Diverting software updates to WAN 2


#1

I’d like to create a rule that will divert all traffic for computer and phone updates (Microsoft, Apple, Android, etc.) plus music streaming services, to WAN 2.
I understand that it is a matter of knowing exactly the host names/domains involved.

Is there a ready list of hosts for this?


#2

You can do this with domain name rules. I use the following list for MS and Apple:

*.microsoft.com
*.windowsupdate.com
*.apple.com

and set outbound policies to send the traffic via the WAN you want to use for OS updates.


#3

Martin thanks for helping!

Is all this sufficient? Aren’t there any other “hidden” hosts? (for instance I see many connections to hosts belonging to *.akamaitechnologies.com)
Is this achieved in one unique policy or 3? (can you create one policy with a comma separated list of domains?)

Other questions:

  • what policy are you using for youtube/spotify/facebook, or other streaming services, if any?
  • Does a high number of Outbound policies affect CPU performance? If so, how many policies have you got?

Thanks very much for helping!


#4

I am afraid that those hosts fall in the CDN world, and I have read some posts on this topic that seem to be quite complicated to manage.
Is it true that each ISP has its own hosts (IPs) for this, so it is required to configure a list of hosts for each provider (we have 3!!)?
Can you confirm, or can someone confirm, how to properly filter and assign CDN hosts to a given WAN?

Thanks!


#5

@ReeXNeeX You’re of course right that updates are delivered through CDNs, however I’m pretty sure that all requests start using a DNS alias that would be covered by the wildcard rules above. This Technet article suggests that this method is still effective: https://technet.microsoft.com/en-us/library/gg712696.aspx

It lists the following URLs that are involved in software updates:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://test.stats.update.microsoft.com
http://ntservicepack.microsoft.com
http://crl.microsoft.com

I haven’t got a live system currently configured that diverts updates via a specific WAN, so perhaps it’s a question of try it and see. If you dump the URL logging to syslog on your device, then run a Windows software update, you’ll be able to see what URLs are actually called.

I don’t have any policies configured for social media services. Yes, a high number of policies will ultimately have an effect on throughput / CPU load. The most I have ever used personally is between 20-30 on a B380, and I saw no negative impact on throughput.
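As an added example (not code from the thread or from the device vendor), a small script that performs the check described above: it pulls the hostnames out of URL-logging lines and reports which ones the wildcard domain rules from post #2 already cover and which would need a rule of their own. The syslog line format and the hostnames in the sample are constructed; the matcher assumes `*.example.com` covers the domain itself and every subdomain.

```python
import re
from urllib.parse import urlsplit

# Domain rules as posted in the thread; the wildcard form is assumed to cover
# the bare domain and all of its subdomains.
DOMAIN_RULES = ["*.microsoft.com", "*.windowsupdate.com", "*.apple.com"]

# Constructed sample of URL-logging lines in a generic syslog style. The real
# device format is an assumption; only the "url=" field is parsed.
SAMPLE_LOG = """\
Nov  1 10:02:11 router urllog: src=192.168.1.20 url=http://download.windowsupdate.com/d/update/x.cab
Nov  1 10:02:12 router urllog: src=192.168.1.20 url=https://fe3.delivery.mp.microsoft.com/client.asmx
Nov  1 10:02:15 router urllog: src=192.168.1.20 url=http://a1234.dscg.akamaitechnologies.com/files/abc
Nov  1 10:03:01 router urllog: src=192.168.1.31 url=https://updates.cdn-apple.com/ios/foo.zip
Nov  1 10:03:05 router urllog: src=192.168.1.31 url=https://mesu.apple.com/assets/update.xml
Nov  1 10:03:09 router urllog: src=192.168.1.31 url=https://us-east-1.icloud-content.com/abc
"""

URL_RE = re.compile(r"url=(\S+)")


def host_matches(host, rule):
    """True if `host` is covered by a domain rule such as '*.apple.com'."""
    host = host.lower().rstrip(".")
    if rule.startswith("*."):
        base = rule[2:].lower()
        return host == base or host.endswith("." + base)
    return host == rule.lower()


def hosts_from_log(log_text):
    """Extract the distinct hostnames seen in the url= field of each line."""
    hosts = set()
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if m:
            host = urlsplit(m.group(1)).hostname
            if host:
                hosts.add(host)
    return hosts


def audit(log_text, rules=DOMAIN_RULES):
    """Split observed hosts into those matched by a rule and those not."""
    covered, uncovered = set(), set()
    for host in hosts_from_log(log_text):
        (covered if any(host_matches(host, r) for r in rules) else uncovered).add(host)
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = audit(SAMPLE_LOG)
    print("covered by rules:", sorted(covered))
    print("NOT covered (candidate hidden hosts):", sorted(uncovered))
```

Hosts in the uncovered set are the ones that will keep going out via the default WAN until a rule for them is added.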


#6

Hi,

You can refer here:

Apple:

Microsoft:
https://support.microsoft.com/en-us/help/10164/i-got-an-error-code-from-windows-update
Choose 80244019

Youtube:

For other domains, you may need to search using Google :grin:

Please consider using the domain rules for special requirements only, as a single domain for Microsoft/YouTube can have over 100 IP addresses or more. This will definitely increase the CPU load.

Thank You


#7

I have set some 20 domain-based outbound policies, however many of them are not working. I wonder if I am doing something wrong. See this one: http://prntscr.com/db5eqs
Inspecting traffic I have discovered some hidden hosts/networks being used, and I have added those to the list, for example:

icloud-content.com


akamaitechnologies.com

Where am I wrong?


#8

This is a difficult task… FYI, the hidden domains could change from time to time. Martin provided a good suggestion here, which is using URL Logging to trace the domains.