Hello all,
I am interested in finding the best method to restrict outbound traffic for clients. I would like to prevent one of my networks from reaching any internet destination, with a single exception for Microsoft Update. Microsoft gives the following URLs to which HTTP or HTTPS traffic should be allowed:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
https://*.ws.microsoft.com
http://*.ws.microsoft.com
Layer 3 firewall rules won't work since Microsoft uses the * wildcard character in the URLs. Layer 7 firewall rules only allow deny actions, not permit. I suppose I could look into pairing a Layer 3 firewall rule allowing only TCP 80/443, then use content filtering perhaps? With what methods could this be achieved?
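As an added example (not part of the original post), here is how a filtering proxy's allowlist would have to interpret the URL list above for the approach in the question (layer 3 rule for TCP 80/443, then host-based filtering) to work. It assumes the usual wildcard-domain semantics, where "*." matches one or more leading DNS labels, and that scheme, host and port are all checked, so a request to an allowlisted host over the wrong scheme or port is still denied.

```python
# Added example, not from the original post: the Microsoft Update URL patterns
# as a default-deny egress allowlist. "*." matches one or more leading labels.
from urllib.parse import urlsplit

# The allowlist exactly as listed in the post: scheme plus (wildcarded) host.
ALLOWED_PATTERNS = [
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://*.update.microsoft.com",
    "https://*.update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://download.windowsupdate.com",
    "http://download.microsoft.com",
    "http://*.download.windowsupdate.com",
    "http://wustat.windows.com",
    "http://ntservicepack.microsoft.com",
    "https://*.ws.microsoft.com",
    "http://*.ws.microsoft.com",
]
DEFAULT_PORTS = {"http": 80, "https": 443}

def host_matches(pattern_host, host):
    """Exact match, or wildcard match where '*' covers one or more labels."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]          # "*.windowsupdate.com" -> ".windowsupdate.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern_host

def is_allowed(url, patterns=ALLOWED_PATTERNS):
    """True only if scheme, host and port all fit an allowlist entry."""
    try:
        parts = urlsplit(url)
        port = parts.port                  # ValueError on a malformed port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if scheme not in DEFAULT_PORTS or not host:
        return False
    if port not in (None, DEFAULT_PORTS[scheme]):
        return False                       # only TCP 80/443, as the post proposes
    for pattern in patterns:
        p_scheme, _, p_host = pattern.lower().partition("://")
        if scheme == p_scheme and host_matches(p_host, host):
            return True
    return False
```

Note that the list only permits HTTP to download.microsoft.com, so an HTTPS request to the same host is denied by this logic; if the proxy allows https generally, that entry needs to be adjusted deliberately rather than by widening the wildcard.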