AnyConnect VPN on ASA to do Windows Updates via Internet

DMel
Level 1

We are running Anyconnect v4.10.5095, with ASA 5525-X/5545-X v9.14.1 and ISE v3.1

We have unmanaged laptops (for now) connecting to our VPN with ISE Posturing setup.


We can't do split tunneling per SecPol, so our challenge is how to get these unmanaged laptops to check for and install Windows Updates via the Microsoft update server on the Internet.

We currently have all 80/443 traffic being proxied through a web filter internally, and I THINK I see our VPN client IP attempting to hit various MS sites. But on the client, I don't see any evidence of Windows Update checking, and it fails posture.

However, I have noticed that if I have manually downloaded and installed all available Windows Updates, I will pass the posture check.

I uninstalled 2 Windows updates, rebooted, and tried to connect to VPN. It is recognized that those updates are needed, but it never downloads/installs them, and after 3 minutes it times out and fails the posture check.


Any help on this is appreciated.


2 Replies

balaji.bandi
Hall of Fame

I think you need to allow certain URLs for Windows to get updated, especially since you are controlling access using a proxy-based setup, if you are not pushing the updates from SCCM.


As you mentioned, split tunnel is not allowed due to policy.

BB


I have the various MS URLs (mentioned in other posts related to MS updates) in both our 'posture redirect' ACL on the ASA (to not redirect), and also allowed within our internal web proxy. As I said, I am certain that I see the VPN clients being allowed through our proxy to various MS sites during the posture process.


I just don't see any evidence on the client side that it is actually launching the 'wuauclt /detectnow /updatenow' command. And it obviously isn't installing any updates.


As I stated above, I have used ISE for a long time (although it has been 4+ years since my last time) and have done posturing on the VPN for Windows clients, and I thought I could actually see Windows Update running if I went to the Windows Update page on the client.


Again, ISE can definitely detect if/when the client needs updates, that part is working.
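The thread turns on two questions nobody has yet verified on the laptop itself: did the Windows Update client actually run a scan during the posture window, and can the update endpoints be reached through the proxy from that client? The PowerShell below is an added example, not code from the thread, from Cisco or from Microsoft, that gathers exactly that evidence on the affected laptop. It assumes a proxy URL and a handful of update hostnames as placeholders (replace them with the organisation's own proxy and the allow list used on the proxy and the posture-redirect ACL). It reads the Windows Update client's operational event log, which records every detection, download and install attempt no matter how the scan was triggered, asks the local update agent what it considers pending, and then issues HEAD requests through the proxy.

```powershell
# Added example (not from the thread): client-side evidence that Windows Update
# ran during the posture window, plus a reachability test of the update
# endpoints through the corporate proxy. Run on the VPN laptop while connected.

param(
    [int]$LookbackMinutes = 30,
    # ASSUMPTION: placeholder; replace with the proxy the VPN clients are sent through.
    [string]$Proxy = 'http://proxy.example.internal:8080',
    # ASSUMPTION: a few commonly used Windows Update hostnames as examples; replace
    # with the full list allowed on the proxy and in the posture-redirect ACL.
    [string[]]$UpdateHosts = @(
        'https://update.microsoft.com',
        'https://download.windowsupdate.com',
        'https://fe3.delivery.mp.microsoft.com'
    )
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# 1. Did the Windows Update client scan, download or install recently?
#    This channel is written whether the scan came from wuauclt, UsoClient,
#    the Settings page or a posture agent, so an empty result means no scan ran.
$wuEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $wuEvents) {
    Write-Host "No Windows Update client activity since $since; no scan was triggered."
} else {
    $wuEvents | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
}

# 2. What does the local update agent itself consider pending?
#    Search() uses the machine's configured update source and system proxy
#    settings, so a failure here is the same failure the posture check sees.
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
    Write-Host "Pending updates reported by the local agent: $($pending.Count)"
    foreach ($u in $pending) { Write-Host "  - $($u.Title)" }
} catch {
    Write-Host "Local update search failed: $($_.Exception.Message)"
}

# 3. Can the update endpoints be reached from this client via the proxy?
#    A proxy deny usually surfaces as HTTP 403/407 or a connection error;
#    any 2xx/3xx answer shows the proxy is letting the request through.
foreach ($url in $UpdateHosts) {
    try {
        $resp = Invoke-WebRequest -Uri $url -Proxy $Proxy -Method Head `
                    -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        Write-Host "$url -> HTTP $($resp.StatusCode) via proxy"
    } catch {
        Write-Host "$url -> FAILED via proxy: $($_.Exception.Message)"
    }
}
```

Run it from an elevated prompt shortly after a failed posture attempt. If step 1 shows nothing while ISE reports the updates as missing, the remediation is not invoking a scan at all; if step 1 shows detection but no download, step 3 (and the proxy's own logs for the same timestamps) points at which hostnames are still being blocked.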
