We have a set of public web servers behind a firewall we would like to be able to perform Windows Updates on, without giving them more access than they need.
Besides www.update.microsoft.com:443, what other host names and ports would need to be unblocked for Windows Updates to work?
From http://technet.microsoft.com/en-us/library/cc708605(WS.10).aspx This is what's needed to get WSUS working through your firewall (which IMHO you should definitely think about if you have more than 10 clients). This should be the same for a regular client box to access the MS servers.
Configure the Firewall Between the WSUS Server and the Internet
If there is a corporate firewall between WSUS and the Internet, you might need to configure the firewall to ensure that WSUS can obtain updates.
To configure your firewall
If there is a corporate firewall between WSUS and the Internet, you might need to configure that firewall to ensure that WSUS can obtain updates. To obtain updates from Microsoft Update, the WSUS server uses port 80 for HTTP protocol and port 443 for HTTPS protocol. This is not configurable.
If your organization does not allow those ports and protocols open to all addresses, you can restrict access to only the following domains so that WSUS and Automatic Updates can communicate with Microsoft Update:
- http://windowsupdate.microsoft.com
- http://*.windowsupdate.microsoft.com
- https://*.windowsupdate.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://*.windowsupdate.com
- http://download.windowsupdate.com
- http://download.microsoft.com
- http://*.download.windowsupdate.com
- http://wustat.windows.com
- http://ntservicepack.microsoft.com
The steps for configuring the firewall above are meant for a corporate firewall positioned between WSUS and the Internet. Because WSUS initiates all its network traffic, there is no need to configure Windows Firewall on the WSUS server. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port.
To configure the firewall for software updates
Configure the firewall to allow communication over HTTP and HTTPS ports (80 and 443).
Make sure you're allowing all of the Windows Update URLs. Here is a list of URLs you'll also want to make sure are allowed:
URLs:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://*.download.windowsupdate.com
As the URLs have changed a bit since the accepted answer, I'll post the latest info as of this time below.
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://ntservicepack.microsoft.com
http://dl.delivery.mp.microsoft.com
Done this today. Need to ad more URL:
fe2.update.microsoft.com*
( Couldnt add that to my firewall so i went with: fe2.update.microsoft.com.nsatc.net) and as far as it seems theres no more need for port 80
Found here: https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1903-non-enterprise-editions
We've had issues with our proxy and Windows update and they recommended:
download.windowsupdate.com
windowsupdate.com
c.microsoft.com
update.microsoft.com
windowsupdate.microsoft.com
Ports should just be 80 and 443 I think. You might need to open BITS if that uses a different port.
I would suggest adding *.microsoft.com as a hostname if the software supports it and with regards to ports you should only need port 80 and 443.
