Solved

Port numbers used by Windows Update process

Posted on 2004-03-24
Last Modified: 2013-12-04
My servers, one Win 2K and the other Win 2K3 server, are both behind a firewall machine, running web applications. At the firewall, only the essential ports for web site access (eg, ports 80, 8080 and 9080) are allowed to those two servers. Now, I can not run Windows Update on either of those servers. Can do it on the firewall machine all right. So, it looks like the firewall has to allow certain port(s) to those two servers. Can you please tell me what those port numbers are? Thank you.
Question by:chemwatch
8 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10672749
Well, here are the ports being used on my machine

IEXPLORE.EXE:2556      TCP      :3058      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      biscuitheads.attbi.com:3059      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3060      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3061      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3062      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      .com:3063      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3064      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
 
LVL 38

Accepted Solution

by:Rich Rumble (earned 500 total points)
ID: 10673420
Mine is different... ( 3272 )
It's going to vary... as will the actual IP of the server you connect to on Windows Update, because of their load balancing. If your firewall will let you specify DNS names, instead of JUST IPs, you can get around this quite easily.

access-list One allow tcp any any port to v4-ori.windowsupdate.microsoft.com any   (any meaning any port- and "any any" meaning any host any port)
or to be more specific...
access-list Two allow tcp host1.your-domain.com any to v4-ori.windowsupdate.microsoft.com any


-rich
 
LVL 12

Expert Comment

by:trywaredk
ID: 10674983
IPEye is a freeware TCP port scanner
http://www.ntsecurity.nu/toolbox/ipeye/

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

LVL 38

Expert Comment

by:Rich Rumble
ID: 10678068
He wants to know WHAT ports Windows Update uses, not how to scan another computer. I've checked 3 times since I posted here, and Windows Update's ports change every time; I've not once seen it connect from the same source port. The destination is actually 80. Like I said, you'll need to allow connections to v4-ori.windowsupdate.microsoft.com in your firewall... or permit your internal boxes to access the internet via port 80. The downloads are also done on port 80; my first post was a little off... the rule would look like this instead

access-list Two allow tcp host1.your-domain.com any to v4-ori.windowsupdate.microsoft.com 80

If you allow your internal hosts to go to destination port 80, you should be fine. Not sure what firewall you're using... they all operate differently.
-rich
 
LVL 7

Expert Comment

by:Chatable
ID: 10696217
Port numbers are relevant only to servers. If you try to connect to another server (rather than listening for connections), Windows automatically selects a random high port (>1024) to establish the connection from.
The only port number relevant is the destination port on the target machine. In this case, Windows Update always uses http (port 80). Sometimes https is also used (port 443).
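The two points above (Rich: the source port changes on every connection, the destination is always 80; Chatable: only the destination port matters for the rule) can be checked directly from netstat output rather than by eye. The script below is an added example, not code from this thread: it parses `netstat -b`-style lines of the shape CrazyOne pasted, shows that every source port falls in the Windows 2000/2003 default client range (1025-5000) while the destination stays fixed, and prints destination-port rules in the same informal access-list notation Rich used. The sample output, the local host name `host1`, the `host1.your-domain.com` source and the extra https line are constructed for illustration.

```python
"""Work out, from netstat output, which side of a Windows Update connection
actually varies, and derive destination-port firewall rules from the result.

Added example; not code from the original thread. The sample below is
constructed to match the shape of `netstat -b` output quoted in the thread
(local host name and the https line are made up for illustration).
"""
import re
from collections import defaultdict

SAMPLE_NETSTAT = """\
Active Connections
IEXPLORE.EXE:2556      TCP      host1:3058      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED
IEXPLORE.EXE:2556      TCP      host1:3059      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED
IEXPLORE.EXE:2556      TCP      host1:3060      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED
IEXPLORE.EXE:2556      TCP      host1:3272      v4-ori.windowsupdate.microsoft.com:https     ESTABLISHED
"""

# netstat prints well-known destination ports by service name; map them back.
SERVICE_PORTS = {"http": 80, "https": 443}

# Windows 2000/2003 hand out client (ephemeral) ports from 1025-5000 by default.
EPHEMERAL_RANGE = (1025, 5000)

# process:pid  proto  localhost:port  remotehost:port  state
LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>[^\s:]*):(?P<lport>\S+)\s+"
    r"(?P<rhost>[^\s:]+):(?P<rport>\S+)\s+(?P<state>\S+)\s*$"
)


def port_number(token):
    """Turn '3058' or 'http' into an integer port."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token.lower()]


def parse_netstat(text):
    """Parse netstat -b style lines; anything that is not a connection row is skipped."""
    conns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conns.append({
            "proc": m["proc"], "proto": m["proto"],
            "src_port": port_number(m["lport"]),
            "dst_host": m["rhost"], "dst_port": port_number(m["rport"]),
            "state": m["state"],
        })
    return conns


def is_ephemeral(port):
    lo, hi = EPHEMERAL_RANGE
    return lo <= port <= hi


def summarize(conns):
    """Group by destination host: which source ports and destination ports were seen."""
    out = defaultdict(lambda: {"src_ports": set(), "dst_ports": set()})
    for c in conns:
        out[c["dst_host"]]["src_ports"].add(c["src_port"])
        out[c["dst_host"]]["dst_ports"].add(c["dst_port"])
    return dict(out)


def firewall_rules(summary, src_host="host1.your-domain.com"):
    """One rule per destination host/port in the thread's informal access-list
    notation: source port left as 'any', destination port pinned."""
    rules = []
    for host in sorted(summary):
        for port in sorted(summary[host]["dst_ports"]):
            rules.append(f"access-list Two allow tcp {src_host} any to {host} {port}")
    return rules


if __name__ == "__main__":
    summary = summarize(parse_netstat(SAMPLE_NETSTAT))
    for host, d in summary.items():
        print(host,
              "src ports:", sorted(d["src_ports"]),
              "all ephemeral:", all(is_ephemeral(p) for p in d["src_ports"]),
              "dst ports:", sorted(d["dst_ports"]))
    print("\n".join(firewall_rules(summary)))
```

Run it against real `netstat -bn` output captured while Windows Update is open and the source-port column will keep changing from run to run, which is exactly why a source-port rule can never be written; the destination host and port are the only stable part.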
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10696889
To some extent... A few services or programs do go out a certain source port, and almost always the destination to a specific port. Windows uses certain source ports and destination ports, especially in AD. It's actually an interesting work-around for their IPSEC "firewall" policies. If you bind a scanner like nmap to src port 88 or 445 and scan a box running the Windows IPsec firewall, you can see all the ports that are open on that Windows box; however, if you nmap the regular way, by using ephemeral ports (1024 to 4999, typically), the scan will reveal only what IPsec lets in. So you see Kerberos uses port 88 as Src and Dst. This is not typical; most applications don't use the same src and dst. You're usually concerned with the dst port. http://www.securityfocus.com/infocus/1528
Item E states...
Kerberos – Kerberos is the core authentication protocol used in Windows 2000 and XP. Kerberos traffic uses a TCP and UDP source and destination port 88. It is important to keep in mind that the IPSec exemption for Kerberos traffic is as simple as: if a packet is TCP or UDP, and has a source or destination port equal to 88, then permit the packet unprotected. This exemption can be disabled in Windows 2000 and XP.


Anyway- port 80 as the dst is what you need to allow, either to all hosts, or specfic ones.
-rich
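The Kerberos exemption Rich quotes is worth seeing as a policy decision rather than a sentence, because it explains why pinning the scanner's source port (nmap's -g/--source-port option) changes what a scan reveals. The model below is an added example, not Windows code and not from this thread: it evaluates an inbound packet the way the quoted text describes, exemption first ("source or destination port equal to 88, then permit"), then the administrator's filter list. The filter list, the listening ports and the default-deny for unmatched traffic are constructed for illustration, and real IPsec filters also match on addresses, which the model leaves out.

```python
"""Model of the Windows 2000/XP IPsec filtering behaviour described above:
the default Kerberos exemption passes any TCP/UDP packet whose source OR
destination port is 88 before the administrator's filter list is consulted,
so a scanner that sends from source port 88 sees every listener.

Added example, not Windows code and not from the original thread; the filter
list and the listening ports are constructed for illustration.
"""
from dataclasses import dataclass

KERBEROS_PORT = 88


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Filter:
    """One IPsec filter: matches protocol and destination port, then permits or blocks."""
    proto: str
    dst_port: int
    action: str      # "permit" or "block"


def ipsec_decision(pkt, filters, kerberos_exemption=True):
    """What the host does with an inbound packet under the given policy."""
    if (kerberos_exemption and pkt.proto in ("TCP", "UDP")
            and KERBEROS_PORT in (pkt.src_port, pkt.dst_port)):
        return "permit"          # exemption wins; no filter is ever evaluated
    for f in filters:
        if f.proto == pkt.proto and f.dst_port == pkt.dst_port:
            return f.action
    return "block"               # constructed policy: default-deny for unmatched traffic


def scan(listening_ports, filters, src_port, kerberos_exemption=True):
    """Ports a TCP scanner sending every probe from src_port would find open."""
    return sorted(
        p for p in listening_ports
        if ipsec_decision(Packet("TCP", src_port, p), filters, kerberos_exemption) == "permit"
    )


# Constructed host: several listeners, but the policy only exposes the web server.
LISTENING = {80, 135, 139, 445, 3389}
POLICY = [Filter("TCP", 80, "permit")]

if __name__ == "__main__":
    print("ephemeral source port 3456   :", scan(LISTENING, POLICY, 3456))
    print("source port 88, exemption on :", scan(LISTENING, POLICY, 88))
    print("source port 88, exemption off:", scan(LISTENING, POLICY, 88, kerberos_exemption=False))
```

The third line of output is the point of the "this exemption can be disabled" sentence in the quoted text: with the exemption off, a source-port-88 scan sees the same thing an ordinary scan does, and the source port stops mattering, which is the general rule the rest of the thread relies on.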