Windows Update doesn't pass
-
Hi,
I have a virtual pfSense which is connected to 2 ports: WAN and LAN. The virtual Windows Server is thus on the LAN.
I need to block all outgoing flows, but the consequence is that the Windows Server can't reach Windows Update. I added a rule to let flows pass outside with the Windows FQDNs:
http://windowsupdate.microsoft.com
http://download.windowsupdate.com
http://download.microsoft.com
http://test.stats.update.microsoft.com
http://ntservicepack.microsoft.com
But pfSense refuses the generic domain names:
http://.download.windowsupdate.com
http://.windowsupdate.microsoft.com
http://.update.microsoft.com
https://.update.microsoft.com
http://.windowsupdate.com
https://.windowsupdate.microsoft.com
http://*.download.windowsupdate.com
Is there a solution to reach Windows Update with a rule, or does this need WSUS or a squid proxy?
Thanks, and sorry for my English ^^
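As an added illustration (not from the thread, and not pfSense's own code), the script below mimics what a pfSense host alias does with the lines in the post: the concrete FQDNs are looked up and the rule then matches the addresses they resolve to, while the leading-dot and `*.` forms have no DNS record to resolve, which is why pfSense rejects them. The resolver is injectable so the script runs offline against constructed addresses (RFC 5737 documentation ranges, not Microsoft's), and the pf rules it prints are hand-written for illustration, not the ruleset pfSense generates.

```python
import re
import socket
from typing import Callable, Dict, List, Tuple

# The exact lines from the post: concrete FQDNs first, then the patterns pfSense rejects.
POSTED_ENTRIES = [
    "http://windowsupdate.microsoft.com",
    "http://download.windowsupdate.com",
    "http://download.microsoft.com",
    "http://test.stats.update.microsoft.com",
    "http://ntservicepack.microsoft.com",
    "http://.download.windowsupdate.com",
    "http://.windowsupdate.microsoft.com",
    "http://.update.microsoft.com",
    "https://.update.microsoft.com",
    "http://.windowsupdate.com",
    "https://.windowsupdate.microsoft.com",
    "http://*.download.windowsupdate.com",
]

# Constructed DNS answers for the offline run (documentation ranges, not real Microsoft IPs).
SAMPLE_DNS: Dict[str, List[str]] = {
    "windowsupdate.microsoft.com": ["192.0.2.10", "192.0.2.11"],
    "download.windowsupdate.com": ["198.51.100.20"],
    "download.microsoft.com": ["198.51.100.21"],
    "test.stats.update.microsoft.com": ["203.0.113.30"],
    "ntservicepack.microsoft.com": ["203.0.113.31"],
}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def hostname_of(entry: str) -> str:
    """Strip scheme and path: a pfSense alias holds hostnames, not URLs."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry.strip(), flags=re.I)
    return host.split("/", 1)[0].lower()


def classify(entry: str) -> str:
    """'fqdn' for a concrete hostname the alias can resolve; 'wildcard' for the
    leading-dot / '*' forms in the post (nothing to look up); 'invalid' otherwise."""
    host = hostname_of(entry)
    if host.startswith(".") or "*" in host:
        return "wildcard"
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return "invalid"
    return "fqdn"


def system_resolver(host: str) -> List[str]:
    """Default resolver: IPv4 A records via the OS, like the periodic alias refresh."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})


def build_alias(entries: List[str],
                resolver: Callable[[str], List[str]] = system_resolver
                ) -> Tuple[List[str], List[Tuple[str, str]], List[str]]:
    """Return (accepted hostnames, rejected (entry, reason) pairs, resolved IPs)."""
    accepted, rejected, ips = [], [], set()
    for entry in entries:
        kind = classify(entry)
        if kind != "fqdn":
            rejected.append((entry, kind))
            continue
        host = hostname_of(entry)
        accepted.append(host)
        ips.update(resolver(host))
    return accepted, rejected, sorted(ips)


def render_pf(table: str, ips: List[str], lan_if: str = "em1",
              lan_net: str = "192.168.1.0/24") -> str:
    """Illustrative pf rules (assumed interface and LAN range): let LAN hosts reach the
    resolved addresses on 80/443 and block every other outbound flow from the LAN."""
    return "\n".join([
        f"table <{table}> {{ {', '.join(ips)} }}",
        f"pass in quick on {lan_if} inet proto tcp from {lan_net} to <{table}> port {{ 80 443 }}",
        f"block in quick on {lan_if} inet from {lan_net} to any",
    ])


if __name__ == "__main__":
    ok, bad, addrs = build_alias(POSTED_ENTRIES, resolver=lambda h: SAMPLE_DNS[h])
    print("accepted:", ok)
    for entry, why in bad:
        print(f"rejected ({why}): {entry}")
    print(render_pf("windows_update", addrs))
```

Run it as-is to see the five accepted hostnames, the seven rejected patterns and the resulting table; drop the `resolver=` argument to resolve against real DNS. The caveat this makes visible: the table only contains what the resolver returned at refresh time, so a CDN-backed service whose addresses rotate between refreshes can still be blocked, which is why the later replies steer toward WSUS or a proxy that matches on hostname instead of address.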
-
Is there a solution to reach Windows Update with a rule, or does this need WSUS or a squid proxy?
Change "windows update" to "facebook" or "google" or "youtube" and you find many, many messages on this forum that treat the same question: how to permit everything except these, or, in your case, the other way around.
An answer could be as easy as consulting the Internet index with a very simple question like "how to find all windows update IP addresses".
edit: I found out that you could lock up the Windows firewall, and after that, you empty the firewall, leaving in place a rule for the "windows update" related services. Bonus: this is maintenance free.
Another solution: visit the BIOS and lock screen/keyboard/mouse; remove remote access for unknown users. No more non-trusted users means: no more issues.
Or are you trying to take control of the devices used by your kids? Because in that case, very easy solutions exist already.
edit 2: keep Google installed: try this pfSense DNS blackhole
-
Thanks for your answer !
But it's more complicated with Windows Update than with "facebook" or "youtube", because the IPs change constantly.
The server is used for application hosting, so for security I want to limit the HTTP and HTTPS output.
-
I'd install a local WSUS and give that machine access to Microsoft.
-
Hello Harvy66
I did the same for my net: WSUS and SCCM locally, distributed the addresses via GP, and got full local speed and offloaded the WAN line at daytime for user stuff. AFAIR: "one ring to bind them all"
As an alternative: you could use squid as a transparent proxy, and there's a manual esp. for the WSUS case to offload the WAN line (problem with the lot of IPs/subfolders).
Cheers
Michael
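For the squid route the last two replies mention, here is an added example of a squid ACL allow-list (written for this thread, not Michael's or the project's own configuration). Squid's `dstdomain` matches on hostname, and a leading dot means "this domain and all its subdomains", which is exactly what the `.update.microsoft.com` style lines in the first post express and what a pfSense address alias cannot do. The LAN range is an assumption.

```conf
# Added example: squid egress allow-list for Windows Update only.
# Leading-dot dstdomain entries match the domain and every subdomain of it.
acl localnet src 192.168.1.0/24            # assumed LAN range of the Windows Server
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl windows_update dstdomain .windowsupdate.com .windowsupdate.microsoft.com
acl windows_update dstdomain .update.microsoft.com download.microsoft.com ntservicepack.microsoft.com

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet windows_update  # only the update hosts, only from the LAN
http_access deny all                       # everything else is refused by the proxy
```

With this in place the pfSense egress rule only has to let the proxy host (or the firewall itself, if squid runs there) out on 80/443, and the LAN is blocked from going direct. One caveat worth knowing before choosing "transparent": for HTTPS an explicit proxy sees the hostname in the CONNECT request, so the `dstdomain` match works without decrypting anything, whereas transparent interception of port 443 only sees a TLS handshake and needs squid's SSL-bump peek mode to read the SNI before it can apply the same hostname ACL.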