Which IP addresses should I allow at HQ's firewall (not a Windows firewall) to have access to activate and update Windows Server 2008 R2

    Question

  • Hello. I have an issue with activating and updating Windows servers from our local environment. The HQ has blocked Internet access from our local environment, and I have to send HQ an IP list to open at their firewall. There is no other way I can activate and update Windows servers in our local environment. There are many servers, most are VMs. 

    I don't have Software Assurance, so is TechNet the best way to get IP addresses for your Windows Update sites? 

    Can you give it to me? 

    Or is there some other way to activate and update Windows servers behind the HQ firewall?

    Thank you!

    Tuesday, April 29, 2014 11:55 AM

Answers

  • Are you looking for the Windows Update IP addresses so you can set these in the firewall, or are you wondering which internal machines you should allow through the firewall?

    For the first scenario (allowing your internal clients to connect to Windows Update), check out Configure the Firewall Between the WSUS Server and the Internet. There you will see a number of DNS names which Windows Update (in this case WSUS) needs to be able to reach:

    • http://windowsupdate.microsoft.com 
    • http://*.windowsupdate.microsoft.com 
    • https://*.windowsupdate.microsoft.com 
    • http://*.update.microsoft.com 
    • https://*.update.microsoft.com 
    • http://*.windowsupdate.com 
    • http://download.windowsupdate.com
    • http://download.microsoft.com 
    • http://*.download.windowsupdate.com 
    • http://wustat.windows.com 
    • http://ntservicepack.microsoft.com

    The trouble you'll have is that the IP addresses could change in the future (without warning) and that there are a lot of them. The wildcard DNS names suggest to me that there are possibly many DNS names that could be used with any number of IP addresses.

    Another approach would be to set up a local WSUS server and grant it access through the firewall using a method where you do not need to identify specific IP addresses. With Group Policy you would instruct your Windows machines to update using your WSUS server, which also allows you to approve and release updates.

    Using a WSUS server also allows for the second scenario I asked about above -- instead of knowing which internal servers need to access Windows Update, set up WSUS and have all hosts use this. Again, in the firewall you would have the one exception for this server, and you can add or remove servers internally with no additional firewall administration.

    Tuesday, April 29, 2014 2:35 PM
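The answer's point is that the published list is a set of DNS names, some with wildcards, so a hostname-based firewall or proxy rule fits better than a list of IP addresses that changes without warning. As an added example (not code from the thread or from Microsoft), the Python below turns that list into scheme-plus-hostname allow rules and checks constructed sample URLs against them; the wildcard semantics (a `*.` prefix matches only subdomains, on whole labels, anchored at the end of the name) are an assumption about how such a rule should be interpreted, not something the page states.

```python
from urllib.parse import urlsplit

# Allow-list constructed from the DNS names quoted in the answer above.
# Each entry is (scheme, host pattern). A leading "*." is assumed to match
# one or more subdomain labels but never the bare suffix itself.
WINDOWS_UPDATE_ALLOWLIST = [
    ("http", "windowsupdate.microsoft.com"),
    ("http", "*.windowsupdate.microsoft.com"),
    ("https", "*.windowsupdate.microsoft.com"),
    ("http", "*.update.microsoft.com"),
    ("https", "*.update.microsoft.com"),
    ("http", "*.windowsupdate.com"),
    ("http", "download.windowsupdate.com"),
    ("http", "download.microsoft.com"),
    ("http", "*.download.windowsupdate.com"),
    ("http", "wustat.windows.com"),
    ("http", "ntservicepack.microsoft.com"),
]


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or wildcard match on a proper subdomain of the suffix.

    Matching is on whole labels and anchored at the end of the name, so
    "*.windowsupdate.com" matches neither "evilwindowsupdate.com" nor
    "windowsupdate.com.example.net" (a common allow-list bypass pattern).
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host != suffix and host.endswith("." + suffix)
    return host == pattern


def is_allowed(url: str, allowlist=WINDOWS_UPDATE_ALLOWLIST) -> bool:
    """True if both the URL's scheme and its host are covered by a rule."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return any(scheme == parts.scheme and host_matches(pattern, parts.hostname)
               for scheme, pattern in allowlist)


def blocked(urls):
    """Return the URLs from the given list that the rules would NOT allow."""
    return [u for u in urls if not is_allowed(u)]
```

Note that the list as published allows the bare `windowsupdate.microsoft.com` only over HTTP; a rule set copied literally will reject an HTTPS request to that exact name, which is the kind of gap worth confirming against the current Microsoft documentation before sending the list to HQ.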