DMZ rule/out, allow windows update servers only
-
Hi,
Is there a way to make sure that servers in the DMZ are only able to communicate with Windows Update servers on 80+443?
(So no other sites on 80/443 should be reachable.)
I've made aliases:
- windowsupdate.microsoft.com
- download.windowsupdate.com
- download.microsoft.com
But it seems the "wildcard FQDNs" are needed as well to get it to function:
- http://*.download.windowsupdate.com
- http://*.windowsupdate.microsoft.com
- https://*.windowsupdate.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://*.windowsupdate.com
Server = Pfsense 2.0 RC3 on Dell PE T110
-
With a proxy it would be doable.
If you have AD, then it can be determined to use only WSUS servers, and that is a different story and forum.
-
It seems to work like this... forget the wildcards in the FQDNs in aliases...
(Only proof is: did one successful update with DMZ/2k8R2, 3 updates of yesterday.)
Add Alias "WinUpdate":
- windowsupdate.microsoft.com
- update.microsoft.com
- windowsupdate.com
- download.windowsupdate.com
Add DMZ Firewall-rule:
Proto  Source     Port  Destination  Port  Gateway  Queue
*      DMZserver  *     WinUpdate    *     *        none
Before, I had protocol and ports specified; that seems to have been too narrow... It seems to work now... but I don't actually know why (compared with the previous rule setup). Maybe some ICMP/ping is needed for startup of the updater?!?
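Added example, not from this thread or from pfSense: it checks constructed proxy-log destination hosts against the plain alias entries and the wildcard entries from the first post, treating a `*.domain` entry as covering strict subdomains only (an assumption about matching semantics, not pfSense's own matcher). The hosts in the sample log (such as `au.download.windowsupdate.com`) are constructed to show which destinations a plain-FQDN alias misses.

```python
import re

# Constructed allowlist mirroring the thread: plain FQDN alias entries and
# the wildcard entries the first post found necessary.
PLAIN_FQDNS = {
    "windowsupdate.microsoft.com", "update.microsoft.com",
    "windowsupdate.com", "download.windowsupdate.com",
}
WILDCARD_FQDNS = {
    "*.download.windowsupdate.com", "*.windowsupdate.microsoft.com",
    "*.update.microsoft.com", "*.windowsupdate.com",
}

def host_matches(host: str, pattern: str) -> bool:
    """True if host is covered by a plain FQDN or a '*.domain' wildcard.
    A wildcard matches strict subdomains only and respects label boundaries,
    so 'evil-windowsupdate.com' does not match '*.windowsupdate.com'."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]            # e.g. ".windowsupdate.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def is_allowed(host: str, plain: set, wildcards=frozenset()) -> bool:
    return any(host_matches(host, p) for p in set(plain) | set(wildcards))

# Constructed proxy-style log lines: "<time> <client> <method> <host:port>".
SAMPLE_LOG = """\
2011-06-01T08:00:01 10.10.1.5 CONNECT windowsupdate.microsoft.com:443
2011-06-01T08:00:02 10.10.1.5 GET au.download.windowsupdate.com:80
2011-06-01T08:00:03 10.10.1.5 CONNECT evil-windowsupdate.com:443
2011-06-01T08:00:04 10.10.1.5 GET windowsupdate.com.example.net:80
"""

LOG_RE = re.compile(r"^\S+ \S+ \S+ (?P<host>[^:\s]+)(?::\d+)?$")

def audit(log_text: str, plain: set, wildcards=frozenset()) -> dict:
    """Map each destination host in the log to whether the allowlist permits it."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            verdicts[m["host"]] = is_allowed(m["host"], plain, wildcards)
    return verdicts

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_LOG, PLAIN_FQDNS, WILDCARD_FQDNS).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {host}")
```

Running `audit` with only `PLAIN_FQDNS` shows the CDN subdomain blocked, which is the behaviour the first post ran into before adding wildcard entries.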