Update Firewall requirements

I have a server in a dmz. Our firewalls do not allow the initiation of any
requests from the server to the internet or the intranet. If I open https to
update.microsoft.com, the update fails when it trys to determine the version
of my update software. Exactly what ports and sites do I need to have open
to allow windows update.

Hello Chuck,

Try ports 80 and 443

Port 80 is the web server port.

Port 443 is the secure connection port for a web server when using a
digital security certificate for https connections.


I hope this post is helpful.

Let us know how it works ºut.
- -- ---

"Chuck P" wrote:

> I have a server in a dmz. Our firewalls do not allow the initiation of any
> requests from the server to the internet or the intranet. If I open https to
> update.microsoft.com, the update fails when it trys to determine the version
> of my update software. Exactly what ports and sites do I need to have open
> to allow windows update.

I would be publicly humiliated and then shot for opening port 80 and 443 to
all sites. Seriously I would be fired.


"Engel" wrote:

> Hello Chuck,
>
> Try ports 80 and 443
>
> Port 80 is the web server port.
>
> Port 443 is the secure connection port for a web server when using a
> digital security certificate for https connections.
>
>
> I hope this post is helpful.
>
> Let us know how it works ºut.
> - -- ---
>
> "Chuck P" wrote:
>
> > I have a server in a dmz. Our firewalls do not allow the initiation of any
> > requests from the server to the internet or the intranet. If I open https to
> > update.microsoft.com, the update fails when it trys to determine the version
> > of my update software. Exactly what ports and sites do I need to have open
> > to allow windows update.

Hi Chuck,

I am out of answers. Sorry I couldn't help

Let us know maybe someone else can conjure up something else to try.

Good luck
- -- ---

"Chuck P" wrote:

> I would be publicly humiliated and then shot for opening port 80 and 443 to
> all sites. Seriously I would be fired.
>
>
> "Engel" wrote:
>
> > Hello Chuck,
> >
> > Try ports 80 and 443
> >
> > Port 80 is the web server port.
> >
> > Port 443 is the secure connection port for a web server when using a
> > digital security certificate for https connections.
> >
> >
> > I hope this post is helpful.
> >
> > Let us know how it works ºut.
> > - -- ---
> >
> > "Chuck P" wrote:
> >
> > > I have a server in a dmz. Our firewalls do not allow the initiation of any
> > > requests from the server to the internet or the intranet. If I open https to
> > > update.microsoft.com, the update fails when it trys to determine the version
> > > of my update software. Exactly what ports and sites do I need to have open
> > > to allow windows update.

Use WSUS instead (and get fired for the expense involved instead).

Chuck P wrote:
> I would be publicly humiliated and then shot for opening port 80 and 443
> to
> all sites. Seriously I would be fired.
>
>
> "Engel" wrote:
>
>> Hello Chuck,
>>
>> Try ports 80 and 443
>>
>> Port 80 is the web server port.
>>
>> Port 443 is the secure connection port for a web server when using a
>> digital security certificate for https connections.
>>
>>
>> I hope this post is helpful.
>>
>> Let us know how it works ºut.
>> - -- ---
>>
>> "Chuck P" wrote:
>>
>>> I have a server in a dmz. Our firewalls do not allow the initiation of
>>> any requests from the server to the internet or the intranet. If I open
>>> https to update.microsoft.com, the update fails when it trys to
>>> determine
>>> the version of my update software. Exactly what ports and sites do I
>>> need to have open to allow windows update.

Chuck P wrote:

> I have a server in a dmz. Our firewalls do not allow the initiation of any
> requests from the server to the internet or the intranet. If I open https to
> update.microsoft.com,

This is a request from the server to the internet, btw. :-)

> the update fails when it trys to determine the version
> of my update software. Exactly what ports and sites do I need to have open
> to allow windows update.

This is (I believe) the list to allow a WSUS server to work, with luck this or
some subset of it will allow Windows Update to work:

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com

(This is second-hand, the original is supposed to be in the WSUS deployment
guide, page 32 if you want to double-check it.)

Alternately you could use netstat, network monitoring tools, or a proxy server
to explicitly discover where the server is trying to connect to, assuming your
firewall can't tell you itself.

Or you could download all the updates you need from the download center and
transport them to the server via removable media.

Harry.

I think clients to wsus still pull from the server. I would need something
inside the firewall to push to the dmz.

"PA Bear [MS MVP]" wrote:

> Use WSUS instead (and get fired for the expense involved instead).
>
> Chuck P wrote:
> > I would be publicly humiliated and then shot for opening port 80 and 443
> > to
> > all sites. Seriously I would be fired.
> >
> >
> > "Engel" wrote:
> >
> >> Hello Chuck,
> >>
> >> Try ports 80 and 443
> >>
> >> Port 80 is the web server port.
> >>
> >> Port 443 is the secure connection port for a web server when using a
> >> digital security certificate for https connections.
> >>
> >>
> >> I hope this post is helpful.
> >>
> >> Let us know how it works ºut.
> >> - -- ---
> >>
> >> "Chuck P" wrote:
> >>
> >>> I have a server in a dmz. Our firewalls do not allow the initiation of
> >>> any requests from the server to the internet or the intranet. If I open
> >>> https to update.microsoft.com, the update fails when it trys to
> >>> determine
> >>> the version of my update software. Exactly what ports and sites do I
> >>> need to have open to allow windows update.
>
>

Thanks for the list; I don't think the firewall guys will let me do anything
other than https.

If I was to use the sneaker net route. How would I determine the updates I
need?