When there is a firewall between the Configuration Manager 2012 active software update point and the Internet, an active software update point and its upstream server, or an active Internet-based software update point and the active software update point for the site, the firewall might need to be configured to accept the HTTP and HTTPS ports used for the WSUS Web site. On the firewall between the active software update point and the Internet, you can also restrict access to limited domains.
Note |
---|
The steps for configuring the firewall are meant for a corporate firewall positioned between WSUS and the Internet, or between an active software update point or an active Internet-based software update point and the upstream server. Because WSUS initiates all its network traffic, there is no need to configure Windows Firewall on the WSUS server. |
Use the following procedure to configure the firewall for software updates.
To configure the firewall for software updates
-
Configure the firewall to allow communication for the HTTP and HTTPS ports used by the WSUS server. By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS. By default, the WSUS server uses port 8530 for HTTP and port 8531 for HTTPS if it is using the WSUS custom Web site. For more information, see How to Determine the Port Settings Used by WSUS.
-
If your organization does not allow the ports and protocols used by the WSUS Web site to be open to all addresses, you can restrict access to the following domains so that WSUS and Automatic Updates can communicate with Microsoft Update:
- http://windowsupdate.microsoft.com
- http://*.windowsupdate.microsoft.com
- https://*.windowsupdate.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://*.windowsupdate.com
- http://download.windowsupdate.com
- http://download.microsoft.com
- http://*.download.windowsupdate.com
- http://test.stats.update.microsoft.com
- http://ntservicepack.microsoft.com
- http://windowsupdate.microsoft.com
-
If there is an active Internet-based software update point or if there are child sites with an active software update point, the following addresses also need to be added to any firewall that is between the servers:
Child site active software update point
- http://<FQDN for active software update
point on child site>
- https://<FQDN for active software update
point on child site>
- http://<FQDN for active software update
point on parent site>
- https://<FQDN for active software update
point on parent site>
Active Internet-based software update point
- http://<FQDN for active software update
point for site>
- https://<FQDN for active software update
point for site>
- http://<FQDN for active Internet-based
software update point>
- https://<FQDN for active Internet-based
software update point>
- http://<FQDN for active software update
point on child site>