Windows Updates: Firewall setting for outbound traffic

bstover_at_norcalmutual.com
Date: 02/16/05


Date: 16 Feb 2005 11:14:55 -0800

I've been hammering on this problem for a long time, and there does not
seem to be a real solution for me. Hopefully someone from this group, maybe
an employee from Microsoft, can help out.

I have a network of 50 servers and 400 users. The servers run Win2k
and Win2k3 and sit behind a firewall. For obvious reasons, I limit
outbound traffic from the servers to the internet. This includes HTTP.
I don't want my servers to be accessible, and I don't want them
accessing any unnecessary external resources.

For example, we've had a flood of trojans in the past few weeks. The
trojans call a server (outbound traffic) via HTTP, then download the
virus back into the network. If I allow all outbound HTTP, then this
opens my servers to being vulnerable.

My problem: I need to update my servers with MS Critical Patches.
This means that I must create outbound rules on my firewall allowing
HTTP access to specific URLs or subnets. I've allowed the following
based on the articles I've read in the groups and on MS, but there are
other sites involved as well that are not documented, and the IP
addresses are constantly changing.

activex.microsoft.com
download.windowsupdates.com
crl.microsoft.com
v3stats.windowsupdates.microsoft.com
v4.windowsupdates.microsoft.com
v5.windowsupdates.microsoft.com

207.46.0.0/16
64.4.0.0/16
38.113.0.0/16
64.62.0.0/16
64.152.0.0/16

Does anyone out there have a comprehensive listing of URLs and subnets
that need to be included as destination addresses in an outbound HTTP
firewall policy to make sure that Windows Updates will work
consistently?

Thanks!

Your help is appreciated.
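The underlying difficulty in the post is that a destination allowlist built from hostnames drifts as soon as those names resolve to addresses outside the permitted subnets. The following audit script is an added example, not code from the poster or from Microsoft: it takes the hostnames and subnets listed in the post, checks which resolved addresses fall outside the allowed ranges, and proposes the prefix that would cover the gaps. The address values in `SAMPLE_RESOLUTIONS` are constructed for an offline run (RFC 5737 documentation ranges stand in for the "outside" cases) and are not real resolutions of these names; `resolve_live` is a hypothetical helper that does a real lookup when you want current data.

```python
import ipaddress
import socket

# Destination subnets the post already allows on the outbound HTTP rule.
ALLOWED_SUBNETS = [
    ipaddress.ip_network(s)
    for s in (
        "207.46.0.0/16",
        "64.4.0.0/16",
        "38.113.0.0/16",
        "64.62.0.0/16",
        "64.152.0.0/16",
    )
]

# Hostnames from the post, mapped to CONSTRUCTED sample addresses so the
# script runs offline. These are not real resolutions: 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges and simply play the role of
# "an address that is not covered by the current rule".
SAMPLE_RESOLUTIONS = {
    "activex.microsoft.com": ["207.46.12.34"],
    "download.windowsupdates.com": ["64.4.56.78", "198.51.100.7"],
    "crl.microsoft.com": ["203.0.113.9"],
    "v3stats.windowsupdates.microsoft.com": ["38.113.1.1"],
    "v4.windowsupdates.microsoft.com": ["64.62.200.200"],
    "v5.windowsupdates.microsoft.com": ["64.152.3.3"],
}


def resolve_live(hostname):
    """Hypothetical helper: return the IPv4 addresses a name resolves to now.

    Only used when you replace SAMPLE_RESOLUTIONS with live data; the
    offline checks below never call it.
    """
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_allowed(ip, allowed=ALLOWED_SUBNETS):
    """True when the address sits inside at least one allowed subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def audit(resolutions, allowed=ALLOWED_SUBNETS):
    """Map each hostname to a list of (address, covered) pairs."""
    return {
        host: [(ip, is_allowed(ip, allowed)) for ip in ips]
        for host, ips in resolutions.items()
    }


def uncovered_addresses(resolutions, allowed=ALLOWED_SUBNETS):
    """Sorted list of resolved addresses the current rule would block."""
    gaps = {
        ipaddress.ip_address(ip)
        for ips in resolutions.values()
        for ip in ips
        if not is_allowed(ip, allowed)
    }
    return [str(a) for a in sorted(gaps)]


def proposed_rules(resolutions, allowed=ALLOWED_SUBNETS, prefix=24):
    """Smallest set of /prefix networks that would cover every gap.

    A /24 is a deliberately narrow default: widening a rule to a /16 on
    the strength of one address is how allowlists quietly become "any".
    """
    nets = {
        ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        for ip in uncovered_addresses(resolutions, allowed)
    }
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    for host, results in audit(SAMPLE_RESOLUTIONS).items():
        for ip, ok in results:
            print(f"{'ok     ' if ok else 'BLOCKED'} {host:42} {ip}")
    print("gaps:", uncovered_addresses(SAMPLE_RESOLUTIONS))
    print("proposed:", proposed_rules(SAMPLE_RESOLUTIONS))
```

Run it on a schedule (and once more immediately before a patch window) with `resolve_live` feeding the resolution table; a non-empty `gaps` list is the signal that the rule has drifted, and `proposed_rules` gives you a narrow candidate change to review rather than a reason to open HTTP to everything.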
