IP addresses to get Microsoft patches

Hi,

We need to restrict internet access of our patch server to allow only those IPs used by MS Windows Update to get the Windows Update CAB file and the related patches. Is it possible to get the list of IPs or IP classes (not the URLs) used by MS to provide the above patch service? Does anybody know if those IPs change frequently?
Thanks Regards  
 

Last updated October 24, 2019
65.55.200.221
116.214.29.170
64.4.52.30
Mr.TD


Hello,

Sorry for not replying sooner.
I am confused by the IPs I got from Mr. TD. The MS URL we are currently contacting is http://go.microsoft.com/fwlink/?LinkID=76054, which seems to be on the server go.microsoft.com (IP 207.46.16.233). This IP is not in the list provided by Mr. TD. Can anyone explain? Is it really possible to get the entire list of MS server IPs we need to contact to get MS patches? Does anyone know if these IPs are changed frequently?

Thanks Regards     


I wouldn't use the addresses listed in the previous response. An IP whois on the middle address is a telecom company in India; it's not registered to any Microsoft subsidiary. The best IP ranges I have found so far are:

64.4.*.*
64.158.*.*
65.59.*.*
67.72.*.*
207.46.*.*
208.172.*.*

I got that from an online forum and haven't tested it myself though.


> I wouldn't use the addresses listed in the previous response. An IP whois on the middle address is a telecom company in India; it's not registered to any Microsoft subsidiary. The best IP ranges I have found so far are:
>
> 64.4.*.*
> 64.158.*.*
> 65.59.*.*
> 67.72.*.*
> 207.46.*.*
> 208.172.*.*
>
> I got that from an online forum and haven't tested it myself though.

Just FYI:

64.4.x.x - found to be MS Hotmail out of Richmond, WA.
65.59.x.x - Level 3 Communications (Dial-up), No Services detected, Wichita, KS.
67.72.x.x - Level 3 Communications (Dial-up), No Services detected, Wichita, KS.
207.46.x.x - Microsoft Corp., Microsoft Azure
208.172.0.0 - Savvis, in MO. (??)

...still not sure what to allow for (SAFE) Windows Updates..! PapaBear says the IP addresses change frequently, so the best solution may be to make an outbound rule in the firewall to allow certain sites/domains to connect to get updates... but I'm having a hard time finding that response (with the site list).

4 people were helped by this reply


I know this is an old thread, but I just wanted to see if you had any luck isolating the IPs?

I found a few KB/Community articles specifying the FQDNs required for Windows Update.

The problem, though, is that some of the FQDNs specified have wildcard subdomains, i.e. *.windowsupdate.microsoft.com

In our application, we have servers that need to run updates. These servers are behind a fairly restricted network and have almost no Internet access. The firewalls that we're using do support FQDN-based address objects (to use in policies) but they do not support wildcard FQDNs, so we can create an FQDN object for windowsupdate.microsoft.com but we cannot create an address object for *.windowsupdate.microsoft.com.

Any help would be appreciated!

Thanks,

Z
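
The wildcard problem described in the post above, as an added example that is not part of the thread: it shows what `*.windowsupdate.microsoft.com` covers and collects the concrete hostnames seen in a DNS query log, which is the form an exact-FQDN address object needs. The log format, the client IPs and every hostname label other than windowsupdate.microsoft.com are constructed, and matching the wildcard at any subdomain depth is an assumption about the allowlist semantics.

```python
# Added example; all log data below is constructed for illustration.
PATTERNS = ["windowsupdate.microsoft.com", "*.windowsupdate.microsoft.com"]

# Constructed DNS query log: "<timestamp> <client> <queried name>"
SAMPLE_LOG = """\
2019-10-24T02:00:01 10.0.5.11 windowsupdate.microsoft.com
2019-10-24T02:00:02 10.0.5.11 sub1.windowsupdate.microsoft.com.
2019-10-24T02:00:03 10.0.5.12 SUB1.WindowsUpdate.Microsoft.com
2019-10-24T02:00:04 10.0.5.12 a.b.windowsupdate.microsoft.com
2019-10-24T02:00:05 10.0.5.13 fakewindowsupdate.microsoft.com
2019-10-24T02:00:06 10.0.5.13 windowsupdate.microsoft.com.example.net
"""


def normalize(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def matches(pattern, host):
    """Exact match, or wildcard match on a label boundary."""
    pattern, host = normalize(pattern), normalize(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".windowsupdate.microsoft.com"
        # The leading dot forces a label boundary, so "fakewindowsupdate..."
        # fails; the apex itself is not covered by the wildcard entry.
        # Assumption: the wildcard covers subdomains at any depth.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def expand(log_text, patterns=PATTERNS):
    """Return (allowed, rejected) as sorted lists of distinct hostnames."""
    allowed, rejected = set(), set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        host = normalize(fields[2])
        bucket = allowed if any(matches(p, host) for p in patterns) else rejected
        bucket.add(host)
    return sorted(allowed), sorted(rejected)


if __name__ == "__main__":
    allowed, rejected = expand(SAMPLE_LOG)
    print("create exact FQDN objects for:", *allowed, sep="\n  ")
    print("not covered by the patterns:", *rejected, sep="\n  ")
```

The output only contains names that appeared in the log window, so the list has to be regenerated whenever the update clients start querying new subdomains.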
