Cisco ASA – Allowing Microsoft Activation

KB ID 0001237 

Problem
Activation occurs over TCP 80 and 443, so usually this will not trip you up. However, if you are on a site with a very restrictive firewall config, you might want to add the following.

Windows Update - Firewall

Solution

I’ll break with the norm and just post the config in its entirety (just remove the comment lines, the ones beginning with !).

!The Firewall needs a domain name of its own.
!
domain-name petenetlive.com
!
!Setup DNS Lookups so the firewall can resolve the FQDNs we are going to use.
!
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
!
!Create objects for each of the activation FQDNs.
!
object network Obj-go.microsoft.com
 fqdn go.microsoft.com
object network Obj-wpa.one.microsoft.com
 fqdn wpa.one.microsoft.com
object network Obj-crl.microsoft.com
 fqdn crl.microsoft.com
object network Obj-wwwtk2test1.microsoft.com
 fqdn wwwtk2test1.microsoft.com
object network Obj-wwwtk2test2.microsoft.com
 fqdn wwwtk2test2.microsoft.com
object network Obj-db3.sls.microsoft.com
 fqdn db3.sls.microsoft.com
!
!Create objects for each of the activation subnets.
!
object network Obj-MS-Activation-Subnet-1
 subnet 64.4.0.0 255.255.192.0
object network Obj-MS-Activation-Subnet-2
 subnet 65.52.0.0 255.252.0.0
!
!Create an object group that holds all the objects.
!
object-group network Obj-GP-MS-Activation
 network-object object Obj-go.microsoft.com
 network-object object Obj-wpa.one.microsoft.com
 network-object object Obj-crl.microsoft.com
 network-object object Obj-wwwtk2test1.microsoft.com
 network-object object Obj-wwwtk2test2.microsoft.com
 network-object object Obj-db3.sls.microsoft.com
 network-object object Obj-MS-Activation-Subnet-1
 network-object object Obj-MS-Activation-Subnet-2
!
!Create a service object-group for the activation ports (TCP 80 and 443).
!
object-group service Obj-SVC-MS-Activation tcp
 port-object eq www
 port-object eq https
!
!Allow the traffic Out (SEE THE WARNING BELOW!)
!The object-group name here must match the network object-group defined above.
!
access-list outbound extended permit tcp any object-group Obj-GP-MS-Activation object-group Obj-SVC-MS-Activation
Warning: Before executing the access-list command, make sure the ACL name matches your existing ACL. In the example above I’ve used outbound. See the following article for clarification:

Cisco ASA – ‘access-group’ Warning
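The two things that most often break a pasted config like the one above are an object-group name that does not match between its definition and the access-list line, and FQDN objects on a firewall that has no dns domain-lookup interface (the ASA can then never resolve the names, and the ACL silently matches nothing). The following Python script is an added example, not part of the original article or of any Cisco tool: it parses a saved ASA config snippet and reports both problems before you paste. The SAMPLE_CONFIG is constructed for the demonstration, with the ACL deliberately referencing Obj-GP-Microsoft-Activation while the group is defined as Obj-GP-MS-Activation, an easy typo to make; the parsing is limited to the object, object-group and access-list syntax used on this page.

```python
import re
from typing import Dict, List, Set

# Constructed sample config (not from a real firewall). The access-list line
# deliberately names a group that is never defined, so the check has something
# to find.
SAMPLE_CONFIG = """
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
object network Obj-go.microsoft.com
 fqdn go.microsoft.com
object network Obj-MS-Activation-Subnet-1
 subnet 64.4.0.0 255.255.192.0
object-group network Obj-GP-MS-Activation
 network-object object Obj-go.microsoft.com
 network-object object Obj-MS-Activation-Subnet-1
object-group service Obj-SVC-MS-Activation tcp
 port-object eq www
 port-object eq https
access-list outbound extended permit tcp any object-group Obj-GP-Microsoft-Activation object-group Obj-SVC-MS-Activation
"""


def parse_asa(config: str) -> dict:
    """Collect defined object/object-group names, group membership,
    object-group references made by access-list lines, which objects are
    FQDN based, and whether any 'dns domain-lookup <if>' line is present."""
    defined: Set[str] = set()
    fqdn_objects: Set[str] = set()
    group_members: Dict[str, List[str]] = {}
    acl_refs: List[str] = []
    has_dns_lookup = False
    current = None  # name of the object / object-group whose sub-lines we are in

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment line
        if line.startswith("dns domain-lookup "):
            has_dns_lookup = True
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            defined.add(current)
            continue
        m = re.match(r"object-group (?:network|service) (\S+)", line)
        if m:
            current = m.group(1)
            defined.add(current)
            group_members[current] = []
            continue
        if line.startswith("fqdn ") and current:
            fqdn_objects.add(current)
            continue
        m = re.match(r"network-object object (\S+)", line)
        if m and current:
            group_members[current].append(m.group(1))
            continue
        if line.startswith("access-list "):
            acl_refs.extend(re.findall(r"object-group (\S+)", line))

    return {
        "defined": defined,
        "fqdn_objects": fqdn_objects,
        "group_members": group_members,
        "acl_refs": acl_refs,
        "has_dns_lookup": has_dns_lookup,
    }


def check_asa(config: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means clean."""
    p = parse_asa(config)
    problems: List[str] = []
    for group, members in p["group_members"].items():
        for member in members:
            if member not in p["defined"]:
                problems.append(f"group {group} references undefined object {member}")
    for ref in p["acl_refs"]:
        if ref not in p["defined"]:
            problems.append(f"access-list references undefined object-group {ref}")
    if p["fqdn_objects"] and not p["has_dns_lookup"]:
        problems.append("fqdn objects present but no 'dns domain-lookup' interface configured")
    return problems


if __name__ == "__main__":
    for problem in check_asa(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

Run it against a config you are about to paste; once the ACL line names the group exactly as it was defined, and a dns domain-lookup line is present, check_asa returns an empty list. The check is deliberately conservative: it only knows the object, object-group and access-list forms shown in this article, so an unfamiliar line is ignored rather than reported.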

Related Articles, References, Credits, or External Links

NA

Author: PeteLong
