Mar 2017 11:27:14 GMT
Range: bytes=0-2147483646
User-Agent: Microsoft BITS/7.5
Connection: Keep-Alive
Host: fg.ds.b1.download.windowsupdate.com

10:42:02:5201 Fiddler Running...
10:44:08:7697 fiddler.network.streaming> Streaming of response #5 to client failed: An existing connection was forcibly closed by the remote host. Leaking aborted.
10:44:08:8636 fiddler.network.streaming> Streaming of response #6 to client failed: An existing connection was forcibly closed by the remote host. Leaking aborted.
10:44:09:0200 fiddler.network.streaming> Streaming of response #7 to client failed: An existing connection was forcibly closed by the remote host. Leaking aborted.
10:44:09:2076 fiddler.network.streaming> Streaming of response #8 to client failed: An existing connection was forcibly closed by the remote host. Leaking aborted.
10:44:10:4118 fiddler.network.streaming> Streaming of response #9 to client failed: An existing connection was forcibly closed by the remote host. Leaking aborted.
10:44:11:5848 fiddler.network.streaming> Streaming of response #10 to client failed: An existing connection was forcibly closed by the remote host. Leaking aborted.
10:44:11:6004 fiddler.network.readresponse.failure> Session #10 was aborted System.OperationCanceledException Aborting orphan stream < An existing connection was forcibly closed by the remote host
10:44:12:8202 fiddler.network.streaming> Streaming of response #11 to client failed: An existing connection was forcibly closed by the remote host. Leaking aborted.

Do you have range requests

Ken Stieers — Wed, 12 Apr 2017 15:33:47 GMT

Do you have range requests enabled?

enabled in what... WSA? What

keithsauer507 — Wed, 12 Apr 2017 16:54:20 GMT

enabled in what... WSA? What page is that on and what does it do?

See Eric's answer here:

Ken Stieers — Wed, 12 Apr 2017 17:39:23 GMT

See Eric's answer here:

https://supportforums.cisco.com/discussion/11608631/ironport-wsa-rangerequestdownload-option

It used to be in the CLI... I know in 9.1 its in Security Services/Web Proxy, at the bottom.

Ah ok I see it is currently

keithsauer507 — Wed, 12 Apr 2017 18:29:26 GMT

Ah ok I see it is currently disabled. I am a little cautious to enable it if AMP and Virus scanning is going to have a harder time finding malware and virus signatures. I don't get why this has to be a global option. If I had my way I would turn it on for the Microsoft Updates Identity but leave it off for everything else.

I got the ISO file I needed by allowing the direct link to the Windows 10 .ESD file that I found the Media Creation Tool was trying to pull via google chrome. Googling how to convert an ESD file to ISO file lead me to an article along with download links to a tool that does this.

I'll experiment with this just to see if it makes a difference, but I'll likely put it back to disabled to stay secure. I don't know if anyone from Cisco is reading this forums, but guys... you really should be putting this checkbox under each identity for more granular control. This all or nothing approach just does not work.

EDIT: Thats what it was Ken. You are a valuable asset to this community! You've helped me in the past on various posts and I can't thank you enough. The Media creation tool is actually working now. I am cautious about leaving this on however because security is very important to the team. Again I just can't believe Cisco would make this an all or nothing setting. That does not seem to be the right direction for this feature. I will inquire TAC about if that can be changed before leaving Cisco WSA for an alternate solution in the 2018 budget year. If they don't change it, they dug their grave.