Solved

Port numbers used by Windows Update process

Posted on 2004-03-24
8
671 Views
Last Modified: 2013-12-04
My servers, one win 2K and the other win 2K3 server, both are behind a firewall machine, running web applications. At the firewall, only the essential ports for web site access (eg, ports 80, 8080 and 9080) are allowed to those two servers. Now, I can not run windows updater on any of those servers. Can do it on the firewall machine allright. So, it looks like the firewall has to allow certain port(s) to those two servers. Can you please tell me what are those port numbers are? Thank you.
0
Comment
Question by:chemwatch
8 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10672749
Well here is the ports being usued on my machine

IEXPLORE.EXE:2556      TCP      :3058      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      biscuitheads.attbi.com:3059      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3060      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3061      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3062      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      .com:3063      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3064      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 10673420
Mine is differnt... ( 3272 )
It's going to vary... as will the actual IP of the server you connect to on windows update because of their loadbalancing. If your firewall will let you specify DNS names, instead of JUST ip's you can get around this quite easily.

access-list One allow tcp any any port to v4-ori.windowsupdate.microsoft.com any   (any meaning any port- and "any any" meaning any host any port)
or to be more specfic...
access-list Two allow tcp host1.your-domain.com any to v4-ori.windowsupdate.microsoft.com any


-rich
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10674983
IPEye is a freeware TCP port scanner
http://www.ntsecurity.nu/toolbox/ipeye/

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10678068
He wants to know WHAT ports windows update uses, not how to scan another computer. I've checked 3 times since I posted here, and windows update port's change everytime, I've not once see it connect to the same source port, destination is actually 80. Like I said, you'll need to allow connections to v4-ori.windowsupdate.microsoft.com in your firewall... or permit your internal boxes to access the internet via port 80. The downloads are also done on port 80, my first post was a little off... the rule would look like this instead

access-list Two allow tcp host1.your-domain.com any to v4-ori.windowsupdate.microsoft.com 80

If you allow your internal host's to go to destination port 80, you should be fine.  not sure what firewall your using... they all operate differently.
-rich
0
 
LVL 7

Expert Comment

by:Chatable
ID: 10696217
Port numbers are relevant only to servers. If you try to connect to another server (rather than listening for connections), Windows automatically selects a random high port (>1024) to establish the connection from.
The only port number relevant is the destination port on the target machine. In this case, Windows Update always uses http (port 80). Sometimes https is also used (port 443).
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10696889
To some extent... A few services or programs do go out a certain Source port, and almost always the destination to a specfic port. Windows uses certain sourceports and destination ports, espically in AD. It's actually an interesting work-around for their IPSEC "firewall" policies. If you bind a scanner like nmap to src port 88 or 445 and scan a box running windows ipsec firewall, you can see all the ports that are open on that windows box, however if you Nmap the regular way, by using ephemeral ports (1024 to 4999- typically) the scan will reveal only what Ipsec let's in. So you see Kerberos uses port 88 as Src and Dst. This is not typical of most applications to use the same src and dst. Your Usually concerned with the dst port. http://www.securityfocus.com/infocus/1528
Item E states...
Kerberos – Kerberos is the core authentication protocol used in Windows 2000 and XP. Kerberos traffic uses a TCP and UDP source and destination port 88. It is important to keep in mind that the IPSec exemption for Kerberos traffic is as simple as: if a packet is TCP or UDP, and has a source or destination port equal to 88, then permit the packet unprotected. This exemption can be disabled in Windows 2000 and XP.


Anyway- port 80 as the dst is what you need to allow, either to all hosts, or specfic ones.
-rich
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question