
Welcome to ISAserver.org


Microsoft Update Whitelist?

Microsoft Update Whitelist? - 7.Dec.2006 3:29:09 AM   
onerod

 

Posts: 11
Joined: 11.Nov.2005
Status: offline
We try to only allow outbound HTTP(S) for "authenticated users". But then it is not possible for the computers to access Windows/Microsoft Update or activate Windows because the local system/administrator account is being used for such communication. Therefore, I would like to create a whitelist for the Windows/Microsoft Update addresses so that "all users" can be allowed to only access these addresses.

Anyone seen such a whitelist?
All I got is:
*.download.microsoft.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
update.microsoft.com
windowsupdate.microsoft.com
(I don't have an address for Windows activation)

Of course, it would be better to use the IP addresses (instead of domain names) in case someone poisons the DNS server we are using, but I guess such an IP address whitelist would be quite difficult to maintain.

< Message edited by onerod -- 7.Dec.2006 4:05:18 AM >
Post #: 1
RE: Microsoft Update Whitelist? - 7.Dec.2006 4:03:45 AM   
onerod

 

Posts: 11
Joined: 11.Nov.2005
Status: offline
So typical. I have had this problem for a long time, and half an hour after I post the question, I discover that ISA 2006 comes with a built-in domain name set: "Microsoft Update Domain Name Set" which includes:
*.download.windowsupdate.com
*.update.microsoft.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
download.microsoft.com
download.windowsupdate.com
ntservicepack.microsoft.com
windowsupdate.microsoft.com
wustat.windows.com

Cool.

(in reply to onerod)
Post #: 2
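
An added example, not part of the original posts: a Python comparison of the hand-built list from post #1 with the built-in set listed in post #2, showing which entries of one the other fails to cover. The matching rule (a leading `*.` covers subdomains but not the bare domain) is an assumption about how the firewall evaluates domain name set entries, and the function names are hypothetical.

```python
# Entries copied from post #1 (hand-built) and post #2 (built-in set).
HAND_BUILT = [
    "*.download.microsoft.com", "*.windowsupdate.com",
    "*.windowsupdate.microsoft.com", "update.microsoft.com",
    "windowsupdate.microsoft.com",
]
BUILT_IN = [
    "*.download.windowsupdate.com", "*.update.microsoft.com",
    "*.windowsupdate.com", "*.windowsupdate.microsoft.com",
    "download.microsoft.com", "download.windowsupdate.com",
    "ntservicepack.microsoft.com", "windowsupdate.microsoft.com",
    "wustat.windows.com",
]


def entry_matches(entry, host):
    """Assumed rule: '*.example.com' matches any subdomain of example.com
    but not example.com itself; other entries match exactly."""
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # keep the leading dot so lookalikes fail
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def allowed(domain_set, host):
    """True if any entry in the set matches the host name."""
    return any(entry_matches(e, host) for e in domain_set)


def gaps(candidate, reference):
    """Entries of `reference` that `candidate` does not fully cover.
    A wildcard entry is probed with a placeholder label in place of '*'."""
    return [e for e in reference
            if not allowed(candidate, e.replace("*", "probe", 1))]


if __name__ == "__main__":
    print("built-in entries missing from the hand-built list:")
    print("  ", gaps(HAND_BUILT, BUILT_IN))
    print("hand-built entries missing from the built-in set:")
    print("  ", gaps(BUILT_IN, HAND_BUILT))
```
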
RE: Microsoft Update Whitelist? - 7.Dec.2006 10:05:23 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Why don't you install WSUS in your LAN?

Letting your users update their machines one by one is a bandwidth nightmare!

If you don't want to install WSUS, then I recommend enabling the Windows Update Cache rule. In this way, the first user who downloads the update will consume bandwidth, and the rest of the users downloading the same update will take it from the cache.

Go to the Cache node, and on the right side, click Create the Microsoft Update Cache Rule.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to onerod)
Post #: 3
RE: Microsoft Update Whitelist? - 7.Dec.2006 12:07:20 PM   
onerod

 

Posts: 11
Joined: 11.Nov.2005
Status: offline
WSUS is on our todo-list, and we are already BITS-caching the updates,
but thanks anyway

(in reply to onerod)
Post #: 4
