Microsoft Windows Vista Community Forums - Vistaheads
IPSec and WSUS

microsoft.public.microsoft_update_catalog
#1  04-25-2008  blankmonkey
IPSec and WSUS
I am setting up an IPSec policy, and I want my WSUS server to be able
to talk to the Microsoft domain. What subnets/DNS names/addresses does WSUS need to
talk to so it can talk to and download updates?
#2  04-25-2008  MowGreen [MVP]
Re: IPSec and WSUS
Forwarded to the WSUS NG for the poster's convenience:

Web-based link:
http://www.microsoft.com/technet/com... date_services

NNTP reader:
news://msnews.microsoft.com/microsof...pdate_services


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============



blankmonkey wrote:

> I am setting up an IPSec policy, and I want my WSUS server to be able
> to talk to the Microsoft domain. What subnets/DNS names/addresses does WSUS need to
> talk to so it can talk to and download updates?

#3  04-28-2008  Lawrence Garvin [MVP]
Re: IPSec and WSUS
"MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
news:urKelGypIHA.3456@TK2MSFTNGP05.phx.gbl...
> Forwarded to the WSUS NG for the poster's convenience:
>
> blankmonkey wrote:
>
>> I am setting up an IPSec policy, and I want my WSUS server to be
>> able to talk to the Microsoft domain. What subnets/DNS names/addresses does WSUS
>> need to talk to so it can talk to and download updates?


These are documented in the WSUS Deployment Guide.

However, the external resources that WSUS needs to talk to should be
irrelevant to any IPSec (server) configuration, because in that scenario the
WSUS Server is the "IPSec client", and there's no purpose at all in
configuring it to initiate any IPSec negotiation.


--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

#4  04-28-2008  blankmonkey
Re: IPSec and WSUS

Lawrence,
Thank you so much for your reply. I am a bit confused, but let me elaborate
on my situation better.
The server has a GPO IPSec policy that is forcing it to talk only on special
subnets (local ones) and deny all other traffic; it does not do anything to
the traffic, no tunneling or encrypting or anything. I wanted to add the
Microsoft subnets/IPs/DNS names to my allowed list, but can't seem to make it
work. Whenever I add the rule to allow all traffic from my IP to any,
it fails (I suspect it is because the deny rule is the mirror, from any to
my IP).

I did look over the documentation, but all I could find was a link to
general IPSec, and not the settings I needed. Could you be more specific
about the document location I need to read? I will be happy to read up on
it.

Thank you again,
Blankmonkey


#5  04-29-2008  Lawrence Garvin [MVP]
Re: IPSec and WSUS
"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:BFC83315-4A67-4776-81FE-D360E0DB87C0@microsoft.com...

> Lawrence,
> Thank you so much for your reply. I am a bit confused, but let me
> elaborate on my situation better.
> The server has a GPO IPSec policy that is forcing it to talk only on special
> subnets (local ones) and deny all other traffic; it does not do anything
> to the traffic, no tunneling or encrypting or anything.


Perhaps, then, the issue here is the understanding of the term "IPSec".

http://en.wikipedia.org/wiki/Ipsec

> I wanted to add the
> Microsoft subnets/IPs/DNS names to my allowed list, but can't seem to make it
> work. Whenever I add the rule to allow all traffic from my IP to
> any, it fails (I suspect it is because the deny rule is the mirror, from any
> to my IP).


If not, then I'll simply repeat with a bit more specificity... you should not
be using IPSec to determine when/if/how a machine connects to an
Internet-based resource.

What you describe in the above paragraph sounds much more like a =firewall=
than it does an appropriate use of IPSec.

Should I assume from your comment here that you're using IPSec as a
firewall?

--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

#6  04-29-2008  blankmonkey
Re: IPSec and WSUS
If we are defining a firewall as "a system to determine what machines it is
OK to talk to," then yes, I am using IPSec as a firewall. I am not able to
use the software firewall because I do not know the ports that need to be
opened; there are too many ports (hundreds), and they can be randomly assigned
(WSUS is not the only thing running on the server). There is no hardware
firewall at my remote location, and an ACL has not been placed there yet
either, so I am left with IPSec.

I am open to using other methods, but this seemed the logical one. This
server has on it:
DHCP
ITAssist
WSUS
Routing and Remote Access (gateway between a public and private network)
File and Print sharing

All the others are taken care of with the IPSec; I just need to punch one
hole for WSUS to download updates. I figured there must be a limited number
of DNS entries/IPs that I could add.


#7  05-01-2008  Lawrence Garvin [MVP]
Re: IPSec and WSUS
"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:3F558CA6-50C4-4177-BE8B-013AD5C39D5A@microsoft.com...

> If we are defining a firewall as "a system to determine what machines it
> is OK to talk to," then yes, I am using IPSec as a firewall. I am not able
> to use the software firewall because I do not know the ports that need to be
> opened; there are too many ports (hundreds), and they can be randomly
> assigned (WSUS is not the only thing running on the server). There is no hardware
> firewall at my remote location, and an ACL has not been placed there yet
> either, so I am left with IPSec.


You've got:
[a] Windows Firewall
[b] Routing and Remote Access Service

in addition to IPSec.

Why choose IPSec instead of one of those two more traditional means for
providing port security?

> I am open to using other methods, but this seemed the logical one. This
> server has on it:
> DHCP
> ITAssist
> WSUS
> Routing and Remote Access (gateway between a public and private network)
> File and Print sharing


Is this your *only* server? Running DHCP and F&P on a gateway machine is a
risky proposition!


> All the others are taken care of with the IPSec; I just need to punch one
> hole for WSUS to download updates. I figured there must be a limited
> number of DNS entries/IPs that I could add.


As noted in my first reply, the DNS =names= are documented in the WSUS
Deployment Guide.

If it helps... they're on page 32 in the "Configuring the Firewall" section.

If you need the IP Addresses (which are always subject to change), you can
obtain them by using 'nslookup'.

--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

#8  05-01-2008  blankmonkey
Re: IPSec and WSUS
Excellent!! I found it!! But it opens one more question: how do I do an
nslookup on a * name? OK, I found update.microsoft.com, but they have listed
*.update.microsoft.com. Is this all one IP with multiple sites? I tried,
and IPSec will not take the *:

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com




#9  05-02-2008  Lawrence Garvin [MVP]
Re: IPSec and WSUS
"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:424AA62E-2CBE-4790-AC73-0F38E5CE108E@microsoft.com...

> Excellent!! I found it!! But it opens one more question: how do I do an
> nslookup on a * name?


You don't. :-)

> OK, I found update.microsoft.com, but they have listed
> *.update.microsoft.com. Is this all one IP with multiple sites?


No... this would be multiple possible hostnames with different IP Addresses.
Typically those are regional sites, so they'll be on unique IP Addresses.

> I tried, and IPSec will not take the *:


No, your best option here is to identify the IP =networks= that you'll need
to access, and grant access to the entire network.


--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

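Lawrence's procedure above (resolve the concrete names the way nslookup would, recognise that the "*." entries are patterns that cannot be resolved at all, and allow address blocks rather than single hosts) as an added script; this is not code from the thread, from Microsoft or from the Deployment Guide. The hostname list is the one blankmonkey quoted; `split_hostnames`, `resolve_allowlist` and the injectable `resolve` parameter are my own names, and the `prefixlen` widening is a coarse stand-in for identifying the provider's real networks.

```python
import ipaddress
import socket

WSUS_URLS = [  # hostname patterns from the Deployment Guide, as quoted in the thread
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://*.update.microsoft.com",
    "https://*.update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://download.windowsupdate.com",
    "http://download.microsoft.com",
    "http://*.download.windowsupdate.com",
    "http://wustat.windows.com",
    "http://ntservicepack.microsoft.com",
]


def split_hostnames(urls):
    """Separate concrete hostnames from '*.' wildcard patterns. A wildcard is
    not a hostname, so nslookup cannot resolve it; those entries can only be
    covered by allowing the provider's networks (or by a name-aware proxy)."""
    concrete, wildcard = set(), set()
    for url in urls:
        host = url.split("://", 1)[-1].split("/", 1)[0].lower()  # strip scheme/path
        (wildcard if host.startswith("*.") else concrete).add(host)
    return concrete, wildcard


def dns_resolve(host):
    """Live A-record lookup, equivalent to running 'nslookup <host>'."""
    return socket.gethostbyname_ex(host)[2]


def resolve_allowlist(urls, resolve=dns_resolve, prefixlen=32):
    """Resolve every concrete hostname and collapse the answers into CIDR
    blocks. prefixlen=32 keeps exact addresses; a shorter prefix (e.g. 24)
    widens each answer to its surrounding block (a rough approximation only)."""
    concrete, wildcard = split_hostnames(urls)
    addrs, unresolved = set(), set()
    for host in sorted(concrete):
        try:
            addrs.update(resolve(host))
        except OSError:
            unresolved.add(host)  # NXDOMAIN, timeout, etc.: flag, do not guess
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs)
    return {
        "networks": [str(n) for n in nets],
        "wildcards": sorted(wildcard),  # unresolvable; need network-level rules
        "unresolved": sorted(unresolved),
    }


if __name__ == "__main__":
    for key, value in resolve_allowlist(WSUS_URLS).items():  # live lookups
        print(key, value)
```

Because the addresses behind these names change (as Lawrence notes), the output is a snapshot to be regenerated whenever the policy is reviewed, not a permanent rule set.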
#10  06-23-2009  richard brown
Re: IPSec and WSUS
