The dreaded Windows Update via transparent proxy

[Aaron McDonnell <aaronm@xxxxxx>]

Hi All

I've been hunting around and reading articles on this much of the day and 
seem to get a lot of mixed opinion that this is both possible and 
impossible, but given that my setup is rather unique, let me explain it first.

What I'm doing is building a Quarantine network server.  This single box, 
running Devil Linux, does a number of things.  First, it's handed down by 
the DHCP server as the user's new gateway and DNS.  The machine itself uses 
a trunk to connect it to our network.  Quarantine networks come in as vlans, 
it has a private vlan that houses BIND and Apache, and Squid running on 
another vlan interface that is public.  The BIND system is poisoned so that 
all attempts to go anywhere resolve to itself except for a few select places 
we want the user to get to, like Windows Update (and a few others).  For 
those, the zone file forwards them to the listening IP of the Squid server, 
which is set up as a transparent proxy.

Sounds like a mess eh?  It actually does work correctly for all pages and 
functions EXCEPT Microsoft's Windows Update.  From looking at the TCP-dumps 
I did, it briefly tries to start up an SSL connection (even though it 
doesn't retain that stat) thus breaking the way it works.

If I configure IE on a machine within a Quarantine network to use this 
server's squid as it's proxy, it works fine, so I know Squid and it's access 
lists and parameters are good, but trying it via the transparent mode just 
doesn't work.  Is there SOME way to get around this?

The reason I ask is that our hopes here are to make this as brainless for 
the user as humanly possible.  If they have to enter any sort of settings 
and move beyond the point-click world, the help desk will likely be 
overwhelmed with calls from the great unwashed masses. :)

--

Aaron