sales reps use to receive updates on current products and prices and to
send orders at the end of each day. The process itself seems to work
perfectly, aside from one major problem. Every time a computer
connects to this server (over phone line through RRAS) to attempt a
download or to send orders, the first thing it does is try to check the
WSUS server for Windows Updates. This causes a large amount of data to
be sent over the phone line if there are updates available, and crashes
their transmission of data. When I change the GPO to receive updates
automatically from Windows Updates servers, it is able to reach these
internet servers to receive their updates. Is there a way to stop the
connecting computer from finding the WSUS server even if it attempts to
do so, or is there a way to make the connecting computer stop trying to
find a server for updates to begin with?
Any help would be appreciated. Thanks in advance!
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE
"RBot" <cdhgoog...@yahoo.com> wrote in message
news:1168979144.7...@38g2000cwa.googlegroups.com...
Thank you for your quick response. This, however, is only a good
TEMPORARY fix, and I have actually already done this (sorry for the
lack in description). Because we are a larger company, we must follow
SOX compliances, and disabling Windows Updates from WSUS or other
Automatic Windows Updates servers is a security threat. What I would
like to do is stop this from happening ONLY when they connect to the
network through the RRAS server (maybe by making it impossible for the
connecting computer to see other machines on the network while connected
through RRAS or not being able to get to the internet while connected
through RRAS). When in office or when connected via VPN, I would like
them to receive updates. Is this possible?
Thank you again for your quick response
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE
"RBot" <cdhgoog...@yahoo.com> wrote in message
news:1168984271.3...@l53g2000cwa.googlegroups.com...
I'm not extremely knowledgeable in this area, so the help you have
provided so far and to come is very useful and appreciated. Thanks
again.
Yes, and you can disable those ports ONLY for the WSUS server
and still allow the clients to reach other Web servers or even this one
on different ports.
RRAS filters are reasonably sophisticated. (Not the most advanced
filtering system in the world but pretty good and fairly granular.)
> I'm not extremely knowledgeable in this area, so the help you have
> provided so far and to come is very useful and appreciated. Thanks
> again.
Try a simple RRAS filter for the range of addresses used for the remote
(dial/vpn) clients as source (with WSUS web server and port 80 or other
as the destination) -- if you disallow this the dial/vpn clients will never
reach the WSUS server.
Filters are ALMOST self-explanatory in RRAS but it takes just a little
bit of clicking around and testing to "get it" -- not much and we'll help.
You could also put the filter on the WSUS server with either RRAS
(it doesn't have to be an RAS/VPN SERVER to do this, just run the
RRAS service and use the filters) or with IPSec filters.
Many people overlook that IPSec filters can be used for merely
BLOCK and pass without any intention of using IPSec facilities for
encryption etc.
As long as you specify the range of addresses the clients will get
when dialing (different DHCP scope or do it on the RRAS server
in an address pool*) then this is pretty easy to match up.
* I don't usually recommend RRAS address pools to those who
have DHCP (easier to do the management in one place) but if
you need a way to give out an identifiable range to Dial/VPN
clients than to local machines then DHCP can be a pain sometimes.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
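
An added sketch, not written by anyone in the thread, of the source-range filter suggested above: it splits the dial-in pool into the address/mask pairs a filter entry takes and checks which flows an "all except listed" drop list would stop. The addresses are constructed stand-ins for the thread's x.x.x values, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins for the thread's elided x.x.x addresses.
POOL_FIRST = ipaddress.ip_address("10.0.1.50")   # dial-in pool start (.50)
POOL_LAST = ipaddress.ip_address("10.0.1.55")    # dial-in pool end (.55)
WSUS = ipaddress.ip_address("10.0.2.240")        # WSUS web server (.240)
APP_SERVER = ipaddress.ip_address("10.0.1.92")   # server the software needs (.92)
WSUS_PORTS = {80}                                # "port 80 or other"


def pool_blocks(first, last):
    """Express an address range as the exact address/mask blocks covering it."""
    return list(ipaddress.summarize_address_range(first, last))


def build_drop_rules():
    """One drop rule per (source block, WSUS port) pair."""
    return [(block, WSUS, port)
            for block in pool_blocks(POOL_FIRST, POOL_LAST)
            for port in sorted(WSUS_PORTS)]


def decide(rules, src, dst, dport):
    """Assumed model: forward every packet except those matching a rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for block, rule_dst, rule_port in rules:
        if src in block and dst == rule_dst and dport == rule_port:
            return "drop"
    return "forward"


if __name__ == "__main__":
    rules = build_drop_rules()
    for block, dst, port in rules:
        print(f"drop src={block.network_address} mask={block.netmask} "
              f"dst={dst} tcp/{port}")
    # Dial-in client to WSUS, dial-in client to app server, office host to WSUS.
    print(decide(rules, "10.0.1.52", str(WSUS), 80))
    print(decide(rules, "10.0.1.52", str(APP_SERVER), 80))
    print(decide(rules, "10.0.1.120", str(WSUS), 80))
```

A pool of .50 through .55 does not fall on a single mask boundary, so it takes two filter entries; a single wider mask would also match addresses outside the pool.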
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE
"RBot" <cdhgoog...@yahoo.com> wrote in message
news:1168986483....@m58g2000cwm.googlegroups.com...
"Jorge Silva" <jorges...@hotmail.com> wrote in message
news:F6C4E8C5-1156-458B...@microsoft.com...
> http://support.microsoft.com/kb/254018/en-us
And just TRY it before reading a BUNCH of that stuff
(it's all in the built-in help too) because the GUI is ALMOST
self-explanatory if you understand the purpose of the filters.
If you figure it out -- great -- if you don't then you will have
specific questions to ask from 2 minutes worth of trying to
build a filter.
Because they broadcast a DHCP request when connecting (which is
successful), they are able to get IPs for the DNS server and the WSUS
servers. It just so happens that the DNS server and WSUS servers have
an IP of x.x.x.240 (different subnets). The IPs that are assigned to
the connecting computers are x.x.x.50 - x.x.x.55. The software will
ALWAYS need to connect to x.x.x.92. Will setting a subnet mask of
255.255.255.128 (/25) stop them from even having the ability to access
IPs higher than x.x.x.127 and in turn stop them from getting any
information about where the WSUS servers are located and how to get to
the internet? This is a last ditch effort, but better than nothing.
Would I need to disable NetBEUI as well?
My main goal is to stop any connecting computer from going ANYWHERE
other than the RRAS server it is connected to without making changes to
Group Policy (We only want these changes to matter when connected
through RRAS). Thank you again for your help.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE
"RBot" <cdhgoog...@yahoo.com> wrote in message
news:1169057826.1...@m58g2000cwm.googlegroups.com...
You can do this even simpler -- have the RRAS server use and give
out a distinct IP range that isn't even routable on your internal
network. (And block it on the internal/corp NIC as an inbound dest or
outbound source).
Are you trying to set filters on an INTERFACE?
(or you can do it in the Firewall if you use the NAT/Basic Firewall but
the interfaces are supposed to be there without the firewall itself.)