IPSec and WSUS
microsoft.public.microsoft_update_catalog

04-25-2008
IPSec and WSUS
I am setting up an IPSec policy, and I want my WSUS server to be able
to talk to the Microsoft domain. What subnets/DNS names/addresses does WSUS need to
talk to so it can download updates?

04-25-2008
Re: IPSec and WSUS
Forwarded to the WSUS NG for the poster's convenience:
Web-based link:
http://www.microsoft.com/technet/com... date_services
NNTP reader:
news://msnews.microsoft.com/microsof...pdate_services
MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
blankmonkey wrote:
> I am setting up an IPSec policy, and I want my WSUS server to be able
> to talk to the Microsoft domain. What subnets/DNS names/addresses does WSUS need to
> talk to so it can download updates?

04-28-2008
Re: IPSec and WSUS
"MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
news:urKelGypIHA.3456@TK2MSFTNGP05.phx.gbl...
> Forwarded to the WSUS NG for the poster's convenience:
> blankmonkey wrote:
>
>> I am setting up an IPSec policy, and I want my WSUS server to be
>> able to talk to the Microsoft domain. What subnets/DNS names/addresses does WSUS
>> need to talk to so it can download updates?
These are documented in the WSUS Deployment Guide.
However, the external resources that WSUS needs to talk to should be
irrelevant to any IPSec (server) configuration, because in that scenario the
WSUS Server is the "IPSec client", and there's no purpose at all in
configuring it to initiate any IPSec negotiation.
--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

04-28-2008
Re: IPSec and WSUS
Lawrence,
Thank you so much for your reply. I am a bit confused, but let me elaborate
on my situation better.
The server has a GPO IPSec policy that is forcing it to talk only on special
subnets (local ones) and deny all other traffic; it does not do anything to
the traffic, no tunneling or encrypting or anything. I wanted to add the
Microsoft subnets/IPs/DNS names to my allowed list, but can't seem to make it
work. Whenever I add the rule to allow all traffic from my IP to any,
it fails (I suspect it is because the deny rule is the mirror, from any to
my IP).
I did look over the documentation, but all I could find was a link to
general IPSec, and not the settings I needed. Could you be more specific
about the document location I need to read? I will be happy to read up on
it.
Thank you again,
Blankmonkey
"Lawrence Garvin [MVP]" wrote:
> "MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
> news:urKelGypIHA.3456@TK2MSFTNGP05.phx.gbl...
> > Forwarded to the WSUS NG for the poster's convenience:
>
> > blankmonkey wrote:
> >
> >> I am setting up an IPSec policy, and I want my WSUS server to be
> >> able to talk to the Microsoft domain. What subnets/DNS names/addresses does WSUS
> >> need to talk to so it can download updates?
>
> These are documented in the WSUS Deployment Guide.
>
> However, the external resources that WSUS needs to talk to should be
> irrelevant to any IPSec (server) configuration, because in that scenario the
> WSUS Server is the "IPSec client", and there's no purpose at all in
> configuring it to initiate any IPSec negotiation.
>
>
> --
> Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
> Senior Data Architect, APQC, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2008)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>

04-29-2008
Re: IPSec and WSUS
"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:BFC83315-4A67-4776-81FE-D360E0DB87C0@microsoft.com...
> Lawrence,
> Thank you so much for your reply. I am a bit confused, but let me
> elaborate
> on my situation better.
> The server has a GPO IPSec policy that is forcing it to talk only on special
> subnets (local ones) and deny all other traffic; it does not do anything
> to
> the traffic, no tunneling or encrypting or anything.
Perhaps, then, the issue here is the understanding of the term "IPSec".
http://en.wikipedia.org/wiki/Ipsec
> I wanted to add the
> Microsoft subnets/IPs/DNS names to my allowed list, but can't seem to make it
> work. Whenever I add the rule to allow all traffic from my IP to
> any,
> it fails (I suspect it is because the deny rule is the mirror, from any
> to
> my IP).
If not, then I'll simply repeat with a bit more specificity... you should not
be using IPSec to determine when/if/how a machine connects to an
Internet-based resource.
What you describe in the above paragraph sounds much more like a =firewall=
than it does an appropriate use of IPSec.
Should I assume from your comment here that you're using IPSec as a
firewall?
--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

04-29-2008
Re: IPSec and WSUS
If we are defining a firewall as "a system to determine what machines it is
OK to talk to," then yes, I am using IPSec as a firewall. I am not able to
use the software firewall because I do not know the ports that need to be
opened; there are too many ports (hundreds), and they can be randomly assigned
(WSUS is not the only thing running on the server). There is no hardware
firewall at my remote location, and an ACL has not been placed there yet
either, so I am left with IPSec.
I am open to using other methods, but this seemed the logical one. This
server has on it:
DHCP
ITAssist
WSUS
Routing and Remote Access (gateway between a public and private network)
File and Print sharing
All the others are taken care of with the IPSec; I just need to punch one
hole for WSUS to download updates. I figured there must be a limited number
of DNS entries/IPs that I could add.
"Lawrence Garvin [MVP]" wrote:
> "blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
> news:BFC83315-4A67-4776-81FE-D360E0DB87C0@microsoft.com...
>
> > Lawrence,
> > Thank you so much for your reply. I am a bit confused, but let me
> > elaborate
> > on my situation better.
> > The server has a GPO IPSec policy that is forcing it to talk only on special
> > subnets (local ones) and deny all other traffic; it does not do anything
> > to
> > the traffic, no tunneling or encrypting or anything.
> 
> Perhaps, then, the issue here is the understanding of the term "IPSec".
> 
> http://en.wikipedia.org/wiki/Ipsec
> 
> > I wanted to add the
> > Microsoft subnets/IPs/DNS names to my allowed list, but can't seem to make it
> > work. Whenever I add the rule to allow all traffic from my IP to
> > any,
> > it fails (I suspect it is because the deny rule is the mirror, from any
> > to
> > my IP).
>
> If not, then I'll simply repeat with a bit more specificity... you should not
> be using IPSec to determine when/if/how a machine connects to an
> Internet-based resource.
>
> What you describe in the above paragraph sounds much more like a =firewall=
> than it does an appropriate use of IPSec.
>
> Should I assume from your comment here that you're using IPSec as a
> firewall?
>
> --
> Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
> Senior Data Architect, APQC, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2008)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>

05-01-2008
Re: IPSec and WSUS
"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:3F558CA6-50C4-4177-BE8B-013AD5C39D5A@microsoft.com...
> If we are defining a firewall as "a system to determine what machines it
> is
> OK to talk to," then yes, I am using IPSec as a firewall. I am not able
> to
> use the software firewall because I do not know the ports that need to be
> opened; there are too many ports (hundreds), and they can be randomly
> assigned
> (WSUS is not the only thing running on the server). There is no hardware
> firewall at my remote location, and an ACL has not been placed there yet
> either, so I am left with IPSec.
You've got:
[a] Windows Firewall
[b] Routing and Remote Access Service
in addition to IPSec.
Why choose IPSec instead of one of those two more traditional means for
providing port security?
> I am open to using other methods, but this seemed the logical one. This
> server has on it:
> DHCP
> ITAssist
> WSUS
> Routing and Remote Access (gateway between a public and private network)
> File and Print sharing
Is this your *only* server? Running DHCP and F&P on a gateway machine is a
risky proposition!
> All the others are taken care of with the IPSec; I just need to punch one
> hole for WSUS to download updates. I figured there must be a limited
> number
> of DNS entries/IPs that I could add.
As noted in my first reply, the DNS =names= are documented in the WSUS
Deployment Guide.
If it helps... they're on page 32 in the "Configuring the Firewall" section.
If you need the IP Addresses (which are always subject to change), you can
obtain them by using 'nslookup'.
--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

05-01-2008
Re: IPSec and WSUS
Excellent!! I found it!! But it opens one more question: how do I do an
nslookup on a * name? OK, I found update.microsoft.com, but they have listed
*.update.microsoft.com. Is this all one IP with multiple sites? I tried,
and IPSec will not take the *:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
"Lawrence Garvin [MVP]" wrote:
> "blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
> news:3F558CA6-50C4-4177-BE8B-013AD5C39D5A@microsoft.com...
>
> > If we are defining a firewall as "a system to determine what machines it
> > is
> > OK to talk to," then yes, I am using IPSec as a firewall. I am not able
> > to
> > use the software firewall because I do not know the ports that need to be
> > opened; there are too many ports (hundreds), and they can be randomly
> > assigned
> > (WSUS is not the only thing running on the server). There is no hardware
> > firewall at my remote location, and an ACL has not been placed there yet
> > either, so I am left with IPSec.
>
> You've got:
> [a] Windows Firewall
> [b] Routing and Remote Access Service
>
> in addition to IPSec.
>
> Why choose IPSec instead of one of those two more traditional means for
> providing port security?
>
> > I am open to using other methods, but this seemed the logical one. This
> > server has on it:
> > DHCP
> > ITAssist
> > WSUS
> > Routing and Remote Access (gateway between a public and private network)
> > File and Print sharing
>
> Is this your *only* server? Running DHCP and F&P on a gateway machine is a
> risky proposition!
>
>
> > All the others are taken care of with the IPSec; I just need to punch one
> > hole for WSUS to download updates. I figured there must be a limited
> > number
> > of DNS entries/IPs that I could add.
>
> As noted in my first reply, the DNS =names= are documented in the WSUS
> Deployment Guide.
>
> If it helps... they're on page 32 in the "Configuring the Firewall" section.
>
> If you need the IP Addresses (which are always subject to change), you can
> obtain them by using 'nslookup'.
>
> --
> Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
> Senior Data Architect, APQC, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2008)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>

05-02-2008
Re: IPSec and WSUS
"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
news:424AA62E-2CBE-4790-AC73-0F38E5CE108E@microsoft.com...
> Excellent!! I found it!! But it opens one more question: how do I do an
> nslookup on a * name?
You don't. :-)
> OK, I found update.microsoft.com, but they have listed
> *.update.microsoft.com. Is this all one IP with multiple sites?
No... this would be multiple possible hostnames with different IP Addresses.
Typically those are regional sites, so they'll be on unique IP Addresses.
> I tried, and IPSec will not take the *;
No, your best option here is to identify the IP =networks= that you'll need
to access, and grant access to the entire network.
--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
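The advice above (resolve the concrete hostnames from the guide with nslookup, skip the wildcard entries that cannot be looked up, and allow the IP networks rather than single addresses that change) as an added Python example; this is not code from the thread or from Microsoft. The addresses in SAMPLE_ANSWERS are constructed documentation-range values so the example runs offline, `resolve_live` is an assumed helper for the real lookup, and widening each answer to a /24 is an assumption of this example, not guidance from the WSUS Deployment Guide.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Hostnames from the WSUS Deployment Guide list quoted in the thread.
# Wildcard names cannot be resolved, so they are retained only to be reported.
WSUS_HOSTS = [
    "windowsupdate.microsoft.com",
    "*.windowsupdate.microsoft.com",
    "*.update.microsoft.com",
    "*.windowsupdate.com",
    "download.windowsupdate.com",
    "download.microsoft.com",
    "*.download.windowsupdate.com",
    "wustat.windows.com",
    "ntservicepack.microsoft.com",
]

# Constructed sample DNS answers (RFC 5737 documentation ranges, not real
# Microsoft addresses) so the example runs offline.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "windowsupdate.microsoft.com": ["203.0.113.10", "203.0.113.11"],
    "download.windowsupdate.com": ["203.0.113.40"],
    "download.microsoft.com": ["198.51.100.7"],
    "wustat.windows.com": ["198.51.100.200"],
    "ntservicepack.microsoft.com": ["203.0.113.12"],
}


def resolve_sample(host: str) -> List[str]:
    """Offline stand-in for nslookup, answering from the constructed table."""
    return SAMPLE_ANSWERS.get(host, [])


def resolve_live(host: str) -> List[str]:
    """Assumed helper: a real IPv4 lookup, the 'nslookup' step from the thread."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET)})


def wsus_networks(hosts: Iterable[str], resolve: Callable[[str], List[str]],
                  prefix: int = 24) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Resolve each concrete name, widen every answer to a /prefix network (the
    thread's advice: allow the network, not the host, because addresses change),
    collapse overlaps, and report the wildcard names that had to be skipped."""
    nets: List[ipaddress.IPv4Network] = []
    skipped: List[str] = []
    for host in hosts:
        if "*" in host:
            skipped.append(host)  # no DNS query is possible for a wildcard
            continue
        for addr in resolve(host):
            nets.append(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return sorted(ipaddress.collapse_addresses(nets)), skipped
```

Because the resolved addresses are, as the reply says, subject to change, the lookup has to be repeated whenever the allow list is reviewed.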

06-23-2009
Re: IPSec and WSUS
"Lawrence Garvin [MVP]" wrote:
> "blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message
> news:BFC83315-4A67-4776-81FE-D360E0DB87C0@microsoft.com...
>
> > Lawrence,
> > Thank you so much for your reply. I am a bit confused, but let me
> > elaborate
> > on my situation better.
> > The server has a GPO IPSec policy that is forcing it to talk only on special
> > subnets (local ones) and deny all other traffic; it does not do anything
> > to
> > the traffic, no tunneling or encrypting or anything.
> 
> Perhaps, then, the issue here is the understanding of the term "IPSec".
> 
> http://en.wikipedia.org/wiki/Ipsec
> 
> > I wanted to add the
> > Microsoft subnets/IPs/DNS names to my allowed list, but can't seem to make it
> > work. Whenever I add the rule to allow all traffic from my IP to
> > any,
> > it fails (I suspect it is because the deny rule is the mirror, from any
> > to
> > my IP).
>
> If not, then I'll simply repeat with a bit more specificity... you should not
> be using IPSec to determine when/if/how a machine connects to an
> Internet-based resource.
>
> What you describe in the above paragraph sounds much more like a =firewall=
> than it does an appropriate use of IPSec.
>
> Should I assume from your comment here that you're using IPSec as a
> firewall?
>
> --
> Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
> Senior Data Architect, APQC, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2008)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>