I tried posting this (twice) in microsoft.public.windowsupdate, but no response.
I have a network of 50 servers and 400 users. The servers run Win2k and Win2k3 and sit behind a firewall. For obvious reasons, I limit outbound traffic from the servers to the internet. This includes HTTP. I don't want my servers to be accessible, and I don't want them accessing any unnecessary external resources.
For example, We've had a flood of trojans in the past few weeks. The trojans call a server (outbound traffic) via HTTP then download the virus back in to the network. If I allow all outbound HTTP, then this opens my servers to being vulnerable.
My problem: I need to update my servers with MS Critical Patches. This means that I must create outbound rules on my main firewall allowing HTTP access to specific URLS or SUBNETS. I've allowed the following based on the articles I've read in the groups and on MS, but there are other sites involved as well that are not documented, and the IP addresses are constantly changing.
activex.microsoft.com
download.windowsupdates.com
crl.microsoft.com
v3stats.windowsupdates.microsoft.com
v4.windowsupdates.microsoft.com
v5.windowsupdates.microsoft.com

207.46.0.0/16
64.4.0.0/16
38.113.0.0/16
64.62.0.0/16
64.152.0.0/16

Does anyone out there have a comprehensive listing of URLS and SUBNETS that need to be included as destination addresses in an outbound HTTP firewall policy to make sure that Windows Updates will work consistently?
My work around is to create an outbound policy to allow all HTTP traffic. I enable the policy while doing the updates, and disable it otherwise. This is not an elegant solution.
Also, I do use SUS in my environment, but not for the servers. I tried it with the servers and had problems with auto reboots even though I had de-selected this option in the group policy.
Thanks!
Your help is appreciated.
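A small check, added here and not from the original post, for keeping the hostname and subnet lists in a policy like the one above consistent: it resolves each listed host (or takes a constructed sample resolution so it runs offline), reports any address that no allowed subnet covers, and suggests the /24 prefixes that would close the gap. The addresses in SAMPLE_RESOLUTION are constructed assumptions, not real DNS answers.

```python
import ipaddress
import socket

# Hostnames and subnets taken from the allow list in the post.
ALLOWED_HOSTS = [
    "activex.microsoft.com", "download.windowsupdates.com", "crl.microsoft.com",
    "v3stats.windowsupdates.microsoft.com", "v4.windowsupdates.microsoft.com",
    "v5.windowsupdates.microsoft.com",
]
ALLOWED_SUBNETS = [ipaddress.ip_network(n) for n in (
    "207.46.0.0/16", "64.4.0.0/16", "38.113.0.0/16", "64.62.0.0/16", "64.152.0.0/16",
)]

def resolve_all(hostnames):
    """Resolve each hostname to its current IPv4 addresses via system DNS.
    Names that do not resolve map to an empty list instead of raising."""
    result = {}
    for host in hostnames:
        try:
            infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
            result[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            result[host] = []
    return result

def uncovered(addresses_by_host, subnets):
    """Return {host: [ip, ...]} for resolved addresses no allowed subnet contains."""
    gaps = {}
    for host, addrs in addresses_by_host.items():
        missing = [a for a in addrs
                   if not any(ipaddress.ip_address(a) in net for net in subnets)]
        if missing:
            gaps[host] = missing
    return gaps

def suggest_prefixes(gaps, prefixlen=24):
    """Collapse uncovered addresses into /prefixlen networks to add to the policy."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
            for addrs in gaps.values() for a in addrs}
    return sorted(str(n) for n in nets)

# Constructed sample resolution (not real DNS answers) so the check runs offline;
# 65.55.1.1 is deliberately outside every allowed subnet.
SAMPLE_RESOLUTION = {
    "download.windowsupdates.com": ["207.46.1.10", "65.55.1.1"],
    "crl.microsoft.com": ["64.4.10.20"],
}
```

Run `uncovered(resolve_all(ALLOWED_HOSTS), ALLOWED_SUBNETS)` on a schedule to see which current addresses the subnet rules miss, and `suggest_prefixes(...)` on the result for candidate rules to review before adding them.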