LinuxQuestions.org > Forums > Non-*NIX Forums > General
Old 04-24-2008, 08:51 AM   #1
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 220

Rep: Reputation: 31
What firewall ip addresses do I open to allow Microsoft updates?


Arrrrghhhh!

I HATE MICROSOFT! Why can't they be like linux, and have ONE ip address for their update servers?

We have publicly accessible windows pc's behind a proxy firewall (debian+shorewall+squid+dansguardian). Users MUST get a proxy account to access the Internet.

We use Mozilla Firefox as default browser for many reasons, works great with proxy, safer, etc. Microsoft Exploder works poorly with proxies (gee, what a surprise). The only way to get these Windoze pc's updated is directly through the firewall.

I've been watching my logs (tail -F /var/log/messages) to see what ip addresses a windoze machine needs to get updates. The list is LONG! So far, I've practically opened up half the damn Internet, and STILL can't get it working.

So far, I've opened up this:
(in my shorewall /etc/shorewall/rules)

Code:
# allow access to microsoft for windows updates
HTTP/ACCEPT	loc	net:207.46.0.0/16
HTTPS/ACCEPT	loc	net:207.46.0.0/16
HTTP/ACCEPT	loc	net:65.55.184.0/24
HTTPS/ACCEPT	loc	net:65.55.184.0/24
HTTP/ACCEPT	loc	net:207.68.160.0/24
This is taking forever. I've googled, and haven't found anyone who has a list of IPs to open. Has anyone done this? I need updates for both Windows 2000 and Windows XP (no Vista here yet).

Thanks for reading
 
Old 04-24-2008, 08:58 AM   #2
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556
Perhaps a similar but clearer (???) way of determining the necessary IPs and ports would be to run Wireshark on the firewall box if possible, and note what ports/IPs/ protocols are being used by the Windoze update software.
At least you may get a better idea of exactly what is going on?
I suspect the output would be similar to what you get from /var/log/messages, but probably with less 'extra junk' mixed in.

I hear you re: why can't they use a lot less IPs to do the job -- it is a hassle. I thankfully no longer use Windoze, but I do sympathize.

Good luck!

Last edited by GrapefruiTgirl; 04-24-2008 at 11:57 AM. Reason: typo
 
Old 04-24-2008, 09:43 AM   #3
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 220

Original Poster
Rep: Reputation: 31
Haven't tried wireshark. I am using psad (port scan attack detector). It does a great job at sending me email alerts on attacks, does reverse dns lookup for me, etc. Very useful.

I'm still working on the list, it's up to 21 IP networks so far!!!! Microsoft, YOU SUCK!!!
 
Old 04-24-2008, 09:50 AM   #4
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

Rep: Reputation: 31
I suggest you set up a Windows 2003 WSUS server which has full permission to access the Internet directly.
All your Windows clients point to the WSUS server for updates. It saves your bandwidth and you don't need the headache of the security settings.
 
Old 04-24-2008, 10:08 AM   #5
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 220

Original Poster
Rep: Reputation: 31
We don't own win2003 and never will. I'm trying to replace all windows with linux. I do have a 2000 server, and it looks like wsus will run on it. However, I would still have the same problem. I refuse to give the 2000 server unrestricted access to the Internet. Even though it's a hands-off machine, if it did get infected, it would have free run.

OK, I think I've got it!!!

I just updated an XP machine, and a 2000 machine. I had to open up ALL OF THIS on my firewall:

Code:
# allow access to microsoft for windows updates
HTTP/ACCEPT     loc     net:207.46.0.0/16
HTTPS/ACCEPT    loc     net:207.46.0.0/16
HTTP/ACCEPT     loc     net:65.55.184.0/24
HTTPS/ACCEPT    loc     net:65.55.184.0/24
HTTP/ACCEPT     loc     net:207.68.160.0/24
HTTP/ACCEPT     loc     net:69.147.114.0/24
HTTP/ACCEPT     loc     net:65.55.200.0/24
HTTPS/ACCEPT    loc     net:65.55.200.0/24
HTTP/ACCEPT     loc     net:68.142.118.0/24
HTTP/ACCEPT     loc     net:192.221.99.0/24
HTTP/ACCEPT     loc     net:209.73.188.0/24
HTTP/ACCEPT     loc     net:216.109.127.0/24
HTTP/ACCEPT     loc     net:4.23.40.0/24
HTTP/ACCEPT     loc     net:206.33.52.0/24
HTTP/ACCEPT     loc     net:204.160.126.0/24
HTTP/ACCEPT     loc     net:198.78.220.0/24
HTTP/ACCEPT     loc     net:209.18.38.0/24
HTTPS/ACCEPT    loc     net:65.55.192.0/24
HTTP/ACCEPT     loc     net:198.78.200.0/24
HTTP/ACCEPT     loc     net:131.107.115.0/24
HTTP/ACCEPT     loc     net:64.4.52.0/24
21 frikken networks! It would be more, but I made the first one 16-bit to cover all of the 207.46.*.* network.

OMG Microsoft sucks. All of the above, just to update the OS. I'd have to open more to update each software package. Another fine example how linux is superior to windoze...

I hope this thread helps some people
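Added example (not part of the thread or of Shorewall): a small audit script that parses the rules posted above (post #1 and the full list in post #5) and reports how much address space they actually open and which rule would let a given destination through. It assumes the macro-style rule lines shown in the thread (SERVICE/ACCEPT, a source zone, and net:CIDR); it is a review aid, not a Shorewall feature.

```python
# Added example, not from the thread: measure the exposure created by a set of
# Shorewall macro-style rules and find which rule permits a given destination.
import ipaddress
import re

# The 21 rules from post #5 of the thread, reproduced verbatim as sample input.
SHOREWALL_RULES = """\
# allow access to microsoft for windows updates
HTTP/ACCEPT     loc     net:207.46.0.0/16
HTTPS/ACCEPT    loc     net:207.46.0.0/16
HTTP/ACCEPT     loc     net:65.55.184.0/24
HTTPS/ACCEPT    loc     net:65.55.184.0/24
HTTP/ACCEPT     loc     net:207.68.160.0/24
HTTP/ACCEPT     loc     net:69.147.114.0/24
HTTP/ACCEPT     loc     net:65.55.200.0/24
HTTPS/ACCEPT    loc     net:65.55.200.0/24
HTTP/ACCEPT     loc     net:68.142.118.0/24
HTTP/ACCEPT     loc     net:192.221.99.0/24
HTTP/ACCEPT     loc     net:209.73.188.0/24
HTTP/ACCEPT     loc     net:216.109.127.0/24
HTTP/ACCEPT     loc     net:4.23.40.0/24
HTTP/ACCEPT     loc     net:206.33.52.0/24
HTTP/ACCEPT     loc     net:204.160.126.0/24
HTTP/ACCEPT     loc     net:198.78.220.0/24
HTTP/ACCEPT     loc     net:209.18.38.0/24
HTTPS/ACCEPT    loc     net:65.55.192.0/24
HTTP/ACCEPT     loc     net:198.78.200.0/24
HTTP/ACCEPT     loc     net:131.107.115.0/24
HTTP/ACCEPT     loc     net:64.4.52.0/24
"""

# Matches lines of the form "HTTP/ACCEPT  loc  net:1.2.3.0/24" (macro syntax).
RULE_RE = re.compile(
    r"^(?P<service>[A-Z]+)/(?P<policy>ACCEPT|DROP|REJECT)\s+(?P<src>\S+)\s+net:(?P<net>[\d./]+)"
)


def parse_rules(text):
    """Return (service, source_zone, ip_network) for each macro-style rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue  # not a macro-style net: rule; outside the scope of this audit
        rules.append((m["service"], m["src"], ipaddress.ip_network(m["net"], strict=False)))
    return rules


def exposure_summary(rules, narrowest_acceptable=24):
    """Count distinct destination addresses reachable and flag prefixes wider than /24."""
    nets = {net for _, _, net in rules}
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    broad = sorted(str(n) for n in nets if n.prefixlen < narrowest_acceptable)
    return {
        "rules": len(rules),
        "unique_networks": len(nets),
        "addresses": total,
        "broad_networks": broad,
    }


def rules_permitting(rules, dst_ip, service):
    """List the networks whose rule for `service` (HTTP or HTTPS) would accept dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    return [str(net) for svc, _, net in rules if svc == service and ip in net]


if __name__ == "__main__":
    parsed = parse_rules(SHOREWALL_RULES)
    print(exposure_summary(parsed))
    print("HTTPS to 65.55.192.10 via:", rules_permitting(parsed, "65.55.192.10", "HTTPS"))
    print("HTTP  to 65.55.192.10 via:", rules_permitting(parsed, "65.55.192.10", "HTTP"))
```

Run as-is it reports 21 rules over 18 distinct networks, roughly 70,000 destination addresses reachable from the whole `loc` zone, with the single /16 accounting for almost all of it; the per-destination check also shows that 65.55.192.0/24 is reachable only over HTTPS, which is the kind of gap that makes an IP-based list hard to maintain.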
 
Old 04-24-2008, 10:42 AM   #6
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 220

Original Poster
Rep: Reputation: 31
Bitdefender:

If anyone is interested, here is what you need to use Bitdefender, the free online virus scan/clean (requires explorer, will not work with firefox).

Code:
# allow access to bitdefender.com for free online virus scan
HTTP/ACCEPT     loc     net:66.223.50.0/24
HTTP/ACCEPT     loc     net:193.164.155.0/24
HTTP/ACCEPT     loc     net:66.40.145.0/24
HTTP/ACCEPT     loc     net:216.207.68.0/24
HTTP/ACCEPT     loc     net:168.215.74.0/24
HTTP/ACCEPT     loc     net:209.170.75.0/24
HTTP/ACCEPT     loc     net:209.51.185.0/24
HTTP/ACCEPT     loc     net:8.17.64.0/24
HTTP/ACCEPT     loc     net:199.7.51.0/24
HTTP/ACCEPT     loc     net:199.7.54.0/24
I always make an icon on the (windows) desktop that points to:

http://www.bitdefender.com/scan8/ie.html
 
Old 12-02-2009, 09:55 AM   #7
JiLoa
LQ Newbie
 
Registered: Dec 2009
Posts: 0

Rep: Reputation: 0
Quote:
Originally Posted by drokmed
We don't own win2003 and never will. I'm trying to replace all windows with linux. I do have a 2000 server, and it looks like wsus will run on it. However, I would still have the same problem. I refuse to give the 2000 server unrestricted access to the Internet. Even though it's a hands-off machine, if it did get infected, it would have free run.

OK, I think I've got it!!!

{snip}

21 frikken networks! It would be more, but I made the first one 16-bit to cover all of the 207.46.*.* network.

OMG Microsoft sucks. All of the above, just to update the OS. I'd have to open more to update each software package. Another fine example how linux is superior to windoze...

Are you serious? You'd rather expose all of your internal systems to all those ranges rather than a single (controlled) WSUS server to all HTTP/HTTPS (that is, WSUS, initiates across a stateful FW)? Dude, you've got some serious bias getting in the way of good judgement. I pity your user base.
 
Old 12-02-2009, 10:23 AM   #8
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Looks like it's port 80:

Configure the Firewall Between the WSUS Server and the Internet
http://technet.microsoft.com/en-us/l...05(WS.10).aspx

If there is a corporate firewall between WSUS and the Internet, you might need to configure the firewall to ensure that WSUS can obtain updates.

To configure your firewall
 
Old 12-02-2009, 10:32 AM   #9
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by drokmed
21 frikken networks! It would be more, but I made the first one 16-bit to cover all of the 207.46.*.* network.

OMG Microsoft sucks. All of the above, just to update the OS. I'd have to open more to update each software package. Another fine example how linux is superior to windoze...

21 update servers have nothing to do with Windows vs Linux. If you are deploying an update server for millions of hosts then you certainly want DR and HA. The same thing is achieved in Linux by having multiple mirrors. If you have ever run Gentoo, when you set it up you pick the mirrors you want from a list of hundreds of mirrors.


Server 2003 or 2008 running as a WSUS not only improves the client network security but also saves exponential amounts of bandwidth.


We all understand that this is a Linux forums website but we need to try to stay away from posting just to bash Windows. The information is useful but it seems like there was a lot of extra information put in just to bash Windows.


Here is the list of sites from Microsoft's website.

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://download.windowsupdate.com
http://*.download.windowsupdate.com
https://*.download.windowsupdate.com
http://*.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
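Added example (not posted by anyone in the thread, and not Squid's or Microsoft's own code): the original poster already runs a Squid proxy, so the hostname list above can be enforced there by name instead of by opening IP ranges at the firewall. The script converts the URL patterns into Squid `dstdomain` entries (a leading dot matches a domain and all of its subdomains), drops entries already covered by a broader one, and checks candidate hostnames against the result. The ACL name `winupdate` and the placement of the `http_access` line relative to the proxy's authentication rules are assumptions.

```python
# Added example, not from the thread: build a Squid dstdomain allow-list from the
# Windows Update URL patterns and check hostnames against it.

# URL patterns exactly as posted in the thread (from Microsoft's WSUS documentation).
WINDOWS_UPDATE_URLS = [
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://download.windowsupdate.com",
    "http://*.download.windowsupdate.com",
    "https://*.download.windowsupdate.com",
    "http://*.windowsupdate.com",
    "http://wustat.windows.com",
    "http://ntservicepack.microsoft.com",
]


def url_to_dstdomain(url):
    """Map a URL pattern to Squid dstdomain syntax: '*.example.com' -> '.example.com'."""
    _, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].lower()
    return "." + host[2:] if host.startswith("*.") else host


def entry_matches(entry, host):
    """Squid semantics: a leading-dot entry matches the domain itself and every subdomain;
    a plain entry matches only that exact host."""
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def build_allowlist(urls):
    """Deduplicate the patterns and drop any entry already covered by a broader dot-entry."""
    entries = {url_to_dstdomain(u) for u in urls}
    minimal = []
    for e in sorted(entries):
        bare = e[1:] if e.startswith(".") else e
        covered = any(o != e and o.startswith(".") and entry_matches(o, bare) for o in entries)
        if not covered:
            minimal.append(e)
    return minimal


def host_allowed(host, allowlist):
    """True if the proxy would let a request to `host` through this ACL."""
    host = host.lower().rstrip(".")
    return any(entry_matches(e, host) for e in allowlist)


def squid_acl_lines(allowlist, acl_name="winupdate"):
    """Render squid.conf lines; acl_name is an assumed name for this example."""
    lines = [f"acl {acl_name} dstdomain {e}" for e in allowlist]
    lines.append(f"http_access allow {acl_name}")
    return lines


if __name__ == "__main__":
    acl = build_allowlist(WINDOWS_UPDATE_URLS)
    print("\n".join(squid_acl_lines(acl)))
    for h in ("v4.windowsupdate.microsoft.com", "evil-windowsupdate.com"):
        print(h, "->", "allow" if host_allowed(h, acl) else "deny")
```

Two points the matcher is careful about: `evil-windowsupdate.com` is not allowed because the comparison requires a dot boundary, and `windowsupdate.com.attacker.example` is not allowed because only suffix matches count. For the update clients to use this ACL without a per-user proxy account, the `http_access allow winupdate` line would have to sit before the proxy's authentication rules, ideally combined with a `src` ACL limited to those machines; that ordering is an assumption of this example, not something the thread states.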
 
Old 12-02-2009, 10:44 AM   #10
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by Jim Bengtson
Looks like it's port 80:

Configure the Firewall Between the WSUS Server and the Internet
http://technet.microsoft.com/en-us/l...05(WS.10).aspx

If there is a corporate firewall between WSUS and the Internet, you might need to configure the firewall to ensure that WSUS can obtain updates.

To configure your firewall
Looks like we found the same info at the same time. LOL
 
Old 12-02-2009, 11:07 AM   #11
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
Looks like we found the same info at the same time. LOL
Great minds...

Would it make sense from a security perspective for the OP to close port 80 for this machine except for the times he's going for an update? Port 80 seems to be the superhighway for all kinds of attacks, and Windows 2000 isn't even patched anymore, so it makes sense to only open that door when you need to.
 
Old 12-02-2009, 03:23 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Normally I shut the cemetery gates on zombie threads, but you guys seem to be having a good time here and I don't wanna get in the way. I will, however, move this to General (given that the topic isn't really GNU/Linux security).
 
  

