locked
Configure WSUS access to the Microsoft updates sites RRS feed

  • Question

  • Hi there,

    We have a WSUS that does not have access to the Internet. We asked our firewall team to open Internet access for the WSUS server to only the URLs specified by Microsoft (such as http://windowsupdate.microsoft.com, https://*.windowsupdate.microsoft.com, https://windowsupdate.microsoft.com, and the likes). However, the firewall team indicated that they can't filter Internet access to URLs, they need to be given specific IP addresses or a range of IP addresses, and then they can restrict access to those IP addresses.

    Knowing that the IP addresses change often and are subject to masking and such, is there a range of IP addresses that Microsoft can provide which would cover all the possible IP addresses used by the updates URLs?

    I would appreciate a quick answer on this please.

    Thank you

    


    SF

    Friday, May 23, 2014 3:31 PM

Answers

  • I don't think it's your firewall blocking the connection, URL blocking is more with Proxy servers, so if you have a proxy server in the environment, you need to have them allow the above URLs and allow your WSUS server to access the proxy, then input the proxy info into WSUS so it knows where to go

    using IPs will not work here

    • Proposed as answer by Daniel JiSun Monday, May 26, 2014 2:01 AM
    • Marked as answer by Abouzayneb Tuesday, May 27, 2014 1:09 PM
    Friday, May 23, 2014 8:32 PM

All replies

  • I don't think it's your firewall blocking the connection, URL blocking is more with Proxy servers, so if you have a proxy server in the environment, you need to have them allow the above URLs and allow your WSUS server to access the proxy, then input the proxy info into WSUS so it knows where to go

    using IPs will not work here

    • Proposed as answer by Daniel JiSun Monday, May 26, 2014 2:01 AM
    • Marked as answer by Abouzayneb Tuesday, May 27, 2014 1:09 PM
    Friday, May 23, 2014 8:32 PM
  • Hello,

    How is everything going? I'm here to verify if the issue has been resolved.

    If you have any further questions please feel free to let us know.

    Thank you.

    Monday, May 26, 2014 2:02 AM
  • is there a range of IP addresses that Microsoft can provide which would cover all the possible IP addresses used by the updates URLs?

    No. In fact, Microsoft doesn't even control those IP Address ranges!

    That's why a list of URLs is provided.

    The question for your firewall team would be:

    • Is the firewall in use INCAPABLE of doing this?
    • Is the organizational policy designed to PROHIBIT this?
    • Does the firewall team simply not know how to do this?

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.


    Tuesday, June 3, 2014 1:33 AM