Comment for planned access rule for WSUS server

Mekong River -> Comment for planned access rule for WSUS server (10.Sep.2009 4:09:57 AM)

Hi, I plan to set up a WSUS server behind my ISA server. I plan to configure the following access rule so that my WSUS server can access only the Microsoft Windows Update website; traffic from this WSUS server to any other web resource is not allowed. The settings are listed below:

General: <Rule name: any name that I prefer>
Action: Deny
Protocol: All outbound traffic
From: WSUS (computer object)
To: External (Exceptions: WSUS Domain Name Set)
Content type: All content type
Schedule: Always
User: All Users

With the above planned rule, please advise me whether I have correctly planned the access rule for my WSUS server.

Thanks in advance!!!




elmajdal -> RE: Comment for planned access rule for WSUS server (10.Sep.2009 6:10:17 AM)

Where is the Allow rule?




Mekong River -> RE: Comment for planned access rule for WSUS server (10.Sep.2009 6:29:00 AM)

The allow action is in the Exception of To: External. This rule means block everything from the WSUS server to the Internet except to the Microsoft Windows Update website.

Am I correct?




DEVLAVI -> RE: Comment for planned access rule for WSUS server (10.Sep.2009 11:52:39 AM)

quote:

The allow action is in the Exception of To: External. This rule means block everything from the WSUS server to the Internet except to the Microsoft Windows Update website.


Nah, that's not good enough & it'll never work. Post back if you ever manage to get it to work.

You need an allow rule before your deny rule, as mentioned by Tarek.

And I suggest you use the built-in "Microsoft Update Domain Name Set" & "System Policy Allowed Sites" in your allow rule.

Thanks,
Dev




Mekong River -> RE: Comment for planned access rule for WSUS server (11.Sep.2009 4:01:15 AM)

Dear Dev,

Regarding your suggestion above, would the configuration below be correct?

General: Allow WSUS to access Microsoft Update website
Action: Allow
Protocol: Selected Protocol (HTTP, HTTPS)
From: WSUS (computer object)
To: Domain Set of Microsoft Windows Update website
Content type: All content type
Schedule: Always
User: All Users


General: Block WSUS to access internet
Action: Deny
Protocol: All outbound traffic
From: WSUS (computer object)
To: External
Content type: All content type
Schedule: Always
User: All Users

Thanks in advance,
Kanel




paulo.oliveira -> RE: Comment for planned access rule for WSUS server (11.Sep.2009 2:44:07 PM)

Hi Kanel,

This will help you: http://support.microsoft.com/default.aspx?scid=kb;en-us;885819

Regards,
Paulo Oliveira.




DEVLAVI -> RE: Comment for planned access rule for WSUS server (12.Sep.2009 11:08:09 AM)

Hi Kanel,

quote:


General: Allow WSUS to access Microsoft Update website
Action: Allow
Protocol: Selected Protocol (HTTP, HTTPS)
From: WSUS (computer object)
To: Domain Set of Microsoft Windows Update website
Content type: All content type
Schedule: Always
User: All Users


Yes, that should work. Just make sure you use the built-in domain name sets "Microsoft Update Domain Name Set" & "System Policy Allowed Sites" in your access rule.

Also refer to the link posted by Paulo for more info on the same.

Thanks,
Dev




Mekong River -> RE: Comment for planned access rule for WSUS server (12.Sep.2009 10:21:17 PM)

Dear Dev,

Thank you very much for your reply. I also found that document, and I have already printed it out and read it. But I still wonder about my original rule, which blocks everything except the Microsoft Update Domain set (my original post).

Could you please let me know what the cause of the problem is that keeps this rule from working?

Thanks,
Kanel




DEVLAVI -> RE: Comment for planned access rule for WSUS server (12.Sep.2009 11:32:00 PM)

Hi Kanel

AFAIK
ISA is designed to Block Anything & Everything unless it's allowed purposely
The only way to allow it is with the Access rules & publishing rules

In your case you have a rule to deny all traffic but where is the allow rule?
Allowed Access Rule & Exception are totally different things

I am sure other people here have better ways to explain this

HTH.
Dev
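
The evaluation behaviour described in the post above, as an added example that is not part of any post in this thread: a simplified Python model of ordered, first-match rule evaluation with a final default deny, run against the original single Deny rule and the revised Allow/Deny pair. The hostnames are constructed placeholders standing in for the Microsoft Update domain name set, and the matching logic is an assumption that simplifies ISA's rule engine.

```python
from dataclasses import dataclass, field

EXTERNAL = "External"   # the External network: matches any destination
# Constructed placeholder standing in for the Microsoft Update domain name set.
UPDATE_SET = {"windowsupdate.example"}

@dataclass
class Rule:
    name: str
    action: str                       # "Allow" or "Deny"
    source: str
    to: set
    protocols: set = None             # None means all outbound traffic
    exceptions: set = field(default_factory=set)

    def matches(self, src, dest, proto):
        if src != self.source:
            return False
        if self.protocols is not None and proto not in self.protocols:
            return False
        if dest in self.exceptions:   # an exception only takes dest out of this rule
            return False
        return EXTERNAL in self.to or dest in self.to

def evaluate(rules, src, dest, proto):
    """Return (action, rule name) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(src, dest, proto):
            return rule.action, rule.name
    return "Deny", "Default rule"     # nothing matched: denied by default

# Original plan: one Deny rule with the update set as an exception.
ORIGINAL = [Rule("Deny WSUS", "Deny", "WSUS", {EXTERNAL}, exceptions=UPDATE_SET)]
# Revised plan: explicit Allow rule placed before the Deny rule.
REVISED = [
    Rule("Allow WSUS to access Microsoft Update website", "Allow", "WSUS",
         UPDATE_SET, {"HTTP", "HTTPS"}),
    Rule("Block WSUS to access internet", "Deny", "WSUS", {EXTERNAL}),
]

if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("revised", REVISED)):
        for dest in ("windowsupdate.example", "other.example"):
            print(label, dest, evaluate(policy, "WSUS", dest, "HTTPS"))
```

In this model the original rule leaves the update host unmatched, so it falls through to the default rule and is denied. Reversing the revised pair also denies it, which is why the Allow rule has to sit above the Deny rule.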




Mekong River -> RE: Comment for planned access rule for WSUS server (13.Sep.2009 9:30:01 PM)

Dear Dev,

Thank you very much for your reply. I will check my book for further reference about this difference.

Thanks,
Kanel




aliyanisabrey -> RE: Comment for planned access rule for WSUS server (2.Mar.2010 8:14:35 PM)

Hi,

I am a bit confused here... I thought "System Policy Allowed Sites" is already set. That means Windows Update is already allowed. Am I correct?

Please correct me if I am wrong.




Mekong River -> RE: Comment for planned access rule for WSUS server (3.Mar.2010 8:35:02 PM)

Hello, as far as I know, System Policy Allowed Sites works only on the ISA computer. But in this case I have a separate server that I plan to set up as the WSUS server, so a rule has to be created for it.

Kanel :)




aliyanisabrey -> RE: Comment for planned access rule for WSUS server (4.Mar.2010 12:41:53 AM)

Okay. Thanks for your info.



