This is a discussion on Re: Windows Update within the IPFilter forums, part of the System Security and Security Related category.
Not tried transparent proxying and SSL. That may be an issue.

Tom

Rolando Morales wrote:

> I could use SUS, but it only fixes half my problem since half my users still
> use Win98, which isn't supported by SUS. Yes, I'm using transparent proxying
> with Squid using the rdr command:
>
>     rdr xl0 0/0 port 80 -> 127.0.0.1 port 3128 tcp
>
> Rolando
>
> ----- Original Message -----
> From: "David Spezialie" <dspezialie@netspace.net.au>
> To: "Rolando" <rolandomorales@torengineering.com>
> Cc: <ipfilter@coombs.anu.edu.au>
> Sent: Wednesday, October 01, 2003 12:59 AM
> Subject: RE: Windows Update
>
>> Dear Rolando,
>>
>> Are you running your proxy server in a transparent fashion? If so, you are
>> right that you cannot proxy 443 (man-in-the-middle attack situation), but if
>> you are using a normal proxy configuration [ CLIENT -> PROXY:8080 ] then the
>> request is still going to go through the proxy server, so the ACLs will
>> still work.
>>
>> I understand that the WUS changes IPs as it goes to SSL, but you will have
>> to watch your ipmon logs to see what is getting blocked going to WUS on
>> port 443.
>>
>> I know this is a little 'hit and miss', but that's Micro$oft!
>>
>> You might want to look at the Windows Update Services to update your
>> Windows boxes from a central location.
>>
>> <http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp>
>>
>> -david 8-)
>>
>> -----Original Message-----
>> From: Rolando [mailto:rolandomorales@torengineering.com]
>> Sent: Wednesday, 1 October 2003 17:19
>> Cc: ipfilter@coombs.anu.edu.au
>> Subject: Re: Windows Update
>>
>> I do have Squid running, but it does not proxy port 443. I don't believe
>> this could be done, can it? My users can get to the Windows Update web site
>> (port 80), but when it searches for updates it fails due to the fact it is
>> now using https (port 443) and not the same server. Then it tries to
>> download the updates and it fails again. It uses yet again another server
>> and now is back to using port 80.
>>
>> Rolando
>>
>> ----- Original Message -----
>> From: "David Spezialie" <dspezialie@netspace.net.au>
>> To: "Rolando Morales" <RolandoMorales@torengineering.com>
>> Cc: <ipfilter@coombs.anu.edu.au>
>> Sent: Tuesday, September 30, 2003 6:27 PM
>> Subject: RE: Windows Update
>>
>> Dear Rolando,
>>
>> The easiest way to implement would be via Squid:
>>
>>     # squid.conf v2.5.STABLE3
>>     #================================================================
>>     # Allow windowsupdate.microsoft.com
>>     # and deny everything else
>>     acl windowsupdate dstdomain windowsupdate.microsoft.com
>>     http_access allow windowsupdate
>>     http_access deny all
>>     #================================================================
>>
>> Other than that, do a lookup on windowsupdate.microsoft.com and add the
>> relevant IPs to filter rules for port = '80' && port = '443'.
>>
>>     # /usr/bin/dig windowsupdate.microsoft.com
>>
>>     a822.cd.akamai.net. 19 IN A 63.211.153.87
>>     a822.cd.akamai.net. 19 IN A 63.211.153.89
>>     a822.cd.akamai.net. 19 IN A 63.211.153.94
>>     a822.cd.akamai.net. 19 IN A 63.211.153.95
>>     a822.cd.akamai.net. 19 IN A 63.211.153.102
>>     a822.cd.akamai.net. 19 IN A 63.211.153.111
>>     a822.cd.akamai.net. 19 IN A 63.211.153.70
>>     a822.cd.akamai.net. 19 IN A 63.211.153.79
>>     a822.cd.akamai.net. 19 IN A 63.211.153.80
>>
>> Hope this helps you out ...
>>
>> --
>>
>> -david
>> <dspezialie(at)netspace.net.au>
>>
>> "By the time they had diminished from 50 to 8, the other dwarves began to
>> suspect Hungry." -- a Larson cartoon
>>
>> -----Original Message-----
>> From: Rolando Morales [mailto:RolandoMorales@torengineering.com]
>> Sent: Wednesday, 1 October 2003 09:24
>> To: ipfilter@coombs.anu.edu.au
>> Subject: Windows Update
>>
>> I'm looking to allow my users (Windows based) to use Windows Update anytime
>> of the day, even when they are not allowed to cruise the web. My problem is,
>> I don't know all the IP addresses that Microsoft is using. Does anyone else
>> have this problem? Is there a way to track this info down?
>>
>> Rolando
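An added example, not code from any of the posts above, for David's second suggestion: resolve the Windows Update hostname and turn the addresses into IPFilter rules for ports 80 and 443. It reads dig-style output on stdin and emits ipf `pass` rules. The sample records are the first three lines copied from David's dig output, the interface name xl0 is taken from Rolando's rdr rule, and the assumption that the rest of the ruleset blocks outbound web traffic by default is mine, not the thread's. Two caveats a practitioner would want: the 19-second TTL on those Akamai records means the address set rotates under you (David's "WUS changes IPs"), so a rule file generated this way has to be regenerated on a schedule and reloaded rather than written once; and because the transparent rdr only catches port 80, these rules are what lets the HTTPS leg out at all, so they must be generated for every hostname ipmon shows being blocked, not just windowsupdate.microsoft.com.

```shell
#!/bin/sh
# Added example (not from the thread): turn the A records that dig returns
# for a Windows Update hostname into IPFilter pass rules for TCP 80 and 443.
#
# Assumptions, none of which the thread states beyond the rdr rule:
#   - the outside interface is xl0 (from Rolando's "rdr xl0 ..." rule)
#   - the generated file is loaded with ipf(8) alongside a ruleset that
#     otherwise blocks outbound web traffic
#   - ipf.conf rule syntax: pass out quick on IF proto tcp from any to
#     ADDR/32 port = PORT flags S keep state

# Sample dig output, copied from David's post. TTL 19 seconds: these
# Akamai records rotate quickly, so anything generated from them goes
# stale unless it is regenerated on a schedule.
SAMPLE_DIG='a822.cd.akamai.net. 19 IN A 63.211.153.87
a822.cd.akamai.net. 19 IN A 63.211.153.89
a822.cd.akamai.net. 19 IN A 63.211.153.94'

# extract_a_records: one IPv4 address per line for every A record in
# dig-style output. CNAME records, the ";name. IN A" question line and
# ";;" comment lines never have IN in field 3 and A in field 4, so they
# fall through without being emitted.
extract_a_records() {
    awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# gen_rules IFACE: read dig output on stdin, write one pass rule per
# (address, port) pair so clients behind IFACE can reach TCP 80 and 443
# on exactly the resolved addresses and nothing else.
gen_rules() {
    iface="$1"
    extract_a_records | sort -u | while read -r ip; do
        for port in 80 443; do
            printf 'pass out quick on %s proto tcp from any to %s/32 port = %s flags S keep state\n' \
                "$iface" "$ip" "$port"
        done
    done
}

# count_rules IFACE: number of rules gen_rules would emit (two per address);
# handy as a sanity check before reloading the firewall with an empty file
# because a DNS lookup failed.
count_rules() {
    gen_rules "$1" | wc -l | tr -d ' '
}

# Live use (needs network), e.g. from cron every few minutes, then reload:
#   dig +noall +answer windowsupdate.microsoft.com | gen_rules xl0 > /etc/ipf.windowsupdate
# Offline demonstration on the sample copied from the post:
printf '%s\n' "$SAMPLE_DIG" | gen_rules xl0
```

Run the same generator once per hostname that shows up blocked on 443 in the ipmon logs, concatenate the outputs into one file, and refuse to reload if `count_rules` comes back as 0, otherwise a transient resolver failure turns into an outage for every client.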