07-21-2023 07:40 AM
I've read through a dozen questions and the scores of answers to those questions, and I'm finding a mix of outdated information, bad information or just unrelated options... I suspect this is going to send me down a rabbit hole, so I'll try to compartmentalize based on my testing. I never progressed far enough to get close to a resolution.
So, the end-goal -- I have some systems that we want to have extremely limited Internet access: Chrome updates, Microsoft updates, a single specific website (not pertinent to this conversation). I haven't looked at Chrome updates yet. But I've spent a considerable amount of time looking at Microsoft.
The issue lies in the fact that MS needs several domains open, some with wildcards, to access MS Updates. That removes a simple FQDN object (in the destination field) as an option. I tried suggestions for Custom URL Category objects. I tried this (for testing):
Custom URL Object Test-FQDN-01
*.microsoft.com/
I then put that in a policy that BLOCKS my computer from being able to ping that custom URL object (i.e. placing the custom URL object in the Service/URL Category tab config). Commit and ... pings still work (allowed by the next policy). I never see it hit this test policy, so something isn't matching. BTW, www.microsoft.com resolves to an Akamai address (that never changed during my testing). I then tried to add that Akamai FQDN to the custom URL object and ... still able to ping.
I did play around with creating a dedicated profile ... allowing the Microsoft URLs and blocking everything else. That works, but then I lose the ability to use this same definition to track systems going to MS Update. It's also odd to have both an allow and a deny in the same policy (i.e. explicitly allow access to MS Update while explicitly denying access to all other websites).
Another thing that crossed my mind - a simple rule that allows any internal to any external with application ms-update. EXCEPT ms-update requires ssl, so because the policies are "ands" in the application field, I've just opened up any https website.
This shouldn't be so difficult.
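As an added illustration (not part of the original post, and not vendor code), here is a small Python model of a first-match security rulebase that evaluates application, and URL category the way the post describes: a URL category can only be compared against flows that actually carry a hostname (an HTTP Host header or a TLS SNI), so an ICMP ping has nothing for the category to match and falls through to the next rule. The same model shows why an `application [ms-update ssl]` rule with no category constraint admits any HTTPS destination, while the same rule constrained by a custom URL category does not. The matching semantics are assumptions of this model (in particular, `*.` is modelled as one or more leading labels, so `*.microsoft.com/` does not match the bare `microsoft.com`); confirm the real wildcard and dependency behaviour against the vendor documentation for your PAN-OS version.

```python
"""Toy first-match rulebase model (constructed example, not PAN-OS code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, List


@dataclass(frozen=True)
class Flow:
    app: str              # App-ID result, e.g. "ms-update", "ssl", "web-browsing", "ping"
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for ICMP
    host: Optional[str]   # HTTP Host / TLS SNI; None for flows that carry no URL


@dataclass(frozen=True)
class Rule:
    name: str
    apps: Optional[FrozenSet[str]]          # None means "any"
    url_category: Optional[FrozenSet[str]]  # custom URL list entries, e.g. "*.microsoft.com/"; None means "any"
    action: str                             # "allow" or "deny"


def host_matches(pattern: str, host: str) -> bool:
    """Match a hostname against one custom-URL-list entry.

    Assumption of this model: a trailing '/' is ignored and a leading '*.'
    matches one or more labels, so '*.microsoft.com/' matches
    'www.microsoft.com' but not 'microsoft.com' itself.
    """
    pat = pattern.rstrip("/").lower()
    h = host.lower()
    if pat.startswith("*."):
        suffix = pat[1:]  # ".microsoft.com"
        return h.endswith(suffix) and len(h) > len(suffix)
    return h == pat


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.apps is not None and flow.app not in rule.apps:
        return False
    if rule.url_category is not None:
        # A URL category is only evaluable on web traffic that presents a
        # hostname; ICMP, DNS and similar flows carry none, so they never match.
        if flow.host is None:
            return False
        if not any(host_matches(p, flow.host) for p in rule.url_category):
            return False
    return True


def evaluate(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, or the implicit deny."""
    for rule in rulebase:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "implicit-deny", "deny"


MS_URLS = frozenset({"*.microsoft.com/", "*.windowsupdate.com/"})

# 1. The poster's test: a block rule keyed on a URL category, then allow-all.
TEST_RULEBASE = [
    Rule("block-ms-urls", None, MS_URLS, "deny"),
    Rule("allow-all", None, None, "allow"),
]
PING_MS = Flow("ping", "icmp", None, None)                      # ping: no hostname to match
HTTPS_MS = Flow("ssl", "tcp", 443, "www.microsoft.com")         # SNI carries the hostname

# 2. The poster's concern: ms-update needs ssl, so allowing both apps with no
#    category constraint admits HTTPS to anywhere.
OPEN_RULEBASE = [Rule("allow-ms-update", frozenset({"ms-update", "ssl"}), None, "allow")]
# Adding the custom URL category to the same rule narrows it to Microsoft hosts.
RESTRICTED_RULEBASE = [Rule("allow-ms-update", frozenset({"ms-update", "ssl"}), MS_URLS, "allow")]
HTTPS_OTHER = Flow("ssl", "tcp", 443, "www.example.org")        # constructed third-party host


if __name__ == "__main__":
    print("ping to MS host, test rulebase      :", evaluate(TEST_RULEBASE, PING_MS))
    print("HTTPS to MS host, test rulebase     :", evaluate(TEST_RULEBASE, HTTPS_MS))
    print("HTTPS to other host, open rulebase  :", evaluate(OPEN_RULEBASE, HTTPS_OTHER))
    print("HTTPS to other host, restricted     :", evaluate(RESTRICTED_RULEBASE, HTTPS_OTHER))
    print("HTTPS to MS host, restricted        :", evaluate(RESTRICTED_RULEBASE, HTTPS_MS))
```

Running the block prints the ping falling through to `allow-all` (the behaviour observed in the post), the HTTPS flow to a Microsoft host hitting the category-based rule, and the third-party HTTPS flow being admitted by the unconstrained `ms-update`/`ssl` rule but denied once the category is attached.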