
WSA Ironport allow exe downloads from specific URLs (WSUS Server)

scott.walker1
Level 1

Good Morning guys,

I have a task to allow the WSUS Server the ability to download .exe files from the windowsupdate sites etc...

So far I have

1) Created a new Access Policy

2) Specified the relevant account to from the Identity (still using authentication)

3) Removed Object Blocking from the Access Policy

Everything else uses the global setting such as malware and user agents, at this stage.

However, as stated, I need to find a way of only allowing .exe downloads from a URL list, therefore blocking .exe's from elsewhere for this account. Is this possible? And if so, any pointers, as I'm now struggling?

3 Replies

Have you grepped the access log then clicked Sync Now in WSUS to see what's going on?

SSH to the WSA and

wsav1> grep to the WSA

wsav1> grep

   .

   .

   .
39. "webcat_logs" Type: "Web Categorization Logs" Retrieval: FTP Poll
40. "webrootlogs" Type: "Webroot Logs" Retrieval: FTP Poll
41. "welcomeack_logs" Type: "Welcome Page Acknowledgement Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.

[]> 1 <enter>


Enter the regular expression to grep.
[]> <ip address of wsus box> <enter>

Do you want this search to be case insensitive? [Y]> <enter>

Do you want to search for non-matching lines? [N]> <enter>

Do you want to tail the logs? [N]> Y <enter>

Do you want to paginate the output? [N]> <enter>

Press Ctrl-C to stop.

That may tell you what's going on. 

I know that at one point, I had to add one of Microsoft's intermediate certificates to the WSA as the logs showed untrusted root cert issues.

We also ended up marking all of the Windows Store and Windows update sites to not be decrypted... (put them in a custom category, and set them as passthrough in the decryption policy.)

Hi,

Yes, we have done a grep and also the reporting from the GUI.

They are being blocked due to Object blocking and file types, i.e. we block .exe in the global policy.

I can create a new access policy to allow the user account or machine to download different object types; however, I need to only allow .exe downloads from a defined domain, so Microsoft URLs can download .exe whilst blocking .exe downloads from other locations.

The other workaround is to create a custom URL category for Microsoft .exe downloads while still blocking other .exe objects in that policy.

1. Create a custom URL category and put the Microsoft download URL in the 'sites' box, and under the Regular Expressions box put an expression such as \.exe

2. Include that custom URL category in your access policy

3. Set that custom URL category to "Allow" (do not set it to "Monitor", since it will be scanned with the object scanning that you have set to block all .exe extension files)