We close off all outside connections to our Windows Servers but wanted to do Windows Update from the internet. We don’t use WSUS; instead we use ConnectWise Automate for patch management, but it requires internet access at the gateway level.
I am aware that Microsoft uses a CDN to distribute the updates. It isn’t practical to develop an allow list of IPs. It’s probably also pretty dynamic. Far better to use WSUS, or a proxy, or a firewall that can allow via DNS. I know that the pfSense firewall can’t use wildcard DNS entries.
Would you guys know any better way to handle this?
You can create an alias using the fully qualified domain names of the URLs you need to get to. They are “updated periodically” according to pfSense documentation. Firewall — Aliases | pfSense Documentation
It is not an option because pfSense does not support wildcards…
"This process only supports forward name resolution of FQDNs using A and AAAA records such as host.domain.com. Aliases do not support pattern matches, wildcard matches (e.g. *.domain.com), or any other style of record comparison."
"This feature is not useful for allowing or disallowing users to large public web sites such as those served by content delivery network (CDN) providers. Such sites tend to have constantly rotating or random responses to DNS queries so the contents of the alias on the firewall do not necessarily match up with the response a user will receive when they resolve the same site name. It can work for smaller sites that have only a few servers and do not include incomplete sets of addresses in their DNS responses."
The real problem is wildcard DNS entries (Microsoft uses a CDN to distribute the updates). The pfSense firewall can’t allow wildcard DNS entries for a whitelist.
Do you have a support contract with Microsoft? If so you could bring this up with them.
The way IP firewalls work you cannot use wildcards for a domain, as that would require a DNS lookup every time there was an IP conversation. It has to be an IP that is allowed, and the way I mentioned with an alias dynamically builds that list of IP addresses on a regular schedule. Thus, you add the Microsoft update sites whose IPs change every month by design and it allows them as needed. If you were using a DNS black hole such as pfBlockerNG DNSBL there is a means of allowing a top level domain, but that is a separate thing from the firewall.
Don’t overthink the CDN part. If the Microsoft IP is too far away then set up a WSUS server to cache the updates for the rest of the network and apply a GPO to point the Windows computers to the WSUS server. Best of luck!
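The two mechanisms the thread contrasts (a firewall alias that is rebuilt from forward lookups on a schedule, versus a CDN name whose answers rotate so the client may be handed an address the alias never saw) can be modelled in a few lines. The following Python is an added example for this thread, not pfSense, pfBlockerNG or Microsoft code; the hostnames and addresses are constructed from RFC 5737 documentation ranges and stand in for a small stable site and a CDN-served name, and the `Resolver` and `FqdnAlias` classes are simplified stand-ins for a DNS resolver and a firewall alias, not real pfSense components.

```python
"""Model of a firewall FQDN alias rebuilt from forward DNS lookups, showing why a
CDN name with rotating answers leaves the alias out of step with what a client
resolves.  Added example, not pfSense or Microsoft code; all names and addresses
below are constructed (RFC 5737 ranges), not real Windows Update hosts."""
import ipaddress
from itertools import cycle

# Constructed DNS data: each name maps to the sequence of answer sets the
# authoritative server hands out on successive queries (the sequence cycles).
CONSTRUCTED_ANSWERS = {
    # A small site with one stable address: every lookup returns the same answer.
    "small.example.net": [{"203.0.113.10"}],
    # A CDN-style name: successive answers point at different edge nodes.
    "cdn.example.net": [
        {"198.51.100.1", "198.51.100.2"},
        {"198.51.100.3"},
        {"198.51.100.4", "198.51.100.5"},
    ],
}


class Resolver:
    """Deterministic stand-in for a DNS resolver (assumed helper): each query for a
    name returns the next answer set in that name's rotation.  Every Resolver
    instance keeps its own position, because the firewall and a client really do
    issue separate queries."""

    def __init__(self, answers):
        self._rotation = {name: cycle(sets) for name, sets in answers.items()}

    def resolve(self, name):
        return {ipaddress.ip_address(a) for a in next(self._rotation[name])}


class FqdnAlias:
    """Stand-in for a firewall FQDN alias: a fixed set of addresses rebuilt from
    forward lookups on a schedule.  Between refreshes the packet filter only
    knows these IPs; it never does a lookup per connection."""

    def __init__(self, names, resolver):
        self.names = names
        self.resolver = resolver
        self.addresses = set()

    def refresh(self):
        """Rebuild the alias from one fresh lookup of every configured name."""
        self.addresses = set()
        for name in self.names:
            self.addresses |= self.resolver.resolve(name)
        return self.addresses

    def permits(self, addr):
        """Would a connection to this destination address match the alias?"""
        return ipaddress.ip_address(addr) in self.addresses


def simulate(name, client_connections):
    """Count how many client connections to `name` the alias would allow.

    The alias is refreshed once, then the client resolves `name` independently
    before each connection and connects to the first address it was handed.
    Returns (allowed, blocked)."""
    alias = FqdnAlias([name], Resolver(CONSTRUCTED_ANSWERS))
    alias.refresh()
    client = Resolver(CONSTRUCTED_ANSWERS)
    allowed = blocked = 0
    for _ in range(client_connections):
        target = min(client.resolve(name))  # lowest address in the client's answer
        if alias.permits(target):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    for host in CONSTRUCTED_ANSWERS:
        ok, dropped = simulate(host, 6)
        print(f"{host}: {ok} allowed, {dropped} blocked out of 6 connections")
```

Run as a script, the stable name is allowed on every connection while the rotating name is only allowed when the client happens to be handed an address from the same answer set the alias captured; that gap, not the alias mechanism itself, is what the quoted pfSense documentation warns about for CDN-served sites. Shortening the refresh interval narrows the window but cannot close it, since the filter still cannot resolve per connection; a caching proxy or WSUS, as suggested above, removes the dependency on matching the CDN's answers at all.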