I am running a LEAF Bering firewall with a DMZ at one of my client's sites.

The client has a Windows IIS server set up in the DMZ. The DMZ rules block all outgoing connections on all ports.

The client wants to be able to run Windows Update on the server, which uses ports 80 and 443. However, opening all port 80 and 443 connections from the server to the net zone is not an option, since we want to protect the server from malicious "call home" trojans and viruses. What we would like to do is to open port 80 and 443 connections to specific Microsoft Windows Update web sites. However, I understand that Windows Update uses a round-robin load balancing technique for its Windows Update servers, so there are multiple IP addresses/host names which could be called during different Windows Update cycles.

I realize that I could use squid and its whitelists to deal with this, but installing squid is not an option. Also, temporarily opening ports 80 and 443 to the full net zone while Windows Update runs is not an option.

Has anybody found an elegant way to solve this problem? I am sure that I am not the only one who has run into this.

I am not subscribed to the list, so I would appreciate being copied on your responses to the list.
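One way to approach the host-specific whitelist the post asks about, as an added example that is not part of the original post and not code from LEAF or Shorewall: resolve every A record of each whitelisted hostname (so that all members of a round-robin set are covered) and emit one Shorewall-style ACCEPT rule per resolved address. It assumes Bering's rules use the Shorewall `ACTION SOURCE DEST PROTO DEST PORT(S)` column layout, and the hostnames, the DMZ server address and the resolver used in testing are constructed placeholders.

```python
"""Generate per-address egress whitelist rules for a DMZ host.

Added example, not from the original post. Hostnames and addresses below are
constructed placeholders; replace them with the real update hosts in use.
"""
import socket

# Constructed placeholders for the update hosts that should be reachable.
WHITELIST_HOSTS = ["update.example.invalid", "download.example.invalid"]
DMZ_SERVER = "192.0.2.10"          # constructed placeholder for the IIS server
PORTS = (80, 443)                  # the ports the post says Windows Update uses


def default_resolver(hostname):
    """Return the set of all IPv4 addresses published for hostname.

    getaddrinfo returns every A record, so each round-robin member is included
    rather than just the one the OS happened to pick first.
    """
    return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}


def resolve_all(hostname, resolver=None):
    """Resolve hostname to a sorted list of addresses (resolver is injectable for offline use)."""
    resolver = resolver or default_resolver
    return sorted(resolver(hostname))


def build_rules(hosts, dmz_ip, ports, resolver=None):
    """Build Shorewall-style ACCEPT rules from DMZ host to each resolved address.

    Only the listed destinations are opened; everything else from the DMZ host
    is still covered by the existing deny-all DMZ policy, so no DROP rule is
    generated here. Assumes the Shorewall rules-file column layout.
    """
    port_list = ",".join(str(p) for p in ports)
    rules = []
    for host in hosts:
        for addr in resolve_all(host, resolver):
            rules.append(f"ACCEPT dmz:{dmz_ip} net:{addr} tcp {port_list}")
    return rules


if __name__ == "__main__":
    # Live resolution; will fail offline because the placeholder names do not exist.
    for line in build_rules(WHITELIST_HOSTS, DMZ_SERVER, PORTS):
        print(line)
```

A resolved list is only as current as the last DNS lookup: if the update servers rotate addresses, the generated rules go stale, so the generator needs to run on a schedule and the firewall must be reloaded after each run. Address-level rules also cannot distinguish an update download from any other traffic to the same host, so the "call home" protection is limited to destinations, not content.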