Explicit allow to Microsoft Update services

L2 Linker

I've read through a dozen questions and the scores of answers to those questions, and I'm finding a mix of outdated information, bad information or just unrelated options...  I suspect this is going to send me down a rabbit hole, so I'll try to compartmentalize based on my testing.  I never progressed far enough to get close to a resolution.

So, the end-goal -- I have some systems that we want to have extremely limited Internet access: Chrome updates, Microsoft updates, a single specific website (not pertinent to this conversation).  I haven't looked at Chrome updates yet.  But I've spent a considerable amount of time looking at Microsoft.

The issue lies in the fact that MS needs several domains open, some with wildcards, to access MS Updates.  That removes a simple FQDN object (in the destination field) as an option.  I tried suggestions for Custom URL Category objects.  I tried this (for testing):

Custom URL Object Test-FQDN-01

*.microsoft.com/

www.microsoft.com/

I then put that in a policy that BLOCKS my computer from being able to ping that custom URL object (i.e. placing the custom URL object in the Service/URL Category tab config).  Commit and ... pings still work (allowed by the next policy).  I never see it hit this test policy, so something isn't matching.  BTW, www.microsoft.com resolves to an Akamai address (that never changed during my testing).  I then tried to add that Akamai FQDN to the custom URL object and ... still able to ping.

I did play around with creating a dedicated profile ... allowing the Microsoft URLs and blocking everything else.  That works, but then I lose the ability to use this same definition to track systems going to MS Update.  It's also odd to have both an allow and a deny in the same policy (i.e. explicitly allow access to MS Update while explicitly denying access to all other websites).

Another thing that crossed my mind - a simple rule that allows any internal to any external with application ms-update.  EXCEPT ms-update requires ssl, so because the policies are "ands" in the application field, I've just opened up any https website.

This shouldn't be so difficult. 
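The two behaviours described in this post (a URL-category rule that never matches a ping, and an application-only ms-update rule whose ssl dependency admits every HTTPS site) can be reproduced in a small first-match policy model. The following Python is an added illustration written for this thread; it is not PAN-OS code and not anything from the original post. The category contents mirror the Test-FQDN-01 object above; the session objects, rule names and the combined application-plus-URL-category rule at the end are constructed assumptions, and the wildcard matcher is a simplification (in this model `*.microsoft.com/` also matches the bare domain), so the vendor documentation remains the authority on real pattern semantics.

```python
"""Toy first-match firewall policy model, added for this thread.

It shows two things a practitioner wants to see before touching the rulebase:
  1. A URL-category condition is evaluated against a web host name (HTTP Host
     or TLS SNI).  An ICMP ping carries no host name, so a rule that relies on
     a URL category can never match it and the session falls through to the
     next rule.
  2. An application list is "any of these apps", so allowing ms-update plus its
     ssl dependency matches every ssl session.  Adding the URL category to the
     same rule narrows that to the Microsoft hosts.
Simplified model, not vendor code; see the lead-in for the assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed custom URL category, mirroring the Test-FQDN-01 object in the post.
URL_CATEGORIES = {
    "Test-FQDN-01": ["*.microsoft.com/", "www.microsoft.com/"],
}


def host_matches_pattern(host: str, pattern: str) -> bool:
    """Simplified wildcard match.  '*.example.com/' matches any subdomain of
    example.com and, in this model, example.com itself; a plain entry matches
    only that exact host.  Assumption: real vendor semantics differ in details."""
    pat = pattern.rstrip("/").lower()
    host = host.lower()
    if pat.startswith("*."):
        base = pat[2:]
        return host == base or host.endswith("." + base)
    return host == pat


@dataclass
class Session:
    app: str                    # app-id as identified, e.g. "ping", "ssl", "ms-update"
    host: Optional[str] = None  # HTTP Host / TLS SNI; None for non-web traffic such as ICMP


@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    apps: Optional[Set[str]] = None       # None = any; otherwise the session app must be listed
    url_category: Optional[str] = None    # None = any; otherwise the host must be in the category

    def matches(self, s: Session) -> bool:
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.url_category is not None:
            # No host name (ICMP ping) means the URL-category condition cannot be satisfied.
            if s.host is None:
                return False
            patterns = URL_CATEGORIES[self.url_category]
            if not any(host_matches_pattern(s.host, p) for p in patterns):
                return False
        return True


def evaluate(rules, session: Session):
    """First-match evaluation; returns (rule name, action), default deny if nothing matches."""
    for r in rules:
        if r.matches(session):
            return r.name, r.action
    return "default", "deny"


# Policy as tested in the post: block the URL category, then a broad allow.
TESTED_POLICY = [
    Rule("block-ms-urls", "deny", url_category="Test-FQDN-01"),
    Rule("allow-any", "allow"),
]

# Application-only allow for ms-update plus its ssl dependency: matches every ssl session.
APP_ONLY_POLICY = [
    Rule("allow-ms-update", "allow", apps={"ms-update", "ssl"}),
    Rule("deny-rest", "deny"),
]

# Constructed alternative: the same application list combined with the URL category
# on one rule, so the ssl dependency is limited to the Microsoft hosts.
COMBINED_POLICY = [
    Rule("allow-ms-update-to-ms", "allow", apps={"ms-update", "ssl"}, url_category="Test-FQDN-01"),
    Rule("deny-rest", "deny"),
]

# Constructed sessions.
PING_TO_MS = Session(app="ping", host=None)             # ICMP carries no URL or SNI
HTTPS_TO_MS = Session(app="ssl", host="www.microsoft.com")
HTTPS_TO_OTHER = Session(app="ssl", host="example.org")

if __name__ == "__main__":
    for name, policy in [("tested", TESTED_POLICY), ("app-only", APP_ONLY_POLICY), ("combined", COMBINED_POLICY)]:
        for label, sess in [("ping", PING_TO_MS), ("https-ms", HTTPS_TO_MS), ("https-other", HTTPS_TO_OTHER)]:
            print(f"{name:9} {label:12} -> {evaluate(policy, sess)}")
```

Running the block prints the matched rule for each session under each policy: the ping is allowed by the second rule of the tested policy exactly as observed in the post, the application-only policy admits the unrelated HTTPS site, and only the combined rule confines ssl to the category while still denying everything else.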