I'm having some problems with firewall authorizations for Windows Update access in a DMZ. In general, I have had good luck getting access to Windows Update when you authorize passage of HTTP, HTTPS, and FTP to these networks:
131.107.0.0 / 16 207.46.0.0 / 16 64.4.0.0 / 18 65.52.0.0 / 14In addition, I normally authorize these URLs for both http: and https:
*.microsoft.com windowsupdate.microsoft.com *.windowsupdate.microsoft.com download.windowsupdate.comThe problem I am having is that occasionally the DNS name "download.windowsupdate.com" resolves to some IPs on a huge network from the Limelight load balancing farm. When the client behind the firewall resolves that DNS to an IP, it then connects to the IP and the IP does NOT reverse back to the DNS name download.windowsupdate.com. Instead it resolves to some arbitrary name at the Limelight Network. So the firewall has no way of knowing that the connection is authorized. Further complicating all of this, download.windowsupdate.com does not always resolve to the Limelight load balancers. Microsoft appears to have these IPs pointing to load balancers all over the world. Some of the IPs I saw the download.windowsupdate.com domain name resolve to:
208.111.148.50 8.12.217.124 192.78.223.126 209.84.2.124 etcMicrosoft provides a set of DNS names to use with the ISA firewall, and naturally that doesn't work for the IPs above because they don't reverse to Microsoft domain names.
No way do I want to authorize the entire Limelight load balancing network into my DMZ. There are a huge number of IPs, and those are probably associated with many hundreds of different organizations. When I do a whois on the IPs Microsoft is using, nothing in the huge range of IPs returned suggests which subset of the range is reserved for Microsoft use.
It would be really really nice for those of us who actually think about security if Microsoft would publish openly the range of IPs it is using for Windows Update. Failing that, I am open to ideas here about how can one set up a reasonable set of firewall rules to securely connect to this wideranging set of IPs.