echo: nthelp
to: All
from: NL
date: 2004-02-05 10:41:18
subject: Corporate variant (SUS) of Windows Update

From: Jan van Hoek (NL) 

Within our company (1 head office, 50 branch offices) we are planning to
start using MS SUS (Software Update Services) to keep our workstations
(500) and servers (75) up to date. SUS is advertised as the corporate
variant of Windows Update, the latter being designed with the home user in
mind. FYI: We are using a mixture of Windows NT 4.0 and Windows 2000.

We have configured a SUS server, which tries to retrieve hotfixes and the
like on a daily basis. My problem is related to the fact that the files
that are pulled from the Windows Update website, are inspected by our
virus/vandal server (Aladdin eSafe), which works with a very strict policy
and hence often refuses those files.

In an attempt to escape from that anti-virus policy, we added a list of
IP-addresses that are part of the Windows Update site, to the
"trusted" (VIP) list within the eSafe server. We started this
seemingly trivial task, guided by blocked addresses as reported in the
eSafe logfiles. But gradually it starts looking more like what Sisyphus had
to do for many years in a row (or the 50 daughters of Danaus AKA Danaides
for that matter).

The current situation is that we continuously have to deal with new
IP-addresses that are shown blocked by the eSafe server. Obviously (and
understandably) MS uses some load balancing strategy, which involves a lot
of distinct websites and hence a lot of IP-addresses that we are forced to
add into the "trusted" list.

It started with 207.46.249.126 and 62.58.34.75, being the "front"
websites for Windows Update. We had to add the full 213.161.82.* range soon
after that. This went well for a few days. This process seems to have no
end, because we see new addresses being blocked every day.

This repressive way to establish the full range of IP-addresses that are
used indirectly by Windows Update, by inspecting "blocked"
entries in eSafe's logfiles and subsequently adjusting the VIP list, is not
the right way. Acting this way, the SUS server cannot be guaranteed to be
complete ever. There will remain a considerable chance that we forgot some
IP-addresses and that part of the Windows Update contents fails to get
retrieved.

We tried to get this problem across with Microsoft NL. Though always
helpful and friendly, problems like this one seem beyond their league.

I may assume that someone reading this message has already encountered (and
tackled!) this problem in a corporate environment, and is willing to share
his/her secrets with us.
--
-- Jan van Hoek (NL)
-- Thu 5 Feb 2004 10:02 CET

PS: Please don't recommend relaxing our content policy. Our company belongs
to the 3% of the Dutch industry that were virus free for almost 4 years now
(the Loveletter incident was the last one). This is largely due to our
strict virus policy (that is OTOH felt as a nuisance by most non-IT
people).

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
