12-16-2012 05:12 PM
I have a network that I want to allow MS product activation to work but web browsing and other internet activity to be denied.
I have two main security policies that apply just to this network although DNS and ntp is also allowed:
The first one is an application filter that allows all applications you get when you click on "software-updates". And the port set is "application default".
The second rule is a deny all.
As I see it this should allow ms-product-activation but it doesn't. Do I need a separate rule with just ms-product-activation. Do I need to add any other applications to the rule to make it work? For instance, say web-browsing and https and ports 80 and 443. This would unfortunately allow web-browsing which I want to deny.
12-17-2012 11:30 PM
In my experience, PA is not able to recognize MS product activation traffic reliably.
Sometimes it is recognized correctly, but most of the time PA recognizes it as ms-update or even web-browsing.
Doesn't help either that MS is secretive about the whole activation process, would be a lot easier if it were one type of traffic (for all MS products) and/or to fixed known destinations (subnets).
Maybe you're better of with a local KMS...
12-18-2012 01:33 AM
There is a list available at:
one url not mentioned there seems to be:
dunno if the above wpa url is still valid as part of the activation or not.
I guess the best would be if you could setup a local auth server for this and then just allow this particular server to reach microsoft's domains.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!