Troubleshooting
Problem
Microsoft Root CA is not included in the CA-bundle (trusted issuer), which might cause Windows Update to fail when Outbound SSL inspection is enabled.
Cause
If you enable outbound SSL inspection and also enable the rule to ignore ANY-ANY-Microsoft Domain Certificate for Microsoft update servers, network clients might not be able to perform Windows Update. You might also see System log events indicating that clients are unable to get a local issuer certificate. This occurs because the Microsoft Root CA is not listed in the IBM Security Network Protection appliance's Trusted Certificate Authorities, so validation fails when the appliance attempts to validate the Microsoft Update server certificate.
Resolving The Problem
Perform the steps below to add Microsoft's Root CA to the list of trusted certificate authorities.
- Click SSL Manage > SSL Inspection Settings.
- Select the Trusted Certificate Authorities tab, and click Upload.
- Locate the Microsoft Root CA certificate file, and click Open.
- Click Save Configuration.
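
The failure described under Cause and the effect of adding the root can be reproduced offline with OpenSSL. The script below is an added example, not IBM's code: every certificate is constructed ("Demo Root CA" and "update.example.test" stand in for the Microsoft Root CA and a Microsoft Update server), and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. All certificates are constructed: "Demo Root CA" stands in for
# the Microsoft Root CA, "update.example.test" for a Microsoft Update server.

# Build a root CA, a server certificate it issues, and an unrelated CA in dir $1.
make_demo_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=update.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Print OpenSSL's verdict for certificate $2 against trusted bundle $1.
verify_against() {
  openssl verify -CAfile "$1" "$2" 2>&1 || true
}

# Succeed only if $1 is a self-signed CA certificate: subject equals issuer,
# its signature verifies under its own key, and basicConstraints says CA:TRUE.
is_self_signed_root() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] && verify_against "$1" "$1" | grep -q ': OK' &&
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

demo() {
  local d; d=$(mktemp -d)
  make_demo_pki "$d"
  echo "--- bundle without the issuing root:"
  verify_against "$d/other.pem" "$d/srv.pem"
  echo "--- bundle after adding the root:"
  cat "$d/other.pem" "$d/root.pem" > "$d/bundle.pem"
  verify_against "$d/bundle.pem" "$d/srv.pem"
  is_self_signed_root "$d/root.pem" &&
    openssl x509 -in "$d/root.pem" -noout -fingerprint -sha256
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument demo to print both verdicts. For a real root file, compare the printed SHA-256 fingerprint against the value its publisher lists before uploading it.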
Products: IBM Security Network Protection (versions 5.3.1, 5.3.3; Platform Independent); IBM QRadar Network Security (version 5.4)
Document Information
Modified date: 24 January 2021
UID: swg21903520