Windows Update doesn't pass

  • Hi,

    I have a virtual pfSense which is connected to 2 ports: WAN and LAN. The virtual Windows Server is therefore on the LAN.
    I need to block all outgoing flows, but the consequence is that the Windows Server can't reach Windows Update.

    I added a rule to let flows pass outside with the Windows FQDN.

    But pfSense refuses the generic domain name.

    Is there a solution to reach Windows Update with a rule, or does this need WSUS or a squid proxy?

    Thanks, and sorry for my English ^^

  • @thomashawk:

    Is there a solution to reach Windows Update with a rule, or does this need WSUS or a squid proxy?

    Change "windows update" for "facebook" or "google" or "youtube" and you will find many, many messages on this forum that treat the same question: how to permit everything except these, or, in your case, the other way around.

    An answer could be as easy as consulting the Internet index with a very simple question like "how to find all Windows Update IP addresses".

    edit: I found out that you could lock down the Windows firewall, and after that you empty the firewall, leaving in place a rule for the "Windows Update" related services. Bonus: this is maintenance free.

    Another solution: visit the BIOS and lock screen/keyboard/mouse; remove remote access for unknown users. No more non-trusted users means no more issues.

    Or are you trying to take control of the devices used by your kids? Because in that case, very easy solutions already exist.

    edit 2: keep Google installed: try this pfSense DNS blackhole

  • Thanks for your answer!

    But it's more complicated with Windows Update than with "facebook" or "youtube", because the IPs change constantly.

    The server is used for application hosting, so for security I want to limit the HTTP and HTTPS output.

  • I'd install a local WSUS and give that machine access to Microsoft.

  • Hello Harvy66,
    I did the same for my net: WSUS and SCCM locally, distributed the addresses via GP, and got local full speed and offloaded the WAN line in the daytime for user stuff. AFAIR: "one ring to bind them all".
    As an alternative: you could use squid as a transparent proxy, and there's a manual, especially for the WSUS case, to offload the WAN line (the problem is the lot of IPs/subfolders).
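Harvy66's suggestion of a local WSUS that is the only machine allowed out to Microsoft, and the GP distribution of the addresses mentioned in the last reply, both come down to one client-side setting: the Windows Update Agent policy keys that the "Specify intranet Microsoft update service location" GPO writes. The PowerShell below is an added example, not code from this thread or from pfSense or WSUS; it writes those keys directly on one server (useful for testing before the GPO lands), reads them back, and asks the agent to run a detection against the new server. The WSUS hostname `wsus.lan.example` and port 8530 are assumptions.

```powershell
# Added example (not from the thread): point a Windows Server at a local WSUS
# instead of Microsoft's public update endpoints. These are the same registry
# values the "Specify intranet Microsoft update service location" GPO writes.
# Run in an elevated PowerShell session.

# Assumed WSUS location (hostname and port are not from the thread).
$WsusServer = 'http://wsus.lan.example:8530'

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Set-WsusClient {
    param(
        [Parameter(Mandatory)][string]$Server
    )
    # Create the policy keys if no GPO has created them yet.
    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # WUServer: where the agent downloads from; WUStatusServer: where it reports to.
    New-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $Server -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $Server -PropertyType String -Force | Out-Null
    # UseWUServer = 1 makes the agent honour WUServer instead of contacting Microsoft.
    New-ItemProperty -Path $AuKey -Name 'UseWUServer' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-WsusClient {
    # Return the effective settings so they can be checked after a change.
    [pscustomobject]@{
        WUServer       = (Get-ItemProperty -Path $PolicyKey -Name 'WUServer' -ErrorAction SilentlyContinue).WUServer
        WUStatusServer = (Get-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -ErrorAction SilentlyContinue).WUStatusServer
        UseWUServer    = (Get-ItemProperty -Path $AuKey -Name 'UseWUServer' -ErrorAction SilentlyContinue).UseWUServer
    }
}

Set-WsusClient -Server $WsusServer
$cfg = Get-WsusClient
if ($cfg.WUServer -ne $WsusServer -or $cfg.UseWUServer -ne 1) {
    throw "WSUS client policy was not applied: $($cfg | Out-String)"
}
$cfg | Format-List

# Make the agent re-read the policy and run a detection against the new server.
# With the outbound block in place this still succeeds, because the only
# traffic the agent now needs is to $WsusServer on the LAN.
Restart-Service -Name wuauserv
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
```

With this in place the pfSense side becomes simple: the application server's LAN rule only needs to allow TCP to the WSUS host on the assumed port 8530, and only the WSUS host gets an outbound HTTP/HTTPS rule, which is the "give that machine access to Microsoft" part of Harvy66's answer.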


