rotto841
Explorer

Can't Connect To Windows Update

Hi everyone, we've restricted our Windows domain controllers from accessing the internet and I've been asked to allow Windows Update to function. I tried creating a rule with the Windows Update and Update Optimization applications with the source of our domain controllers to destination internet (DNS and such is a different rule), but no dice.

So I updated the rule and created a network group using this page from Microsoft and added http and https. Yet we still can't connect. I just see random IP addresses from Microsoft dropping. I know that Check Points aren't great when it comes to resolving wildcard domain names.

It's unfortunate that more updatable objects are available for download in this situation, but I'm kind of banging my head at this now and wanted to post something to see if anyone else had luck opening the required URLs and such for Windows Update to function.

Thanks for reading.


0 Kudos
5 Replies
PhoneBoy
Admin
Admin

Hi, couple comments:

1. FQDN Domain Objects won't work here since you need to resolve for all *.download.microsoft.com instead of just .download.microsoft.com.
2. Updatable Objects are dependent on the underlying vendor (in this case Microsoft) providing the relevant information in a programmatically readable way so it can be consumed by our gateways.
3. "Windows Update" and the services http/https are redundant insofar as they both include http/https.

You can include the relevant domains in a Custom Application/Site object, which will be used as a service.
This requires: R80.40+, Categorize HTTPS Inspection enabled (it is by default), and App Control.


0 Kudos
the_rock
Legend
Legend

Easiest way I always found to fix this issue is to add a custom URL filtering group with *microsoft* and *windowsupdate* in it and don't even bother with updatable objects. Push policy, problem solved.

Reap the benefits : - )

Andy

0 Kudos
momoo168
Explorer

Hi Rock,

I too have to disable an internet rule that will impact Windows updates. I need to find a solution to block all internet traffic and only allow Windows updates to continue.

When I tried to add the custom domain into the URL filtering, it kept saying the domain must start with a "."

Any pointers?

I'm new and learning.

Thanks,

0 Kudos
PhoneBoy
Admin
Admin

A Domain object does not work in the way you are attempting to use it.
What we're discussing is a Custom Application/Sites object, where this IS allowed.
However, doing it in a wildcard fashion like this will allow stuff you probably do not want to allow.

There are a couple of Updatable Objects that might be useful here:

  • Microsoft Updates -- HTTPS Bypass
  • Microsoft Updates -- SmartAccel

See: https://support.checkpoint.com/results/sk/sk131852 

0 Kudos
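To make the over-breadth point from the two replies above concrete (a *microsoft* / *windowsupdate* wildcard group versus an explicit suffix allow-list in a Custom Application/Site object), here is an added Python example. It is not code from the thread, from Check Point, or from Microsoft: the hostnames are constructed samples, and the two matching functions are a simplified model of glob-style wildcard matching and dot-anchored suffix matching, not the gateway's real URL Filtering engine.

```python
import fnmatch

# Constructed sample hostnames (assumption: not taken from the thread).
# The first four stand in for typical update endpoints; the rest contain
# the substring "microsoft" but are not update infrastructure at all.
SAMPLE_HOSTS = [
    "download.windowsupdate.com",
    "au.download.windowsupdate.com",
    "windowsupdate.microsoft.com",
    "dl.delivery.mp.microsoft.com",
    "microsoft-support.example",        # constructed look-alike host
    "login.microsoft.evil.example",     # constructed look-alike host
    "teams.microsoft.com",              # real vendor, but not update traffic
]

# The broad approach from the thread: substring-style wildcards.
BROAD_WILDCARDS = ["*microsoft*", "*windowsupdate*"]

# A narrow allow-list modelled on the Custom Application/Site approach:
# a leading dot means "this domain and any subdomain", otherwise exact host.
# (Constructed list for illustration, not Microsoft's published endpoint list.)
NARROW_SUFFIXES = [
    ".windowsupdate.com",
    ".update.microsoft.com",
    "windowsupdate.microsoft.com",
    ".delivery.mp.microsoft.com",
]


def normalize(host: str) -> str:
    """Lower-case and strip a trailing root dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")


def matches_broad(host: str) -> bool:
    """True if any glob-style wildcard matches anywhere in the hostname."""
    h = normalize(host)
    return any(fnmatch.fnmatchcase(h, pattern) for pattern in BROAD_WILDCARDS)


def matches_narrow(host: str) -> bool:
    """True only for an exact host or a label-aligned subdomain of a suffix.

    The dot anchoring is the important edge case: ".update.microsoft.com"
    must NOT match "windowsupdate.microsoft.com", which merely ends with the
    same characters, so that host needs its own explicit entry.
    """
    h = normalize(host)
    for entry in NARROW_SUFFIXES:
        if entry.startswith("."):
            if h == entry[1:] or h.endswith(entry):
                return True
        elif h == entry:
            return True
    return False


def compare(hosts):
    """Map each host to (allowed_by_broad_rule, allowed_by_narrow_rule)."""
    return {h: (matches_broad(h), matches_narrow(h)) for h in hosts}


def over_permitted(hosts):
    """Hosts the broad wildcard group lets through that the allow-list would not."""
    return sorted(h for h in hosts if matches_broad(h) and not matches_narrow(h))


if __name__ == "__main__":
    for host, (broad, narrow) in compare(SAMPLE_HOSTS).items():
        print(f"{host:35} broad={broad!s:5} narrow={narrow}")
    print("permitted only by the wildcard group:", over_permitted(SAMPLE_HOSTS))
```

Running it lists three hosts that the wildcard group permits and the suffix list does not (the two constructed look-alikes and a non-update Microsoft service), which is the gap the "will allow stuff you probably do not want" remark refers to; the narrow list needs maintaining against the vendor's published endpoints, which is exactly what an Updatable Object is meant to take off your hands.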
the_rock
Legend
Legend

Forgot to say, this is important: you do need the blades @PhoneBoy mentioned enabled on the gateway.

Andy

0 Kudos
