Allow windows update for DMZ machines

Unanswered Question
Jan 13th, 2009

I have several windows machines in my DMZ, and for DMZ machines, the default is for all outbound access to be blocked, but I want to allow the machines to get windows updates. Any suggestions on how I can do this?

Collin Clark Tue, 01/13/2009 - 11:13

I'm no Windows expert, but can't you point your Windows server to update from your internal WSUS servers?

Dan Mullendore Tue, 01/13/2009 - 11:23

That would be easy if we had an internal WSUS server. We use ZEN. Since DMZ machines need patches on a more critical basis, and the testing to see if patches broke the machines is easier on the DMZ machines, we like to patch these machines more often and on a quicker cycle than the internal machines. We are also trying to avoid connecting our DMZ machines to any internal resources through any standard Windows ports so that if they are compromised they won't infect internal machines.

Maybe we're too paranoid?

Mo'ath Al Rawashdeh Wed, 01/14/2009 - 01:58


I suggest creating an outbound access rule to be applied on your DMZ interface allowing HTTP traffic originating from the servers that need to be updated. You may remove the access rule once done.
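As an added example (not Mo'ath's configuration and not from the original thread), here is what such a rule looks like in Cisco ASA/PIX syntax. It assumes the firewall is an ASA, the DMZ interface is named `dmz`, and the two host addresses, the object-group names and the ACL name are placeholders to be replaced. It permits only the named servers, only on the two ports Windows Update uses (HTTP and HTTPS), and logs everything else the DMZ tries to send out.

```cisco
! Added example, not the original poster's config. Interface name "dmz",
! the host addresses and the object/ACL names are assumptions.
!
! Only the DMZ servers that need updates, never the whole DMZ subnet.
object-group network DMZ_WU_HOSTS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
!
! Windows Update talks on both HTTP (80) and HTTPS (443).
object-group service WU_PORTS tcp
 port-object eq www
 port-object eq https
!
! Destination is "any" because Windows Update is served from many
! Microsoft/CDN addresses; the rule is constrained by source host and
! port instead. The explicit deny with "log" makes every other outbound
! attempt from the DMZ visible in syslog.
access-list DMZ_OUTBOUND extended permit tcp object-group DMZ_WU_HOSTS any object-group WU_PORTS
access-list DMZ_OUTBOUND extended deny ip any any log
!
! "in" = traffic entering the ASA on the dmz interface, i.e. outbound
! from the DMZ hosts.
access-group DMZ_OUTBOUND in interface dmz
```

Two things to check before applying it: binding an ACL to the interface replaces the implicit security-level behaviour, so any other traffic the DMZ hosts legitimately originate (at minimum, DNS to whatever resolver they use to look up the update hostnames) needs its own permit line above the deny; and because the permit is scoped to the update hosts and to tcp/80 and tcp/443 only, it opens nothing toward the internal network and none of the standard Windows ports, so it is compatible with the isolation goal described earlier in the thread. To follow the suggestion of removing the rule once updates are done, detach it with `no access-group DMZ_OUTBOUND in interface dmz` (or simply remove the permit line and leave the logging deny in place).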

