Comment for planned access rule for WSUS server
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Comment for planned access rule for WSUS server Page: [1]
Comment for planned access rule for WSUS server - 10.Sep.2009 4:09:57 AM   
Mekong River

 

Posts: 78
Joined: 9.Aug.2009
Status: offline
Hi, I plan to set up a WSUS server behind my ISA server. I plan to configure the following access rule so that my WSUS server can access only the Microsoft Windows Update website; traffic from this WSUS server to any other web resource is not allowed. The settings are listed below:

General: <Rule name: any name that I prefer>
Action: Deny
Protocol: All outbound traffic
From: WSUS (computer object)
To: External (Exceptions: WSUS Domain Name Set)
Content type: All content type
Schedule: Always
User: All Users

With the above planned rule, please advise me whether I have correctly planned the access rule for my WSUS server.

Thanks in advance!!!
Post #: 1
RE: Comment for planned access rule for WSUS server - 10.Sep.2009 6:10:17 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Where is the Allow rule ?

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to Mekong River)
Post #: 2
RE: Comment for planned access rule for WSUS server - 10.Sep.2009 6:29:00 AM   
Mekong River

 

Posts: 78
Joined: 9.Aug.2009
Status: offline
The action of allow is in the Exception of To: External. This rule means block everything from the WSUS server to the internet except to the Microsoft Windows Update website.

Am I correct?

(in reply to elmajdal)
Post #: 3
RE: Comment for planned access rule for WSUS server - 10.Sep.2009 11:52:39 AM   
DEVLAVI

 

Posts: 115
Joined: 16.Jul.2009
From: Bangalore, India
Status: offline
quote:

The action of allow is in the Exception of To: External. This rule mean block everything from WSUS server to an internet except to the Microsoft Windows Update website.


Naa, that's not good enough & it'll never work. Post back if you ever manage to get it to work.

You need an allow rule before your deny rule, as mentioned by Tarek.

And I suggest you use the built-in "Microsoft Update Domain Name Set" & "System Policy Allowed Sites" in your allow rule.

Thanks,
Dev

< Message edited by DEVLAVI -- 10.Sep.2009 12:14:46 PM >


_____________________________

Vasu Dev,
Network Administrator

"Abnormal is so common, it's practically normal."

(in reply to Mekong River)
Post #: 4
RE: Comment for planned access rule for WSUS server - 11.Sep.2009 4:01:15 AM   
Mekong River

 

Posts: 78
Joined: 9.Aug.2009
Status: offline
Dear Dev,

Regarding your suggestion above, would the configuration below be correct:

General: Allow WSUS to access Microsoft Update website
Action: Allow
Protocol: Selected Protocol (HTTP, HTTPS)
From: WSUS (computer object)
To: Domain Set of Microsoft Windows Update website
Content type: All content type
Schedule: Always
User: All Users


General: Block WSUS to access internet
Action: Deny
Protocol: All outbound traffic
From: WSUS (computer object)
To: External
Content type: All content type
Schedule: Always
User: All Users

Thanks in advance,
Kanel

(in reply to DEVLAVI)
Post #: 5
RE: Comment for planned access rule for WSUS server - 11.Sep.2009 2:44:07 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Kanel,

this will help you: http://support.microsoft.com/default.aspx?scid=kb;en-us;885819

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to Mekong River)
Post #: 6
RE: Comment for planned access rule for WSUS server - 12.Sep.2009 11:08:09 AM   
DEVLAVI

 

Posts: 115
Joined: 16.Jul.2009
From: Bangalore, India
Status: offline
Hi Kanel,

quote:


General: Allow WSUS to access Microsoft Update website
Action: Allow
Protocol: Selected Protocol (HTTP, HTTPS)
From: WSUS (computer object)
To: Domain Set of Microsoft Windows Update website
Content type: All content type
Schedule: Always
User: All Users


Yes, that should work. Just make sure you use the built-in domain name sets "Microsoft Update Domain Name Set" & "System Policy Allowed Sites" in your access rule.

Also refer to the link posted by Paulo for more info on the same.

Thanks,
Dev

_____________________________

Vasu Dev,
Network Administrator

"Abnormal is so common, it's practically normal."

(in reply to Mekong River)
Post #: 7
RE: Comment for planned access rule for WSUS server - 12.Sep.2009 10:21:17 PM   
Mekong River

 

Posts: 78
Joined: 9.Aug.2009
Status: offline
Dear Dev,

Thank you very much for your reply. I also found that document, and I have already printed it out and read it. But I still wonder about my original rule, which is to block everything except to the Microsoft Update Domain set (my original post).

Could you please let me know what the cause of this problem is that keeps this rule from working?

Thanks,
Kanel

(in reply to DEVLAVI)
Post #: 8
RE: Comment for planned access rule for WSUS server - 12.Sep.2009 11:32:00 PM   
DEVLAVI

 

Posts: 115
Joined: 16.Jul.2009
From: Bangalore, India
Status: offline
Hi Kanel

AFAIK
ISA is designed to Block Anything & Everything unless it's allowed purposely.
The only way to allow it is with the Access rules & publishing rules.

In your case you have a rule to deny all traffic, but where is the allow rule?
Allowed Access Rule & Exception are totally different things.

I am sure other people here have better ways to explain this

HTH.
Dev

_____________________________

Vasu Dev,
Network Administrator

"Abnormal is so common, it's practically normal."

(in reply to Mekong River)
Post #: 9
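
The distinction Dev draws in post #9, as an added example that is not part of the thread or of ISA Server itself: a simplified Python model of ordered, first-match rule evaluation with an implicit default deny, run against the single rule from post #1 and the two-rule policy from post #5. The `Rule` class, the `evaluate` function and the two sample domain patterns are assumptions made for illustration; system policy rules are not modelled.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Sample entries only (constructed for this example), not the full built-in set.
UPDATE_DOMAINS = ["*.windowsupdate.com", "*.update.microsoft.com"]

@dataclass
class Rule:
    name: str
    action: str       # "Allow" or "Deny"
    source: str       # computer object name
    protocols: set    # empty set = all outbound traffic
    to: list          # destination patterns; ["*"] stands for External
    exceptions: list = field(default_factory=list)

    def matches(self, src, proto, host):
        if src != self.source:
            return False
        if self.protocols and proto not in self.protocols:
            return False
        if any(fnmatch(host, p) for p in self.exceptions):
            return False  # an exception only takes the host out of THIS rule
        return any(fnmatch(host, p) for p in self.to)

def evaluate(policy, src, proto, host):
    """First matching rule decides; the implicit last Default rule denies."""
    for rule in policy:
        if rule.matches(src, proto, host):
            return rule.action, rule.name
    return "Deny", "Default rule"

# Post #1: a single Deny rule with the update domains as an exception.
original = [Rule("Block WSUS", "Deny", "WSUS", set(), ["*"], UPDATE_DOMAINS)]

# Post #5: the Allow rule first, then the Deny rule.
corrected = [
    Rule("Allow WSUS to Microsoft Update", "Allow", "WSUS",
         {"HTTP", "HTTPS"}, UPDATE_DOMAINS),
    Rule("Block WSUS", "Deny", "WSUS", set(), ["*"]),
]

if __name__ == "__main__":
    for label, policy in (("original", original), ("corrected", corrected)):
        for host in ("download.windowsupdate.com", "www.example.com"):
            print(label, host, evaluate(policy, "WSUS", "HTTPS", host))
```

With the original policy, the update host skips the Deny rule because of the exception, matches nothing else, and is still denied by the default rule.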
RE: Comment for planned access rule for WSUS server - 13.Sep.2009 9:30:01 PM   
Mekong River

 

Posts: 78
Joined: 9.Aug.2009
Status: offline
Dear Dev,

Thank you very much for your reply. I will check my book for further reference about this difference.

Thanks,
Kanel

(in reply to DEVLAVI)
Post #: 10
RE: Comment for planned access rule for WSUS server - 2.Mar.2010 8:14:35 PM   
aliyanisabrey

 

Posts: 99
Joined: 12.Feb.2009
Status: offline
Hi,

I am a bit confused here... I thought "System Policy Allowed Sites" is already set. That means Windows Update is already allowed. Am I correct?

Please correct me if I am wrong.

(in reply to Mekong River)
Post #: 11
RE: Comment for planned access rule for WSUS server - 3.Mar.2010 8:35:02 PM   
Mekong River

 

Posts: 78
Joined: 9.Aug.2009
Status: offline
Hello, as far as I know, the System Policy Allowed Sites set works only on the ISA computer. But in this case I have a separate server that I plan to set up as the WSUS server. So a rule has to be created for it.

Kanel

(in reply to aliyanisabrey)
Post #: 12
RE: Comment for planned access rule for WSUS server - 4.Mar.2010 12:41:53 AM   
aliyanisabrey

 

Posts: 99
Joined: 12.Feb.2009
Status: offline
Okay. Thanks for your info.

(in reply to Mekong River)
Post #: 13
