I've got a firewall policy that restricts access to Windows Updates for my SMS server. I've created a domain name set and added the domain, windowsupdates.com, but for some reason I've also got to add a computer set with the domain server's IP address range; otherwise, with just the domain name set, access is denied. When I monitor the traffic, I see that in the URL field it's trying to go to the IP address (http://126.96.36.199-100), and I need to add that as a computer set before the rule allows access to the site.
I thought that the domain name set should be enough to access the site. Having to maintain the IP addresses (as they probably change periodically as servers are added/removed) is a hassle.
Any idea how I can fix this so that having only the domain name set is enough to allow access?
Configure your clients to be Web Proxy or Firewall clients of your ISA server. Also deny SNAT clients web browsing. You're experiencing this issue because SNAT clients resolve FQDNs to the particular IP addresses *before* their requests even reach the ISA server, so it is unaware of the requested FQDN and cannot apply the appropriate firewall policy.
The sites you have to allow access to are defined in MSKB article http://support.microsoft.com/kb/885819/. As Tom said, a domain name set should do the trick *if* the clients are configured as Web Proxy clients.
If you try Windows Update as a SecureNAT client it won't work that well because at some point an SSL connection is set up. This request is obviously made by IP address. As a result, ISA must perform a reverse DNS lookup in order to match the request to a Domain Name or URL set. Yet this will not succeed because *no* proper reverse DNS entries exist for the Windows Update sites.
If by web proxy you mean configure IE via Tools, Internet Options, Connections, LAN settings, Use proxy server for LAN, and point to ISA, I have done that. I have also installed the ISA client on each workstation, but for some websites I still need to grant access to the domain name as well as the IP address of the server. Without the IP address, users cannot get to the website, because we've restricted all sites but those that we give access to. I thought that ISA's capability should be that all I need to do is provide the domain name. There must be a config setting that I'm missing.
If you have to add IP addresses, then that means to me that the client sends the requests by IP address instead of by FQDN. This occurs if the destination is on the direct access list or if the destination is specified as an IP address instead of an FQDN (i.e. http://192.168.1.1).
Now, whenever ISA gets an IP address that must be matched to a Domain Name or URL set, then ISA has to perform a reverse DNS lookup. Thus the outcome of this reverse DNS lookup will determine whether a match can be found or not. For more info, check out my article Understanding the ISA 2004 Access Rule Processing.
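As an added illustration of the matching order the replies above describe (it is not ISA Server code and was not posted by anyone in the thread), the following Python sketch models how a proxy matches a request against a Domain Name Set: a request that arrives by FQDN is matched directly, a request that arrives by IP address is first put through a reverse DNS lookup and only the PTR name is matched, and a Computer Set is the fallback that matches on the address itself. The domain name entries, the reverse-DNS table, the address ranges and the sample URLs are all constructed for the example.

```python
"""Model of Domain Name Set vs. Computer Set matching for a web proxy.

Added illustration only: the domain entries, the PTR table and the
addresses below are constructed and do not come from any real firewall.
"""
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed Domain Name Set, using the "*.domain" wildcard style.
WINDOWS_UPDATE_SET = [
    "*.windowsupdate.com",
    "*.update.microsoft.com",
    "download.windowsupdate.com",
]

# Constructed reverse-DNS (PTR) table standing in for what the proxy's
# resolver would return. 203.0.113.10 deliberately has no PTR record.
REVERSE_DNS = {
    "203.0.113.5": "download.windowsupdate.com",
}

# Constructed Computer Set: the address range the original poster had to add.
COMPUTER_SET = [ipaddress.ip_network("203.0.113.0/24")]


def host_in_domain_set(host, domain_set):
    """Case-insensitive wildcard match of a host name against the set."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, entry.lower()) for entry in domain_set)


def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_computer_set(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def evaluate(url, domain_set, ptr_table, computer_set=()):
    """Return (allowed, reason) for a request exactly as the client sent it.

    Web Proxy / Firewall clients send the FQDN, so step 1 applies.
    SecureNAT clients (or requests to a literal IP) hit step 2, which
    only succeeds if a reverse DNS entry exists for that address.
    Step 3 is the Computer Set workaround from the original question.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False, "no host in URL"

    # Step 1: request carries an FQDN -> match it directly.
    if not is_ip_address(host):
        if host_in_domain_set(host, domain_set):
            return True, f"FQDN {host} matched Domain Name Set"
        return False, f"FQDN {host} not in Domain Name Set"

    # Step 2: request carries an IP -> reverse lookup, then match the PTR name.
    ptr = ptr_table.get(host)
    if ptr is not None and host_in_domain_set(ptr, domain_set):
        return True, f"IP {host} -> PTR {ptr} matched Domain Name Set"

    # Step 3: fall back to an address-based Computer Set, if one is configured.
    if in_computer_set(host, computer_set):
        return True, f"IP {host} matched Computer Set"

    why = "no PTR record" if ptr is None else f"PTR {ptr} not in set"
    return False, f"IP {host} denied ({why}, not in Computer Set)"


if __name__ == "__main__":
    samples = [
        "http://download.windowsupdate.com/msdownload/x.cab",  # Web Proxy client
        "http://203.0.113.5/msdownload/x.cab",                 # SecureNAT, PTR exists
        "http://203.0.113.10/msdownload/x.cab",                # SecureNAT, no PTR
        "http://www.example.org/",
    ]
    for u in samples:
        print(evaluate(u, WINDOWS_UPDATE_SET, REVERSE_DNS))
        print(evaluate(u, WINDOWS_UPDATE_SET, REVERSE_DNS, COMPUTER_SET))
```

Running it shows the thread's two outcomes side by side: with only the Domain Name Set, the IP-based request for the address without a PTR record is denied, and adding the Computer Set is what lets it through.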