
ASA SFR and Windows Update

Hello,

I have an ASA with an SFR module managed by FMC.

I have a problem with Windows Update.

I have a new PC and I try to update it, but it fails when the traffic passes through the SFR.

When I disable the SFR the updates are successful.

It hits the right rule of the SSL policy, which contains the Microsoft update application.

In the events, I see that in the "SSL certificate status" field it says "Invalid issuer".

I installed the certificate on the PC but nothing changed.

How could I allow Windows updates to pass?

Thanks and regards,

Konstantinos

5 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

It seems you are using SSL decryption for all types of traffic. If allowed by your organization, you can configure a rule in your decryption policy not to decrypt traffic for Microsoft.

Have a look at the attached snapshot on adding a rule not to decrypt traffic for Microsoft updates. You can select *.update.microsoft.com from the CN tab in this rule.

Hello Muhammad Awais Khan

Thank you for the reply.

The thing is that the rule already does "not decrypt".

I will, though, add the *sls.microsoft.com CN; the others already exist.

Regards,

Konstantinos

What is the default intrusion policy you are using? Have you configured network discovery? As a test, you can go into your access control policy ACL and change the rule to trust instead of allow.

Please do not forget to rate.

Hello

The thing is that the access rule it hits is "allow". And the event also confirms that the traffic is allowed, but the updates on the PC fail.

I did the trust rule.
Still the same behavior.
The Windows updates hit the correct rules, but on the PC they are not performed.

The only thing I see is that the "SSL Certificate Status" says "Invalid Issuer".