
How to Configure a Firewall for Software Updates

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

When there is a firewall between the Configuration Manager 2007 active software update point and the Internet, an active software update point and its upstream server, or an active Internet-based software update point and the active software update point for the site, the firewall might need to be configured to allow traffic on the HTTP and HTTPS ports used for the WSUS Web site. On the firewall between the active software update point and the Internet, you can also restrict access to a limited set of domains.

Note
The steps for configuring the firewall are meant for a corporate firewall positioned between WSUS and the Internet, or between an active software update point or an active Internet-based software update point and the upstream server. Because WSUS initiates all its network traffic, there is no need to configure Windows Firewall on the WSUS server.

Use the following procedure to configure the firewall for software updates.

To configure the firewall for software updates

  1. Configure the firewall to allow communication for the HTTP and HTTPS ports used by the WSUS server. By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS. By default, the WSUS server uses port 8530 for HTTP and port 8531 for HTTPS if it is using the WSUS custom Web site. For more information, see How to Determine the Port Settings Used by WSUS.

  2. If your organization does not allow the ports and protocols used by the WSUS Web site to be open to all addresses, you can restrict access to the following domains so that WSUS and Automatic Updates can communicate with Microsoft Update:

    • http://windowsupdate.microsoft.com

    • http://*.windowsupdate.microsoft.com

    • https://*.windowsupdate.microsoft.com

    • http://*.update.microsoft.com

    • https://*.update.microsoft.com

    • http://*.windowsupdate.com

    • http://download.windowsupdate.com

    • http://download.microsoft.com

    • http://*.download.windowsupdate.com

    • http://test.stats.update.microsoft.com

    • http://ntservicepack.microsoft.com

  3. If there is an active Internet-based software update point or if there are child sites with an active software update point, the following addresses also need to be added to any firewall that is between the servers:

    Child site active software update point

    • http://<FQDN for active software update point on child site>

    • https://<FQDN for active software update point on child site>

    • http://<FQDN for active software update point on parent site>

    • https://<FQDN for active software update point on parent site>

    Active Internet-based software update point

    • http://<FQDN for active software update point for site>

    • https://<FQDN for active software update point for site>

    • http://<FQDN for active Internet-based software update point>

    • https://<FQDN for active Internet-based software update point>
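The following is an added example, not part of the original Microsoft procedure: a Python check that reports whether a URL seen in proxy or firewall logs is covered by the step 2 allow list, matching on scheme as well as host. It assumes that `*.` matches one or more leading labels and never the bare domain; firewall products differ, so confirm how yours treats wildcards. The sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Allow list copied from step 2 of the procedure above.
ALLOWLIST = [
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://*.update.microsoft.com",
    "https://*.update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://download.windowsupdate.com",
    "http://download.microsoft.com",
    "http://*.download.windowsupdate.com",
    "http://test.stats.update.microsoft.com",
    "http://ntservicepack.microsoft.com",
]

# Split each entry into (scheme, host pattern) once.
RULES = [tuple(entry.lower().split("://", 1)) for entry in ALLOWLIST]

def host_matches(pattern, host):
    """Assumption: '*.' matches one or more leading labels, not the bare domain."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot so the match is label-aligned
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def is_allowed(url):
    """True if both the scheme and the host of the URL match an allow-list entry."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    return any(scheme == s and host_matches(p, host) for s, p in RULES)

def audit(urls):
    """Map each URL to its allow/deny decision."""
    return {u: is_allowed(u) for u in urls}

if __name__ == "__main__":
    # Constructed sample URLs, not taken from real logs.
    samples = [
        "http://download.windowsupdate.com/sample.cab",
        "https://download.windowsupdate.com/sample.cab",  # HTTPS not listed for this host
        "http://update.microsoft.com/",                    # bare domain, wildcard only
        "http://windowsupdate.com.example.net/",           # listed name used as a prefix
    ]
    for url, ok in audit(samples).items():
        print("ALLOW" if ok else "DENY ", url)
```

A denied URL here indicates either traffic the allow list was meant to block or an entry the firewall needs in a different form, such as the bare domain or the HTTPS variant.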

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
© 2014 Microsoft. All rights reserved.