Whitelisting Microsoft Update sites isn't working
-
A client has two 2008 R2 SP1 domain controllers behind a pfSense firewall. Outgoing access for the DCs is whitelisted by destination port and domain. I've added the usual Windows Update sites to an alias for whitelisting:
- download.windowsupdate.com
- download.microsoft.com
- download.windowsupdate.com
- wustat.windows.com
- ntservicepack.microsoft.com
- go.microsoft.com
DNS on the domains shows several possible forwards to other domains, including
- sls.row.update.microsoft.com.akadns.net
- fe2.update.microsoft.com.nsatc.net
- www.update.microsoft.com.nsatc.net
- a23-209-176-51.deploy.static.akamaitechnologies.com
and others. I have also added those domains to the whitelist, and I allow TCP out to those destinations on ports 80 and 443, but the firewall is still blocking the DCs from getting updates. However, if I change the rule to allow all destination domains (without changing the protocols or allowed port list), the DCs can get updates.
Does anyone have any ideas about what I'm missing? I'll be grateful for any help.
-
It's different all over the world. You're going to play whack-a-mole forever. If it's that important to block your DCs from the Internet, perhaps a WSUS server is in order?
-
Yeah, that's what I'm afraid of. It's a small network and difficult to justify the expense, even if one of the DCs assumes the role. But domain controllers should always be blocked from general internet access, and it'll be easier to manually enable an "allow all destinations" rule for the DCs when we want updates and then disable it afterwards.
I was just hoping there was some way to write a rule that would trigger allowing access to destinations that are chained from initially allowed destinations.
-
Expense? Add a disk with a TB or two and then use that for the store. A hundred bucks or so.
-
:) I already have to bring a gun with me whenever I ask the boss for more money for IT. But he's really a nice guy, and I don't like doing it. And WSUS management has gotten anything but easier. The additional labor required is a pain in the rear. It's gotten as buggy as Microsoft's updates are, and it's way overkill for this small network. It's a lot easier to click the "X" next to a firewall rule to disable it one or two nights a month and then play Spider Solitaire while the servers check for updates.
-
@eveningstarnm I agree with you. Managing WSUS has been too expensive for my customers, in terms of time required and skills. WSUS is buggy and needs periodic cleanup/reindexing to the database and files. I'm removing WSUS from all my small customers. But... how could I allow traffic to microsoft update sites only for some clients with pfSense?
-
@giox969 said in Whitelisting Microsoft Update sites isn't working:
how could I allow traffic to microsoft update sites only for some clients with pfSense?
By not blocking it for anyone?!
People, the users, are not 'visiting' these sites or servers. The OS is.
So, what about granting the access to everybody? Why would you block access to such update (security?) services?
Facebook: OK. Instagram: Yeah, sure. Twitter: I understand.
Another solution / answer:
Trusted users use your LAN - A.
Untrusted users use another LAN, LAN B. On this LAN B you can (try to) block whatever you want.
-
@gertjan security: we have some PCs that we don't want to be used to surf the internet, because they are embedded inside special machinery. These Windows PCs need Windows updates, but we don't want users or applications surfing the internet from these PCs.
So we usually allow access to Windows updates and TeamViewer/AnyDesk tools for remote assistance on those PCs.
With other firewall brands, like WatchGuard, I can use a list of Windows Update sites, but I need to use wildcards like "*.windowsupdates.com". The WatchGuard firewall will take care to intercept DNS resolutions and convert them into IP addresses for dynamic firewall rules. Or, if you are paying for extra services from WatchGuard, filtering can also be done on the SNI hostname field of the TLS handshake.
I hoped that a similar solution existed for pfSense.
-
@giox969 said in Whitelisting Microsoft Update sites isn't working:
but I need to use wildcards like "*.windowsupdates.com"
As far as I know, Microsoft never published a list with domain names it uses 'to call home'.
There could even be a list with IP addresses, IPv4 and IPv6 of course, just in case all DNS resolving fails.
On the other hand, some are known, so, if these are a 'pass' on your DNSBL/firewall, it would most probably use these and be happy about it.
@giox969 said in Whitelisting Microsoft Update sites isn't working:
because they are embedded inside special machinery
Did you also embed real people in these machines that could try to use the devices for their own needs?
-
As far as I know, Microsoft never published a list with domain names it uses 'to call home'.
Here is the DNS list from Microsoft itself, for Windows 10 and 11:
https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting#device-cannot-access-update-files
but my personal list has some (one or two?) extra hosts, collected sniffing traffic from Windows 7, 8, 8.1, 10:
- *.prod.do.dsp.mp.microsoft.com
- windowsupdate.microsoft.com
- *.windowsupdate.microsoft.com
- update.microsoft.com
- *.update.microsoft.com
- windowsupdate.com
- *.windowsupdate.com
- wustat.windows.com
- ntservicepack.microsoft.com
- go.microsoft.com
- dl.delivery.mp.microsoft.com
- slscr.update.microsoft.com
- *.delivery.mp.microsoft.com
- *.wsn.windows.com
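An added example, not code from this thread and not part of pfSense: a small Python audit that walks CNAME chains in a constructed DNS snapshot and checks every name in each chain against the wildcard list above. It makes two things concrete that the thread turns on. First, the hosts a client actually ends up at (the akadns.net, nsatc.net and akamaitechnologies.com names mentioned earlier) are not covered by any Microsoft-domain wildcard, so a name-based list has to be extended by hand. Second, a firewall that turns hostnames into IP addresses on a timer (as pfSense hostname aliases do; they also take no wildcards) can hold a different address than the one the DC's own lookup returns a few minutes later, because CDN answers change by resolver, region and time. That mismatch is the "whack-a-mole" and is why an allow-all rule works while the alias does not. All DNS records and addresses (203.0.113.0/24, documentation space) are constructed; the second Akamai node name is hypothetical.

```python
"""Audit a Windows Update host whitelist against CNAME chains (constructed DNS data)."""
from typing import Dict, List, Set, Tuple

Zone = Dict[str, Tuple[str, object]]  # name -> ("CNAME", target) | ("A", [addresses])

# Wildcard list as posted above (Windows 7 through 11).
ALLOW_PATTERNS = [
    "*.prod.do.dsp.mp.microsoft.com", "windowsupdate.microsoft.com",
    "*.windowsupdate.microsoft.com", "update.microsoft.com", "*.update.microsoft.com",
    "windowsupdate.com", "*.windowsupdate.com", "wustat.windows.com",
    "ntservicepack.microsoft.com", "go.microsoft.com", "dl.delivery.mp.microsoft.com",
    "slscr.update.microsoft.com", "*.delivery.mp.microsoft.com", "*.wsn.windows.com",
]

# Names the client contacts, and a constructed snapshot of what the firewall's resolver
# saw when it last refreshed its hostname alias. Chain endpoints use the CDN names from
# the thread; addresses are documentation space, not real Microsoft/Akamai IPs.
CLIENT_HOSTS = ["download.windowsupdate.com", "fe2.update.microsoft.com",
                "slscr.update.microsoft.com", "go.microsoft.com", "wustat.windows.com"]
FIREWALL_VIEW: Zone = {
    "download.windowsupdate.com": ("CNAME", "a23-209-176-51.deploy.static.akamaitechnologies.com"),
    "a23-209-176-51.deploy.static.akamaitechnologies.com": ("A", ["203.0.113.51"]),
    "fe2.update.microsoft.com": ("CNAME", "fe2.update.microsoft.com.nsatc.net"),
    "fe2.update.microsoft.com.nsatc.net": ("A", ["203.0.113.20"]),
    "slscr.update.microsoft.com": ("CNAME", "sls.row.update.microsoft.com.akadns.net"),
    "sls.row.update.microsoft.com.akadns.net": ("A", ["203.0.113.30"]),
    "go.microsoft.com": ("A", ["203.0.113.40"]),
    "wustat.windows.com": ("A", ["203.0.113.50"]),
}
# Constructed second snapshot: the DC's own lookup minutes later is steered to another
# Akamai node (hypothetical node name); the firewall alias still holds the old address.
CLIENT_VIEW: Zone = dict(FIREWALL_VIEW)
CLIENT_VIEW["download.windowsupdate.com"] = ("CNAME", "a23-209-176-52.deploy.static.akamaitechnologies.com")
CLIENT_VIEW["a23-209-176-52.deploy.static.akamaitechnologies.com"] = ("A", ["203.0.113.52"])


def name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive DNS match. '*.x.com' matches any name at least one label
    below x.com, but not x.com itself (that needs its own entry, as the list does)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".x.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern


def resolve_chain(zone: Zone, name: str, max_depth: int = 8) -> Tuple[List[str], List[str]]:
    """Follow CNAMEs from name; return (names visited in order, final A addresses).
    Unknown names end the chain with no addresses; loops and over-long chains raise."""
    chain, seen, current = [name], {name.lower()}, name
    for _ in range(max_depth):
        rr = zone.get(current.lower())
        if rr is None:
            return chain, []
        rtype, data = rr
        if rtype == "A":
            return chain, list(data)
        target = str(data)
        if target.lower() in seen:
            raise ValueError(f"CNAME loop at {target}")
        seen.add(target.lower())
        chain.append(target)
        current = target
    raise ValueError(f"CNAME chain from {name} exceeds {max_depth} hops")


def audit(zone: Zone, hosts: List[str], patterns: List[str]) -> Dict[str, dict]:
    """For each contacted host: its CNAME chain, final addresses, and the chain
    members that no whitelist pattern covers (the CDN names that need adding)."""
    report = {}
    for host in hosts:
        chain, ips = resolve_chain(zone, host)
        uncovered = [h for h in chain if not any(name_matches(p, h) for p in patterns)]
        report[host] = {"chain": chain, "ips": ips, "uncovered": uncovered}
    return report


def alias_ips(zone: Zone, hosts: List[str]) -> Set[str]:
    """Addresses an IP-resolving hostname alias would contain for this snapshot."""
    return {ip for host in hosts for ip in resolve_chain(zone, host)[1]}


def unmatched_client_ips(firewall: Zone, client: Zone, hosts: List[str]) -> Set[str]:
    """Addresses the client will connect to that the firewall's alias does not hold,
    i.e. connections a pass-by-alias rule silently drops."""
    return alias_ips(client, hosts) - alias_ips(firewall, hosts)


if __name__ == "__main__":
    for host, r in audit(FIREWALL_VIEW, CLIENT_HOSTS, ALLOW_PATTERNS).items():
        print(f"{host}: chain={' -> '.join(r['chain'])} ips={r['ips']} uncovered={r['uncovered']}")
    print("client IPs missing from firewall alias:",
          unmatched_client_ips(FIREWALL_VIEW, CLIENT_VIEW, CLIENT_HOSTS))
```

Run it as-is to see the report over the constructed snapshots. To check a real firewall, replace the two dictionaries with answers captured from the pfSense resolver and from the DC (for example with `dig` on each side) and compare the two sets; a non-empty `unmatched_client_ips` result is the symptom the first post describes.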