Windows update....

Discussion in 'NZ Computing' started by Biggles, Dec 10, 2003.

  1. Biggles

    Biggles Guest

    I telehouse a win2000 server box and with the tight local security policy
    (aka firewall) in place, I have trouble with windows update.....in fact, I
    disable the firewall whenever I CHECK for updates....this also means the
    auto update feature will not work.

    Anyone have any ideas of the ports that need to be opened (By default I have
    incoming and outgoing ports blocked) in order to operate windows update?

    Thanks
    John
    Email: @ihug.co.nz with 'file-it' in front
     
    Biggles, Dec 10, 2003
    #1

  2. Biggles

    Enkidu Guest

    On Thu, 11 Dec 2003 10:56:28 +1300, "Biggles" <>
    wrote:

    >I telehouse a win2000 server box and with the tight local security policy
    >(aka firewall) in place, I have trouble with windows update.....in fact, I
    >disable the firewall whenever I CHECK for updates....this also means the
    >auto update feature will not work.
    >
    >Anyone have any ideas of the ports that need to be opened (By default I have
    >incoming and outgoing ports blocked) in order to operate windows update?
    >

    Why are you blocking outgoing ports? WindowsUpdate will work fine
    through a firewall if it can get out. I don't think that it uses
    anything other than port 80, but I'm not sure.

    Cheers,

    Cliff
    --

    The complete lack of evidence is the surest sign
    that the conspiracy is working.
     
    Enkidu, Dec 10, 2003
    #2

  3. Biggles

    Biggles Guest

    "Enkidu" <> wrote in message
    > Why are you blocking outgoing ports?

    Being windows and taking their history into account, I prefer to block all
    ports, this way, *should* something infect it, it will have difficulty
    infecting other machines on the internet.

    I would guess it is also good practice to do this, and I can sleep at night
    knowing that the only ports open (as far as I know anyway) are the ones I
    chose to have open.
     
    Biggles, Dec 10, 2003
    #3
  4. Biggles

    Biggles Guest

    Found the problem........
    Windows update seems to need the HTTPS port (TCP port 443) for incoming
    traffic.

    -John
     
    Biggles, Dec 11, 2003
    #4
  5. Biggles

    Enkidu Guest

    On Thu, 11 Dec 2003 13:05:11 +1300, "Biggles" <>
    wrote:
    >
    >Found the problem........
    >Windows update seems to need the HTTPS port (TCP port 443) for incoming
    >traffic.
    >

    ?? What do you mean? When a connection is made *from* your machine it
    goes out TO a machine which is listening on port 443 FROM a random
    high numbered port on your machine. The reply should come FROM a
    machine on port 443 TO your high numbered port.

    I can understand that you might need to allow an outgoing request TO a
    listener on port 443, but you should not be listening on port 443.

    Cheers,

    Cliff
    --

    The complete lack of evidence is the surest sign
    that the conspiracy is working.
     
    Enkidu, Dec 11, 2003
    #5
  6. Biggles

    Biggles Guest

    "Enkidu" <> wrote in message
    news:...
    > On Thu, 11 Dec 2003 13:05:11 +1300, "Biggles" <>
    > wrote:
    > >
    > >Found the problem........
    > >Windows update seems to need the HTTPS port (TCP port 443) for incoming
    > >traffic.
    > >

    > ?? What do you mean? When a connection is made *from* your machine it
    > goes out TO a machine which is listening on port 443 FROM a random
    > high numbered port on your machine. The reply should come FROM a
    > machine on port 443 TO your high numbered port.
    >
    > I can understand that you might need to allow an outgoing request TO a
    > listener on port 443, but you should not be listening on port 443.
    >
    > Cheers,
    >
    > Cliff
    > --
    >
    > The complete lack of evidence is the surest sign
    > that the conspiracy is working.


    I think I have it set up right.
    It allows a connection from port 443 on any IP to any Port on my IP.
    It is not a mirrored connection
     
    Biggles, Dec 11, 2003
    #6
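
Added example (not part of any post in this thread): a small Python model of the inbound rule described in post #6, next to a filter that tracks outgoing connections the way the exchange is described in post #5. The addresses, the outbound-to-443 rule, local port 25 and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the server
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed documentation addresses, not taken from the thread.
SERVER = "192.0.2.10"     # the telehoused server
UPDATE = "198.51.100.20"  # stand-in for an update host listening on 443
OTHER = "203.0.113.99"    # unrelated remote host

def stateless_allows(pkt):
    """Rule as worded in post #6: inbound is allowed from source port 443
    on any IP to any local port. Outbound to 443 is an assumed companion rule."""
    if pkt.direction == "out":
        return pkt.dst_port == 443
    return pkt.src_port == 443

class StatefulFilter:
    """Allows outbound to 443 and only the replies to those connections."""
    def __init__(self):
        self.flows = set()

    def allows(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port != 443:
                return False
            # Remember the exact four-tuple of the outgoing connection.
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound passes only if it mirrors a recorded outgoing connection.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows

def evaluate():
    """Return {name: (stateless verdict, stateful verdict)} for three packets."""
    packets = [
        # Server opens a connection from a high port to the update host.
        ("request", Packet("out", SERVER, 3012, UPDATE, 443)),
        # The reply comes back from port 443 to that same high port.
        ("reply", Packet("in", UPDATE, 443, SERVER, 3012)),
        # Unsolicited packet from an unrelated host that merely uses
        # source port 443, aimed at a local service port.
        ("unsolicited", Packet("in", OTHER, 443, SERVER, 25)),
    ]
    stateful = StatefulFilter()
    return {name: (stateless_allows(p), stateful.allows(p)) for name, p in packets}

if __name__ == "__main__":
    for name, (stateless, stateful) in evaluate().items():
        print(f"{name:12} stateless={stateless!s:5} stateful={stateful}")
```

Both filters pass the request and its reply; only the source-port rule also passes the unsolicited packet, because it matches on the remote port alone rather than on a connection the server started.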
  7. Biggles

    SNOman Guest

    Biggles wrote:

    > I telehouse a win2000 server box and with the tight local security policy
    > (aka firewall) in place, I have trouble with windows update.....in fact, I
    > disable the firewall whenever I CHECK for updates....this also means the
    > auto update feature will not work.
    >
    > Anyone have any ideas of the ports that need to be opened (By default I have
    > incoming and outgoing ports blocked) in order to operate windows update?
    >
    > Thanks
    > John
    > Email: @ihug.co.nz with 'file-it' in front
    >
    >

    Windows update is a pain.

    Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    Lite. You will be able to use this with 1 server and 10 workstations for
    free. I use the fully purchased product and it is great. In fact
    Microsoft licenses their update technology from Shavlik :)
     
    SNOman, Dec 11, 2003
    #7
  8. Biggles

    Biggles Guest

    "SNOman" <> wrote in message
    news:br8hri$32s$...
    > Biggles wrote:
    >
    > > I telehouse a win2000 server box and with the tight local security policy
    > > (aka firewall) in place, I have trouble with windows update.....in fact, I
    > > disable the firewall whenever I CHECK for updates....this also means the
    > > auto update feature will not work.
    > >
    > > Anyone have any ideas of the ports that need to be opened (By default I have
    > > incoming and outgoing ports blocked) in order to operate windows update?
    > >
    > > Thanks
    > > John
    > > Email: @ihug.co.nz with 'file-it' in front
    > >
    > >

    > Windows update is a pain.
    >
    > Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    > Lite. You will be able to use this with 1 server and 10 workstations for
    > free. I use the fully purchased product and it is great. In fact
    > Microsoft licenses their update technology from Shavlik :)
    >


    It is the server itself I am trying to update.
    This is a telehoused web/mail/other app server
     
    Biggles, Dec 11, 2003
    #8
  9. Biggles

    T-Boy Guest

    In article <br8hri$32s$>,
    says...
    > Biggles wrote:
    >
    > > I telehouse a win2000 server box and with the tight local security policy
    > > (aka firewall) in place, I have trouble with windows update.....in fact, I
    > > disable the firewall whenever I CHECK for updates....this also means the
    > > auto update feature will not work.
    > >
    > > Anyone have any ideas of the ports that need to be opened (By default I have
    > > incoming and outgoing ports blocked) in order to operate windows update?
    > >
    > > Thanks
    > > John
    > > Email: @ihug.co.nz with 'file-it' in front
    > >
    > >

    > Windows update is a pain.
    >
    > Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    > Lite. You will be able to use this with 1 server and 10 workstations for
    > free. I use the fully purchased product and it is great. In fact
    > Microsoft licenses their update technology from Shavlik :)


    Chit when's the last time you used it :) It's called HfNetChk Pro V4
    now. (They've changed the limitations and the name - the 'lite' version
    is still 'Pro' - and requires an activation key (done if you put a real
    email addy in the 'sign up n' download it' form).

    'tis indeed an excellent product - more suited to networks - but still
    indeed very valuable IMO for the more clued up home users.

    More 'simpler' windows users should probably stick to checking for
    Windows updates every 2nd Wed of the month (yep, that's yesterday) - (no
    updates issued by MS for December, BTW)...
    http://www.microsoft.com/technet/security/news/morenews.asp


    --
    Duncan
     
    T-Boy, Dec 11, 2003
    #9
  10. Biggles

    T-Boy Guest

    In article <br8i5n$3ds$>, says...
    > "SNOman" <> wrote in message
    > news:br8hri$32s$...
    > > Biggles wrote:
    > >
    > > > I telehouse a win2000 server box and with the tight local security policy
    > > > (aka firewall) in place, I have trouble with windows update.....in fact, I
    > > > disable the firewall whenever I CHECK for updates....this also means the
    > > > auto update feature will not work.
    > > >
    > > > Anyone have any ideas of the ports that need to be opened (By default I have
    > > > incoming and outgoing ports blocked) in order to operate windows update?
    > > >
    > > > Thanks
    > > > John
    > > > Email: @ihug.co.nz with 'file-it' in front
    > > >
    > > >

    > > Windows update is a pain.
    > >
    > > Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    > > Lite. You will be able to use this with 1 server and 10 workstations for
    > > free. I use the fully purchased product and it is great. In fact
    > > Microsoft licenses their update technology from Shavlik :)
    > >

    >
    > It is the server itself I am trying to update.
    > This is a telehoused web/mail/other app server


    Shavlik's HfNetChk Pro is ideally suited to patching Servers. I use it
    like thus:
    * get HfNetChk to id the patches required.
    * get HfNetChk to dl them
    * manually apply them to the Server (rather than getting HfNetChk to do
    it (although I do use the HfNetChk auto-deployment functionality to
    update wk.stations).

    HfNetChk can reside on any PC on the network (if yer worried about
    installing it on the Server)

    --
    Duncan
     
    T-Boy, Dec 11, 2003
    #10
  11. Biggles

    SNOman Guest

    T-Boy wrote:
    > In article <br8hri$32s$>,
    > says...
    >
    >>Biggles wrote:
    >>
    >>
    >>>I telehouse a win2000 server box and with the tight local security policy
    >>>(aka firewall) in place, I have trouble with windows update.....in fact, I
    >>>disable the firewall whenever I CHECK for updates....this also means the
    >>>auto update feature will not work.
    >>>
    >>>Anyone have any ideas of the ports that need to be opened (By default I have
    >>>incoming and outgoing ports blocked) in order to operate windows update?
    >>>
    >>>Thanks
    >>>John
    >>>Email: @ihug.co.nz with 'file-it' in front
    >>>
    >>>

    >>
    >>Windows update is a pain.
    >>
    >>Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    >>Lite. You will be able to use this with 1 server and 10 workstations for
    >>free. I use the fully purchased product and it is great. In fact
    >>Microsoft licenses their update technology from Shavlik :)

    >
    >
    > Chit when's the last time you used it :)


    When I used the lite version last it was called 'lite' :)

    I now use the full Pro product
     
    SNOman, Dec 11, 2003
    #11
  12. Biggles

    SNOman Guest

    Biggles wrote:

    > "SNOman" <> wrote in message
    > news:br8hri$32s$...
    >
    >>Biggles wrote:
    >>
    >>
    >>>I telehouse a win2000 server box and with the tight local security policy
    >>>(aka firewall) in place, I have trouble with windows update.....in fact, I
    >>>disable the firewall whenever I CHECK for updates....this also means the
    >>>auto update feature will not work.
    >>>
    >>>Anyone have any ideas of the ports that need to be opened (By default I have
    >>>incoming and outgoing ports blocked) in order to operate windows update?
    >>>
    >>>Thanks
    >>>John
    >>>Email: @ihug.co.nz with 'file-it' in front
    >>>
    >>>

    >>
    >>Windows update is a pain.
    >>
    >>Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    >>Lite. You will be able to use this with 1 server and 10 workstations for
    >>free. I use the fully purchased product and it is great. In fact
    >>Microsoft licenses their update technology from Shavlik :)
    >>

    >
    >
    > It is the server itself I am trying to update.
    > This is a telehoused web/mail/other app server
    >
    >

    Yeah, but you can update the server using this product. I update 7
    servers with the full product, including the server it is installed on.
     
    SNOman, Dec 11, 2003
    #12
  13. Biggles

    -{-astrae-}- Guest


    > Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    > Lite. You will be able to use this with 1 server and 10 workstations for
    > free. I use the fully purchased product and it is great. In fact
    > Microsoft licenses their update technology from Shavlik :)
    >


    Does anyone have a URL for the free version? Pain in the butt having to fill
    in the form etc...

    just call me lazy..
     
    -{-astrae-}-, Dec 11, 2003
    #13
  14. Biggles

    SNOman Guest

    -{-astrae-}- wrote:

    >>Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    >>Lite. You will be able to use this with 1 server and 10 workstations for
    >>free. I use the fully purchased product and it is great. In fact
    >>Microsoft licenses their update technology from Shavlik :)
    >>

    >
    >
    > Does anyone have a URL for the free version? Pain in the butt having to fill
    > in the form etc...
    >
    > just call me lazy..
    >
    >

    filling in the form gets you the license key for the free version. It's
    no big deal.
     
    SNOman, Dec 11, 2003
    #14
  15. Biggles

    SNOman Guest

    -{-astrae-}- wrote:

    >>Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    >>Lite. You will be able to use this with 1 server and 10 workstations for
    >>free. I use the fully purchased product and it is great. In fact
    >>Microsoft licenses their update technology from Shavlik :)
    >>

    >
    >
    > Does anyone have a URL for the free version? Pain in the butt having to fill
    > in the form etc...
    >
    > just call me lazy..
    >
    >

    Actually the url for bypassing the rego page is
    http://www.shavlik.com/downloads.aspx
     
    SNOman, Dec 11, 2003
    #15
  16. Biggles

    XPD Guest

    "SNOman" <> wrote in message
    news:br8ldo$5d8$...
    > -{-astrae-}- wrote:
    >
    > >>Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    > >>Lite. You will be able to use this with 1 server and 10 workstations for
    > >>free. I use the fully purchased product and it is great. In fact
    > >>Microsoft licenses their update technology from Shavlik :)
    > >>

    > >
    > >
    > > Does anyone have a URL for the free version? Pain in the butt having to fill
    > > in the form etc...
    > >
    > > just call me lazy..
    > >
    > >

    > Actually the url for bypassing the rego page is
    > http://www.shavlik.com/downloads.aspx
    >


    But you still require a license key for it.
     
    XPD, Dec 11, 2003
    #16
  17. Biggles

    SNOman Guest

    XPD wrote:

    > "SNOman" <> wrote in message
    > news:br8ldo$5d8$...
    >
    >>-{-astrae-}- wrote:
    >>
    >>
    >>>>Why don't you go to http://www.shavlik.com and checkout their HFNetChk
    >>>>Lite. You will be able to use this with 1 server and 10 workstations for
    >>>>free. I use the fully purchased product and it is great. In fact
    >>>>Microsoft licenses their update technology from Shavlik :)
    >>>>
    >>>
    >>>
    >>>Does anyone have a URL for the free version? Pain in the butt having to fill
    >>>in the form etc...
    >>>
    >>>just call me lazy..
    >>>
    >>>

    >>
    >>Actually the url for bypassing the rego page is
    >>http://www.shavlik.com/downloads.aspx
    >>

    >
    >
    > But you still require a license key for it.
    >
    >

    Yeah I know and that's what I told him in an earlier post.
     
    SNOman, Dec 11, 2003
    #17
  18. Biggles

    Dumdedo Guest

    On Thu, 11 Dec 2003 12:42:06 +1300, "Biggles" <> wrote:

    >"Enkidu" <> wrote in message
    >> Why are you blocking outgoing ports?

    >Being windows and taking their history into account, I prefer to block all
    >ports, this way, *should* something infect it, it will have difficulty
    >infecting other machines on the internet.
    >
    >I would guess it is also good practice to do this, and I can sleep at night
    >knowing that the only ports open (as far as I know anyway) are the ones I
    >chose to have open.
    >
    >




    Utter Paranoia..

    Do you hang Garlic in your rooms in case of Vampires..?
     
    Dumdedo, Dec 11, 2003
    #18
  19. Biggles

    Enkidu Guest

    On Thu, 11 Dec 2003 12:42:06 +1300, "Biggles" <>
    wrote:

    >"Enkidu" <> wrote in message
    >> Why are you blocking outgoing ports?

    >Being windows and taking their history into account, I prefer to block all
    >ports, this way, *should* something infect it, it will have difficulty
    >infecting other machines on the internet.
    >
    >I would guess it is also good practice to do this, and I can sleep at night
    >knowing that the only ports open (as far as I know anyway) are the ones I
    >chose to have open.
    >

    That is a belt and braces approach. It's good in that it prevents you
    infecting others should you become infected. However, with a firewall
    set up to stop all incoming requests (except the ones that you wish to
    receive) and decent virus protection you should not get hit. It's bad
    that you need to take action for every type of access that you need to
    make through the firewall.

    Only the biggest of organisations really need to control outgoing
    traffic, and that's only because it reflects so badly on the
    organisation.

    Cheers,

    Cliff
    --

    The complete lack of evidence is the surest sign
    that the conspiracy is working.
     
    Enkidu, Dec 11, 2003
    #19
  20. Biggles

    AD. Guest

    On Thu, 11 Dec 2003 17:12:37 +1300, Dumdedo wrote:

    > Utter Paranoia..
    >
    > Do you hang Garlic in your rooms in case of Vampires..?


    And how many web servers have you been responsible for Woger?

    Paranoia is a good thing for an internet server admin to have.

    Cheers
    Anton
     
    AD., Dec 11, 2003
    #20