  1. #1
    Newbie
    Join Date
    Nov 2020
    Posts
    2

    How do I allow Windows Update when otherwise blocking internet access

    I have some rules set up to block internet access of my kids' computers at night. That being said, I'd like to allow the computers to access *.windowsupdate.com and *.update.windows.com. I can't figure out how to allow those sites. The firewall rules seem to only allow IP addresses and not FQDNs. I can put in the current IP addresses of the Windows Update servers, but based on Microsoft's information, these servers change frequently due to security concerns, so I can't hard-code today's IP addresses as they might not work tomorrow.

    The rules are set up from Policy Manager: if the time is within a certain time frame and the day of week is this or that, then use policy "block internet."

    Policy "block internet" is set up to block all packets from the LAN to the WAN.

    How do I do this?

    Tim

  2. #2
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Welcome

    ...to Untangle, and the forums!

    I don't normally post unless I have solid facts behind the statements.

    The only fact I have is that what you have found is correct, you can't do it that way in NGFW.

    If you didn't have the time of day requirement, and the granularity of individual hosts, then DNS domain filtering becomes simple.

    A very complicated theoretical solution to explore would be to set up a proxy server for Windows updates.

    Bypass Rules are the native facility in NGFW to detour around Policies, but the only thing that I see that might be useful there is server tagging. With my limited knowledge, I think that 'server' would have to be on the LAN, as a host.

    That's all I have got, sorry!
    Last edited by Jim.Alles; 11-13-2020 at 09:52 AM.

  3. #3
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,304

    Doing this with Untangle reasonably requires two paid modules, Policy Manager, and Web Filter.

    You have a black hole policy that contains a web filter with all categories blocked and appropriate exception domains listed. Which is exactly how I have my kids set up on mine.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
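
The decision the black hole policy above makes, modelled as an added example (not Untangle's code and not part of the thread). The night window, the function names and the label-boundary matching rule are assumptions; the two wildcard domains come from the question.

```python
from datetime import time

# Exception domains named in the question; the night window is a constructed value.
EXCEPTIONS = ["*.windowsupdate.com", "*.update.windows.com"]
BLOCK_START, BLOCK_END = time(21, 0), time(6, 0)


def in_block_window(now, start=BLOCK_START, end=BLOCK_END):
    """True when `now` is inside the window, including windows that wrap midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def host_matches(host, pattern):
    """Match an exact name or a '*.suffix' wildcard, only on DNS label boundaries."""
    host = host.rstrip(".").lower()
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".windowsupdate.com", leading dot kept on purpose
        # The leading dot rejects look-alikes such as "evilwindowsupdate.com".
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def decide(host, now, exceptions=EXCEPTIONS):
    """Return 'pass' or 'block' for one web request from a restricted computer."""
    if not in_block_window(now):
        return "pass"   # outside the schedule the normal policy applies
    if any(host_matches(host, p) for p in exceptions):
        return "pass"   # exception domain listed in the black hole policy
    return "block"      # all categories blocked


if __name__ == "__main__":
    # Constructed sample requests.
    for h, t in [("download.windowsupdate.com", time(23, 30)),
                 ("evilwindowsupdate.com", time(23, 30)),
                 ("windowsupdate.com.example.net", time(2, 0)),
                 ("www.example.com", time(12, 0))]:
        print(f"{t} {h:32} {decide(h, t)}")
```

Because the decision keys on the requested hostname rather than a resolved address, it keeps working when the update servers' IP addresses change.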

  4. #4
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Quote, originally posted by sky-knight:
    Doing this with Untangle reasonably requires two paid modules, Policy Manager, and Web Filter.

    You have a black hole policy that contains a web filter with all categories blocked and appropriate exception domains listed. Which is exactly how I have my kids set up on mine.

    He is going to need screenshots/examples for that nuance (that I don't have). The O.P. states he has rules set up in Policy Manager, so the required Apps are available.

    I am watching a video that proves that my Proxy server idea is completely ridiculous, particularly for Windows update. A lot of people aren't old enough to know what I am even talking about:
    https://www.youtube.com/watch?v=qRx_RkdvpS4

    You be the judge!
    Last edited by Jim.Alles; 11-13-2020 at 11:12 AM.

  5. #5
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    A link to some of Untangle's videos about WebFilter:
    https://www.youtube.com/user/untanglecorp/search?query=webfilter
