My solutions:
- allow direct connections at your firewall/default_gateway to M$ WindowsUpdate servers (there are many, maybe due to load sharing). I did this, it is not nice, but it works.
- implement transparent proxy at your firewall/default_gateway.