Educause Security Discussion mailing list archives
Re: Windows Updates and Cisco Clean Access
From: "Atif Azim (atif)" <atif () CISCO COM>
Date: Fri, 15 Jul 2005 20:13:08 -0700
This is correct. CCA allows administrators to use hostnames instead of the ip addresses as access policies in the temporary or quarantine roles. With regards to the folks who have been having windows update problems, this is because Microsoft has added a new domain to windows updates. They now host files on servers with names ending in "update.microsoft.com". To fix the issues you are seeing, please add "update.microsoft.com" with the operator "ends" to their list of host-based policies for the temporary or quarantine Role. Remember to perform an "ipconfig /flushdns" on your test client machine before trying to see if this works or not. The reason is that the clean access server needs to see the initial DNS responses before it puts the corresponding IPs on the allow list. If you have further questions on how this works or other topics please send an email to cca-questions () external cisco com. Regards, Atif Azim Cisco Clean Access -----Original Message----- From: Richard Gambrell [mailto:richard-gambrell () UTC EDU] Sent: Friday, July 15, 2005 5:01 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Windows Updates and Cisco Clean Access Our understanding of the lastest CCA update (as opposed to Perfigo) is that it will allow use of DNS names to avoid this problem. We haven't installed it yet, but will be soon. Richard -- Richard L Gambrell, Director of Computing Systems and Networks Information Technology Division, University of Tennessee at Chattanooga 103 Hunter Dept 4454, 615 McCallie Ave, Chattanooga, TN 37403-2598 Fax: 423-425-4150 Problems: Help-Desk () utc edu or 423-425-4000 Direct phone: 423-425-5316 IT Business Office: 423-425-1755 Urgent/cell: 423-432-5122 Main UTC phone: 423-425-4111 Email: richard-gambrell () utc edu or rgambrel () acm org Lee Weers wrote:
What I did for our remediation vlan, was setup a FreeBSD box with a dns setup with an includes file. In the included zones it has windowsupdate so it doesn't matter how much it changes the students can get to all of the redirects. I got the setup instructions from
this website.
http://bingweb.binghamton.edu/~jroth/cm/ -----Original Message----- From: Flagg, Martin D. [mailto:FlaggMD () HIRAM EDU] Sent: Friday, July 15, 2005 9:08 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Windows Updates and Cisco Clean Access I would love to have a copy of that list. Thanks Marty Martin D. Flagg Network Engineer/Administrator Hiram College PH: 330-569-5376 FAX: 330-569-5462 email: flaggmd () hiram edu - If you lend someone $20, and never see that person again, it was probably worth it. -----Original Message----- From: Jim Lawson [mailto:jtl+educause () UVM EDU] Sent: Thursday, July 14, 2005 2:49 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Windows Updates and Cisco Clean Access Martin, We ran into the same problem here at UVM when implementing NetReg. There are a list of DNS names by which Microsoft provides access to Windows Update, but they are frequently CNAMEs which point to various ISPs which get rotated. I ended up writing a script which re-generates the list of DNS names and IP addresses that are allowed based upon the result of certain DNS queries. We do this for other sites besides Windows Update, such as Trend Micro's "Housecall" (which
helps in cleaning up virus-infected machines in the unregistered subnets.) I'd be happy to share the list of names with you if it would help. I have to admit that I'm kind of surprised that CCA/Perfigo doesn't already do this, though. Flagg, Martin D. wrote:We are implementing Cisco Clean Access (formally Perfigo). It has gone really well but we keep coming up with problems with Windows Update, it fails because CCA is blocking the IP. When this happens, Iuse a sniffer and add the new IP address that Microsoft is using and then it works, until they change address's again. Cisco says use the Host setting allowing requests that end in "update.microsoft.com". This does not always work. I am really at a loss because it works for 95% of the machines but I can not afford to have 5% of the students in my office when they get back from the summer. Any Ideas? Martin Flagg Hiram College-- Jim Lawson Technical Support Group, Computing & Information Technology University
of Vermont Burlington, VT USA
Current thread:
- Windows Updates and Cisco Clean Access Flagg, Martin D. (Jul 14)
- <Possible follow-ups>
- Re: Windows Updates and Cisco Clean Access Charlie Prothero (Jul 14)
- Re: Windows Updates and Cisco Clean Access Michael Grinnell (Jul 14)
- Re: Windows Updates and Cisco Clean Access Jim Lawson (Jul 14)
- Re: Windows Updates and Cisco Clean Access Franklin, Elliott (Jul 14)
- Re: Windows Updates and Cisco Clean Access Information Security (Jul 14)
- Re: Windows Updates and Cisco Clean Access Flagg, Martin D. (Jul 15)
- Re: Windows Updates and Cisco Clean Access Lee Weers (Jul 15)
- Re: Windows Updates and Cisco Clean Access Richard Gambrell (Jul 15)
- Re: Windows Updates and Cisco Clean Access Atif Azim (atif) (Jul 15)
- Re: Windows Updates and Cisco Clean Access Mike Wiseman (Jul 18)