Firewall and Windows 10 Delivery Optimization

  • Question

  • Currently our Symantec AV firewall at Windows 10 (v1703) workstations doesn't allow any inbound connections except from a few trusted management IP addresses. Windows 10 updates use delivery optimization and our current fw configuration doesn't allow clients to download updates from other peers on the network. Am I right? What ports should be open so that clients can use DO correctly?
    Sunday, November 12, 2017 5:50 PM

Answers

  • Delivery Optimization contacts a cloud service for a list of peers. This service uses HTTPS to *.do.dsp.mp.microsoft.com (communication to this service has to be allowed outbound to the Internet even if only local sharing is enabled).

    It then leverages port 7680 to listen for incoming connections from peers. Port 3544 is a Teredo port that Delivery Optimization is using for NAT traversal to connect to Internet peers. 

    Some network people really don’t like Teredo, and you don't have to use it, so long as you open port 7680 (TCP & UDP) and then Teredo can be disabled. Delivery Optimization always tries to use Teredo, on IPv4 too, but only when Delivery Optimization tries to connect to Internet peers. But if it’s not available it will still try 7680. For LAN peers Delivery Optimization won’t try Teredo.

    As far as payloads go - you need to allow access to these locations:

    *.download.windowsupdate.com 
    *.windowsupdate.com
    *.dl.delivery.mp.microsoft.com
    *.emdl.ws.microsoft.com

    thanks

    Phil


    Phil Wilcock http://2pintsoftware.com @2pintsoftware

    • Marked as answer by jqx12 Monday, November 13, 2017 5:00 PM
    Monday, November 13, 2017 2:25 PM

All replies

  • Hi,

    When there is a firewall between the Windows Update agent and the Internet, the firewall might need to be configured to allow communication for the HTTP and HTTPS ports used for Windows Update. Windows Update agent uses port 80 for HTTP and port 443 for HTTPS to obtain updates.

    For more information, please read this article:

    How to solve connection problems concerning Windows Update or Microsoft Update

    https://support.microsoft.com/en-sg/help/818018/how-to-solve-connection-problems-concerning-windows-update-or-microsof


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 13, 2017 1:59 AM
    Moderator
  • Thanks but I'm talking about delivery optimization and firewall rules that are needed to allow it to work. Of course the normal Windows Update features work because it's an outbound connection from client to internet and we are not blocking that.
    Monday, November 13, 2017 6:24 AM
  • Thanks Phil! Very detailed answer. 

    Just noticed that I could have checked Windows 10 FW rules because there are two rules for delivery optimization (TCP & UDP 7680)

    Monday, November 13, 2017 5:00 PM
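The checks implied by Phil's answer and by the last reply (the built-in TCP/UDP 7680 rules), as an added PowerShell example that is not from the thread, from Microsoft, or from 2Pint Software. It assumes Windows 10 1703 or later with the built-in NetSecurity module and an elevated session; the display names of the shipped Delivery Optimization rules and the `DODownloadMode` policy values are assumptions based on documented defaults, and the `New-DoLanPeerRule` function (a hypothetical name) only creates rules when run without `-WhatIf`. It does not configure the Symantec firewall; it shows what a correctly scoped Windows Firewall equivalent looks like (local subnet and the `dosvc` service only, rather than any source) so the third-party rule can be modelled on it.

```powershell
# Added example, not code from the thread or from Microsoft/2Pint. Assumes Windows 10 1703+
# with the built-in NetSecurity module and an elevated session. The shipped rule names
# ("Delivery Optimization (TCP-In)" / "(UDP-In)") are an assumption; the wildcard below
# matches them without depending on the exact text.
#Requires -RunAsAdministrator

function Get-DoFirewallState {
    # Report the inbound firewall rules that carry peer traffic on 7680 and whether dosvc
    # is actually bound to the port, so a blocked peer download can be diagnosed locally.
    $rules = Get-NetFirewallRule -DisplayName 'Delivery Optimization*' -Direction Inbound -ErrorAction SilentlyContinue
    $rules | ForEach-Object {
        $port  = $_ | Get-NetFirewallPortFilter
        $scope = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Profile  = $_.Profile
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            Remote   = $scope.RemoteAddress   # 'Any' means every inbound source is accepted
        }
    }
    # Listener check: TCP 7680 in LISTEN state and the UDP endpoint bound to 7680.
    Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue |
        Select-Object @{n='Listener';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    Get-NetUDPEndpoint -LocalPort 7680 -ErrorAction SilentlyContinue |
        Select-Object @{n='Listener';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
}

function Get-DoDownloadModePolicy {
    # DODownloadMode decides whether Teredo/UDP 3544 matters at all: modes 1 (LAN) and
    # 2 (group) keep peering inside the network, mode 3 adds Internet peers, 0 disables
    # peering entirely (assumed values, per Microsoft's documented policy settings).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $val = Get-ItemProperty -Path $key -Name DODownloadMode -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'DODownloadMode not set by policy (defaults apply)' }
    return "DODownloadMode policy = $($val.DODownloadMode)"
}

function New-DoLanPeerRule {
    # Least-privilege inbound rules for 7680: only the local subnet, only the dosvc
    # service, only on Domain/Private profiles. Supports -WhatIf so the change can be
    # reviewed before anything is written to the firewall.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($proto in 'TCP', 'UDP') {
        $name = "DO peer 7680 $proto (LAN only)"   # hypothetical rule name
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        if ($PSCmdlet.ShouldProcess($name, 'Create inbound rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $proto -LocalPort 7680 -RemoteAddress LocalSubnet `
                -Profile Domain, Private -Service dosvc | Out-Null
        }
    }
}

# Usage:
Get-DoFirewallState | Format-Table -AutoSize
Get-DoDownloadModePolicy
New-DoLanPeerRule -WhatIf            # drop -WhatIf to actually create the rules
# From a second client, confirm the peer accepts on 7680 (CHANGEME = a LAN peer's name/IP):
# Test-NetConnection -ComputerName CHANGEME -Port 7680
```

If `Get-DoFirewallState` shows the shipped rules enabled with `Remote = Any`, the Windows Firewall itself is not what blocks peering and the third-party firewall is the place to look; the `Test-NetConnection` line run from another workstation then tells you whether that firewall actually passes 7680. Scoping the rule to `LocalSubnet` and the `dosvc` service matches the answer's point that LAN peering never needs Teredo, so UDP 3544 can stay closed when `DODownloadMode` is 1 or 2.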