I've been asked to deploy Microsoft updates to Windows workstations at a customer site. WSUS has been selected as the tool for the job. The problem is that the customer has a firewall with default-deny policy, and the firewall does not support FQDNs in the ruleset.
Microsoft lists the FQDNs below that need to be permitted through a firewall in order to download updates locally. They don't offer a list of IP addresses that I can find. I've been trying to think of the best way to do this and I can't believe it's this difficult. All I can think to do is throw together a script to run dig on each FQDN to get the IP address and add those to the firewall rules, but there are a few problems with this. First, each FQDN has multiple IP addresses but I don't have a way to get all of them. Even if I query multiple public DNS servers I still wouldn't get all of them. Second, the IPs will change in the future as Microsoft's CDNs shift around as they always do. Third, there's no easy way to enumerate all the subdomains of those wildcard addresses (*.update.microsoft.com, etc).
Am I missing something here? Is there an easier way to do this that I'm not seeing? I'm hoping that there's a good way to handle this and I just don't know about it due to my inexperience.
Thanks for any advice you can send my way! I'll probably post to /r/networking too as it seem like an appropriate question for that audience.
http://windowsupdate.microsoft.com http://.windowsupdate.microsoft.com https://.windowsupdate.microsoft.com http://.update.microsoft.com https://.update.microsoft.com http://.windowsupdate.com http://download.windowsupdate.com http://download.microsoft.com http://.download.windowsupdate.com http://test.stats.update.microsoft.com http://ntservicepack.microsoft.com http://wustat.windows.com http://go.microsoft.com
No comments:
Post a Comment