Windows update IP addresses range and subnet mask for Windows Server 2008.

  • Question

  • Windows update IP address ranges and subnet mask for Windows Server 2008.

    This question is almost the same as one posted by Peter Lorenzen on Thursday, August 05, 2010 8:37 AM.

    Quote:
    We have a couple of Windows 2008 servers. They live behind a firewall and all outgoing communication must be off.
    I wanted to just use online Windows Update. To do this I need to open access to some servers at Microsoft like the ones below. In our firewall you cannot input DNS names, only IPs. The IPs of these servers change. If I do an nslookup one day I get one IP, and when I try it the day after, another. So I cannot get this to work.
    · windowsupdate.microsoft.com
    · update.microsoft.com
    · windowsupdate.com
    · download.microsoft.com
    · ntservicepack.microsoft.com

    New question:
    How can we now find a fixed IP address range for the above URLs, including the subnet mask?
    If we are going to enable WSUS, we also need to know the IP range and subnet mask for Windows Update.
    Thursday, January 13, 2011 6:02 AM

Answers

  • Hi,

    For security purposes, the IP address for the Windows Update web site constantly changes and it is not a fixed address. Also, there is no official publication of the IP addresses. We normally advise against defining IP addresses on the firewall for this purpose. Instead, we suggest either allowing all outbound connections to HTTP and HTTPS ports or defining the DNS addresses as permitted destinations for traffic via the firewall.

    For up-to-date information about the IPs being used by Windows Update, use the DNS system, as this is the only reliable up-to-date source of information. If you use DNS, make sure the following destination hosts are specified:

    http://windowsupdate.microsoft.com
    http://*.windowsupdate.microsoft.com
    https://*.windowsupdate.microsoft.com
    http://*.update.microsoft.com
    https://*.update.microsoft.com
    http://*.windowsupdate.com
    http://download.windowsupdate.com
    http://download.microsoft.com
    http://*.download.windowsupdate.com
    http://wustat.windows.com
    http://ntservicepack.microsoft.com
    http://stats.microsoft.com
    https://stats.microsoft.com

    Thanks for your understanding.

    Best Regards,

    Nina


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, January 17, 2011 6:02 AM
    Moderator

All replies

  • Nina,

    Do these dynamically change to anything within the Microsoft CIDR block? If they do then it's possible to permit the entire CIDR block for Microsoft, if the security analysts at that particular site with the firewall will permit such a rule.

    -Austin

    Thursday, February 10, 2011 6:24 AM
  • Everyone else seemed a little off topic here. Hope this can help someone out.

    Reference:  http://support.microsoft.com/kb/929851 and http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh373144.aspx

    Windows Update requires TCP port 80, 443, and 49152-65535.

    I configured Windows Firewall by doing the following.

    Changed Windows Firewall properties so that outbound/inbound connections that do not match a rule are blocked.

    Windows Update uses %systemroot%\system32\svchost.exe.

    I created a new outbound rule: selected Custom, Next; entered "%systemroot%\system32\svchost.exe" as the program path; set the protocol type to TCP; set local and remote ports to the specific ports {80, 443, 49152-65535}, Next; set the local IP to the local DHCP range and the remote IP to {65.0.0.1/8, 70.0.0.1/8, 94.0.0.1/8, 111.0.0.1/8, 132.0.0.1/8, 157.0.0.1/8, 207.0.0.1/8, 213.0.0.1/8}, Next; Allow the connection, Next, Next; name the rule; Finish.

    Then create an inbound rule for ports 80 and 443.

    This was the best I could do in 3 hours. If someone has spent more time locking this rule down any further, please let me know if I missed anything. Thanks.


    • Edited by SHORTMONGER Monday, April 14, 2014 9:29 PM
    • Proposed as answer by Taylor_Script Tuesday, June 24, 2014 2:01 PM
    Monday, April 14, 2014 9:00 PM
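As an added example (not code from the thread), the outbound rule SHORTMONGER describes, expressed for the netsh advfirewall tool that Windows Server 2008 ships with and narrowed from all of svchost.exe to the wuauserv service; the rule name and $RemoteIps are assumed values.

```powershell
# Added example, not code from the thread: the outbound-only Windows Update rule
# SHORTMONGER describes, written for netsh advfirewall (the tool Windows Server 2008
# ships with; the NetSecurity cmdlets only arrived with Server 2012). Run elevated.
#
# $RemoteIps is an assumed placeholder. Nina's answer says Microsoft publishes no
# fixed list, and the /8 blocks quoted in the thread cover far more than Microsoft,
# so substitute the list your change control accepts, or use "any" and rely on the
# program, service and port scoping below.
$RemoteIps = "203.0.113.0/24"           # PLACEHOLDER: RFC 5737 documentation range
$Program   = "$env:SystemRoot\System32\svchost.exe"
$RuleName  = "WindowsUpdate-Outbound"   # assumed name; no spaces keeps netsh quoting simple

# 1. Default deny in both directions on every profile (what the post sets in the GUI).
#    The value is quoted so PowerShell does not split it on the comma.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# 2. Drop any earlier copy so the script can be re-run.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null

# 3. Outbound allow scoped to svchost.exe AND the wuauserv service. A bare program
#    path would let every service hosted in svchost.exe (dozens of them) use the rule;
#    service= narrows it to Windows Update itself.
netsh advfirewall firewall add rule name="$RuleName" dir=out action=allow enable=yes `
    profile=any program="$Program" service=wuauserv protocol=TCP `
    remoteport="80,443,49152-65535" remoteip="$RemoteIps"

# 4. No inbound rule for 80/443 is needed: the Windows Firewall is stateful and admits
#    replies to connections it allowed outbound. An inbound allow would instead let the
#    server be reached as a listener on those ports.

# 5. Verify what is actually in effect before trusting it.
netsh advfirewall firewall show rule name="$RuleName" verbose
netsh advfirewall show allprofiles | Select-String -Pattern "Policy"
```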