This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Windows update on secondary / backup link

We have 2 x WAN links, one as a primary the second as a backup. we have found windows update killing our primary link of late so would like to send all windows update based traffic on the secondary/backup link.

We are running a Sophos XG 16.05.8 MR-8

I have crated a traffic shaping Qos policy then applied this policy against the traffic shaping defaults for software updates so that i can ensure it won't kill the backup link should we ever have to fail the primary link over...

however i can't seem to work out how to create a firewall rule to send traffic to windows update -

any suggestions appreciated or if you feel i've taken the wrong approach i'm open to suggestions.

Thanks in advance

This thread was automatically locked due to age.

0 rfcat_vk over 7 years ago

My experience is without an AD, so this might be a guide only.

Set a higher priority rule that points at the MS update sites and have its gateway your backup link.

You might also consider upgrading to mr9 or v17.0 MR-5 if you do not use IPSEC?

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Trimble Network over 7 years ago in reply to rfcat_vk

Thanks Ian,

any suggestion on how to point the rule at ms update sites - should we create a host/host group for *.microsoft.com or is there something hidden within the sophos KB that points us in the direction of where to find this sort of info?
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 7 years ago in reply to Trimble Network

Hi,

there is *.microsoft.com host group in the XG. From my own experience with other software downloads the *.microsoft.com does not cover all the MS websites.

You might care to build your own group using details from the logs.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Trimble Network over 7 years ago in reply to rfcat_vk

i was sure it was more than just *.microsoft.com

I just found an article https://support.microsoft.com/en-au/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p

which states the following addresses:

update.microsoft.com
*.update.microsoft.com
download.windowsupdate.com
*.download.windowsupdate.com
download.microsoft.com
*.download.microsoft.com
windowsupdate.com
*.windowsupdate.com
ntservicepack.microsoft.com
wustat.windows.com
login.live.com (this is required if you have connected a Microsoft Account)
mp.microsoft.com
*.mp.microsoft.com

I'll add these to a host group and see how we go from there... was hoping Sophos or Cyberoam may have a pre configuration that may assist with this but it would appear not.

thanks for the assistance Ian.
Cancel
Vote Up 0 Vote Down

Cancel