
Skyhigh Security

Configure Bypass Rules for Windows Update Traffic

NOTE: Skyhigh strongly recommends using this workaround to ensure that Windows update traffic bypasses the appropriate network layers and does not reach the Cloud Proxy.

Organizations often initiate Windows updates either automatically or manually across thousands of endpoints simultaneously. When this high-volume update traffic routes through your Skyhigh Proxy for security inspection, it can overload both the proxy and your network infrastructure, leading to service degradation or even outages. Bypassing Windows update traffic only at the Skyhigh Cloud Proxy does not fully resolve the issue. Even if the proxy bypasses the traffic, it still traverses your network on its way to the cloud, consuming bandwidth and causing network congestion.

Workaround

To prevent congestion, configure your network to route Windows update traffic away from the Cloud Proxy. You can apply this routing at various points in your environment, such as the Skyhigh Client Proxy (SCP), SWG On-prem, your edge firewall, or your endpoint firewall. The required configuration depends on how traffic flows in your environment.

The following use cases describe the typical paths user traffic takes toward the Cloud Proxy: 

Use Case 1: Remote traffic routed to the Cloud Proxy through SCP

If the SCP on the endpoint routes user traffic to the Cloud Proxy, configure the Windows update bypass rules directly in SCP. Use both process-based and domain-based bypass rules.

If the endpoint firewall allows only traffic that egresses through SCP, it will block the bypassed Windows update domains. To prevent this, whitelist the required domains in the endpoint firewall so the traffic can go directly to the Internet.

Use Case 2: On-prem traffic routed to the Cloud Proxy through SWG On-prem or SCP

SWG On-prem directs Internet-bound traffic straight to the Internet. If SWG On-prem or SCP forwards traffic to the Cloud Proxy for DLP or RBI, ensure Windows update domains are bypassed before reaching the cloud.

Configure the following bypass rules:

► Domain-based bypass rules in SWG On-prem

Use the Skyhigh Security-provided Windows Update Hosts list under Update Server Lists to create a bypass rule for all Windows update–related domains. To view the domains to be bypassed, see Domain Bypass List.

►  Domain-based bypass rules in Skyhigh Client (5.0 or later)

Use the Windows Update Hosts list from the List Catalog to configure the bypass policy. To view the domains and processes to be bypassed, see Domain Bypass List.

► Process-based bypass rules in Skyhigh Client Proxy 4.x 

You can import a CSV file containing all required domains into the SSE UI or ePO, depending on where you manage SCP policies. In the SSE UI, use the Import CSV option to automatically create domain-based bypass entries for Windows update servers. To view the domains and processes to be bypassed, see Process Bypass List.

Additionally, ensure your edge and endpoint firewalls whitelist the Windows update domains so traffic egresses directly to the Internet without passing through the proxy.

Use Case 3: On-prem traffic routed to the Cloud Proxy over an IPSec/GRE tunnel

If your on-prem network routes traffic to the Cloud Proxy through an IPSec or GRE tunnel, bypass requirements depend on where routing decisions occur:

  • If SCP handles routing, follow the configuration in Use Case 1.
  • If a firewall or another network device handles routing, add bypass or whitelist rules on that device to ensure Windows update traffic does not enter the tunnel.

Use Case 4: Traffic routed to the Cloud Proxy through ICAP (under development)

If your network sends traffic to the Cloud Proxy over ICAP, configure bypass rules on the originating network device. Add domain-based bypass rules to ensure Windows update traffic is not forwarded to the Cloud Proxy through ICAP.

Process and Domain Bypass List
Process-based Bypass

Bypass the following processes running on Windows:

NOTE: Ensure users do not have elevated privileges that allow them to rename or replace processes.

 

  • C:\Windows\System32\sihclient.exe
  • C:\Windows\System32\usoclient.exe
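
The NOTE above matters because a process-based bypass trusts whatever binary sits at these paths. The following PowerShell audit is an added example, not part of the Skyhigh documentation: it checks that each bypassed binary has a valid Microsoft signature and that only SYSTEM, Administrators, or TrustedInstaller own it or hold write-type rights on it. The function name `Test-BypassedBinary`, the trusted-SID list, and the signer match on `O=Microsoft Corporation` are assumptions made for this example.

```powershell
# Added example: audit the two bypassed binaries listed on this page.
$BypassedBinaries = @(
    'C:\Windows\System32\sihclient.exe',
    'C:\Windows\System32\usoclient.exe'
)
# Assumption: only these well-known principals should be able to change OS binaries.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
$SidType   = [System.Security.Principal.SecurityIdentifier]
# Rights that allow overwriting, deleting/renaming, or re-permissioning the file.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Test-BypassedBinary {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Findings = @('file not found') }
    }
    # 1. Signature must validate and chain to a Microsoft signer.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    # 2. Owner can rewrite the DACL, so it must be a trusted principal.
    $acl   = Get-Acl -LiteralPath $Path
    $owner = $acl.GetOwner($SidType).Value
    if ($owner -notin $TrustedSids) { $findings += "untrusted owner: $owner" }
    # 3. No Allow ACE may give write-type rights to anyone outside the trusted set.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $ace.IdentityReference.Value
        $canWrite = (([int]$ace.FileSystemRights) -band $WriteMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and $sid -notin $TrustedSids) {
            $findings += "write-type access for ${sid}: $($ace.FileSystemRights)"
        }
    }
    [pscustomobject]@{ Path = $Path; Ok = ($findings.Count -eq 0); Findings = $findings }
}

$BypassedBinaries | ForEach-Object { Test-BypassedBinary -Path $_ } | Format-List
```

Any result with `Ok = False` means the bypass rule for that path should not be relied on until the finding is resolved. The audit covers the files themselves and does not evaluate permissions on the parent directory.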