

Windows update on secondary / backup link

We have 2 x WAN links, one as a primary, the second as a backup. We have found Windows Update killing our primary link of late, so would like to send all Windows Update based traffic on the secondary/backup link.

We are running a Sophos XG 16.05.8 MR-8

I have created a traffic shaping QoS policy, then applied this policy against the traffic shaping defaults for software updates so that I can ensure it won't kill the backup link should we ever have to fail the primary link over...


However, I can't seem to work out how to create a firewall rule to send traffic to Windows Update -

Any suggestions appreciated, or if you feel I've taken the wrong approach I'm open to suggestions.


Thanks in advance



  • My experience is without an AD, so this might be a guide only.

    Set a higher priority rule that points at the MS update sites and have its gateway your backup link.

    You might also consider upgrading to mr9 or v17.0 MR-5 if you do not use IPSEC?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks Ian,

    Any suggestion on how to point the rule at MS update sites - should we create a host/host group for *.microsoft.com, or is there something hidden within the Sophos KB that points us in the direction of where to find this sort of info?

  • Hi,

    There is a *.microsoft.com host group in the XG. From my own experience with other software downloads, the *.microsoft.com does not cover all the MS websites.

    You might care to build your own group using details from the logs.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I was sure it was more than just *.microsoft.com.

    I just found an article https://support.microsoft.com/en-au/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p

    which states the following addresses:

    update.microsoft.com
    *.update.microsoft.com
    download.windowsupdate.com
    *.download.windowsupdate.com
    download.microsoft.com
    *.download.microsoft.com
    windowsupdate.com
    *.windowsupdate.com
    ntservicepack.microsoft.com
    wustat.windows.com
    login.live.com (this is required if you have connected a Microsoft Account)
    mp.microsoft.com
    *.mp.microsoft.com


    I'll add these to a host group and see how we go from there... was hoping Sophos or Cyberoam may have a pre-configuration that may assist with this, but it would appear not.

    Thanks for the assistance Ian.
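A way to check which destinations seen in a firewall log would be covered by the host group built from that list (Ian's suggestion of building the group from the logs, and the list above), as an added example that is not from the thread or from Sophos. It assumes a wildcard entry like *.update.microsoft.com matches any subdomain but not the bare domain (an assumption; verify against how XG evaluates FQDN hosts), and the log lines and their format are constructed for the example, not XG's real log format.

```python
import re

# FQDN patterns from the Microsoft article quoted in the thread
WU_PATTERNS = [
    "update.microsoft.com", "*.update.microsoft.com",
    "download.windowsupdate.com", "*.download.windowsupdate.com",
    "download.microsoft.com", "*.download.microsoft.com",
    "windowsupdate.com", "*.windowsupdate.com",
    "ntservicepack.microsoft.com", "wustat.windows.com",
    "login.live.com", "mp.microsoft.com", "*.mp.microsoft.com",
]

def fqdn_matches(host, pattern):
    """Assumed semantics: '*.example.com' matches any subdomain of
    example.com but not example.com itself; other entries match exactly."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def in_host_group(host, patterns=WU_PATTERNS):
    return any(fqdn_matches(host, p) for p in patterns)

# Constructed sample log lines; the field layout is illustrative only
SAMPLE_LOG = """\
2018-02-01 10:00:01 allow src=10.0.0.12 dst_host=au.download.windowsupdate.com dport=443
2018-02-01 10:00:02 allow src=10.0.0.12 dst_host=tlu.dl.delivery.mp.microsoft.com dport=80
2018-02-01 10:00:03 allow src=10.0.0.15 dst_host=windowsupdate.com dport=80
2018-02-01 10:00:04 allow src=10.0.0.15 dst_host=sls.update.microsoft.com dport=443
2018-02-01 10:00:05 allow src=10.0.0.20 dst_host=www.microsoft.com dport=443
2018-02-01 10:00:06 allow src=10.0.0.20 dst_host=dl.delivery.mp.microsoft.com dport=80
"""

DST_RE = re.compile(r"dst_host=(\S+)")

def classify_log(text, patterns=WU_PATTERNS):
    """Return (covered, uncovered) sets of destination hosts in the log."""
    covered, uncovered = set(), set()
    for line in text.splitlines():
        m = DST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        (covered if in_host_group(host, patterns) else uncovered).add(host)
    return covered, uncovered

if __name__ == "__main__":
    cov, unc = classify_log(SAMPLE_LOG)
    print("covered by host group:", sorted(cov))
    print("not covered (consider adding):", sorted(unc))
```

Hosts that land in the uncovered set are candidates for adding to the group before the rule is expected to catch all update traffic.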