Cisco PIX to allow Windows update

By trainer4063 ·
Have a WAN. Use Cisco routers with Cisco PIX firewall. Have blocked all general internet traffic. Would like to allow WindowsUpdate for the desktops in the network without having to interface with the PIX and allow all internet traffic. Microsoft does not have static IPs for their servers so cannot create static access list to allow access to Microsoft. Any ideas?

by lee.newman In reply to Cisco PIX to allow Window ...

Why are you blocking all outbound traffic to the internet? I would suggest opening up access to Microsoft periodically so you can do updates on your PCs, then turn it off if you can't leave it open. You might give Microsoft a call and find out if there is a range of addresses you can temp. open up while you update your PCs. Other than that, maybe Microsoft can send you CDs with the latest updates, which of course require you to touch all your PCs. Good luck.

by trainer4063 In reply to

I take it there is no way to have the Cisco PIX firewall use a domain name like windows.com or microsoft.com instead of using fixed IP addresses?

by mshavrov In reply to Cisco PIX to allow Window ...

How many clients do you have? Microsoft has a product which allows you to download all required updates to one server, and then all PCs connect to that server using the standard Windows mechanism to get updates.

Michael Shavrov
MCSE W2K, MCSE+I, Security+, CCNP, CCDP, CCSP, Cisco Voice, etc...

by trainer4063 In reply to

I have up to 200 computers on the WAN running everything from Windows 98, 2000 Pro, 2000 Server, 2003 Server, Windows XP.

by CG IT In reply to Cisco PIX to allow Window ...

This isn't a suggestion but some general comments to some suggestions: Cisco access routers use access lists and they are a pain in the butt to reconfigure on a periodic basis. Just not worth the grief and aggravation.

My suggestion is to use Software Update Service [or the beta, soon to be released, copy of Windows Update Service]. Works just like Windows Update, you schedule sync with MS servers and you can create an allow all port entry for it on the PIX and it doesn't leave an application open port after sync.

by CG IT In reply to Cisco PIX to allow Window ...

Here's my 2 cents. Use Software Update Service if you have that many clients with that kind of mix [or try the beta of Windows Update Service].

Windows Update Service runs just like Windows Update except clients pull [or you push] hotfixes, service packs, blah blah off your server rather than theirs. You can configure your PIX to allow all <specified port> without having to use route and set your schedule for WUS server to sync with MS's servers.

by CG IT In reply to

Simplistic answer, but it's a heck of a lot better than 200+ clients staggered over a period of time to go out on the internet looking for Windows Updates.
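
The approach suggested in the posts above, sketched as a PIX access list. This is an added example, not part of the original thread or any poster's configuration: the address 10.1.1.10, the ACL name `inside_out`, and the assumption that the update server syncs over HTTP/HTTPS and resolves names through external DNS are all hypothetical.

```cisco
: Added example. Assumptions: 10.1.1.10 is a hypothetical internal SUS/WUS
: server, "inside_out" is a hypothetical ACL name, and the server syncs with
: Microsoft over HTTP/HTTPS and resolves names through external DNS.

: Too broad: every desktop can reach any web server on the internet.
: access-list inside_out permit tcp any any eq www

: Narrower: only the update server may leave the network.
access-list inside_out permit udp host 10.1.1.10 any eq domain
access-list inside_out permit tcp host 10.1.1.10 any eq www
access-list inside_out permit tcp host 10.1.1.10 any eq https
: Everything else from the inside stays blocked (the ACL's implicit deny
: would do this too; the explicit line makes hit counts visible).
access-list inside_out deny ip any any

: Bind the ACL to traffic entering the inside interface.
access-group inside_out in interface inside
```

After a scheduled sync, `show access-list inside_out` lists a hit count per entry, so hits on the final deny line show traffic from hosts other than the update server being blocked.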

by deyev In reply to Cisco PIX to allow Window ...

If you speak about PIX, you have to study the filter java and filter activex commands. You can except an IP address for the filter.

PIX works with IP addresses only.

by trainer4063 In reply to Cisco PIX to allow Window ...

This question was closed by the author
