5. Procedure – Enabling Windows update

Purpose: 

To enable Windows update for the clients protected by the firewall, you have to import into the client machines the certificate of the PNS CA that signs the certificates in keybridging. To accomplish this, complete the following steps on the client hosts.

Note

An alternative to this solution is to disable SSL-proxying for the v4.windowsupdate.microsoft.com domain. This method is described in detail in the Technical Tutorial Proxying secure channels — the Secure Socket Layer. The advantage of the alternative method is that you do not need to modify the client hosts.

Prerequisite: 

You will need the certificate of the PNS CA that signs the certificates in keybridging. Export this certificate from MS, and make it available on your client hosts.

Steps: 

  1. Start the Microsoft Management Console (Start Menu > Run application > MMC).

  2. Select File > Add/Remove Snap-in.

  3. Click Add, then select Certificates.

  4. Select Computer account, then click Next.

  5. Select Local computer and click Finish. The Certificates module has been added to the Console Root tree.

  6. Expand the Certificates node, then expand the Trusted Root Certification Authorities node. Right-click on the Certificates node, select All Tasks, then click Import.

  7. Click Next on the Welcome to the Certificate Import Wizard page. On the File to Import page, click Browse, and locate the certificate of the PNS CA to be imported.

  8. On the Certificate Store page, accept the default setting (Place all certificates in the following store), click Next, then Finish.

    Note

    Application-level Gateway must be able to verify the certificates of the Windows Update servers. To accomplish this, the certificates of the certificate authorities (CAs) that issue the certificates of the Windows Update servers have to be imported into Application-level Gateway, if not already present. The following certificates have to be imported:

    • Microsoft Secure Server Authority

    • Microsoft Internet Authority

    • GTE CyberTrust Global Root
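
Steps 1 to 8 above can also be scripted, which helps when the PNS CA certificate has to be installed on many client hosts. The following PowerShell script is an added example, not part of the original procedure: it assumes a Windows version that ships the Import-Certificate cmdlet, and the parameter names and the thumbprint, CA and validity checks are assumptions introduced here.

```powershell
# Added example: scripted equivalent of steps 1-8. Run from an elevated PowerShell session.
param(
    # Path to the PNS CA certificate exported from MS (supplied by the operator).
    [Parameter(Mandatory)] [string] $CertPath,
    # Thumbprint of that certificate, obtained separately from the file (assumed check).
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'

# Trusted Root Certification Authorities store of the Computer account (steps 4-6).
$store = 'Cert:\LocalMachine\Root'

# Load the file for inspection without installing it.
$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Refuse a file whose thumbprint differs from the expected one.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# A trusted root must be a CA certificate and must be inside its validity period.
# Note: a root without a basic constraints extension is rejected by this check.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not ($bc -and $bc.CertificateAuthority)) {
    throw "Not a CA certificate: $($cert.Subject)"
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# Import only if it is not already in the store (steps 7-8).
$present = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $present) {
    Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
}

# Show what the store now holds for this thumbprint.
Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Issuer, Thumbprint, NotAfter
```

Because a certificate in this store is trusted machine-wide for every TLS connection, compare the thumbprint against the value shown on MS rather than against one read from the copied file.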