SSL Control enabled with "Detect Certificate signed by an Untrusted CA" causes Windows Update to fail.

Description

The following article describes how whitelisting the Windows update common names ensures that Windows updates will always run properly.


Cause

Enabling "Detect Certificate signed by an Untrusted CA" in SSL Control causes Windows Update to be blocked because of an untrusted CA, which results in HTTPS access being denied.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.


  1. Navigate to Network > Firewall > SSL Control.
  2. Go to Custom list > Whitelist.
  3. Under Custom Lists, configure the Whitelist by defining strings for matching common names in SSL certificates. Entries are case-sensitive and are used with pattern-matching. For example, “Sonicwall.com” matches “https://www.sonicwall.com” and “https://mysonicwall.com,” but not “https://www.sonicwall.de.”
  4. To add entries to the Whitelist for Windows Update, type the following domains into the White List field:
     dl.delivery.mp.microsoft.com
     download.microsoft.com
     go.microsoft.com
     update.microsoft.com
     windowsupdate.microsoft.com
  5. Click Add.
  6. After that, enable "Detect Certificate signed by an Untrusted CA".

