
Stop Updates when connected to RRAS


RBot

Jan 16, 2007, 3:25:44 PM
I currently have an RRAS server set up with specialized software that our
sales reps use to receive updates on current products and prices and to
send orders at the end of each day. The process itself seems to work
perfectly, aside from one major problem. Every time a computer
connects to this server (over phone line through RRAS) to attempt a
download or to send orders, the first thing it does is try to check the
WSUS server for Windows Updates. This causes a large amount of data to
be sent over the phone line if there are updates available, and crashes
their transmission of data. When I change the GPO to receive updates
automatically from the Windows Update servers, it is able to reach these
internet servers to receive their updates. Is there a way to stop the
connecting computer from finding the WSUS server even if it attempts to
do so, or is there a way to make the connecting computer stop trying to
find a server for updates to begin with?

Any help would be appreciated. Thanks in advance!

Jorge Silva

Jan 16, 2007, 4:19:02 PM
Hi
IIRC: You only have to remove the PC from the WSUS console, or create a specific
group of computers in WSUS, then via GPO configure the computers that you
want to belong to that group and provide updates only to that group of
computers.

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"RBot" <cdhgoog...@yahoo.com> wrote in message
news:1168979144.7...@38g2000cwa.googlegroups.com...

RBot

Jan 16, 2007, 4:51:13 PM
Jorge,

Thank you for your quick response. This, however, is only a good
TEMPORARY fix, and I have actually already done this (sorry for the
lack of description). Because we are a larger company, we must follow
SOX compliance, and disabling Windows Updates from WSUS or other
Automatic Windows Updates servers is a security threat. What I would
like to do is stop this from happening ONLY when they connect to the
network through the RRAS server (maybe by making it impossible for the
connecting computer to see other machines on the network while connected
through RRAS, or not being able to get to the internet while connected
through RRAS). When in the office or when connected via VPN, I would like
them to receive updates. Is this possible?

Thank you again for your quick response

Jorge Silva

Jan 16, 2007, 5:03:44 PM
Ok
Assuming that your WSUS isn't running on port 80, you could create
filters in RRAS that prevent traffic on the WSUS port. Of course you can do
this for port 80 too, but if remote users want to connect to some internal
web pages they won't be able to do that.

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"RBot" <cdhgoog...@yahoo.com> wrote in message

news:1168984271.3...@l53g2000cwa.googlegroups.com...

RBot

Jan 16, 2007, 5:28:04 PM
That sounds like it should work. I will definitely try that. One
concern I have: after the computer has connected to the RRAS and has
established a connection, is it possible for the remote computer to
find its own way to the internet or the WSUS server? For instance,
when the remote computer is connected, it tries broadcasting for DHCP,
and is able to find the WSUS server. Will disabling the port that WSUS
uses and port 80 (for going to the internet) on the RRAS server also
block the remote computer from gaining access to these locations?

I'm not extremely knowledgeable in this area, so the help you have
provided so far and to come is very useful and appreciated. Thanks
again.

Herb Martin

Jan 16, 2007, 6:06:07 PM

"RBot" <cdhgoog...@yahoo.com> wrote in message
news:1168986483....@m58g2000cwm.googlegroups.com...

> That sounds like it should work. I will definitely try that. One
> concern I have: after the computer has connected to the RRAS and has
> established a connection, is it possible for the remote computer to
> find its own way to the internet or the WSUS server? For instance,
> when the remote computer is connected, it tries broadcasting for DHCP,
> and is able to find the WSUS server. Will disabling the port that WSUS
> uses and port 80 (for going to the internet) on the RRAS server also
> block the remote computer from gaining access to these locations?

Yes, and you can disable those ports ONLY for the WSUS server
and still allow the clients to reach other Web servers or even this one
on different ports.

RRAS filters are reasonably sophisticated. (Not the most advanced
filtering system in the world but pretty good and fairly granular.)

> I'm not extremely knowledgeable in this area, so the help you have
> provided so far and to come is very useful and appreciated. Thanks
> again.

Try a simple RRAS filter with the range of addresses used for the remote
(dial/VPN) clients as the source and the WSUS web server and port 80 (or
other) as the destination -- if you disallow this the dial/VPN clients will
never reach the WSUS server.

Filters are ALMOST self-explanatory in RRAS but it takes just a little
bit of clicking around and testing to "get it" -- not much and we'll help.

You could also put the filter on the WSUS server with either RRAS
(it doesn't have to be an RAS/VPN SERVER to do this, just run the
RRAS service and use the filters) or with IPSec filters.

Many people overlook that IPSec filters can be used merely to
BLOCK and pass, without any intention of using the IPSec facilities for
encryption etc.

As long as you specify the range of addresses the clients will get
when dialing (different DHCP scope or do it on the RRAS server
in an address pool*) then this is pretty easy to match up.

* I don't usually recommend RRAS address pools to those who
have DHCP (easier to do the management in one place), but if
you need a way to give out a different, identifiable range to dial/VPN
clients than to local machines, then DHCP can be a pain sometimes.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
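The two filter placements Herb describes, written out as netsh commands. This is an added example, not code from the thread or from Microsoft's documentation. Everything address-related is assumed: a dial-in pool of 10.1.1.50-10.1.1.55 (matched by 10.1.1.48 with mask 255.255.255.248), a WSUS server at 10.1.2.240 listening on TCP 80, and "Internal" as the name RRAS gives the interface that represents connected remote access clients (the same interface whose Properties page carries the Inbound/Outbound Filters buttons under IP Routing -> General). The netsh lines run unchanged from cmd.exe; only the comment syntax is PowerShell's.

```powershell
# Added example (not from the thread). Run elevated on a Windows Server 2003-era
# RRAS server (option 1) or on the WSUS server itself (option 2).

# --- Prerequisite for either option: give dial-in clients an identifiable
# range from an RRAS static pool (Herb's footnote). RRAS takes the first
# address of the pool for its own Internal interface, so make the pool one
# larger than the number of simultaneous callers you need.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.1.1.50 to=10.1.1.55

# --- Option 1: RRAS input filter on the dial-in (Internal) interface ---
# Match: source = dial-in pool, destination = WSUS server, TCP port 80.
# srcport=0 means "any source port".
netsh routing ip add filter name=Internal filtertype=INPUT srcaddr=10.1.1.48 srcmask=255.255.255.248 dstaddr=10.1.2.240 dstmask=255.255.255.255 proto=TCP srcport=0 dstport=80
# action=DROP is the console's "Receive all packets except those that meet
# the criteria below": only the listed traffic is dropped, so other internal
# web servers and other ports on the WSUS box stay reachable.
netsh routing ip set filter name=Internal filtertype=INPUT action=DROP
netsh routing ip show filter name=Internal

# --- Option 2: same block, enforced on the WSUS server with an IPsec policy
# whose only action is "block" (no negotiation, no encryption, just a filter).
netsh ipsec static add policy name=BlockDialInWSUS
netsh ipsec static add filterlist name=DialInClients
# dstaddr=me is the local machine; mirrored=yes also creates the reply-direction filter.
netsh ipsec static add filter filterlist=DialInClients srcaddr=10.1.1.48 srcmask=255.255.255.248 dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filteraction name=DropIt action=block
netsh ipsec static add rule name=DropDialIn policy=BlockDialInWSUS filterlist=DialInClients filteraction=DropIt
netsh ipsec static set policy name=BlockDialInWSUS assign=y
netsh ipsec static show policy name=BlockDialInWSUS
```

To check it, dial in from a client and try `telnet 10.1.2.240 80`: it should time out while the order server still answers, and the client's %windir%\WindowsUpdate.log will show a connection failure rather than a download. If the WSUS site also listens on another port (8530 is the usual alternative), add a second filter line for it. Note that neither option touches the client's GPO, so the same machine still checks in with WSUS normally when it is in the office or on the VPN.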


Jorge Silva

Jan 16, 2007, 7:05:09 PM
Yes, the computer can access the WSUS server, just not on port 80. It has
been a while since I played with RRAS (generally I use ISA or other hardware
devices), but as Herb said it isn't really such a big deal; also have a look at
the MS documentation about RRAS filtering.
--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"RBot" <cdhgoog...@yahoo.com> wrote in message

news:1168986483....@m58g2000cwm.googlegroups.com...

Jorge Silva

Jan 16, 2007, 7:08:35 PM
http://support.microsoft.com/kb/254018/en-us

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Jorge Silva" <jorges...@hotmail.com> wrote in message
news:FCB77A81-1A20-49E4...@microsoft.com...

Herb Martin

Jan 16, 2007, 7:14:47 PM
> "Jorge Silva" <jorges...@hotmail.com> wrote in message
> news:FCB77A81-1A20-49E4...@microsoft.com...
>> Yes, the computer can access the WSUS server, just not on port 80. It
>> has been a while since I played with RRAS (generally I use ISA or other
>> hardware devices), but as Herb said it isn't really such a big deal; also
>> have a look at the MS documentation about RRAS filtering.

"Jorge Silva" <jorges...@hotmail.com> wrote in message

news:F6C4E8C5-1156-458B...@microsoft.com...
> http://support.microsoft.com/kb/254018/en-us


And just TRY it before reading a BUNCH of that stuff
(it's all in the built-in help too) because the GUI is ALMOST
self-explanatory if you understand the purpose of the filters.

If you figure it out -- great -- if you don't then you will have
specific questions to ask from 2 minutes worth of trying to
build a filter.

RBot

Jan 17, 2007, 12:26:34 PM
Thanks for all of the posts. I will continue to work on this issue,
and get back to you very soon. Thanks again for the great support

RBot

Jan 17, 2007, 1:17:06 PM
Ok, I have looked into adding inbound filters on the RRAS, however the
"Inbound Filters" and "Outbound Filters" buttons are both grayed out.
I am not sure the reason behind this, and couldn't find anything
stating why this is. Just so this group is aware, I do not need any of
the computers that are RRASing into this server to have access to any
other servers or the internet. They ONLY need to have access to the
server it is RRASing into.

Because they broadcast a DHCP request when connecting (which is
successful), they are able to get IPs for the DNS server and the WSUS
servers. It just so happens that the DNS server and WSUS servers have
an IP of x.x.x.240 (different subnets). The IPs that are assigned to
the connecting computers are x.x.x.50 - x.x.x.55. The software will
ALWAYS need to connect to x.x.x.92. Will setting a subnet mask of
255.255.255.128 (/25) stop them from even having the ability to access
IPs higher than x.x.x.127 and in turn stop them from getting any
information about where the WSUS servers are located and how to get to
the internet? This is a last ditch effort, but better than nothing.
Would I need to disable NetBEUI as well?

My main goal is to stop any connecting computer from going ANYWHERE
other than the RRAS server it is connected to without making changes to
Group Policy (We only want these changes to matter when connected
through RRAS) Thank you again for your help.

Jorge Silva

Jan 17, 2007, 3:04:51 PM
If the filters are grayed out you should look for a permissions issue.
For DHCP, you can add the DHCP Relay Agent protocol and configure it to
point at the correct DHCP server. You can also configure the range of IP addresses
in the RRAS properties to be attributed.

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"RBot" <cdhgoog...@yahoo.com> wrote in message

news:1169057826.1...@m58g2000cwm.googlegroups.com...

Herb Martin

Jan 17, 2007, 5:33:43 PM

"RBot" <cdhgoog...@yahoo.com> wrote in message
news:1169057826.1...@m58g2000cwm.googlegroups.com...

> Ok, I have looked into adding inbound filters on the RRAS, however the
> "Inbound Filters" and "Outbound Filters" buttons are both grayed out.
> I am not sure the reason behind this, and couldn't find anything
> stating why this is. Just so this group is aware, I do not need any of
> the computers that are RRASing into this server to have access to any
> other servers or the internet. They ONLY need to have access to the
> server it is RRASing into.

You can do this even simpler -- have the RRAS server use and give
out a distinct IP range that isn't even routable on your internal
network. (And block it on the internal/corp NIC as an inbound dest or
outbound source).

Are you trying to set filters on an INTERFACE?
(or you can do it in the Firewall if you use the NAT/Basic Firewall but
the interfaces are supposed to be there without the firewall itself.)
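A small Python model of the ideas raised in the last few posts, added here as an example and not code from the thread: RBot's /25 subnet mask question, Herb's "drop only pool -> WSUS:80" input filter on the dial-in interface, RBot's stated goal of letting clients talk to nothing but the RRAS server, and Herb's non-routable pool blocked on the corporate NIC. All addresses are constructed stand-ins for the thread's x.x.x values (clients 10.1.1.50-.55 via 10.1.1.48/29, RRAS/order server 10.1.1.92, DNS 10.1.1.240, WSUS 10.1.2.240, non-routable pool 192.168.250.0/24), and the filter semantics follow the two radio buttons in the RRAS filter dialog ("Receive all packets except..." versus "Drop all packets except...").

```python
"""Added example, not from the thread: what a dial-in client can reach through
an RRAS server under the proposals discussed.  All addresses are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_interface

RRAS_SERVER = IPv4Address("10.1.1.92")         # the box they dial into (x.x.x.92)
CLIENT_POOL = IPv4Network("10.1.1.48/29")      # .48-.55: smallest block holding .50-.55
DNS_SERVER = IPv4Address("10.1.1.240")         # "x.x.x.240" on the client's own subnet
WSUS_SERVER = IPv4Address("10.1.2.240")        # "x.x.x.240" on a different subnet
PRIVATE_POOL = IPv4Network("192.168.250.0/24")  # Herb's non-routable pool idea


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "tcp"
    dport: int = 0           # 0 = not applicable


@dataclass(frozen=True)
class Rule:
    """One filter line; a None field is the dialog's 'any'."""
    src: IPv4Network | None = None
    dst: IPv4Network | None = None
    proto: str | None = None
    dport: int | None = None

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src in self.src)
                and (self.dst is None or p.dst in self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


@dataclass(frozen=True)
class FilterSet:
    """An RRAS interface filter list.  drop_listed=True is 'Receive all packets
    except those that meet the criteria below'; False is 'Drop all packets
    except those that meet the criteria below'."""
    rules: tuple[Rule, ...] = ()
    drop_listed: bool = True

    def forwards(self, p: Packet) -> bool:
        hit = any(r.matches(p) for r in self.rules)
        return (not hit) if self.drop_listed else hit


def client_next_hop(client: IPv4Address, prefix_len: int, dst: IPv4Address) -> str:
    """The client's own routing decision under a given mask.  A dial-up link is
    point-to-point, so 'on-link' and 'gateway' both deliver the packet to the
    RRAS server; shrinking the mask (the /25 idea) relabels, it never blocks."""
    return "on-link" if dst in ip_interface(f"{client}/{prefix_len}").network else "gateway"


def reachable(p: Packet, dial_in_input: FilterSet = FilterSet(),
              corp_nic_output: FilterSet = FilterSet()) -> bool:
    """Push a client packet through the RRAS server's two filter points: the
    dial-in (Internal) interface input filter, then, for anything not addressed
    to the RRAS server itself, the corporate NIC output filter."""
    if not dial_in_input.forwards(p):
        return False
    if p.dst == RRAS_SERVER:
        return True
    return corp_nic_output.forwards(p)


# Herb's first suggestion: forward everything, drop only pool -> WSUS:80.
HERB_WSUS_ONLY = FilterSet(rules=(
    Rule(src=CLIENT_POOL, dst=IPv4Network(f"{WSUS_SERVER}/32"), proto="tcp", dport=80),
))

# RBot's stated goal: clients may talk to the RRAS server and nothing else.
RRAS_SERVER_ONLY = FilterSet(rules=(Rule(dst=IPv4Network(f"{RRAS_SERVER}/32")),),
                             drop_listed=False)

# Herb's second suggestion: hand out a pool the LAN does not route and drop it
# on the corporate NIC as outbound source (mirror it as inbound destination).
CORP_NIC_DROP_POOL = FilterSet(rules=(Rule(src=PRIVATE_POOL),))


if __name__ == "__main__":
    c = IPv4Address("10.1.1.50")
    wsus = Packet(c, WSUS_SERVER, "tcp", 80)
    print(client_next_hop(c, 24, DNS_SERVER), client_next_hop(c, 25, DNS_SERVER))
    print(reachable(wsus), reachable(wsus, HERB_WSUS_ONLY))
    print(reachable(Packet(c, RRAS_SERVER, "tcp", 443), RRAS_SERVER_ONLY),
          reachable(wsus, RRAS_SERVER_ONLY))
```

Run it and the mask question answers itself: with /24 the client treats x.x.x.240 as on-link and with /25 it sends to the gateway, but `reachable` is True in both cases because the gateway is the RRAS server and nothing on the server is dropping the packet. Only the filter sets change the outcome, and the "drop all except" form is the one that matches RBot's "nowhere but the RRAS server" requirement.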
