This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Block all, but allow WindowsUpdate & Antivirus-Update - possible without Proxy

Hello,

is there a possibility to allow a client, that does not have any internet access (all outgoing traffic blocked via packet filter, except NTP/SMTP/IMAP) to use windows update and antivirus-update-servers ?
for different reasons i do not want to use the http-proxy feature of astaro. Is there any possibility to do this via packetfilter ?

thanks

This thread was automatically locked due to age.

0 trollvottel over 15 years ago

I can think of creating Network Object Groups containing the IP-Networks the Microsoft-Servers use and create PacketFilter rules. But AFAIK Microsoft uses Content Distribution Providers like Akamai that have large networks and capacity and may host other services as well as for other companies, so your filter wouldn' t be very strict.

Or you could try to play around with the 'DNS-Host' object which resolves eg. 'download.microsoft.com' to the corresponding IP addresses which then can be used by the PacketFilter.

Anyway, we would like to know why you try to avoid the proxy. Are there any negative experiences?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 15 years ago

Chris, I don't think there's a specific range of IPs you can allow. Even if you allowed the entire range of Microsoft IPs, they probably use third-parties too, like Akamai. If you don't want to use the HTTP/S Proxy, then your only real solution is to configure WSUS on a machine that's allowed external access, and have internal users get their updates from it.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel