Microsoft Update Whitelist? (Full Version)

onerod -> Microsoft Update Whitelist? (7.Dec.2006 3:29:09 AM)

We try to only allow outbound HTTP(S) for "authenticated users". But then it is not possible for the computers to access Windows/Microsoft Update or activate Windows because the local system/administrator account is being used for such communication. Therefore, I would like to create a whitelist for the Windows/Microsoft Update addresses so that "all users" can be allowed to only access these addresses.

Anyone seen such a whitelist?
All I got is:
*.download.microsoft.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
update.microsoft.com
windowsupdate.microsoft.com
(I don't have an address for Windows activation)

Of course, it would be better to use the IP addresses (instead of domain names) in case someone poisons the DNS server we are using, but I guess such an IP address whitelist would be quite difficult to maintain [&o]




onerod -> RE: Microsoft Update Whitelist? (7.Dec.2006 4:03:45 AM)

So typical. I have had this problem for a long time, and half an hour after I post the question, I discover that ISA 2006 comes with a built-in domain name set: "Microsoft Update Domain Name Set" which includes:
*.download.windowsupdate.com
*.update.microsoft.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
download.microsoft.com
download.windowsupdate.com
ntservicepack.microsoft.com
windowsupdate.microsoft.com
wustat.windows.com

Cool.
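
Checking hostnames against the set quoted above, as an added example that is not part of the original thread and not ISA Server's own code. It assumes a `*.` entry matches subdomains only and never the bare name; the function names and sample hostnames are constructed.

```python
# Added example. Entries copied from the "Microsoft Update Domain Name Set" post.
MS_UPDATE_SET = [
    "*.download.windowsupdate.com", "*.update.microsoft.com",
    "*.windowsupdate.com", "*.windowsupdate.microsoft.com",
    "download.microsoft.com", "download.windowsupdate.com",
    "ntservicepack.microsoft.com", "windowsupdate.microsoft.com",
    "wustat.windows.com",
]

def normalize(host):
    """Lower-case, drop an optional :port and a trailing root dot."""
    host = host.strip().lower()
    if host.count(":") == 1:          # host:port (not an IPv6 literal)
        host = host.split(":")[0]
    return host.rstrip(".")

def matches(host, pattern):
    """ASSUMED semantics: '*.x' matches any subdomain of x, never x itself."""
    host, pattern = normalize(host), normalize(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".x": the leading dot anchors a label boundary
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern

def first_match(host, domain_set=MS_UPDATE_SET):
    """Return the first entry that covers host, or None."""
    return next((p for p in domain_set if matches(host, p)), None)

def triage(hosts, domain_set=MS_UPDATE_SET):
    """Split hostnames into {host: entry} the set covers and a list it does not."""
    covered, uncovered = {}, []
    for h in hosts:
        entry = first_match(h, domain_set)
        if entry:
            covered[normalize(h)] = entry
        else:
            uncovered.append(normalize(h))
    return covered, uncovered

# Constructed sample: destination hosts as they might appear in a proxy log.
SAMPLE_HOSTS = [
    "a.download.windowsupdate.com", "WUSTAT.windows.com.",
    "www.update.microsoft.com:443", "windowsupdate.com",
    "xwindowsupdate.com", "windowsupdate.com.example.test",
]

if __name__ == "__main__":
    covered, uncovered = triage(SAMPLE_HOSTS)
    for host, entry in covered.items():
        print(f"covered    {host:35} by {entry}")
    for host in uncovered:
        print(f"uncovered  {host}")
```

Hosts reported as uncovered would not match an "all users" rule built on this set and would fall through to the "authenticated users" rule.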




elmajdal -> RE: Microsoft Update Whitelist? (7.Dec.2006 10:05:23 AM)

Why don't you install WSUS in your LAN?

Letting your users update their machines one by one is a bandwidth nightmare!

If you don't want to install WSUS, then I recommend enabling the Windows Update Cache rule. This way, the first user to download the update will consume bandwidth, and the rest of the users downloading the same update will take it from the cache.

Go to the Cache node and, on the right side, click Create the Microsoft Update Cache Rule.




onerod -> RE: Microsoft Update Whitelist? (7.Dec.2006 12:07:20 PM)

WSUS is on our todo-list, and we are already BITS-caching the updates,
but thanks anyway [;)]



