Whitelisting Microsoft Update sites isn't working



  • A client has two 2008 R2 SP1 domain controllers behind a pfSense firewall. Outgoing access for the DCs is whitelisted by destination port and domain. I've added the usual Windows Update sites to an alias for whitelisting:

    DNS on the domains shows several possible forwards to other domains, including

    and others. I have also added those domains to the whitelist,, and I allow TCP out to those destinations on ports 80 and 443, but the firewall is still blocking the DCs from getting updates. However, if I change the rule to allow all destination domains (without changing the protocols or allowed port list), the DCs can get updates.

    Does anyone have any ideas about what I'm missing? I'll be grateful for any help.



  • It's different all over the world. You're going to play whack-a-mole forever. If it's that important to block your DCs from the Internet, perhaps a WSUS server is in order?



  • Yeah, that's what I'm afraid of. It's a small network and difficult to justify the expense, even if one of the DCs assumes the role. But domain controllers should always be blocked from general internet access, and it'll be easier to manually enable an "allow all destinations" rule for the DCs when we want updates and then disable it afterwards.

    I was just hoping there was some way to write a rule that would trigger allowing access to destinations that are chained from initially allowed destinations.



  • Expense? Add a disk with a TB or two and then use that for the store. A hundred bucks or so.



  • :) I already have to bring a gun with me whenever I ask the boss for more money for IT. But he's really a nice guy, and I don't like doing it. And WSUS management has gotten anything but easier. The additional labor required is a pain in the rear. It's gotten as buggy as Microsoft's updates are, and it's way overkill for this small network. It's a lot easier to click the "X" next to a firewall rule to disable it one or two nights a month and then play Spider Solitaire while the servers check for updates.


Log in to reply