ITT: SUS server Sync error caused by Surfcontrol and ISA (Solved)

First week on the new job, problem nr1 solved.

(hostnames changed to generic names)


We where getting continuous Sync errors like follows:

Update for Windows Server 2003 (KB898792): Failed to download from URL ‘http://download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/WindowsServer2003-KB898792-v2-x86-enu_ca965b3c805f48f2fe8ee1a420ddbf4.exe’. (Error 0x80072F78: Invalid server response.) – WindowsServer2003-KB898792-v2-x86-enu_ca965b3c805f48f2fe8ee1a420ddbf4.exe

Here is a copy paste of what happens on the ISA side:


10.31.129.254 anonymous – N 2005-07-10 03:00:23 w3proxy SRV-ISA01 – www.msus.windowsupdate.com – 80 – 150 2798 http TCP GET http://www.msus.windowsupdate.com/msus/v1/aucatalog1.cab – – 407
10.31.129.254 anonymous – N 2005-07-10 03:00:23 w3proxy SRV-ISA01 – www.msus.windowsupdate.com – 80 – – 738 http TCP GET
http://www.msus.windowsupdate.com/msus/v1/aucatalog1.cab – – 407
10.31.129.254 DOMAIN1 – Y 2005-07-10 03:00:32 w3proxy SRV-ISA01 – www.msus.windowsupdate.com 207.46.197.119 80 9281 286 75921 http TCP GET
http://www.msus.windowsupdate.com/msus/v1/aucatalog1.cab application/octet-stream Inet 64
10.31.129.254 anonymous – N 2005-07-10 03:01:33 w3proxy SRV-ISA01 – www.msus.windowsupdate.com – 80 – 147 421 http TCP HEAD
http://www.msus.windowsupdate.com/msus/v1/aurtf1.cab – – 407
10.31.129.254 anonymous – N 2005-07-10 03:01:33 w3proxy SRV-ISA01 – www.msus.windowsupdate.com – 80 – – 754 http TCP HEAD
http://www.msus.windowsupdate.com/msus/v1/aurtf1.cab – – 407
10.31.129.254 DOMAIN1 – Y 2005-07-10 03:01:34 w3proxy SRV-ISA01 – www.msus.windowsupdate.com 207.46.197.119 80 344 302 334 http TCP HEAD
http://www.msus.windowsupdate.com/msus/v1/aurtf1.cab application/octet-stream Inet 200
10.31.129.254 anonymous – N 2005-07-10 03:02:20 w3proxy SRV-ISA01 – download.windowsupdate.com – 80 – 239 2798 http TCP GET
http://download.windowsupdate.com/msdownlo…e1a420ddbf4.exe – – 407
10.31.129.254 anonymous – N 2005-07-10 03:02:20 w3proxy SRV-ISA01 – download.windowsupdate.com – 80 – – 827 http TCP GET
http://download.windowsupdate.com/msdownlo…e1a420ddbf4.exe – – 407
10.31.129.254 DOMAIN1 – Y 2005-07-10 03:02:21 w3proxy SRV-ISA01 – download.windowsupdate.com 195.22.198.151 80 438 375 – http TCP GET
http://download.windowsupdate.com/msdownlo…e1a420ddbf4.exe application/x-msdownload Inet 12210
10.31.129.254 anonymous – N 2005-07-10 03:03:07 w3proxy SRV-ISA01 – download.windowsupdate.com – 80 – 239 2798 http TCP GET
http://download.windowsupdate.com/msdownlo…e1a420ddbf4.exe – – 407
10.31.129.254 anonymous – N 2005-07-10 03:03:07 w3proxy SRV-ISA01 – download.windowsupdate.com – 80 – – 827 http TCP GET
http://download.windowsupdate.com/msdownlo…e1a420ddbf4.exe – – 407
10.31.129.254 DOMAIN1 – Y 2005-07-10 03:03:07 w3proxy SRV-ISA01 – download.windowsupdate.com 195.22.198.151 80 94 375 – http TCP GET
http://download.windowsupdate.com/msdownlo…e1a420ddbf4.exe application/x-msdownload Inet 12210

Now the purely annonymous connections that result in the 407 are normal I assume, as you need an initial 407 from the proxy in order to initiate authentication information being sent from the client.

But after 2 x 407, ISA itself comes with its 12210 error, which MS states as: An Internet Server API (ISAPI) filter caused an error or terminated with an error

Well that is intereting!

Guess what we use on the ISA server aswell? Surfcontrol!
Surfcontrol is a web-content filter, used to stop people surfing porn or downloading crap.. its plugged into ISA server as a custom ASAPI filter.

We had the SUS server in there, attached to our “unrestriced internet’ rule (guess who else uses that rule? wink.gif

Anyway… the SUS server was defined in Surtcontrol by FQDN (Fully Qualified Domain Name).

It turns out, the way our ISA server is set up, is that its not doign any kind of resolving on incoming client requests.. the ISA logs show this; all clients identified by IP adress, no hostnames at all.

Because of this, Surfcontrol was unable to apply the rule, and was sending back 502 errors to SUS (Internally 12210)… which SUS translates as [b]Error 0x80072F78: Invalid server response[b]

Though changing the definition is Surfcontrol solved the issue, I am left wondering if this ISA behavior is by design or not. It might simply be the way we have it set up, I will have to look into this further.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.