IPSec and Windows Update - Network



Thread: IPSec and Windows Update

  1. IPSec and Windows Update

    I set up IPSec on a non-domain Windows 2000 Server. It blocks all traffic
    to the file server except traffic from those workstations that I allow.
    Now, the automatic Windows update is not working. I set up a filter list
    to allow traffic to and from windowsupdate.microsoft.com,
    update.microsoft.com, download.microsoft.com, download.windowsupdate.com,
    wustat.windows.com, and ntservicepack.microsoft.com. When I check the log
    file, I see that the Windows Update Agent is unable to connect to the
    automatic update service. When I attempt to go to the Windows update site
    manually, it cannot connect.
    The automatic Windows update worked before I blocked all network traffic
    except for the allowed workstations.



  2. Re: IPSec and Windows Update

    I have noticed that Windows Updates can use a lot of different IP addresses
    and most likely you do not have the IP address included that the server is
    trying to access. When you configure the ipsec policy and enter a website
    name it does not stay dynamic in that whatever IPs that your computer
    resolves to that website name in that point in time are added to the list.
    If you use nslookup to find the IP addresses for those websites you probably
    will see different IP addresses at different attempts to use nslookup. What
    you might try is to create a permit rule in your ipsec policy for outbound
    port 80 and enable it only when you manually want to check for and install
    Windows Updates. Using secedit /refreshpolicy may help to speed up the change
    in the ipsec policy to reflect enabling or disabling the outbound access to
    port 80 TCP. Otherwise a reboot may be needed. --- Steve


    "Michael W White" wrote in message
    news:u4U6qfe%23FHA.1248@TK2MSFTNGP14.phx.gbl...
    > I set up IPSec on a non-domain Windows 2000 Server. It blocks all traffic
    > to the file server except traffic from those workstations that I allow.
    > Now, the automatic Windows update is not working. I set up a filter list
    > to allow traffic to and from windowsupdate.microsoft.com,
    > update.microsoft.com, download.microsoft.com, download.windowsupdate.com,
    > wustat.windows.com, and ntservicepack.microsoft.com. When I check the log
    > file, I see that the Windows Update Agent is unable to connect to the
    > automatic update service. When I attempt to go to the Windows update site
    > manually, it cannot connect.
    > The automatic Windows update worked before I blocked all network traffic
    > except for the allowed workstations.
    >
    >




  3. Re: IPSec and Windows Update

    Steven L Umbach wrote in :

    >What
    >you might try is to create a permit rule in your ipsec policy for outbound
    >port 80 and enable it only when you manually want to check for and install
    >Windows Updates.


    How can it be done (automatically through at/schedule) without involving
    ipsecpol.exe?

    --
    Simplius

  4. Re: IPSec and Windows Update

    You might try stopping/starting the ipsec service on schedule but be sure to
    test it out to see if that works the way you want. --- Steve


    "Simplius" wrote in message
    news:1tpop1160pf4e1tapf8ev290ncbuh975fa@4ax.com...
    > Steven L Umbach wrote in :
    >
    >>What
    >>you might try is to create a permit rule in your ipsec policy for outbound
    >>port 80 and enable it only when you manually want to check for and install
    >>Windows Updates.

    >
    > How can it be done (automatically through at/schedule) without involving
    > ipsecpol.exe?
    >
    > --
    > Simplius




  5. Re: IPSec and Windows Update

    "Simplius" wrote in message
    news:1tpop1160pf4e1tapf8ev290ncbuh975fa@4ax.com...
    > Steven L Umbach wrote in :
    >
    >>What
    >>you might try is to create a permit rule in your ipsec policy for outbound
    >>port 80 and enable it only when you manually want to check for and install
    >>Windows Updates.

    >
    > How can it be done (automatically through at/schedule) without involving
    > ipsecpol.exe?


    Steve's method should work but you will likely NEED to use
    IPSecPol (depending on OS).

    I would prefer to see you just get the filter right however.

    Steve gave you some hints but you might need to (temporarily) run
    a netmon and figure out where the machine is seeking updates and
    then perhaps broaden the range to include all addresses in that
    network (subnet, class C or whatever works.)

    You can certainly make an exception for Windows Update sites
    but you may need to find them "all" to get it perfect.

    Is this what you allowed with your exception filter?

    nslookup windowsupdate.microsoft.com
    Name: windowsupdate.microsoft.nsatc.net
    Address: 207.46.18.94
    Aliases: windowsupdate.microsoft.com

    Did you use a different address? Did you allow for the
    returned (mirrored filter) response?

    You might also wish to "show your work" so we can figure
    out if you made a mistake.

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]
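A way to turn Steve's and Herb's advice into a repeatable check, as an added example that is not code from anyone in the thread: the script parses several nslookup runs in the Windows format quoted above, collects every address the name has resolved to, reports which of them the static filter list does not cover, flags filters that are not mirrored (so the returned traffic would be dropped), and proposes the /24 networks that would cover the gaps. The `Filter` class is a hypothetical stand-in for the Windows 2000 IPsec filter list, and the nslookup runs are constructed samples built from the 207.46.18.94 answer quoted in the thread plus TEST-NET placeholder addresses.

```python
"""Audit a static IPsec filter list against what a name currently resolves to.

Added example, not code from the thread. Assumptions: filters are modelled by
the Filter class below (a hypothetical stand-in for the Windows 2000 IPsec
filter list), and the nslookup runs are constructed sample text in the Windows
format quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Filter:
    remote: str      # host address or CIDR network the filter matches
    port: int        # destination TCP port
    mirrored: bool   # True if the policy also permits the returned traffic


# Constructed nslookup runs. Run 1 is the answer quoted in the thread; runs 2
# and 3 use TEST-NET placeholder addresses (198.51.100.0/24, 203.0.113.0/24)
# to stand in for the other addresses the name may resolve to over time.
NSLOOKUP_RUNS = [
    "Server:  ns.example.invalid\n"
    "Address:  192.0.2.53\n"
    "\n"
    "Non-authoritative answer:\n"
    "Name:    windowsupdate.microsoft.nsatc.net\n"
    "Address:  207.46.18.94\n"
    "Aliases:  windowsupdate.microsoft.com\n",
    "Server:  ns.example.invalid\n"
    "Address:  192.0.2.53\n"
    "\n"
    "Non-authoritative answer:\n"
    "Name:    windowsupdate.microsoft.nsatc.net\n"
    "Addresses:  207.46.18.94, 198.51.100.20\n"
    "Aliases:  windowsupdate.microsoft.com\n",
    "Server:  ns.example.invalid\n"
    "Address:  192.0.2.53\n"
    "\n"
    "Non-authoritative answer:\n"
    "Name:    windowsupdate.microsoft.nsatc.net\n"
    "Address:  203.0.113.7\n"
    "Aliases:  windowsupdate.microsoft.com\n",
]

# Constructed filter list, built once from run 1 the way the poster did: a
# single host filter for port 80, plus a port 443 filter left unmirrored.
POLICY_FILTERS = [
    Filter(remote="207.46.18.94", port=80, mirrored=True),
    Filter(remote="207.46.18.94", port=443, mirrored=False),
]


def parse_nslookup(text):
    """Return the answer addresses from one nslookup run.

    Addresses printed before the first 'Name:' line belong to the DNS server,
    not to the answer, so they are skipped. Both the 'Address:' line and the
    comma-separated 'Addresses:' form are handled.
    """
    addresses = set()
    in_answer = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name:"):
            in_answer = True
        elif in_answer and stripped.startswith("Address"):
            addresses.update(IPV4.findall(stripped))
    return addresses


def resolved_over_time(runs):
    """Union of every answer address seen across several nslookup runs."""
    seen = set()
    for run in runs:
        seen |= parse_nslookup(run)
    return seen


def uncovered(filters, addresses, port=80):
    """Addresses no filter for `port` matches: connections to them are blocked."""
    nets = [ipaddress.ip_network(f.remote, strict=False)
            for f in filters if f.port == port]
    return {a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)}


def unmirrored(filters):
    """Filters whose replies would be dropped because they are not mirrored."""
    return [f"{f.remote}:{f.port}" for f in filters if not f.mirrored]


def covering_networks(addresses, prefixlen=24):
    """Networks of the given prefix length that together cover `addresses`."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
            for a in addresses}
    return [str(n) for n in sorted(nets)]


def audit(filters, runs, port=80):
    """Summarise gaps between the static filter list and observed resolutions."""
    addrs = resolved_over_time(runs)
    gaps = uncovered(filters, addrs, port)
    return {
        "resolved": sorted(addrs),
        "uncovered": sorted(gaps),
        "unmirrored": unmirrored(filters),
        "suggested_networks": covering_networks(gaps),
    }


if __name__ == "__main__":
    for key, value in audit(POLICY_FILTERS, NSLOOKUP_RUNS).items():
        print(f"{key}: {value}")
```

Run the script against nslookup output captured on the server over several days; every address in `uncovered` is one the filter list built from a single resolution would never have included, which is exactly the failure Steve describes. Broadening to the `suggested_networks` is Herb's subnet approach and trades precision for coverage, so keep the list narrow and re-run the check after each Windows Update failure rather than opening a wide range up front.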


