We try to only allow outbound HTTP(S) for "authenticated users". But then it is not possible for the computers to access Windows/Microsoft Update or activate Windows, because the local system/administrator account is being used for such communication. Therefore, I would like to create a whitelist for the Windows/Microsoft Update addresses so that "all users" can be allowed to only access these addresses.
Anyone seen such a whitelist? All I got is: *.download.microsoft.com, *.windowsupdate.com, *.windowsupdate.microsoft.com, update.microsoft.com, windowsupdate.microsoft.com (I don't have an address for Windows activation).
Of course, it would be better to use the IP addresses (instead of domain names) in case someone poisons the DNS server we are using, but I guess such an IP address whitelist would be quite difficult to maintain.
< Message edited by onerod -- 7.Dec.2006 4:05:18 AM >
So typical. I have had this problem for a long time, and half an hour after I post the question, I discover that ISA 2006 comes with a built-in domain name set: "Microsoft Update Domain Name Set", which includes: *.download.windowsupdate.com, *.update.microsoft.com, *.windowsupdate.com, *.windowsupdate.microsoft.com, download.microsoft.com, download.windowsupdate.com, ntservicepack.microsoft.com, windowsupdate.microsoft.com, wustat.windows.com
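An added example (not part of the original posts, and not ISA Server's own code): a Python matcher for the two domain lists quoted above, run over constructed request data to show which unauthenticated requests each list would refuse. The wildcard semantics (`*.` covers subdomains only, on a label boundary) and all function names are assumptions.

```python
# Added example, not ISA Server code. Wildcard semantics are an assumption:
# "*.example.com" covers subdomains on a label boundary, not "example.com".
BUILT_IN_SET = [  # "Microsoft Update Domain Name Set" as quoted in the post
    "*.download.windowsupdate.com", "*.update.microsoft.com",
    "*.windowsupdate.com", "*.windowsupdate.microsoft.com",
    "download.microsoft.com", "download.windowsupdate.com",
    "ntservicepack.microsoft.com", "windowsupdate.microsoft.com",
    "wustat.windows.com",
]
HAND_LIST = [  # the list from the original question
    "*.download.microsoft.com", "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com", "update.microsoft.com",
    "windowsupdate.microsoft.com",
]

def normalize(host):
    """Drop any :port suffix and trailing dot, and lower-case the name."""
    return host.strip().partition(":")[0].rstrip(".").lower()

def matches(pattern, host):
    """True if the normalized host is covered by one domain-set entry."""
    pattern, host = pattern.lower(), normalize(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com": forces a label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def allowed(host, domain_set=BUILT_IN_SET):
    return any(matches(p, host) for p in domain_set)

def denied_anonymous(requests, domain_set=BUILT_IN_SET):
    """Hosts that an 'all users' rule limited to domain_set would refuse."""
    return sorted({normalize(h) for user, h in requests
                   if user == "anonymous" and not allowed(h, domain_set)})

# Constructed sample of (user, requested host) pairs, not real proxy logs.
SAMPLE = [
    ("anonymous", "www.download.windowsupdate.com"),
    ("anonymous", "Download.Microsoft.com:443"),
    ("anonymous", "windowsupdate.com.lookalike.example"),
    ("anonymous", "notwindowsupdate.com"),
    ("CORP\\alice", "www.example.org"),
]

if __name__ == "__main__":
    print("built-in set refuses:", denied_anonymous(SAMPLE))
    print("hand list refuses:  ", denied_anonymous(SAMPLE, HAND_LIST))
```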
Why don't you install WSUS in your LAN?
Letting your users update their machines one by one is a bandwidth nightmare!
If you don't want to install WSUS, then I recommend enabling the Windows Update Cache rule. In this way, the first user to download the update will consume bandwidth; the rest of the users downloading the same update will get it from the cache.
Go to the Cache node, and on the right side, click Create the Microsoft Update Cache Rule.