
Exclude Windows Update from Data Transfer Limits

Hi

I work at a home for orphaned and abandoned children. We have a few PCs for the children to use and have a Sophos XG Firewall. The children have Sophos user accounts so that we can implement policies for the children. We also implement surfing and network traffic quotas.

Unfortunately, Windows Updates consume significant network traffic. If Windows Updates occur while one of the children is using a computer, it will consume all of their allowed network traffic.

In the past I have disabled the Windows Update service so that updates do not occur automatically when the children are using the computers. At a time when the children are not using the computers, I have logged into the computers with an admin account, started the Windows Update service, completed any available updates, then disabled the Windows Update service.

However, it seems that the Windows Update service can no longer be kept disabled. There have been several workarounds for this but it seems Microsoft keeps defeating these.

So if I cannot prevent Windows Updates occurring when the children are using the computers, then is there any way I can configure the XG firewall so that the data transferred for Windows Updates is not counted towards the children's Network Traffic quotas?

Thanks

David
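The maintenance routine described in the post above (disable the Windows Update service while the children are on the PCs, then enable it, run the updates and disable it again outside their hours) is the kind of thing that is easier to get right as a script than by hand. The following is an added example, not code from the original poster or from Sophos. It assumes the PCs run a Windows version that exposes the Windows Update Agent COM API (`Microsoft.Update.Session`); the function names are hypothetical. The state-check function exists because the post notes Windows keeps re-enabling the service: run it before each session so a re-enabled service is noticed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes the Windows Update
# Agent COM API (Microsoft.Update.Session) is available. Function names
# are hypothetical.

function Get-WindowsUpdateServiceState {
    # Report how wuauserv is currently configured, so a service that Windows
    # has silently re-enabled is spotted before the children log on.
    $svc = Get-Service -Name wuauserv
    [pscustomobject]@{
        Status     = $svc.Status
        StartType  = $svc.StartType
        IsDisabled = ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped')
    }
}

function Open-UpdateWindow {
    # Maintenance window: let the service run, then search for, download and
    # install everything that is pending via the Windows Update Agent API.
    Set-Service -Name wuauserv -StartupType Manual
    Start-Service -Name wuauserv

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    if ($result.Updates.Count -eq 0) {
        Write-Host 'No updates pending.'
        return
    }

    $toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $result.Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$toInstall.Add($u)
        Write-Host ("Pending: {0}" -f $u.Title)
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $toInstall
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $toInstall
    $outcome = $installer.Install()
    # ResultCode 2 means the operation succeeded; RebootRequired tells you
    # whether to restart before handing the PC back.
    Write-Host ("Install result code: {0}; reboot required: {1}" -f
        $outcome.ResultCode, $outcome.RebootRequired)
}

function Close-UpdateWindow {
    # Children's hours: stop the service and disable it again.
    Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
    Set-Service -Name wuauserv -StartupType Disabled
}

# Usage, from an elevated PowerShell session outside the children's hours:
# Open-UpdateWindow          # install pending updates (reboot if told to)
# Close-UpdateWindow         # lock the service down again
# Get-WindowsUpdateServiceState   # run before each session; IsDisabled should be True
```

If `Get-WindowsUpdateServiceState` ever reports `IsDisabled` as `False` before a session, the service has been re-enabled behind your back, which is exactly the failure mode the post describes, and the firewall-side controls discussed below become the only reliable safeguard.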



  • Hi David,

    Are you able to create a separate user firewall rule specifically for Windows Update destined traffic, that bypasses data accounting?

    Matching URLs for destination network (taken from the Web Exceptions):

    Refer to this KBA - Sophos Firewall: How to allow destination hosts after exhausting network data quotas

    Network traffic quota KBA for reference as well.

    Regards,

  • Thanks FloSupport and M8ey for the suggestions. Sorry it has taken a while to respond. It has taken a while to try things and see if they work.

    The idea of bypassing the data accounting looked really promising as the updates could still download while the children use the computers without me needing to go in separately and do the updates. Unfortunately, this did not work. While some of the Windows Update requests go to the URLs specified by FloSupport, Windows Update also makes use of many other URLs.

    Looking at firewall reports, I can see a lot of data that Sophos classifies with Application Category of Software Update and Application of Windows Update coming from other places that look like servers operated by telcos and web hosting providers in South Africa (where I am located) and even Europe. This accounts for most of the Windows Update traffic so it still gets counted towards children's data use. Even when I add some of the addresses being used, others pop up and I cannot hope to manage all the possible locations Windows Update may use.

    However, seeing how the Sophos reports show the Application Category of Software Update and Application of Windows Update, this gave me another idea. What I have done is update the firewall rule used to control the children's access, to add the Application of Windows Update to the Application Filter Policy that blocks access to certain applications. This seems to be working.

    While this is not as good an outcome as just excluding Windows Updates from data accounting, it does prevent Windows Updates from downloading while the children are using the computers.

    Is there a way to set up a rule so that data transfers for the Application of Windows Update are allowed but excluded from data accounting, while still having Web and Application Filter Policies that block other activity? I am not sure how Sophos knows that these data transfers are for the Application of Windows Update.

  • Hi

    Unfortunately like you experienced, this won't be possible without configuring the bypass rule to match to all possible Windows Update IP's.

    However, if you are so inclined, you could set up a WSUS server in your home network? That way, only this server would go out to grab Windows Update files and your clients would get their updates locally (bypass LAN-LAN traffic from data accounting).

    Regards,

  • Hi David Hay,

    I thought you should know about the option within Windows 10 to download Windows updates from local sources.

    Just google it, and there are loads of sites which can let you know how to.

  • As suggested, WSUS would be your best way to control this traffic; plus, in theory it would lower overall WAN usage, as it would be this server downloading from the WAN and everything else would be local traffic if configured correctly.
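The two suggestions above (a WSUS server on the LAN, and the Windows 10 option to fetch updates from local sources) both come down to policy settings on each child PC. The following is an added example, not code from any of the posters or from Sophos or Microsoft. It writes the same registry values Group Policy uses to point the Windows Update client at an intranet WSUS server and to restrict Delivery Optimization peering to the LAN (download mode 1, the "PCs on my local network" option in Settings, which is what I take the "download from local sources" post to mean). The WSUS hostname is a placeholder and the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Configures a client to use a
# WSUS server and LAN-only Delivery Optimization through the policy registry
# keys that Group Policy writes. WSUS URL and function names are placeholders.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"
$DoPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Set-LocalUpdateSource {
    param(
        # WSUS listens on 8530 (HTTP) or 8531 (HTTPS) by default.
        [Parameter(Mandatory)] [string] $WsusUrl
    )
    foreach ($key in $WuPolicy, $AuPolicy, $DoPolicy) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Where the client scans for and downloads updates, and where it reports.
    Set-ItemProperty -Path $WuPolicy -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $WuPolicy -Name WUStatusServer -Value $WsusUrl -Type String
    # Without UseWUServer=1 the WUServer value is ignored and the client keeps
    # going to Microsoft over the WAN.
    Set-ItemProperty -Path $AuPolicy -Name UseWUServer -Value 1 -Type DWord
    # Delivery Optimization download mode 1 = peers on the local LAN only,
    # no internet peers.
    Set-ItemProperty -Path $DoPolicy -Name DODownloadMode -Value 1 -Type DWord

    # Restart the Windows Update client so it picks up the new policy.
    Restart-Service -Name wuauserv -Force
}

function Get-LocalUpdateSource {
    # Read back the effective policy so a mistyped URL or a missing
    # UseWUServer flag is caught before the children's quotas are hit again.
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    $do = Get-ItemProperty -Path $DoPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        DODownloadMode = $do.DODownloadMode
        UsesWsus       = ($au.UseWUServer -eq 1 -and -not [string]::IsNullOrEmpty($wu.WUServer))
    }
}

# Usage (placeholder hostname; run on each child PC from an elevated session):
# Set-LocalUpdateSource -WsusUrl 'http://wsus.example.local:8530'
# Get-LocalUpdateSource    # UsesWsus should be True, DODownloadMode 1
```

Two caveats that follow from the thread: the WSUS server itself still downloads from Microsoft over the WAN, so on the XG it needs to be matched by a rule that is not subject to the children's quotas (a separate host, not one of the children's user accounts); and the client-to-WSUS traffic only stays outside the children's data accounting if the LAN-to-LAN rule on the firewall is configured to bypass it, as the earlier reply notes.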
