https://live.paloaltonetworks.com/t5/general-topics/allowing-ms-product-activation-and-denying-web-access/m-p/16396#M11966 <HTML><HEAD></HEAD><BODY><P>In my experience, PA is not able to recognize MS product activation traffic reliably.</P><P></P><P>Sometimes it is recognized correctly, but most of the time PA recognizes it as ms-update or even web-browsing.</P><P>Doesn't help either that MS is secretive about the whole activation process, would be a lot easier if it were one type of traffic (for all MS products) and/or to fixed known destinations (subnets).</P><P></P><P>Maybe you're better of with a local KMS...</P></BODY></HTML> Tue, 18 Dec 2012 07:30:21 GMT dieter_b 2012-12-18T07:30:21Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ms-product-activation-and-denying-web-access/m-p/16395#M11965 <HTML><HEAD></HEAD><BODY><P>I have a network that I want to allow MS product activation to work but web browsing and other internet activity to be denied.</P><P></P><P>I have two main security policies that apply just to this network although DNS and ntp is also allowed:</P><P>The first one is an application filter that allows all applications you get when you click on "software-updates".&nbsp; And the port set is "application default".</P><P>The second rule is a deny all.</P><P></P><P>As I see it this should allow ms-product-activation but it doesn't.&nbsp; Do I need a separate rule with just ms-product-activation.&nbsp; Do I need to add any other applications to the rule to make it work?&nbsp; For instance, say web-browsing and https and ports 80 and 443.&nbsp; This would unfortunately allow web-browsing which I want to deny.&nbsp; </P></BODY></HTML> Mon, 17 Dec 2012 01:12:53 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ms-product-activation-and-denying-web-access/m-p/16395#M11965 kjh 2012-12-17T01:12:53Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ms-product-activation-and-denying-web-access/m-p/16396#M11966 <HTML><HEAD></HEAD><BODY><P>In my experience, PA is not able to recognize MS product activation traffic reliably.</P><P></P><P>Sometimes it is recognized correctly, but most of the time PA recognizes it as ms-update or even web-browsing.</P><P>Doesn't help either that MS is secretive about the whole activation process, would be a lot easier if it were one type of traffic (for all MS products) and/or to fixed known destinations (subnets).</P><P></P><P>Maybe you're better of with a local KMS...</P></BODY></HTML> Tue, 18 Dec 2012 07:30:21 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ms-product-activation-and-denying-web-access/m-p/16396#M11966 dieter_b 2012-12-18T07:30:21Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ms-product-activation-and-denying-web-access/m-p/16397#M11967 <HTML><HEAD></HEAD><BODY><P>There is a list available at:</P><P></P><P><A class="jive-link-external-small" href="http://support.microsoft.com/kb/921471">http://support.microsoft.com/kb/921471</A></P><P></P><P>one url not mentioned there seems to be:</P><P></P><P>wpa.one.microsoft.com:80</P><P></P><P>dunno if the above wpa url is still valid as part of the activation or not.</P><P></P><P>I guess the best would be if you could setup a local auth server for this and then just allow this particular server to reach microsoft's domains.</P></BODY></HTML> Tue, 18 Dec 2012 09:33:49 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ms-product-activation-and-denying-web-access/m-p/16397#M11967 mikand 2012-12-18T09:33:49Z https://live.paloaltonetworks.com/t5/general-topics/allowing-ms-product-activation-and-denying-web-access/m-p/578355#M116007 <P>Hi. We used the application&nbsp; ms-product-activation with good results. ( so no ssl only&nbsp;ms-product-activation )</P> Mon, 26 Feb 2024 14:46:35 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-ms-product-activation-and-denying-web-access/m-p/578355#M116007 GoranBerglund 2024-02-26T14:46:35Z