squid to only allow office activation and not windows updates


robert k Wild
hi all,

I have added all these lines to my squid config as it wasn't allowing office activation


but now it's allowing office activation and now windows updates but I don't want it to do windows updates as this is managed by our WSUS server

what are the correct lines to just do the office activation

as when I comment out all the lines I get this


thanks,
rob

--
Regards,

Robert K Wild.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid to only allow office activation and not windows updates

Amos Jeffries
Administrator
On 11/01/20 11:46 am, robert k Wild wrote:

> hi all,
>
> I have added all these lines to my squid config as it wasn't allowing
> office activation
>
> https://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>
> but now it's allowing office activation and now windows updates but I
> don't want it to do windows updates as this is managed by our WSUS server
>

That would be right then. As the wiki page name indicates that config is
all about allowing WindowsUpdate.


> what are the correct lines to just do the office activation
>

This is a strong indication you still do not understand how ACLs work.

So your reference points are:
 <https://wiki.squid-cache.org/SquidFaq/SquidAcl>
and
 <http://www.squid-cache.org/Doc/config/acl/>


> as when I comment out all the lines I get this
>
> 0 - TCP_DENIED/403 3810 GET
> http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt
>

That then is the first URL you need to let clients access.

Once that is accessible the activation process will get further and
there may be others. When you know the whole set there may be some
optimizations your rules can use to simplify the final config.


Amos
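
Added example, not part of the original thread or of Squid itself: one way to carry out the enumeration Amos describes, collecting every request Squid denied for a test client and rendering candidate allow rules. It assumes Squid's native access.log format; the function names, client addresses and *.example.test hosts are constructed for illustration, and only the certificate URL comes from the thread.

```python
import re

# Constructed sample in Squid's native access.log format. Only CERT_URL comes
# from the thread; client addresses and *.example.test hosts are placeholders.
CERT_URL = ("http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product"
            "%20Root%20Certificate%20Authority%202018.crt")
SAMPLE_LOG = f"""\
1578700000.100 0 192.0.2.10 TCP_DENIED/403 3810 GET {CERT_URL} - HIER_NONE/- text/html
1578700001.200 0 192.0.2.10 TCP_DENIED/403 3900 CONNECT activation.example.test:443 - HIER_NONE/- text/html
1578700002.300 85 192.0.2.10 TCP_MISS/200 1200 GET http://allowed.example.test/ - HIER_DIRECT/198.51.100.7 text/html
1578700003.400 0 192.0.2.10 TCP_DENIED/403 3810 GET {CERT_URL} - HIER_NONE/- text/html
1578700004.500 0 192.0.2.99 TCP_DENIED/403 3900 CONNECT other.example.test:443 - HIER_NONE/- text/html
"""
ERE_META = re.compile(r"([.\[\]{}()*+?^$|\\])")  # regex metacharacters to escape


def denied_requests(log_text, client=None):
    """Count unique (method, target) pairs Squid denied, in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        f = line.split()
        # native format: time elapsed client code/status bytes method URL ...
        if len(f) < 7 or not f[3].startswith("TCP_DENIED/"):
            continue
        if client is not None and f[2] != client:
            continue
        seen[(f[5], f[6])] = seen.get((f[5], f[6]), 0) + 1
    return seen


def acl_fragment(denied, name="office_activation"):
    """Render candidate allow rules: exact URLs for HTTP, hostnames for CONNECT."""
    acls = []
    for method, target in denied:
        if method == "CONNECT":  # only host:port is visible for a tunnel
            line = f"acl {name}_tls dstdomain {target.rsplit(':', 1)[0]}"
        else:  # anchor the whole URL (query string included) so nothing broader matches
            exact = ERE_META.sub(r"\\\1", target)
            line = f"acl {name}_url url_regex ^{exact}$"
        acls.append(line)
    used = sorted({a.split()[1] for a in acls})
    # These allow lines must sit above the http_access rule that denies.
    return acls + [f"http_access allow {n}" for n in used]


if __name__ == "__main__":
    print("\n".join(acl_fragment(denied_requests(SAMPLE_LOG, "192.0.2.10"))))
```

Re-run it after each activation attempt, since each newly allowed request exposes the next denied one, and review the output before adding it to squid.conf.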

Re: squid to only allow office activation and not windows updates

robert k Wild
Hi Amos,

OK, I have found the rule for it

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name .microsoft.com
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

but the thing is both windows updates and office activation use the exact same cert file

.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt

I'm stuck

or if I can get squid to block windows updates altogether?

Thanks, 

Rob



Re: squid to only allow office activation and not windows updates

robert k Wild

OK, think I have done it

#
acl DiscoverSNIHost at_step SslBump1
# dots escaped and pattern anchored so only names ending in .microsoft.com match
acl NoSSLIntercept ssl::server_name_regex -i \.microsoft\.com$
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
#
#URL deny MIME types
acl mimetype rep_mime_type application/octet-stream
http_reply_access deny mimetype
#

as now windows can check for updates but it can't download as I have denied the octet-stream, i.e. cab/exe files


--
Regards,

Robert K Wild.
