Windows Updates Only on Test LAN



  • I am setting up a Windows test environment on a VMware ESXi server. I have pfSense installed with one NIC on my corp LAN and a second NIC on a private virtual switch. Everything seems to be working well so far. I would now like to make sure nothing can access my new private test LAN, and I do not want it accessing anything on my corp LAN either. The only thing I want to allow is for the test servers on the private LAN to do Windows updates.

    I have found this site list but I cannot figure out how to just allow these through.

    http://windowsupdate.microsoft.com
    http://*.windowsupdate.microsoft.com
    https://*.windowsupdate.microsoft.com
    http://*.update.microsoft.com
    https://*.update.microsoft.com
    http://*.windowsupdate.com
    http://download.windowsupdate.com
    http://download.microsoft.com
    http://*.download.windowsupdate.com
    http://wustat.windows.com
    http://ntservicepack.microsoft.com
    http://stats.microsoft.com
    https://stats.microsoft.com

    Thanks for the help



  • You'll want to block all outbound access and install Squid and Squidguard. If you search the forum, or even just read the recent posts in the Packages forum, you'll find many threads on the subject ;)



  • Hi,

    If you are using Squid and SquidGuard, it should be enough to allow the following DOMAINS in SquidGuard:

    If you are running Squid in transparent mode then only port 80 (http) can get filtered. But Windows updates are using https, too.
    I allowed the following subnets for only port 443 (https), which all seem to be MS (update) servers.

    • 65.55.0.0/16

    • 207.46.0.0/16

    • 65.52.0.0/16

    • 65.53.0.0/16

    • 65.54.0.0/16

    This is working for me.

    I am using Squid in transparent mode and SquidGuard to filter http (80) traffic, and deny everything else except DNS (53) and https (443) with the IPs above as destination. Everything else gets blocked.
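As an added illustration (not code from the thread or from pfSense), the policy the post above describes written out as a first-match rule check, so you can see which flows from the test LAN end up proxied, allowed or denied. The /16 ranges are the ones listed in the post; the sample flows are constructed.

```python
from ipaddress import ip_address, ip_network

# Ranges listed in the post as the Microsoft update servers (HTTPS only).
MS_HTTPS_NETS = [ip_network(n) for n in (
    "65.55.0.0/16", "207.46.0.0/16", "65.52.0.0/16",
    "65.53.0.0/16", "65.54.0.0/16")]

# Each rule: (protocol, destination port, allowed destination networks or
# None for any, action). Order matters: first match wins, like 'quick' pf rules.
RULES = [
    ("tcp", 80, None, "proxy"),          # redirected to transparent Squid,
                                         # SquidGuard filters it by domain
    ("udp", 53, None, "allow"),          # DNS so update hostnames resolve
    ("tcp", 53, None, "allow"),
    ("tcp", 443, MS_HTTPS_NETS, "allow"),  # HTTPS cannot be domain-filtered
                                           # in transparent mode, so it is
                                           # limited by destination IP only
]
DEFAULT_ACTION = "deny"                  # everything else gets blocked


def decide(proto, dst_ip, dst_port):
    """Return the action the post's ruleset takes for one outbound flow."""
    ip = ip_address(dst_ip)
    for rproto, rport, nets, action in RULES:
        if rproto != proto or rport != dst_port:
            continue
        if nets is None or any(ip in n for n in nets):
            return action
    return DEFAULT_ACTION


if __name__ == "__main__":
    # Constructed sample flows: inside and outside the listed ranges.
    for flow in [("tcp", "65.55.1.2", 443), ("tcp", "8.8.8.8", 443),
                 ("tcp", "65.55.1.2", 80), ("udp", "10.0.0.53", 53),
                 ("tcp", "65.55.1.2", 445)]:
        print(flow, "->", decide(*flow))
```

The point the check makes visible is that port 80 is the only traffic SquidGuard sees by hostname; HTTPS to any address outside the listed /16s is dropped by the firewall, not the proxy.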

