IPs Owned by Microsoft?

Apparently Microsoft has done some shifting around of its IP infrastructure related to the Windows Update facility, and rules that worked automatically before now break. I wanted to find out if the range 64.4.0.0 - 64.4.63.255 which is owned by Microsoft is all dedicated to Windows Update. If not, does anyone happen to know what range of Microsoft IPs I can safely clear through firewall rules for access to Windows Update?

Reply to
Will
Speak after me: PROXY FIREWALL

Reply to
Sebastian Gottschalk

We have 20+ network segments and three levels of firewalls. Probably I don't need that advice. :)

I still have the question I originally asked.

Reply to
Will

*cough* You need a proxy firewall to do that in a reliable way.

I've never seen any firewall implementation that resolves DNS hostnames at runtime and registers for receiving DNS updates or reissues requests after TTL timeout.

And even if you had such an implementation, Microsoft does DNS round-robin and various other kinds of load-balancing, so your approach would be pretty fruitless.

(And you need to fix your quoting. Probably it might be better to not abuse OE as a newsreader.)

Reply to
Sebastian Gottschalk

I don't have any requirement to resolve DNS. Maybe you read something additional into my original question that I didn't intend to be there.

I am asking what block of IP addresses in the 64.4.0.0 Class C does Microsoft use for Windows update. I'm doing this so that the firewall rule will allow access to a certain class of machines on any of those IPs. On machines that live on one of our DMZs, no outbound IP is allowed by default, on any port. For Windows Update, we want to authorize outbound http/https to a limited number of IPs, and I'm just trying to identify the IPs in this range, whose reverse DNS don't appear to all point to Microsoft.

It doesn't matter that Microsoft round robins to different IPs in this block. I just want to know what the block is.

Unfortunately, too many posts up already, archived in the evil Microsoft newsreader, so I'm anchored to it, reluctantly.

Reply to
Will

Sorry, I implied that you had at least understood that the set of IPs on the load-balancer is shared with other services, not just Windows Update.

As if no real newsreader could import the OE garbage files...

Reply to
Sebastian Gottschalk
