Microsoft Update server list

  • Question

  • Hi All,

    As per our organization policy, we have to allow only the access from our WSUS server to Microsoft Update servers. I need a list of IP address/segment pool of Microsoft Update servers over Internet. Our firewall only supports IP addresses/ports as the criterion. Our firewall DOES NOT support any FQDN/URL/wildcard. Could you help me please?

    Thanks,
    高麻雀




    • Edited by 高麻雀 Monday, March 23, 2015 1:11 PM
    Monday, March 23, 2015 1:08 PM

Answers

  • You will have a base system with known FQDN. If WSUS asks other servers, then you should catch the network traffic with network monitor. Wireshark will do the job. You may catch relevant data during initial synchronization.

    You can contact directly via mail a WSUS specialist that may have current IP addresses - jchornbe (a)microsoft dot com or at chip.hornbeck (a) outlook dot com ... or at least he will redirect you to another WSUS specialist.

    Ports are standard ones 80 for http and 443 for https.

    Your task is not very uncommon. People use standard firewalls that can work with FQDN. You have one more task, namely to resolve IP on local network.

    HTH

    Milos

    (PS: There may be more risky business, namely opening entire blocks of IP addresses in your firewall using databases ARIN, RIPE, ... In the majority there is a current list of update servers that is cnamed providers. This is why the list will be too broad and you do not know what harm unknown servers that are not in the update family may do. It is possible, but I would not use this procedure.)

    Monday, March 23, 2015 5:30 PM
  • It is a very hard task, as behind a FQDN there may be a variety of servers that may change in time. Every server may have a different IP address, or a group of addresses for round robin DNS configurations.

    Look at the list of update servers.

    https://technet.microsoft.com/cs-cz/library/bb693717.aspx

    There are wildcards in names. For known FQDN use function nslookup. For windowsupdate.microsoft.com you will obtain:

    Name:    www.update.microsoft.com.nsatc.net
    Addresses:  191.232.80.55
                      134.170.58.222
    Aliases:  windowsupdate.microsoft.com
                 windowsupdate.microsoft.nsatc.net

    You have mentioned aliases that make the situation "harder" (for us, not for computer). Also from this follows that there are at least two servers and you obtain two relevant IP addresses.

    The major problem is that you should check this regularly to keep data consistent. You can use network monitor and do analysis yourself and find which servers WSUS is asking for updates.

    Regards

    Milos

    Monday, March 23, 2015 1:32 PM
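    As an added example (not code from this thread, from Microsoft, or from Milos), the following Python script does the regular re-check described above: it parses the Name/Addresses/Aliases block that Windows nslookup prints, keeps the DNS server's own banner address out of the result, and reports which addresses must be added to or removed from an IP-only firewall rule compared with the previous snapshot. The nslookup text and the previous-snapshot addresses are constructed from the answer quoted above; resolve_live is the only part that needs network access and is not used by the offline sample.

```python
"""Keep an IP-only firewall allowlist in step with the addresses behind
Microsoft Update FQDNs.  Added example for this thread (not Microsoft's or
the poster's code).  Assumes the Name/Addresses/Aliases layout that Windows
nslookup prints, as quoted in the answer above."""
import re
import socket
from dataclasses import dataclass, field

# Constructed sample: the nslookup answer quoted in the thread, with the
# resolver banner that a real run prints in front of it.
SAMPLE_NSLOOKUP = """\
Server:  dns.example.internal
Address:  192.0.2.53

Non-authoritative answer:
Name:    www.update.microsoft.com.nsatc.net
Addresses:  191.232.80.55
          134.170.58.222
Aliases:  windowsupdate.microsoft.com
          windowsupdate.microsoft.nsatc.net
"""

# Constructed: what the firewall rule contained after the previous check.
PREVIOUS_ALLOWLIST = {"191.232.80.55", "198.51.100.7"}


@dataclass
class DnsAnswer:
    canonical: str = ""                      # the Name: line (CNAME target)
    addresses: set = field(default_factory=set)
    aliases: list = field(default_factory=list)


def parse_nslookup(text):
    """Parse the answer section of Windows nslookup output.

    Everything before the first 'Name:' line is the resolver banner
    (Server:/Address: of the DNS server itself) and is skipped so the
    DNS server's own address never lands in the allowlist.
    """
    ans = DnsAnswer()
    section = None
    header = re.compile(r"^(Name|Addresses|Address|Aliases):\s*(.*)$")
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = header.match(line)
        if m:
            if section is None and m.group(1) != "Name":
                continue                     # still in the banner
            section = m.group(1)
            rest = m.group(2).strip()
            values = [rest] if rest else []
        elif section is None:
            continue                         # e.g. "Non-authoritative answer:"
        else:
            values = [line]                  # indented continuation line
        for v in values:
            if section == "Name":
                ans.canonical = v
            elif section in ("Addresses", "Address"):
                ans.addresses.add(v)
            else:
                ans.aliases.append(v)
    return ans


def resolve_live(fqdn, port=443):
    """Ask the OS resolver for the current addresses (needs network; not
    used by the offline sample above)."""
    infos = socket.getaddrinfo(fqdn, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def diff_allowlist(previous, current):
    """Return (to_add, to_remove): the firewall changes needed so the rule
    matches what DNS returns now.  Run this on a schedule, because the
    addresses behind the aliases change without notice."""
    return sorted(current - previous), sorted(previous - current)


if __name__ == "__main__":
    answer = parse_nslookup(SAMPLE_NSLOOKUP)
    print("canonical:", answer.canonical)
    print("aliases:  ", ", ".join(answer.aliases))
    to_add, to_remove = diff_allowlist(PREVIOUS_ALLOWLIST, answer.addresses)
    print("add to rule:     ", to_add)
    print("remove from rule:", to_remove)
```

    Feeding the script the nslookup output for each FQDN on the TechNet list and diffing against the last run gives you the change set for the rule; a non-empty to_remove list is the signal that the old addresses now belong to something other than the update service and should not stay open.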

All replies

  • Hi Milos,

    Thanks for your quick reply. We can try our best to check the IP addresses of the FQDNs frequently. However, the prerequisite is that I know the FQDNs. But from the information you shared with me, I can see there are wildcards in the URLs. In this case, how can I check the IP addresses of these FQDNs (I don't think network monitor is a good solution)? Or can I understand that a packet-filtering-based firewall (IP address/port based firewall) does not support the Microsoft Update server list? And we also have to change our firewall to support URLs with wildcards? But how to deal with the HTTPS URLs which are encrypted by SSL? Or do we have to violate our policy to enable full Internet access for our WSUS server?

    Thanks,
    高麻雀

    • http://windowsupdate.microsoft.com
    • http://*.windowsupdate.microsoft.com
    • https://*.windowsupdate.microsoft.com
    • http://*.update.microsoft.com
    • https://*.update.microsoft.com
    • http://*.windowsupdate.com
    • http://download.windowsupdate.com
    • http://download.microsoft.com
    • http://*.download.windowsupdate.com
    • http://test.stats.update.microsoft.com
    • http://ntservicepack.microsoft.com
    Monday, March 23, 2015 2:14 PM
  • Hi Milos,

    Thanks for your quick reply again. OK, even a standard firewall can work with FQDN. I still have two concerns.

    1. I don't think common/standard firewalls (e.g. Cisco ASA) support wildcards (e.g. *.update.microsoft.com)
    2. How to deal with HTTPS? Common/standard firewalls (e.g. Cisco ASA) are not able to get the HTTP header as the HTTPS traffic is end-to-end encrypted by SSL.

    Thanks,
    高麻雀

    Wednesday, March 25, 2015 1:49 PM