Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
checkgsingh
Participant

Restricting internet access to WSUS (Windows Update) Only

We are on R80.30 Take 227. We would like to restrict Internet access from server hosts to WSUS (Windows update) only. 

Windows update communicates on port 80 and 443 and as we want to restrict internet traffic from specific server hosts I found Microsoft has list of URLs published that needs to allowed in order to get windows update but they are either FQDN's or Wildcard FQDN's.

How can we achieve this on CP Gateway, a easier way I thought was by creating a network layer policy to only allow recommended URL's for windows update (refer below article) from the server hosts. But looks like R80.30 have limitation for having such objects. Also there is no updatable objects that is specified for WSUS we can use.

Also, I have read sk117432 which states that by default, WSUS 6.2 and later (at least Windows Server 2012) uses TCP port 8530 for HTTP traffic and TCP port 8531 for HTTPS traffic. Meaning, the predefined Check Point services 'http' and 'https' are not enough for this traffic to pass. So, I understand that we need to allow these ports aswell. I am looking for the best possible way we can achieve this.


Reference:
https://docs.microsoft.com/en-us/answers/questions/284387/windows-update-ports.html
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy...

0 Kudos
1 Reply
PhoneBoy
Admin
Admin

Have you tried the pre-defined application we have for this?

image.png

If you also need TCP port 8350 and 8351, you will have to create TCP services for these ports and add to add them to this configuration:

image.png

0 Kudos