Educause Security Discussion mailing list archives

Re: Windows Updates and Cisco Clean Access


From: "Atif Azim (atif)" <atif () CISCO COM>
Date: Fri, 15 Jul 2005 20:13:08 -0700

This is correct. CCA allows administrators to use hostnames instead of
the IP addresses as access policies in the temporary or quarantine
roles.

With regards to the folks who have been having windows update problems,
this is because Microsoft has added a new domain to windows updates.
They now host files on servers with names ending in
"update.microsoft.com".
 
To fix the issues you are seeing, please add "update.microsoft.com" with
the operator "ends" to their list of host-based policies for the
temporary or quarantine Role.  
 
Remember to perform an "ipconfig /flushdns" on your test client machine
before trying to see if this works or not.  The reason is that the clean
access server needs to see the initial DNS responses before it puts the
corresponding IPs on the allow list.

If you have further questions on how this works or other topics please
send an email to cca-questions () external cisco com.

Regards,

Atif Azim
Cisco Clean Access
 

-----Original Message-----
From: Richard Gambrell [mailto:richard-gambrell () UTC EDU] 
Sent: Friday, July 15, 2005 5:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Updates and Cisco Clean Access

Our understanding of the latest CCA update (as opposed to Perfigo) is
that it will allow use of DNS names to avoid this problem. We haven't
installed it yet, but will be soon.

Richard
--
Richard L Gambrell, Director of Computing Systems and Networks
Information Technology Division, University of Tennessee at Chattanooga
103 Hunter Dept 4454, 615 McCallie Ave, Chattanooga, TN 37403-2598
Fax: 423-425-4150           Problems: Help-Desk () utc edu or 423-425-4000
Direct phone: 423-425-5316  IT Business Office: 423-425-1755
Urgent/cell: 423-432-5122   Main UTC phone: 423-425-4111
Email: richard-gambrell () utc edu or rgambrel () acm org

Lee Weers wrote:

What I did for our remediation vlan, was setup a FreeBSD box with a 
dns setup with an includes file.  In the included zones it has 
windowsupdate so it doesn't matter how much it changes the students 
can get to all of the redirects.  I got the setup instructions from
this website.

http://bingweb.binghamton.edu/~jroth/cm/

 

-----Original Message-----
From: Flagg, Martin D. [mailto:FlaggMD () HIRAM EDU]
Sent: Friday, July 15, 2005 9:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Updates and Cisco Clean Access

I would love to have a copy of that list.  Thanks Marty


Martin D. Flagg
Network Engineer/Administrator
Hiram College
PH:  330-569-5376
FAX: 330-569-5462
email: flaggmd () hiram edu
-
If you lend someone $20,
and never see that person again,
it was probably worth it.


 


-----Original Message-----
From: Jim Lawson [mailto:jtl+educause () UVM EDU]
Sent: Thursday, July 14, 2005 2:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Updates and Cisco Clean Access

Martin,

We ran into the same problem here at UVM when implementing NetReg.
There is a list of DNS names by which Microsoft provides access to
Windows Update, but they are frequently CNAMEs which point to various
ISPs which get rotated.  I ended up writing a script which
re-generates the list of DNS names and IP addresses that are allowed
based upon the result of certain DNS queries.  We do this for other
sites besides Windows Update, such as Trend Micro's "Housecall" (which
helps in cleaning up virus-infected machines in the unregistered
subnets.)

I'd be happy to share the list of names with you if it would help.  I 
have to admit that I'm kind of surprised that CCA/Perfigo doesn't 
already do this, though.

Flagg, Martin D. wrote:


We are implementing Cisco Clean Access (formerly Perfigo).  It has
gone really well but we keep coming up with problems with Windows
Update; it fails because CCA is blocking the IP.  When this happens, I
use a sniffer and add the new IP address that Microsoft is using and
then it works, until they change addresses again.  Cisco says use the
Host setting allowing requests that end in "update.microsoft.com".
This does not always work.

I am really at a loss because it works for 95% of the machines but I 
can not afford to have 5% of the students in my office when they get 
back from the summer.

Any Ideas?

Martin Flagg
Hiram College


--
Jim Lawson
Technical Support Group, Computing & Information Technology
University of Vermont, Burlington, VT USA
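
The list-regeneration script Jim describes above, as an added example that is not part of this thread and is not NetReg's or CCA's own code: it follows each seed name's CNAME chain to its A records, emits the names and IPs to allow, and flags seeds whose chain wanders outside the "update.microsoft.com" suffix, which is exactly the case a host-based "ends with" policy on its own cannot cover. The zone data, hostnames and addresses below are constructed; a real run would replace `constructed_lookup` with queries against the site's resolver.

```python
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, object]              # ("CNAME", "target.") or ("A", ["ip", ...])
Lookup = Callable[[str], Optional[Record]]

# Constructed zone data: hypothetical names and documentation-range IPs,
# not real Microsoft DNS. Mirrors the CNAME-to-rotating-ISP pattern Jim describes.
CONSTRUCTED_ZONE: Dict[str, Record] = {
    "download.windowsupdate.com.": ("CNAME", "wu.example-cdn.net."),
    "wu.example-cdn.net.": ("CNAME", "edge42.example-isp.net."),
    "edge42.example-isp.net.": ("A", ["192.0.2.10", "192.0.2.11"]),
    "v5.update.microsoft.com.": ("A", ["198.51.100.7"]),
    "loop.update.microsoft.com.": ("CNAME", "loop.update.microsoft.com."),
}

def constructed_lookup(name: str) -> Optional[Record]:
    """Stand-in for a real DNS query; one record set per fully qualified name."""
    return CONSTRUCTED_ZONE.get(name)

def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."

def follow_chain(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Follow CNAMEs from `name` until an A record set is found.
    Returns (names visited in order, sorted IPs). IPs is empty when the
    chain loops, exceeds max_hops, or reaches a name with no record."""
    chain: List[str] = []
    current = fqdn(name)
    for _ in range(max_hops):
        if current in chain:
            break                        # CNAME loop: stop rather than spin
        chain.append(current)
        rec = lookup(current)
        if rec is None:
            break                        # no record: nothing to allow
        rtype, data = rec
        if rtype == "A":
            return chain, sorted(data)
        current = fqdn(str(data))        # CNAME: keep following the target
    return chain, []

def build_allowlist(seeds: List[str], lookup: Lookup,
                    suffix: str = "update.microsoft.com.") -> Dict[str, List[str]]:
    """Regenerate the allowlist: every name in each chain plus the final IPs.
    Seeds whose chain leaves `suffix` are reported separately, since a
    host-based "ends with" policy on that suffix would not match those names."""
    names, ips, outside = set(), set(), set()
    for seed in seeds:
        chain, addrs = follow_chain(seed, lookup)
        names.update(chain)
        ips.update(addrs)
        if any(not n.endswith(suffix) for n in chain):
            outside.add(fqdn(seed))
    return {"names": sorted(names), "ips": sorted(ips), "outside_suffix": sorted(outside)}
```

Re-running this on a schedule and pushing the resulting IP list to the quarantine role's policy keeps up with the rotation without sniffing each new address by hand.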


