Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
439
Views
0
Helpful
0
Comments

[WSA-Training] Bypass Microsoft Updates Traffic

amojarra
Cisco Employee
Cisco Employee

on ‎10-22-2024 05:53 AM

Microsoft Updates 

Microsoft Updates are essential patches, security updates, and feature enhancements released by Microsoft for its operating systems and software applications. These updates are crucial for maintaining the security, stability, and performance of computers and network devices. They ensure that systems are protected against vulnerabilities, bugs are fixed, and new features or improvements are integrated into the software.


The impact of Microsoft Updates on proxy servers, such as Cisco SWA can be significant. These updates often involve downloading large files or numerous smaller files, which can consume considerable bandwidth and processing resources on the proxy. This can lead to congestion, slower network performance, and increased load on the proxy infrastructure, potentially affecting the overall user experience and other critical network operations.


Bypassing Microsoft Update traffic from the proxy can be a safe and effective way to manage these challenges. Since Microsoft Updates are sourced from trusted Microsoft servers, allowing this traffic to bypass the proxy can help reduce the load on the proxy server without compromising network security. This ensures that essential updates are delivered efficiently while preserving proxy resources for other security and content filtering tasks. It is important, however, to implement such bypass configurations carefully to maintain overall network security and compliance with organizational policies.

Bypass Microsoft Updates

If you are considering avoiding proxying Microsoft Updates traffic, there are two main approaches

  1. Bypass: This involves configuring the network to redirect the traffic so that it never reaches the SWA.
  2. Passthrough: This involves configuring the SWA to neither decrypt nor scan the Microsoft Updates traffic, allowing it to pass through the proxy without inspection.

Bypassing Traffic in SWA

To bypass Microsoft Updates traffic in networks equipped with SWA, the approach varies depending on your proxy deployment setup:

Deployment type

Bypassing the traffic 

Transparent Deployment

You can redirect Microsoft Updates traffic at the router or Layer 4 switches that are responsible for forwarding traffic to the proxy server.

You can configure bypass settings directly within the SWA graphical user interface (GUI).

Explicit Deployment

To prevent the Microsoft Updates traffic from reaching the SWA, you must configure the bypass at the source. This means exempting the relevant URLs on the client machines to ensure that the traffic is not redirected to the SWA.


If bypassing specific traffic requires extensive network redesign and is not feasible, an alternative approach is to configure the SWA to pass through certain types of traffic. This can be achieved by setting the SWA to neither decrypt nor scan the designated traffic, allowing it to pass through the proxy without inspection. This method ensures that essential traffic is delivered efficiently while minimizing the impact on network performance and proxy resources.

 

 

Steps to Passthrough Microsoft Updates

There are four main stages to Passthrough Microsoft Updates traffics:

Stage

Steps

1. Create a Custom URL Category for Microsoft Updates URLs

Step 1.FromGUI, ChooseWeb Security Manager and then click Custom and External URL Categories.
Step 2.ClickAdd Categoryto add a Custom URL Category.
Step 4.Assign a unique CategoryName.
Step 5. (Optional) Add Description.

Step 6. From List Order, choose the first category to position on top.

Step 7. From Category Type drop-down list, choose Local Custom Category.

Step 8. Add Microsoft Updates URLs in the Sites Section.


 

Tip: You can check the list of Microsoft updates from this link: Step 2 - Configure WSUS | Microsoft Learn


 

Caution: Do not Copy/Paste the URLs as are in the Microsoft Documents; format them properly as SWA format. For more information, please visit: Configure Custom URL Categories in Secure Web Appliance - Cisco

Step 9. Submit

2. Create an Identification Profile to exempt Microsoft Updates traffic from Authentication

Step 10.FromGUI, ChooseWeb Security Manager and then click Identification Profiles.
Step 11.ClickAdd Profileto add a profile.
Step 12.Use theEnable Identification Profilecheck box to enable this profile, or to quickly disable it without deleting it.
Step 13.Assign a unique profileName.
Step 14. (Optional) Add Description.
Step 15.From theInsert Abovedrop-down list, choose where this profile is to appear in the table.

Step 16. In theUser Identification Methodsection, chooseExempt from authentication/ identification.

Step 17.In the Define Members by Subnet, If you would like to Passthrough Microsoft traffic for some specific users, enter the IP addresses or Subnets that applies, or else leave this field blank to include all IP address. 

Step 18. From Advanced section, choose Custom URL Categories.

Step 19. Add the Custom URL Category that was created for Microsoft updates.

Step 20. Click Done.

Step 21. Submit

3. Create a Decryption Policy To Passthrough Microsoft Updates Traffic

Step 22.FromGUI, ChooseWeb Security Manager and then clickDecryption Policy.

Step 23. ClickAdd Policyto add a Decryption Policy.

Step 24.Use theEnable Policy check box to enable this policy.
Step 25.Assign a unique PolicyName.
Step 26. (Optional) Add Description.
Step 27.From theInsert Above Policydrop-down list, choose the first Policy.

Step 28.From theIdentification Profiles and Users, choose the Identification Profile that you created in the previous steps.

Step 29. Submit.

Step 30.In theDecryption Policiespage, underURL Filtering, click on the link associated with this new Decryption Policy.

Step 32.SelectPassthroughas the action for Microsoft Updates URL category.

Step 32. Submit

4. Create an Access Policy to Allow Microsoft Updates Traffic

Step 33.FromGUI, ChooseWeb Security Manager and then clickAccess Policy.

Step 34. ClickAdd Policyto add an Access Policy.

Step 35.Use theEnable Policy check box to enable this policy.
Step 36.Assign a unique PolicyName.
Step 37. (Optional) Add Description.
Step 38.From theInsert Above Policydrop-down list, choose the first Policy.

Step 39.From theIdentification Profiles and Users, choose the Identification Profile that you created in the previous steps.

Step 40. Submit.

Step 41. On the Access Policies page, under URL Filtering, click on the link associated with this new Access Policy

Step 42.Select Allowas the action for the Custom URL category created for the Microsoft Updates.

Step 43. Submit

Step 44. Commit Changes.

Related Information

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents