https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745128#M1005337 <HTML><HEAD></HEAD><BODY><P>Although this is for WSUS you could try these sites:</P><P></P><P><A class="jive-link-custom" href="http://technet2.microsoft.com/windowsserver/en/library/9d55bda5-9eb9-46d2-a204-62034936eb131033.mspx?mfr=true" target="_blank">http://technet2.microsoft.com/windowsserver/en/library/9d55bda5-9eb9-46d2-a204-62034936eb131033.mspx?mfr=true</A> </P><P></P><P>Go to the link : Configure the Firewall Between the WSUS Server and the Internet </P></BODY></HTML> Fri, 11 May 2007 10:58:14 GMT h.parsons 2007-05-11T10:58:14Z https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745125#M1005334 <P>About 1/2 the PCs in my company should not have the ability to browse. I want them to be able to run windows update. Google gave me lots to look at. But, I can't find a list of IPs complete enought to work. I figure someone (many someones) must have done this before. What ACLs are necessary to get Windows Update to work?</P> Mon, 11 Mar 2019 10:08:50 GMT https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745125#M1005334 hetteldorf 2019-03-11T10:08:50Z https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745126#M1005335 <HTML><HEAD></HEAD><BODY><P>I really doubt you will ever come across a complete list of those servers. Compiling and publishing such a list would undoubtedly invite nefarious activity.</P><P></P><P>Here are a couple of things you might want to look at alternatively.</P><P></P><P>1. Build a web proxy and use a combination of authentication and access control list to restrict outbound access.</P><P></P><P>2. Use N2H2 based URL filtering, your PIX/ASA should have built in support for it.</P><P></P><P>3. Build your own WSUS server that lives on a dmz network that all workstations can talk to.</P><P></P><P></P></BODY></HTML> Tue, 08 May 2007 22:13:39 GMT https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745126#M1005335 laurent.geyer 2007-05-08T22:13:39Z https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745127#M1005336 <HTML><HEAD></HEAD><BODY><P>Plan on setting up a WSUS server, but was hoping for a quick temporary fix. I guess quick and dirty and security don't mix.</P><P>Thanks for the info.</P></BODY></HTML> Wed, 09 May 2007 11:47:44 GMT https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745127#M1005336 hetteldorf 2007-05-09T11:47:44Z https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745128#M1005337 <HTML><HEAD></HEAD><BODY><P>Although this is for WSUS you could try these sites:</P><P></P><P><A class="jive-link-custom" href="http://technet2.microsoft.com/windowsserver/en/library/9d55bda5-9eb9-46d2-a204-62034936eb131033.mspx?mfr=true" target="_blank">http://technet2.microsoft.com/windowsserver/en/library/9d55bda5-9eb9-46d2-a204-62034936eb131033.mspx?mfr=true</A> </P><P></P><P>Go to the link : Configure the Firewall Between the WSUS Server and the Internet </P></BODY></HTML> Fri, 11 May 2007 10:58:14 GMT https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745128#M1005337 h.parsons 2007-05-11T10:58:14Z https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745129#M1005338 <HTML><HEAD></HEAD><BODY><P>Looks like that should work. If not then WSUS is the only real answer.</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 14 May 2007 15:00:22 GMT https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745129#M1005338 hetteldorf 2007-05-14T15:00:22Z https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745130#M1005339 <HTML><HEAD></HEAD><BODY><P>I'm not quite sure how that helps. The link doesn't include a list of hosts that you could use to restrict TCP/80,443 access to.</P></BODY></HTML> Mon, 14 May 2007 15:05:17 GMT https://community.cisco.com/t5/network-security/what-acl-to-allow-windows-update-without-browsing/m-p/745130#M1005339 laurent.geyer 2007-05-14T15:05:17Z