Cisco Support Community
New Member

What ACL to allow Windows Update without browsing

About 1/2 the PCs in my company should not have the ability to browse. I want them to be able to run Windows Update. Google gave me lots to look at, but I can't find a list of IPs complete enough to work. I figure someone (many someones) must have done this before. What ACLs are necessary to get Windows Update to work?

5 REPLIES
New Member

Re: What ACL to allow Windows Update without browsing

I really doubt you will ever come across a complete list of those servers. Compiling and publishing such a list would undoubtedly invite nefarious activity.

Here are a couple of things you might want to look at alternatively.

1. Build a web proxy and use a combination of authentication and access control lists to restrict outbound access.

2. Use N2H2-based URL filtering; your PIX/ASA should have built-in support for it.

3. Build your own WSUS server that lives on a DMZ network that all workstations can talk to.

New Member

Re: What ACL to allow Windows Update without browsing

Plan on setting up a WSUS server, but was hoping for a quick temporary fix. I guess quick and dirty and security don't mix.

Thanks for the info.

New Member

Re: What ACL to allow Windows Update without browsing

Although this is for WSUS you could try these sites:

http://technet2.microsoft.com/windowsserver/en/library/9d55bda5-9eb9-46d2-a204-62034936eb131033.mspx?mfr=true

Go to the link: Configure the Firewall Between the WSUS Server and the Internet

New Member

Re: What ACL to allow Windows Update without browsing

Looks like that should work. If not then WSUS is the only real answer.

Thanks.

New Member

Re: What ACL to allow Windows Update without browsing

I'm not quite sure how that helps. The link doesn't include a list of hosts that you could use to restrict TCP/80,443 access to.
