
Success with Access-List for Microsoft Updates?

jaesposito
Level 1

All,

Since one cannot create an access-list with a domain (microsoft.com), I've been struggling with the task of creating an ACL to cover all IP addresses (CIDR networks) involved when a user wants to perform a Windows/Microsoft update from their desktop. Does anybody have a firm grasp on the IP ranges that I need to add to my access-list?

Running a Windows SUS/WUS box or a patch management server is not an option as this is a small network of only two PCs.  They need to get their updates from Microsoft directly.

I'd appreciate any help with this as I'm really struggling to finish off my ACL and this is the last task.  For those that want to know, I'm using a Cisco 837 running IOS 12.3.14.T7.

Thanks for the help!

James

1 Reply

Hi,

You can go ahead and create the filters based on ACLs, but that's not a recommended solution for blocking web access.
You can successfully block ranges of IPs, but the moment they change, you need to update your list.

There's an IOS FPM feature or IPS features to try to match the content instead of just the destination IP.
The problem is that FPM is not supported on your model.
IPS software is only on security-based IOS.

You can go ahead and implement this solution, but keep in mind that it is a temporary workaround only, until you filter the sites using other methods.

Federico.
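
The maintenance problem raised in the reply above (an IP-based list goes stale as soon as the addresses change), as an added example that is not part of the original thread: it compares the networks an ACL currently permits against the addresses the update hosts resolve to now, lists the gaps and the unused entries, and renders CIDR blocks as IOS extended ACL lines. The addresses are constructed from RFC 5737 documentation ranges, and the ACL number 110 and port 443 are assumptions.

```python
import ipaddress

# Constructed sample data using RFC 5737 documentation ranges.
# These are NOT real Microsoft update addresses.
ACL_NETWORKS = ["192.0.2.0/24", "198.51.100.0/25"]   # permitted by the ACL today
RESOLVED_NOW = ["192.0.2.17", "198.51.100.200", "203.0.113.9"]  # resolved now


def acl_line(cidr, acl_id=110, port=443):
    """Render a CIDR block as an IOS extended ACL entry (wildcard-mask form).

    acl_id and port are illustrative defaults, not values from the thread.
    strict=True rejects input with host bits set, such as 192.0.2.17/24.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 32:
        dest = f"host {net.network_address}"
    else:
        dest = f"{net.network_address} {net.hostmask}"
    return f"access-list {acl_id} permit tcp any {dest} eq {port}"


def uncovered(addresses, networks):
    """Addresses the current ACL does not permit: the list has gone stale."""
    nets = [ipaddress.ip_network(n) for n in networks]
    addrs = {ipaddress.ip_address(a) for a in addresses}
    return [str(a) for a in sorted(addrs) if not any(a in n for n in nets)]


def unused(addresses, networks):
    """Permitted networks that no current address falls in: pruning candidates."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    return [n for n in networks
            if not any(a in ipaddress.ip_network(n) for a in addrs)]


if __name__ == "__main__":
    print("Current entries:")
    for cidr in ACL_NETWORKS:
        print(" ", acl_line(cidr))
    print("Not permitted by the ACL:", uncovered(RESOLVED_NOW, ACL_NETWORKS))
    print("No longer in use:", unused(RESOLVED_NOW, ACL_NETWORKS))
    print("Entries to review before adding:")
    for addr in uncovered(RESOLVED_NOW, ACL_NETWORKS):
        print(" ", acl_line(f"{addr}/32"))
```
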
