Monday, October 8, 2018

WSUS: EULA Download in Pending State

Recently at a customer site I encountered the issue below: some updates (specifically updates under the Update Rollups classification) were not syncing because their End User License Agreements could not be downloaded into WSUS.

In the Wsyncmgr log there was this error.







And WSUS showed the notice below when I selected the update.

This update cannot be approved for installation because its Microsoft Software License Terms are still downloading.

I tried running the "wsusutil reset" command but it didn't do any good. The WsusContent folder had all required permissions. The network team confirmed they had opened the required URLs and ports.

So, out of options, I thought of completely removing and reinstalling the SUP and WSUS. But before that I installed the WSUS role on a separate Server 2016 server. Then I asked the network team to enforce the same network rules as they had enforced on the original server. Then I enabled the "Update Rollups" classification and ran a WSUS sync. The second server gave the same error: EULA download pending.

Now it's clear that some firewall or a perimeter device is blocking the EULA download.

Then I checked with the firewall team but there weren't any issues. They had opened all HTTP/HTTPS traffic. Then I checked with the security team and found the issue. Their McAfee IPS device had the alert below, and it blocked connectivity to the SCCM/WSUS server. Because of that, the EULA download was in a pending state all this time.

This event indicates that a web server has returned a response body that is UTF16 or UTF32 encoded. Under normal circumstances, a web server will not return such an encoded response body. This may indicate that someone may be trying to bypass an IDS/IPS.

A successful attack would allow an attacker to evade the IDS/IPS product that does not have the decoding support. However, the alert might also be for normal traffic when a web server or application is configured to send UTF16/UTF32 encoding.

Check the logged packet to see if an attack is taking place.

Protocols
• Hypertext Transfer Protocol

After the security team temporarily whitelisted the 2 WSUS servers, I ran the "wsusutil reset" command on each one and gave it some time to complete. Afterwards I ran a WSUS sync and the EULA downloaded without issues.
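
To confirm that an alert like the one above fired on legitimate traffic, the check below (an added example, not from the original post or from McAfee) classifies a captured HTTP response by the same property the alert describes: a UTF-16/UTF-32 body, recognised by declared charset, byte order mark, or NUL-byte pattern. The function name and sample responses are constructed for illustration, and the body is assumed to be uncompressed and unchunked.

```python
import codecs
import re

# Longest BOMs first: the UTF-32 LE BOM begins with the UTF-16 LE BOM.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]

def wide_encoding(raw: bytes):
    """Return (encoding, evidence) if the response body looks UTF-16/32, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    # 1. Charset declared in the Content-Type header.
    m = re.search(rb'(?im)^content-type:[^\r\n]*charset="?(utf-?(?:16|32)[a-z-]*)', head)
    if m:
        return m.group(1).decode("ascii").lower(), "charset header"
    # 2. Byte order mark at the start of the body.
    for bom, name in BOMS:
        if body.startswith(bom):
            return name, "byte order mark"
    # 3. No BOM: mostly-ASCII text in UTF-16 has a NUL in every other byte.
    sample = body[:256]
    sample = sample[:len(sample) - len(sample) % 2]
    half = len(sample) // 2
    if half >= 4:
        even_nul = sample[0::2].count(0) / half
        odd_nul = sample[1::2].count(0) / half
        if odd_nul > 0.9 and even_nul < 0.1:
            return "utf-16-le", "NUL byte pattern"
        if even_nul > 0.9 and odd_nul < 0.1:
            return "utf-16-be", "NUL byte pattern"
    return None

# Constructed samples (not captured traffic).
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
SAMPLES = {
    "bom": HDR + codecs.BOM_UTF16_LE + "LICENSE TERMS".encode("utf-16-le"),
    "declared": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-16\r\n\r\nxx",
    "no_bom": HDR + "LICENSE TERMS".encode("utf-16-le"),
    "utf8": HDR + b"<html>ok</html>",
}

if __name__ == "__main__":
    for label, resp in SAMPLES.items():
        print(label, wide_encoding(resp))
```

Running it against the response saved from a packet capture of the blocked download gives the security team concrete evidence for a scoped exception instead of a blanket whitelist.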


