01-13-2009 10:41 AM - edited 03-11-2019 07:36 AM
I have several Windows machines in my DMZ, and for DMZ machines, the default is for all outbound access to be blocked, but I want to allow the machines to get Windows updates. Any suggestions on how I can do this?
01-13-2009 11:13 AM
I'm no Windows expert, but can't you point your Windows server to update from your internal WSUS servers?
01-13-2009 11:23 AM
That would be easy if we had an internal WSUS server. We use ZEN. Since DMZ machines need patches on a more critical basis, and the testing to see if patches broke the machines is easier on the DMZ machines, we like to patch these machines more often and on a quicker cycle than the internal machines. We are also trying to avoid connecting our DMZ machines to any internal resources through any standard Windows ports so that if they are compromised they won't infect internal machines.
Maybe we're too paranoid?
01-14-2009 01:58 AM
Hi,
I suggest creating an outbound access rule to be applied on your DMZ interface allowing HTTP traffic originating from the servers that need to be updated. You may remove the access rule once done.