• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 702
  • Last Modified:

Port numbers used by Windows Update process

My servers, one win 2K and the other win 2K3 server, both are behind a firewall machine, running web applications. At the firewall, only the essential ports for web site access (eg, ports 80, 8080 and 9080) are allowed to those two servers. Now, I can not run windows updater on any of those servers. Can do it on the firewall machine allright. So, it looks like the firewall has to allow certain port(s) to those two servers. Can you please tell me what are those port numbers are? Thank you.
0
chemwatch
Asked:
chemwatch
1 Solution
 
CrazyOneCommented:
Well here is the ports being usued on my machine

IEXPLORE.EXE:2556      TCP      :3058      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      biscuitheads.attbi.com:3059      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3060      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3061      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3062      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      .com:3063      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
IEXPLORE.EXE:2556      TCP      :3064      v4-ori.windowsupdate.microsoft.com:http      ESTABLISHED      
0
 
Rich RumbleSecurity SamuraiCommented:
Mine is differnt... ( 3272 )
It's going to vary... as will the actual IP of the server you connect to on windows update because of their loadbalancing. If your firewall will let you specify DNS names, instead of JUST ip's you can get around this quite easily.

access-list One allow tcp any any port to v4-ori.windowsupdate.microsoft.com any   (any meaning any port- and "any any" meaning any host any port)
or to be more specfic...
access-list Two allow tcp host1.your-domain.com any to v4-ori.windowsupdate.microsoft.com any


-rich
0
 
trywaredkCommented:
IPEye is a freeware TCP port scanner
http://www.ntsecurity.nu/toolbox/ipeye/

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Rich RumbleSecurity SamuraiCommented:
He wants to know WHAT ports windows update uses, not how to scan another computer. I've checked 3 times since I posted here, and windows update port's change everytime, I've not once see it connect to the same source port, destination is actually 80. Like I said, you'll need to allow connections to v4-ori.windowsupdate.microsoft.com in your firewall... or permit your internal boxes to access the internet via port 80. The downloads are also done on port 80, my first post was a little off... the rule would look like this instead

access-list Two allow tcp host1.your-domain.com any to v4-ori.windowsupdate.microsoft.com 80

If you allow your internal host's to go to destination port 80, you should be fine.  not sure what firewall your using... they all operate differently.
-rich
0
 
ChatableCommented:
Port numbers are relevant only to servers. If you try to connect to another server (rather than listening for connections), Windows automatically selects a random high port (>1024) to establish the connection from.
The only port number relevant is the destination port on the target machine. In this case, Windows Update always uses http (port 80). Sometimes https is also used (port 443).
0
 
Rich RumbleSecurity SamuraiCommented:
To some extent... A few services or programs do go out a certain Source port, and almost always the destination to a specfic port. Windows uses certain sourceports and destination ports, espically in AD. It's actually an interesting work-around for their IPSEC "firewall" policies. If you bind a scanner like nmap to src port 88 or 445 and scan a box running windows ipsec firewall, you can see all the ports that are open on that windows box, however if you Nmap the regular way, by using ephemeral ports (1024 to 4999- typically) the scan will reveal only what Ipsec let's in. So you see Kerberos uses port 88 as Src and Dst. This is not typical of most applications to use the same src and dst. Your Usually concerned with the dst port. http://www.securityfocus.com/infocus/1528
Item E states...
Kerberos – Kerberos is the core authentication protocol used in Windows 2000 and XP. Kerberos traffic uses a TCP and UDP source and destination port 88. It is important to keep in mind that the IPSec exemption for Kerberos traffic is as simple as: if a packet is TCP or UDP, and has a source or destination port equal to 88, then permit the packet unprotected. This exemption can be disabled in Windows 2000 and XP.


Anyway- port 80 as the dst is what you need to allow, either to all hosts, or specfic ones.
-rich
0

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now