DMZ rule/out, allow windows update servers only



  • Hi,

    Is there a way to make sure that servers in DMZ are only able to communicate with WindowsUpdate servers on 80+443?
    (So no other sites 80/443 should be reachable)

    I've made aliases:

    But it seems the "wildcard FQDNs" are needed as well to get it to function.

    • http://*.download.windowsupdate.com
    • http://*.windowsupdate.microsoft.com
    • https://*.windowsupdate.microsoft.com
    • http://*.update.microsoft.com
    • https://*.update.microsoft.com
    • http://*.windowsupdate.com

    Server = Pfsense 2.0 RC3 on Dell PE T110



  • With a proxy it would be doable.

    If you have AD, then it can be set to use only WSUS servers, but that is a different story and forum.



  • It seems to work like this… forget the wildcards in the FQDNs in aliases...
    (The only proof is that I did one successful update with DMZ/2k8R2, 3 updates from yesterday.)

    Add Alias "WinUpdate":

    Add DMZ Firewall-rule:
    Proto Source Port Destination Port Gateway Queue

    • DMZserver * WinUpdate * * none

    Before, I had the protocol and ports specified; that seems to have been too narrow... It seems to work now... But I don't actually know why (compared with the previous rule setup). Maybe some ICMP/ping is needed for startup of the updater?!?
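For reference, here is what the intended policy looks like as a plain pf ruleset. This is an added example, not the configuration from the thread or from pfSense itself; the interface name, DMZ addresses and resolver address are assumptions chosen for illustration. It keeps the original idea (hosts named exactly, no wildcards, since pf and pfSense FQDN aliases resolve only the name as written) and adds the one thing a rule limited to 80/443 still needs: the DMZ hosts must be able to resolve the update hostnames, so DNS to the designated resolver is allowed as well. Note the caveat that comes with any IP-based allow list for these names: download.windowsupdate.com is served from CDN address ranges shared with other sites, so the resolved table is only as tight as the CDN's address sharing, which is why the reply above pointed at a proxy.

```pf
# Added example (not from the thread): pf.conf fragment for a DMZ that may
# only reach Windows Update on TCP 80/443. Interface name, DMZ addresses
# and DNS server are assumed for illustration.
dmz_if  = "em2"
dns_srv = "192.0.2.1"          # assumed resolver the DMZ hosts use

table <dmz_servers> { 192.0.2.10, 192.0.2.11 }

# Exact hostnames only: pf (like a pfSense FQDN alias) resolves the name as
# given, so wildcard patterns such as *.windowsupdate.com cannot be used.
# Addresses are looked up when the ruleset loads; reload the ruleset (or,
# on pfSense, rely on filterdns) so the table tracks DNS changes.
table <winupdate> { download.windowsupdate.com, \
                    windowsupdate.microsoft.com, \
                    update.microsoft.com, \
                    windowsupdate.com }

# The clients must be able to resolve those names, so allow DNS to the
# designated resolver only.
pass in quick on $dmz_if proto { tcp, udp } from <dmz_servers> \
    to $dns_srv port 53 keep state

# Windows Update over HTTP/HTTPS to the resolved addresses only.
pass in quick on $dmz_if proto tcp from <dmz_servers> \
    to <winupdate> port { 80, 443 } flags S/SA keep state

# Everything else from the DMZ is dropped and logged ("quick" makes the
# first matching rule win, so the pass rules above take precedence).
block in log quick on $dmz_if from <dmz_servers> to any
```

To check what the table actually contains after a reload, `pfctl -t winupdate -T show` lists the resolved addresses, and `pfctl -s rules` confirms the rule order; if an update still fails with this in place, the block log (`tcpdump -n -e -ttt -i pflog0`) shows which destination and port the updater tried, which is a more reliable answer than guessing at ICMP.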

