Netgate Discussion Forum

    Windows Update doesn't pass

    General pfSense Questions
    5 Posts 4 Posters 3.3k Views
    thomashawk

      Hi,

      I have a virtual pfSense which is connected to 2 ports: WAN and LAN. The virtual Windows Server is thus in the LAN.
      I need to block all outgoing flows, but the consequence is that the Windows Server can't reach Windows Update.

      I added rules to let flows out to the Windows FQDNs:
      http://windowsupdate.microsoft.com
      http://download.windowsupdate.com
      http://download.microsoft.com
      http://test.stats.update.microsoft.com
      http://ntservicepack.microsoft.com

      But pfSense refuses the generic (wildcard) domain names:
      http://*.download.windowsupdate.com
      http://*.windowsupdate.microsoft.com
      http://*.update.microsoft.com
      https://*.update.microsoft.com
      http://*.windowsupdate.com
      https://*.windowsupdate.microsoft.com
      http://*.download.windowsupdate.com

      Is there a solution to reach Windows Update with rules, or does this need WSUS or a squid proxy?

      Thanks, and sorry for my English ^^

      Gertjan

        @thomashawk:

        Is there a solution to join Windows Update with a rules or this need WSUS or squid proxy ?

        Change "windows update" to "facebook", "google" or "youtube" and you will find many, many messages on this forum that treat the same question: how to permit everything except these, or, in your case, the other way around.

        An answer could be as easy as consulting the Internet index with a very simple question like "how to find all windows update IP addresses".

        edit: I found out that you could lock up the Windows firewall, and after that, you empty the firewall, leaving in place a rule for the "windows update" related services. Bonus: this is maintenance free.

        Another solution: visit the BIOS and lock screen/keyboard/mouse - remove remote access for unknown users. No more non-trusted users means: no more issues.

        Or are you trying to take control of the devices used by your kids? Because in that case, very easy solutions exist already.

        edit 2: keep Google installed: try this: pfSense DNS blackhole

        No "help me" PMs please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        thomashawk

          Thanks for your answer!

          But it's more complicated with Windows Update than with "facebook" or "youtube", because the IPs change permanently.

          The server is used for application hosting, so for security I want to limit the HTTP and HTTPS output.

          Harvy66

            I'd install a local WSUS and give that machine access to Microsoft.

            michael_samer

              Hello Harvy66,
              I did the same for my network: WSUS and SCCM locally, distribute the addresses via GP, get full local speed and offload the WAN line at daytime for user stuff. AFAIR: "one ring to bind them all".
              As an alternative: you could use squid as a transparent proxy, and there's a manual especially for the WSUS case to offload the WAN line (the problem being the lot of IPs/subfolders).

              Cheers
              Michael
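
              The squid route mentioned in this thread is the one that can express the wildcard domains from the first post, because a squid dstdomain ACL with a leading dot matches the domain and every subdomain, which a pfSense FQDN alias cannot. The following squid.conf fragment is an added example, not code from the thread or from the pfSense project; it assumes the LAN is 192.168.1.0/24 and that squid runs as an explicit (non-transparent) proxy that the Windows Server is pointed at, so HTTPS arrives as CONNECT requests whose host name squid can check.

```squid
# --- Added example: egress allowlist for Windows Update only ---
# Assumption: the internal network is 192.168.1.0/24 (constructed value).
acl lan src 192.168.1.0/24

# Leading dot = this domain and all of its subdomains, so the
# "*.download.windowsupdate.com" style entries from the first post
# collapse into one line each.
acl windows_update dstdomain .windowsupdate.microsoft.com
acl windows_update dstdomain .download.windowsupdate.com
acl windows_update dstdomain .update.microsoft.com
acl windows_update dstdomain .windowsupdate.com
acl windows_update dstdomain .download.microsoft.com
acl windows_update dstdomain ntservicepack.microsoft.com
acl windows_update dstdomain test.stats.update.microsoft.com

# Only plain HTTP and HTTPS ports, and CONNECT only to 443.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow LAN hosts to reach the update domains; everything else is refused,
# so the default posture stays "deny all outbound" as the poster wanted.
http_access allow lan windows_update
http_access deny all

# Log each decision so denied egress attempts from the server are visible.
access_log /var/log/squid/access.log squid
```

              Because squid decides on the host name at request time, the IP addresses behind these domains can change without any rule maintenance on the firewall; the pfSense rules then only need to allow the proxy itself out on 80/443.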

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.