I'm having an issue with Windows Update due to my firewall rules. Users can get out on 80, 443, and a couple of other application ports. Otherwise outgoing traffic is denied. I know there is a range of ports the Windows Update service uses, so I attempted to add the FQDN of known update servers with any port allowed, but that did not work. If I make an any-out firewall rule for the affected workstation, the updates flow.
Anyone have luck with this? Thanks in advance.
Ports should just be 80 and 443.
This KB lists the domains: https://technet.microsoft.com/en-au/library/bb693717.aspx
Bits may be using port 443, but it might not be valid HTTPS traffic, so you may need to disable packet inspection for it to allow traffic to pass through.
It's possible. I'd rather not shut it off if possible. How do I disable packet inspection to rule it out? I can't be the only one allowing 80/443 only and using Windows Update.
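A quick way to rule in or out the two causes raised above (a port being blocked versus HTTPS inspection on 443) from the affected workstation, as an added example that is not from this thread or from Sophos: it checks TCP reachability of a few Windows Update hostnames on 80 and 443 and reports who issued the certificate seen on 443. The host list is an assumption; take the authoritative list from the Microsoft KB linked above.

```powershell
# Added diagnostic, run from the workstation behind the firewall.
# If the 443 certificate issuer is the firewall's own CA instead of a
# Microsoft or public CA, HTTPS inspection is in the path and is the
# likely reason BITS/Windows Update fails even though 443 is "open".
# Assumed hostnames; the KB linked in the thread has the full list.
$updateHosts = @(
    'windowsupdate.microsoft.com',
    'download.windowsupdate.com',
    'update.microsoft.com'
)

function Test-TlsIssuer {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: we only want to read it, not trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
        return $cert.Issuer
    } catch {
        # A TLS failure here with an open TCP port also points at inspection.
        return "TLS failed: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }
}

foreach ($h in $updateHosts) {
    foreach ($p in 80, 443) {
        $tcp = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
        $state = if ($tcp.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        Write-Output ("{0,-32} tcp/{1,-4} {2}" -f $h, $p, $state)
    }
    Write-Output ("{0,-32} 443 issuer: {1}" -f $h, (Test-TlsIssuer -HostName $h))
}
```

Compare the issuer printed here with what the same hosts show from a machine on the any-out rule; if only the restricted workstation sees the firewall's CA, a web exception or inspection bypass for those hosts is the fix to test.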
Another forum user has had success here: https://community.sophos.com/products/xg-firewall/f/network-and-routing/74183/sophos-xg-firewall-preventing-wsus-from-downloading-updates/285722#285722
Might help you out?
Welcome on board. What you can do is allow the server to access 80/443 to download updates from Microsoft. You can create an object called "clientless" under Objects > Identity > Clientless Users and add your WSUS server IP. Now create a Policy (user policy) where only the clientless object you created can access the Microsoft websites on 80/443. Try to activate the IPS rule and see if it breaks the connections (otherwise you need to create an exception). If you want to be more specific, you can create a URL group under Objects > Content > URL Group where only Microsoft websites are allowed (technet.microsoft.com/.../cc708605(v=ws.10).aspx). Then create a Web Filter under Objects > Policies > Web Filter, cloning from Deny All, and add the URL group defined before. At the end, create a Policy where the user is the clientless object going to WAN using 80/443 and as Web Filter choose the filter you created before. Note that this web filter will allow the server to go only to the specified URL group. All other traffic will be blocked (deny all except the URLs specified).
Have you enabled the web -> exceptions -> microsoft?
We were having this exact issue with new Windows 10 Clients and enabling this setting fixed it! Thank you!!
Saleem Nasser, Network and Security Eng.