Channel: WSUS forum

Allowing WSUS to communicate with Microsoft update source through internet firewall


Hello

I am in the process of setting up a new WSUS on Windows Server 2012 R2 to synchronise with Microsoft update on the internet. I want to be as granular as possible to only allow what is required minimally in order to achieve this.

I found contradicting information from online resources indicating which ports and protocols WSUS uses to communicate with Microsoft update for synchronizing updates:

1.) http://technet.microsoft.com/en-us/library/hh852346.aspx at point 3.1.1 says: "To obtain updates from Microsoft Update, the WSUS server uses port 443 for HTTPS protocol." This suggests HTTPS (443) only.

2.) http://technet.microsoft.com/en-us/library/bb693717.aspx at "To configure the firewall for software updates", says: "Configure the firewall to allow communication for the HTTP and HTTPS ports used by the WSUS server. By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS". This suggests HTTPS (443) as well as HTTP (80).

3.) http://www.lucianolima.org/how-to-configure-wsus-server-4-0-in-windows-server-2012/ at "Configuring the Firewall", says: "If there is a corporate firewall between WSUS and the Internet, you may need to configure your firewall to ensure that WSUS can obtain updates. To obtain updates from Microsoft Update, the WSUS server uses port 8530 for HTTP protocol and port 443 for HTTPS protocol. These options are not configurable." This suggests HTTPS (443) as well as HTTP (8530).

So which is it? HTTPS (443) only, and/or HTTP (80) only, and/or HTTP (8530)?

Also, as I already mentioned, I want to be as granular as possible with the access I will be allowing through our internet firewall. I tried to restrict the destination to the URLs documented on the above links: http://windowsupdate.microsoft.com; http://*.windowsupdate.microsoft.com; https://*.windowsupdate.microsoft.com; http://*.update.microsoft.com; https://*.update.microsoft.com; http://*.windowsupdate.com; http://download.windowsupdate.com; http://download.microsoft.com; http://*.download.windowsupdate.com; http://wustat.windows.com; http://ntservicepack.microsoft.com on both HTTPS and HTTP protocols respectively, yet the synchronization failed due to not being able to connect to host 134.170.115.62:443. I tried to determine what the hostname is for the IP 134.170.115.62, though it does not have a PTR record for a reverse lookup. I am assuming this IP does not form part of these URL sets I granularly defined in the allowed destination lists on the firewall? Any idea what this IP is for?

