
Allow windows update for DMZ machines

I have several Windows machines in my DMZ, and for DMZ machines, the default is for all outbound access to be blocked, but I want to allow the machines to get Windows updates. Any suggestions on how I can do this?


Re: Allow windows update for DMZ machines

I'm no Windows expert, but can't you point your Windows server to update from your internal WSUS servers?


Re: Allow windows update for DMZ machines

That would be easy if we had an internal WSUS server. We use ZEN. Since DMZ machines need patches on a more critical basis, and the testing to see if patches broke the machines is easier on the DMZ machines, we like to patch these machines more often and on a quicker cycle than the internal machines. We are also trying to avoid connecting our DMZ machines to any internal resources through any standard Windows ports so that if they are compromised they won't infect internal machines.

Maybe we're too paranoid?

Re: Allow windows update for DMZ machines


I suggest creating an outbound access rule to be applied on your DMZ interface allowing HTTP traffic originating from the servers that need to be updated. You may remove the access rule once done.
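
A sketch of the outbound rule suggested in the last reply, as an added example that is not part of the original thread. It assumes a Cisco ASA with an interface named `dmz`; the object-group and ACL names, all addresses, the DNS resolver entry and the HTTPS line are assumptions added here (Windows Update also uses HTTPS), and the leading deny reflects the poster's goal of keeping DMZ hosts away from internal networks.

```cisco
! Constructed sample addresses; replace with the real DMZ hosts and inside ranges.
object-group network DMZ_WIN_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network INSIDE_NETS
 network-object 10.0.0.0 255.0.0.0
!
access-list DMZ_IN remark Block DMZ-initiated traffic to internal networks first
access-list DMZ_IN extended deny ip any object-group INSIDE_NETS
access-list DMZ_IN remark DNS to one external resolver (constructed address)
access-list DMZ_IN extended permit udp object-group DMZ_WIN_SERVERS host 198.51.100.53 eq domain
access-list DMZ_IN remark Windows Update over HTTP and HTTPS from the listed servers only
access-list DMZ_IN extended permit tcp object-group DMZ_WIN_SERVERS any eq www
access-list DMZ_IN extended permit tcp object-group DMZ_WIN_SERVERS any eq https
access-list DMZ_IN remark Everything else from the DMZ stays blocked and is logged
access-list DMZ_IN extended deny ip any any log
!
! Bind the ACL to traffic entering the firewall from the DMZ (assumed interface name)
access-group DMZ_IN in interface dmz
```

Only one ACL can be bound per interface and direction, so if the `dmz` interface already has an inbound ACL, add these entries to it instead of binding a new one.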