Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 30 subscribers
  • Views 10646 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web exception for Microsoft Updates issues

tom greene

I want to create a network in which users can only use the internet after logging in through the captive portal. No internet traffic should pass with logging into the sophos captive portal first.

The problem i am having is that if the Microsoft Windows Update exception is on then even if the no user has signed into the captive portal the computer will still download windows updates. Is there any way to fix this. I only want the exception to work after the users have logged into the captive portal.

I cant open any other websites or surf the web without logging into the captive portal. but the updates will download. No traffic shaping rules apply because no user has logged in so all our internet bandwidth is used up.

So is there a firewall rule that i have failed to create?

Is there any fix for this?



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Aditya Patel

    How does creating an exception for the url helped. the user isnt logged in so they shouldnt be able to get to the internet anyway. 

    So first question is, what is the reason that the computer can download windows update even if the user isnt logged into the captive portal?

    So would creating a generic deny any deny rule at the bottom of the firewall rules solve the problem.

    Basically i dont want windows to update itself even if the user isnt logged in. 

     

     

  • 0 in reply to tom greene

    Having same issue..Had reported it to local dealer many time, checked it but nobody found a solution.

    Even user is not loging to captive portal, there is huge amount of traffic is leaking through wan ports.

    We have two satellite wan, one of them is fast but very expensive, other is slow but unlimited/cheap line.

    Sophos technicians cannot answer us why without logged in to captive portal there is huge data leakage from high speed wan. Even they cannot answer why data leakage goes through fast WAN but not unlimited wan.

    We have been using around 29 PCS XG 115 with enterprice licence and we are about to change all devices with another brand firewall that can control all data.

    For info Sophos technicians checked;

    -Firewall settings

    -Web Policy settings (exceptions all set OFF)

    -Application Settings

    All is confirmed correct, but couldn't find out why there is huge data leakage.....

     

  • 0 in reply to Bekir Kopmaz

    Maybe using a WSUS Server combined with GPO inside your network helps. This could restrict the download to one time and your clients will get the update from the WSUS Server. You will need to update the computers one way or another. So either download it for each client or once on the WSUS (this might require a lot of space depending on your installed OS and Software).

  • 0 in reply to BeEf

    BeEf said:

    Maybe using a WSUS Server combined with GPO inside your network helps. This could restrict the download to one time and your clients will get the update from the WSUS Server.

    You will need to update the computers one way or another. So either download it for each client or once on the WSUS (this might require a lot of space depending on your installed OS and Software).

     

     
    Hi BeEf,
    The description WSUS is a bit tricky, cause Windows10 can use Branch Distribution Points (e.g. Based on a Windows10 Desktop) and do not need a expensive Server for small remote locations. A Windows10 Distribution Points handle up to 20 concurrent sessions and queued all above 20. If the Windows10 depot System is down/broken, normaly you have a backup device configured in the SCCM infrastructure (boundaries). It's a possibility to place a Windows10 desktop for Distribuition Point service and also for reinstall in the local network.