Solved

Port numbers used by Windows Update process

Posted on 2004-03-24
8
659 Views
Last Modified: 2013-12-04
My servers, one Win 2K and the other Win 2K3 server, are both behind a firewall machine, running web applications. At the firewall, only the essential ports for web site access (e.g., ports 80, 8080 and 9080) are allowed to those two servers. Now, I cannot run Windows Update on either of those servers. I can do it on the firewall machine all right. So, it looks like the firewall has to allow certain port(s) to those two servers. Can you please tell me what those port numbers are? Thank you.
Question by:chemwatch
8 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10672749
Well, here are the ports being used on my machine

IEXPLORE.EXE:2556      TCP      :3058      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      biscuitheads.attbi.com:3059      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3060      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3061      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3062      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      .com:3063      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3064      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 10673420
Mine is different... ( 3272 )
It's going to vary... as will the actual IP of the server you connect to on Windows Update, because of their load balancing. If your firewall will let you specify DNS names instead of JUST IPs, you can get around this quite easily.

access-list One allow tcp any any port to v4-ori.windowsupdate.microsoft.com any   (any meaning any port- and "any any" meaning any host any port)
or, to be more specific...
access-list Two allow tcp host1.your-domain.com any to v4-ori.windowsupdate.microsoft.com any


-rich
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10674983
IPEye is a freeware TCP port scanner
http://www.ntsecurity.nu/toolbox/ipeye/

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10678068
He wants to know WHAT ports Windows Update uses, not how to scan another computer. I've checked 3 times since I posted here, and the Windows Update ports change every time; I've not once seen it connect from the same source port. The destination is actually 80. Like I said, you'll need to allow connections to v4-ori.windowsupdate.microsoft.com in your firewall... or permit your internal boxes to access the internet via port 80. The downloads are also done on port 80; my first post was a little off... the rule would look like this instead

access-list Two allow tcp host1.your-domain.com any to v4-ori.windowsupdate.microsoft.com 80

If you allow your internal hosts to go to destination port 80, you should be fine. Not sure what firewall you're using... they all operate differently.
-rich
0
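As an added illustration (not code from any poster in this thread), the following Python script reads a netstat-style listing in the column layout CrazyOne posted, groups connections by destination host and port, and shows that the local source port is ephemeral while the destination stays fixed; it then emits one allow rule per destination in the access-list style Rich used. The sample lines, host names and PIDs are constructed, and the access-list syntax is the thread's informal notation, not any specific vendor's.

```python
from collections import defaultdict

# Constructed sample in the layout of the netstat-style listing posted above
# (process:pid, proto, local, remote, state); hosts and PIDs are made up.
SAMPLE_NETSTAT = """\
IEXPLORE.EXE:2556      TCP      myhost:3058      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED
IEXPLORE.EXE:2556      TCP      :3059      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED
IEXPLORE.EXE:2556      TCP      myhost:3060      v4-ori.windowsupdate.microsoft.com:https      ESTABLISHED
svchost.exe:1120      TCP      myhost:1045      dc01.example.internal:kerberos      ESTABLISHED
"""

# netstat prints well-known ports by name unless -n is given; map names back.
SERVICE_PORTS = {"http": 80, "https": 443, "kerberos": 88}

def port_number(p):
    """Turn 'http' or '3058' into an integer port."""
    return int(p) if p.isdigit() else SERVICE_PORTS[p]

def parse_line(line):
    """Split one netstat line; returns None for lines that are not TCP connections."""
    fields = line.split()
    if len(fields) != 5 or fields[1] != "TCP":
        return None
    proc, _proto, local, remote, state = fields
    lhost, lport = local.rsplit(":", 1)   # local host may be blank, as in the post
    rhost, rport = remote.rsplit(":", 1)
    return {"proc": proc, "lhost": lhost, "lport": port_number(lport),
            "rhost": rhost, "rport": port_number(rport), "state": state}

def summarize(text):
    """Group by (remote host, remote port) and collect the local source ports used."""
    by_dest = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_dest[(rec["rhost"], rec["rport"])].add(rec["lport"])
    return dict(by_dest)

def firewall_rules(summary, src="host1.your-domain.com"):
    """One allow rule per distinct destination, in the thread's access-list style.
    Source port is 'any' because, as the summary shows, it is ephemeral."""
    return [f"access-list allow tcp {src} any to {host} {port}"
            for host, port in sorted(summary)]

if __name__ == "__main__":
    s = summarize(SAMPLE_NETSTAT)
    for (host, port), sports in sorted(s.items()):
        print(f"{host}:{port} <- source ports {sorted(sports)}")
    print("\n".join(firewall_rules(s)))
```

Review the generated rule list before applying it: the internal Kerberos destination appears only because it was in the sample, and a rule for it has no business on an outbound internet firewall.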
 
LVL 7

Expert Comment

by:Chatable
ID: 10696217
Port numbers are relevant only to servers. If you try to connect to another server (rather than listening for connections), Windows automatically selects a random high port (>1024) to establish the connection from.
The only port number relevant is the destination port on the target machine. In this case, Windows Update always uses http (port 80). Sometimes https is also used (port 443).
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10696889
To some extent... A few services or programs do go out a certain source port, and almost always the destination to a specific port. Windows uses certain source ports and destination ports, especially in AD. It's actually an interesting work-around for their IPSEC "firewall" policies. If you bind a scanner like nmap to src port 88 or 445 and scan a box running the Windows IPsec firewall, you can see all the ports that are open on that Windows box; however, if you Nmap the regular way, by using ephemeral ports (1024 to 4999, typically), the scan will reveal only what IPsec lets in. So you see Kerberos uses port 88 as Src and Dst. It is not typical of most applications to use the same src and dst. You're usually concerned with the dst port. http://www.securityfocus.com/infocus/1528
Item E states...
Kerberos – Kerberos is the core authentication protocol used in Windows 2000 and XP. Kerberos traffic uses a TCP and UDP source and destination port 88. It is important to keep in mind that the IPSec exemption for Kerberos traffic is as simple as: if a packet is TCP or UDP, and has a source or destination port equal to 88, then permit the packet unprotected. This exemption can be disabled in Windows 2000 and XP.


Anyway, port 80 as the dst is what you need to allow, either to all hosts or to specific ones.
-rich
0
