Enyi_Ajoku
Collaborator

Outbound Connection (WSUS)

My server team has a Repo Server set up and would like it to get updates from WSUS. Using sk117432, I created a rule with the destination as "ANY" for test purposes, with the ports set to what was documented in the sk; I also included http and https. When they try to run the process it fails, with the error below. I've also tried creating an accept rule with "Any" for destination and services & applications, with the same error.


Would appreciate your help. Thank You


8 Replies
Vladimir
Champion

As the error starts with Name Resolution message, I suggest looking at DNS settings for your WSUS.

Try performing nslookup for fe2.update.microsoft.com in this host's CMD and see if it works.

If not, change your DNS settings on that server until it does.

If you have specified public DNS servers such as 8.8.8.8, 9.9.9.9, 1.1.1.1 or one provided by your ISP, include DNS as one of the protocols in the rule permitting egress traffic from WSUS and make sure that either its object, or the subnet it resides in have NAT configured to Hide behind Gateway's IP.

Cheers,

Vladimir

Enyi_Ajoku
Collaborator

> As the error starts with Name Resolution message, I suggest looking at DNS settings for your WSUS.
>
> Try performing nslookup for fe2.update.microsoft.com in this host's CMD and see if it works.

When I do an nslookup to the Microsoft URL, it times out.

> If not, change your DNS settings on that server until it does.
>
> If you have specified public DNS servers such as 8.8.8.8, 9.9.9.9, 1.1.1.1 or one provided by your ISP, include DNS as one of the protocols in the rule permitting egress traffic from WSUS

I also did this with Google's DNS (8.8.8.8 and 8.8.4.4) and also my ISP's DNS on an accept-any rule.

> and make sure that either its object, or the subnet it resides in have NAT configured to Hide behind Gateway's IP.

Please could you provide more information on how I can do this.

I also wanted to add that I have a test any rule from source to destination for ICMP, but my Repo Server can't ping any of the public DNS I stated above.

Vladimir
Champion

1. Create a rule permitting DNS lookup from internal network object or from your dedicated internal DNS server

2. In your Internal Network object, define NAT Hide behind Gateway parameter


3. Install policy.

4. Test DNS from WSUS

5. If DNS is not working on WSUS, try it from Check Point Gateway's CLI

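The five steps above, written out as an added example that is not from the thread or from Check Point's own documentation: steps 1 to 3 as Management API calls (mgmt_cli, R80.x and later) to run on the management server, and steps 4 and 5 as checks for the gateway's expert shell. It also keeps the "DNS Server" flag off on the WSUS host object, the mistake discussed later in the thread. The object names WSUS_Server, Internal_Net, GW1, the policy package Standard and the admin account are assumptions; domain-udp and domain-tcp are Check Point's predefined DNS services.

```shell
#!/bin/sh
# Added example, not from the thread: the accepted solution expressed as
# Check Point Management API calls (mgmt_cli, R80.x and later) run on the
# management server, plus the verification steps for the gateway's expert
# shell. Object and package names below are assumptions; change them to match
# your own environment.

SID_FILE="/tmp/wsus_egress_sid.txt"   # session id written by "mgmt_cli login"
MGMT_USER="admin"                     # assumed administrator account
WSUS_HOST="WSUS_Server"               # assumed host object for the WSUS/Repo server
INTERNAL_NET="Internal_Net"           # assumed network object the WSUS host lives in
POLICY_PKG="Standard"                 # assumed policy package name
GATEWAY="GW1"                         # assumed gateway object name
FQDN="fe2.update.microsoft.com"       # the name that failed to resolve in the thread
WSUS_IP="${WSUS_IP:-}"                # set to the WSUS host's IP when using show_drops

# Step 1: egress rule for the WSUS host. domain-udp/domain-tcp are Check Point's
# predefined DNS services; they are what a rule with only http/https lacks.
# Track is set to Log so the rule's hits show up while you test.
add_wsus_egress_rule() {
    mgmt_cli -s "$SID_FILE" add access-rule layer "Network" position "top" \
        name "WSUS egress" \
        source "$WSUS_HOST" destination "Any" \
        service.1 "domain-udp" service.2 "domain-tcp" \
        service.3 "http" service.4 "https" \
        action "Accept" track.type "Log"
}

# Step 2: automatic Hide NAT behind the gateway for the internal network, so
# replies to connections the WSUS host opens come back to the gateway's
# external IP and are translated back to the originating host.
set_hide_nat() {
    mgmt_cli -s "$SID_FILE" set network name "$INTERNAL_NET" \
        nat-settings.auto-rule true \
        nat-settings.method "hide" \
        nat-settings.hide-behind "gateway" \
        nat-settings.install-on "All"
}

# The "DNS Server" checkbox under Server Configuration marks an object as a DNS
# server. The WSUS host is a DNS client, so keep that flag off on its object.
clear_dns_server_flag() {
    mgmt_cli -s "$SID_FILE" set host name "$WSUS_HOST" host-servers.dns-server false
}

# Step 3: publish the session and push the access policy to the gateway.
publish_and_install() {
    mgmt_cli -s "$SID_FILE" publish
    mgmt_cli -s "$SID_FILE" install-policy policy-package "$POLICY_PKG" \
        targets.1 "$GATEWAY" access true threat-prevention false
}

apply_all() {
    # "mgmt_cli login" prompts for the password; nothing is embedded here.
    mgmt_cli login user "$MGMT_USER" > "$SID_FILE" || return 1
    add_wsus_egress_rule && set_hide_nat && clear_dns_server_flag && publish_and_install
    rc=$?
    mgmt_cli -s "$SID_FILE" logout
    rm -f "$SID_FILE"
    return $rc
}

# Steps 4 and 5: check name resolution. Run nslookup on the WSUS host first
# (from cmd on Windows); if it fails there, run this in the gateway's expert
# shell. Resolution working on the gateway but not on the host points at the
# rulebase or NAT rather than at the DNS servers themselves.
verify_dns() {
    nslookup "$FQDN" > /dev/null 2>&1
}

# On the gateway: print kernel drops involving the WSUS host while the update
# job runs, which shows which rule (or the missing NAT) is dropping it.
show_drops() {
    [ -n "$WSUS_IP" ] || { echo "set WSUS_IP first" >&2; return 1; }
    fw ctl zdebug + drop | grep "$WSUS_IP"
}

case "${1:-}" in
    apply)  apply_all ;;
    verify) verify_dns && echo "$FQDN resolves" ;;
    drops)  show_drops ;;
    *)      printf 'usage: %s apply|verify|drops\n' "$0" >&2 ;;
esac
```

Run `sh wsus_egress.sh apply` on the management server, then `verify` and `drops` in the gateway's expert shell. The rule is placed at the top of the Network layer only to keep the test unambiguous; in production put it above the cleanup rule with the narrowest destination the update job actually needs, and drop the Log track back to whatever your logging policy requires once it works.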
Enyi_Ajoku
Collaborator

This seems to be getting me a step ahead. I also wanted to add that in the host object I created, I checked DNS Server in Server Configuration and included all the public DNS IPs in the Authorization Domain List.

Vladimir
Champion

DO NOT DO THIS IN THE PROPERTIES OF YOUR WSUS OBJECT:

This setting is for DNS servers only.

Enyi_Ajoku
Collaborator

Everything seems to be working fine with my earlier setup, but I will observe our infrastructure to see if all is well in other segments. Thank You

Enyi_Ajoku
Collaborator

Just curious, but what does this do?

Vladimir
Champion

It hides your internal network or host behind external interface of the gateway performing port NAT, so that replies to the host initiating traffic will reach the gateway and will be routed back to the host that originated the traffic.

I'd suggest using the "?" mark when you are trying to figure out what things are for:
