Re: Windows Updates and Cisco Clean Access

[Mike Wiseman <mike.wiseman () UTORONTO CA>]

> We ran into the same problem here at UVM when implementing NetReg.
> There are a list of DNS names by which Microsoft provides access to
> Windows Update, but they are frequently CNAMEs which point to various
> ISPs which get rotated.  I ended up writing a script which re-generates
> the list of DNS names and IP addresses that are allowed based upon the
> result of certain DNS queries.  We do this for other sites besides
> Windows Update, such as Trend Micro's "Housecall" (which helps in
> cleaning up virus-infected machines in the unregistered subnets.)
>
> I'd be happy to share the list of names with you if it would help.  I
> have to admit that I'm kind of surprised that CCA/Perfigo doesn't
> already do this, though.
>
> Jim Lawson
> Technical Support Group, Computing & Information Technology University
> of Vermont Burlington, VT USA

We also found the same problem with our NetReg setup. To solve it, we went with 'squid' to
filter URLs. Filtered URLs have access to a full services DNS server. So now we can use
*.microsoft.com, *.symantec.com, etc.

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto