darran_d
asked on
Firewall settings to allow MBSA to work properly
Hi All
We have a server in our company which has an IP address on our network but which is not joined to the domain. It is behind a firewall and does not use the corporate proxy as it is not on the domain and therefore has no web access.
We need to get MBSA up and running on this box and I need to find out what I need to allow through the firewall to this box in order for that to happen.
We will also want to download the updates and install them.
From reading on Microsoft we need to open access to the web from that box on TCP ports 135, 139, 445 and UDP ports 137, 138.
Do we need to allow access to a web address like windowsupdate.com or microsoft.com for the downloads etc. to work as well?
I have read a lot of the documentation but haven't been able to get a clear answer.
All help appreciated.
Sorry my bad. I was thinking Microsoft Small Business Accounting.
You will need to have access to windowsupdate.com for sure. It will need to have access to all available updates.
If this server is on the same network as all of your physical servers you will be fine.
But if it is on a DMZ or outside then you will need to port TCP 135, 139, 445 and UDP 137 and 138 from the IP address of your MBSA server to your internal network, allowing traffic in both directions.
The server does not have to be joined to the domain to run MBSA.
ASKER
Thanks for the replies.
So in summary you are saying that from the server IP address I need to allow access to the web through
TCP Ports 135,139,445
UDP Ports 137,138
and also to the following website
windowsupdate.com
Should that do it? There are no more web addresses I need to allow and also the traffic needs to be allowed both ways.
If the server is internal the only thing you will need to allow is the domain windowsupdate.com, this goes along with port 80 for web of course. You would not have to allow the other ports.
However, if the server is not internal or it is in a DMZ or something then you will have to allow those ports both ways between the MBSA server and the servers you are testing.
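Added example, not part of the original thread: one way to allow the ports named above on a scanned machine only from the MBSA server's address, and then check the TCP ports from the MBSA server. It assumes the scanned machine runs Windows Firewall on Windows Server 2012 or later; the IP addresses and function names are placeholders chosen for illustration.

```powershell
# Assumption (not from the thread): 192.0.2.10 is a placeholder for the MBSA server's IP.
$MbsaServer = '192.0.2.10'

# Ports named in the thread, grouped by protocol.
$PortSets = @(
    @{ Protocol = 'TCP'; Ports = @('135', '139', '445') },
    @{ Protocol = 'UDP'; Ports = @('137', '138') }
)

# Run (elevated) on each machine to be scanned: allow the ports inbound,
# but only from the MBSA server's address rather than from any source.
function Add-MbsaScanRules {
    param([Parameter(Mandatory)][string]$ScannerAddress)
    foreach ($set in $PortSets) {
        $name = "MBSA scan $($set.Protocol) from $ScannerAddress"
        # Skip creation if a rule with this name already exists (safe to re-run).
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $set.Protocol -LocalPort $set.Ports `
                -RemoteAddress $ScannerAddress -Profile Any | Out-Null
        }
    }
}

# Run on the MBSA server: report which TCP ports are reachable on a target.
# UDP 137/138 are connectionless, so a connect test cannot confirm them.
function Test-MbsaTcpPorts {
    param([Parameter(Mandatory)][string]$Target)
    foreach ($port in 135, 139, 445) {
        $r = Test-NetConnection -ComputerName $Target -Port $port `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = $Target
            Port      = $port
            Reachable = $r.TcpTestSucceeded
        }
    }
}

# On a scanned machine:  Add-MbsaScanRules -ScannerAddress $MbsaServer
# On the MBSA server:    Test-MbsaTcpPorts -Target '192.0.2.20'   # placeholder target
```

A port that shows `Reachable = False` after the host rules are in place points to a network firewall between the two machines still blocking it.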
ASKER
No Objection
http://technet.microsoft.com/en-us/security/cc184922.aspx
See this link, under "Q: How can I scan a computer that is protected by a firewall?"
ASKER
The server will only ever be logged on as a local admin, so in that sense one user..
Can you explain how to use terminal services to do this?
Would this also facilitate downloading the updates as well?