Sign in
 
HomeWindows Server 2012Windows Server 2008 R2Windows Server 2003LibraryForums
Windows Server TechCenter >
How to minimize external connections by the clients

Answered How to minimize external connections by the clients

  • Monday, December 01, 2008 11:57 AM
     
     
    Sign In to Vote
    0
    I have WSUS 3.0 installed on a single Forefront client security server.
    Everything is ok, but clients are going to update.microsoft.com and to download.windowsupdate.com either independently from policy settings (i can see them aiming directly at those sites from our ISA server).

    Clients connects correctly to our WSUS either and i can see them in the console correctly updated (100% OK).

    Every client has ForeFront Client installed that either updates itself from WSUS, WITHOUT the fallback options for updates when WSUS is unavailable.

    I don't Know wich software component is aiming directly external, but i need to minimize that connections because my boss is strongly worried about security and we have a very high secure environment (at firewall and proxy level).


    So the question is: how can i identify wich components are aiming directly external (absolutely WITHOUT sniffers)?
    how can i set those to aim at our WSUS, minimizing external connections for updates?

    I know that without sniffers is very hard to find a resolution, but my boss complains a lot.
    Diego Castelli
     

All Replies

  • Tuesday, December 02, 2008 3:29 PM
    Moderator
     
     Answered
    Sign In to Vote
    0

    No need for sniffers at all...!

    Here are the possibilities:

    1. You installed the WSUS Server and opted to *not* maintain a local content store. This would cause *every* PC to go offsite (to download.microsoft.com) to get the content to download.

    2. You've not properly configured/applied policies, and your clients aren't actually using WSUS, but still using Automatic Updates (via update.microsoft.com), and thus downloading from download.microsoft.com.

    3. You've not disabled access to Windows Update or Microsoft Update, and *users* are browing to those resources via Internet Explorer.

    4. And, since Forefront is part of the equation - you also have the question of Forefront configurations included in that.

    Now, as to the basic question of "How can I identify which components are connecting externally?". You already have the answer to that question -- it's in the ISA Server logs. You don't need to know which *components*, you only need to know which *machines*. Once you know which machines, the simple answer is: They're not configured correctly; repair the configurations.

    To figure out which "configurations" need to be repaired, start by reviewing the WindowsUpdate.log on the machines that are connecting to the external addresses.

    Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)