08-16-2006 01:23 PM - edited 02-20-2020 09:37 PM
Has anyone found a solution to creating a working outbound ACL to limit HTTP access to: http://windowsupdate.microsoft.com? It seems like this site changes IP so often, my ACL is no good after a few days. Our policy requires we implement outbound connection limitations, like ACLs. Any solutions around this? Thanks.
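The problem in the question, a host-based ACL that rots as the name's addresses change, is usually worked around by regenerating the ACL from DNS on a schedule instead of editing it by hand. The following Python helper is an added example and not code from the thread: it renders PIX 6.x style `access-list` lines for whatever the name currently resolves to, diffs them against the firewall's present entries, and emits only the commands needed to converge. The ACL name `outbound`, the destination port (`www`), the stale address, and the addresses in `CONSTRUCTED_DNS` (taken from the 203.0.113.0/24 documentation range) are assumptions made up for the example; `resolve_live` is the real resolver for use on a network, while `demo` uses the constructed answer so the block runs offline.

```python
# Added example (not from the thread): regenerate a PIX 6.x outbound ACL
# from the addresses a hostname currently resolves to, and emit only the
# commands needed to bring the firewall's ACL in line. The ACL name
# "outbound", the port (www) and the sample addresses are assumptions.
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

ACL_NAME = "outbound"                          # assumed PIX access-list name
HOSTNAMES = ["windowsupdate.microsoft.com"]    # hostname from the question

# Constructed stand-in for DNS so the example runs offline (TEST-NET-3 addresses).
CONSTRUCTED_DNS: Dict[str, Set[str]] = {
    "windowsupdate.microsoft.com": {"203.0.113.11", "203.0.113.10"},
}

# Constructed snapshot of what the firewall has now: 203.0.113.5 is stale.
CURRENT_ACL = [
    "access-list outbound permit tcp any host 203.0.113.5 eq www",
    "access-list outbound permit tcp any host 203.0.113.10 eq www",
]


def resolve_live(hostname: str) -> Set[str]:
    """Resolve a name to every IPv4 address it currently has (needs network)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {sockaddr[0] for *_, sockaddr in infos}


def acl_lines(addrs: Iterable[str], acl: str = ACL_NAME) -> List[str]:
    """Render one PIX 6.x permit line per address, in stable address order.

    Each address is parsed first, so a malformed resolver answer raises
    ValueError instead of being pasted into a firewall command.
    """
    parsed = sorted(ipaddress.IPv4Address(a) for a in addrs)
    return [f"access-list {acl} permit tcp any host {a} eq www" for a in parsed]


def acl_delta(current: Iterable[str], wanted: Iterable[str]) -> Dict[str, List[str]]:
    """Lines to add and lines to remove to turn `current` into `wanted`."""
    cur, want = set(current), set(wanted)
    return {"add": sorted(want - cur), "remove": sorted(cur - want)}


def build_update(resolver: Callable[[str], Set[str]],
                 hostnames: Iterable[str],
                 current: Iterable[str]) -> Dict[str, List[str]]:
    """Resolve every hostname and compute the ACL delta against `current`."""
    wanted: List[str] = []
    for host in hostnames:
        wanted.extend(acl_lines(resolver(host)))
    return acl_delta(current, wanted)


def pix_commands(delta: Dict[str, List[str]]) -> List[str]:
    """Config commands to apply: add new entries first, then remove stale ones,
    so clients are never without a permit line while the change is applied."""
    return delta["add"] + ["no " + line for line in delta["remove"]]


def demo() -> Dict[str, List[str]]:
    """Run the delta against the constructed DNS answer and ACL snapshot."""
    return build_update(CONSTRUCTED_DNS.__getitem__, HOSTNAMES, CURRENT_ACL)


if __name__ == "__main__":
    for cmd in pix_commands(demo()):
        print(cmd)
```

Two caveats a practitioner should keep in mind: the resulting ACL is only as trustworthy as the DNS answer the script receives, so run it from a resolver you control, and it is only as current as the schedule you run it on, so a name that rotates addresses faster than that interval will still produce gaps.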
08-16-2006 03:33 PM
Hi .. if you require more granularity for Internet access then I suggest to use a proxy server such as Microsoft ISA. You can then specify access based on URL .. etc
I hope it helps .. please rate it if it does !!!
08-16-2006 06:20 PM
Actually I already have an ISA server. It's possible, but very slow. I was hoping to find an alternate solution on a router or PIX platform. Thanks though.
08-19-2006 09:02 AM
Hi,
If you have a router in between you can use NBAR and a service policy to match the URL and then set the action to drop.
! NBAR protocol discovery on the interface is optional for classification;
! it only collects per-protocol statistics.
int XXX
 ip nbar protocol-discovery
!
! "url" matches only the path after the host name; to match the
! server name itself, use the "host" keyword.
class-map match-any windowsupdate
 match protocol http host "windowsupdate.microsoft.com"
!
policy-map internet-out
 class windowsupdate
  drop
!
int XXX
 service-policy output internet-out
You can use * as a wildcard in the URL. Bear in mind NBAR has a performance impact.
I think you may be able to match URLs in service policies in Pix 7.X as well? (haven't looked into that one as yet though)
Cheers,
Tim.
08-19-2006 10:32 AM
This looks promising, I'll try it out. Our PIX is still on 6.x, not exactly ready for an upgrade yet. I'll see what I can do with NBAR. Thanks.