Automatic Updates through a firewall

Guest

I am trying to keep the Windows 2000 Server SP4 Automatic Updates service functioning through an ISA firewall with IP packet filtering activated.
I noted that ISA packet filtering was dropping many outbound TCP packets with destination IP addresses of many Microsoft WU servers over many different subnetworks (e.g. 207.46.249.57, 207.46.134.90, 207.46.197.121, etc.) when Automatic Update is trying to contact an available server.
I tried to define an IP packet filter, finely tailored for the communication channel dedicated to guaranteeing Automatic Updates, but every time Automatic Update looks for patch availability, it looks on a different set of destination addresses, thus being blocked by ISA. This is making me crazy!
As a result, either I cannot use Automatic Updates notification and installation, or I have to leave my firewall wide open. I don't want either.

So, what IP packet filtering settings would be comprehensive enough to guarantee the workability of the Automatic Update service?
I want to get the automatic patch download and the notification when ready to install.

Thanks
Sergio.
 
Mike Perry

According to whois.arin.net the IP numbers that you listed belong to a
block of IP numbers from 207.46.0.0 to 207.46.255.255 - while MS might own
more than that block of IP numbers, I'd configure your ISA server to allow
communications with that block and then see if you have problems with others
after that. If you do, get the IP number in question and go to
whois.arin.net (type it in your browser as is and it will get redirected
appropriately) and identify the block of IPs that particular IP number is a
part of - opening up your ISA to this block should be reasonably safe if you
trust MS (smirk).

Sergio said:
I am trying to keep the Windows 2000 Server SP4 Automatic Updates service
functioning through an ISA firewall with IP packet filtering activated.
I noted that ISA packet filtering was dropping many outbound TCP packets
with destination IP addresses of many Microsoft WU servers over many
different subnetworks (e.g. 207.46.249.57, 207.46.134.90, 207.46.197.121,
etc.) when Automatic Update is trying to contact an available server.
I tried to define an IP packet filter, finely tailored for the
communication channel dedicated to guaranteeing Automatic Updates, but every
time Automatic Update looks for patch availability, it looks on a different
set of destination addresses, thus being blocked by ISA. This is making me
crazy!
As a result, either I cannot use Automatic Updates notification and
installation, or I have to leave my firewall wide open. I don't want
either.
So, what IP packet filtering settings would be comprehensive enough to
guarantee the workability of the Automatic Update service?
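
The triage described in Mike Perry's reply, as an added example that is not part of the original thread: it converts the whois range into the network and subnet mask a packet filter needs, then separates dropped destinations already inside that block from those that still need a whois lookup. The log format, the internal source address, the ports and the non-207.46 addresses are constructed for illustration and are not real ISA Server output.

```python
import ipaddress

# Range whois.arin.net reports for the addresses quoted in the thread.
WHOIS_RANGES = [("207.46.0.0", "207.46.255.255")]

# Constructed sample (simplified, NOT real ISA Server log output):
# "<action> <proto> <src> <dst> <dst_port>"
SAMPLE_LOG = """\
DROP TCP 10.0.0.5 207.46.249.57 80
DROP TCP 10.0.0.5 207.46.134.90 443
DROP TCP 10.0.0.5 207.46.197.121 80
DROP TCP 10.0.0.5 198.51.100.20 80
DROP TCP 10.0.0.5 198.51.100.20 443
DROP UDP 10.0.0.5 203.0.113.9 53
malformed line
"""

def ranges_to_networks(ranges):
    """Collapse whois start-end ranges into CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

def dropped_tcp_destinations(log_text):
    """Return the set of (dst_ip, dst_port) seen in dropped TCP packets."""
    seen = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[:2] != ["DROP", "TCP"]:
            continue
        try:
            seen.add((ipaddress.ip_address(parts[3]), int(parts[4])))
        except ValueError:
            continue  # skip lines with an unparsable address or port
    return seen

def triage(log_text, ranges=WHOIS_RANGES):
    """Split dropped destinations into covered-by-block and needs-whois."""
    nets = ranges_to_networks(ranges)
    covered, unknown = [], []
    for dst, port in sorted(dropped_tcp_destinations(log_text)):
        bucket = covered if any(dst in n for n in nets) else unknown
        bucket.append((str(dst), port))
    return nets, covered, unknown

if __name__ == "__main__":
    nets, covered, unknown = triage(SAMPLE_LOG)
    for n in nets:
        print(f"filter: {n.network_address} mask {n.netmask}")
    print("covered:", covered, "\nneeds whois lookup:", unknown)
```

Each address left in the second list is one to look up before widening the filter, rather than opening the firewall to everything.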
 
