Educause Security Discussion mailing list archives

Re: Windows Updates and Cisco Clean Access


From: "Flagg, Martin D." <FlaggMD () HIRAM EDU>
Date: Fri, 15 Jul 2005 10:07:48 -0400

I would love to have a copy of that list.  Thanks Marty 


Martin D. Flagg
Network Engineer/Administrator
Hiram College
PH:  330-569-5376
FAX: 330-569-5462
email: flaggmd () hiram edu
-
If you lend someone $20, 
and never see that person again,
it was probably worth it.


 


-----Original Message-----
From: Jim Lawson [mailto:jtl+educause () UVM EDU] 
Sent: Thursday, July 14, 2005 2:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Updates and Cisco Clean Access

Martin,

We ran into the same problem here at UVM when implementing NetReg.
There is a list of DNS names by which Microsoft provides access to
Windows Update, but they are frequently CNAMEs which point to various
ISPs which get rotated.  I ended up writing a script which re-generates
the list of DNS names and IP addresses that are allowed based upon the
result of certain DNS queries.  We do this for other sites besides
Windows Update, such as Trend Micro's "Housecall" (which helps in
cleaning up virus-infected machines in the unregistered subnets.)

I'd be happy to share the list of names with you if it would help.  I
have to admit that I'm kind of surprised that CCA/Perfigo doesn't
already do this, though.

Flagg, Martin D. wrote:
 
We are implementing Cisco Clean Access (formerly Perfigo).  It has 
gone really well but we keep coming up with problems with Windows 
Update, it fails because CCA is blocking the IP.  When this happens, I 
use a sniffer and add the new IP address that Microsoft is using and 
then it works, until they change addresses again.  Cisco says use the 
Host setting allowing requests that end in "update.microsoft.com".  
This does not always work.

I am really at a loss because it works for 95% of the machines but I 
cannot afford to have 5% of the students in my office when they get 
back from the summer.

Any Ideas?

Martin Flagg
Hiram College

--
Jim Lawson
Technical Support Group, Computing & Information Technology University
of Vermont Burlington, VT USA
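
Added example, not part of the original thread and not the UVM script: one way to regenerate an allowlist of DNS names and IP addresses by following CNAME chains, as the message above describes, and to diff it against the previous run. The record tables, CDN host names, IP addresses and function names are constructed for illustration; a live version would replace `table_lookup` with real DNS queries.

```python
"""Rebuild a captive-portal allowlist from DNS answers (constructed data)."""
MAX_CHAIN = 8  # stop on CNAME loops or unreasonably long chains

# Constructed records for two points in time; the CDN names and IPs are
# placeholders (RFC 2606 / RFC 5737), not real Windows Update infrastructure.
ROTATION_1 = {
    "update.microsoft.com": [("CNAME", "wu.cdn-a.example")],
    "wu.cdn-a.example": [("A", "192.0.2.10"), ("A", "192.0.2.11")],
}
ROTATION_2 = {
    "update.microsoft.com": [("CNAME", "wu.cdn-b.example")],
    "wu.cdn-b.example": [("A", "198.51.100.7")],
    "loop.example": [("CNAME", "loop.example")],
}

def table_lookup(table):
    """Hypothetical stand-in for a live resolver: name -> [(rtype, value)]."""
    return lambda name: table.get(name, [])

def expand(name, lookup):
    """Follow CNAMEs from one seed name; return (names seen, A-record IPs)."""
    names, ips = [], set()
    current = name.lower().rstrip(".")
    while current not in names and len(names) < MAX_CHAIN:
        names.append(current)
        target = None
        for rtype, value in lookup(current):
            if rtype == "A":
                ips.add(value)
            elif rtype == "CNAME":
                target = value.lower().rstrip(".")
        if target is None:
            break
        current = target
    return names, ips

def build_allowlist(seeds, lookup):
    """Union of every name and IP reachable from the seed names."""
    allowed_names, allowed_ips = set(), set()
    for seed in seeds:
        names, ips = expand(seed, lookup)
        allowed_names.update(names)
        allowed_ips.update(ips)
    return allowed_names, allowed_ips

def diff(old, new):
    """Entries to add to and remove from the deployed allowlist."""
    return sorted(new - old), sorted(old - new)
```

An IP-based allowlist is only as fresh as the last run, so a script like this needs to run on a schedule no longer than the TTL of the records it follows.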
