Cisco ASA – Allowing Microsoft Activation

KB ID 0001237 

Problem


Activation occurs over TCP 80 and 443, so usually this will not trip you up. However, if you are on a site with a very restrictive outbound firewall config, you may need to add the following.

Solution

I’ll break with the norm and just post the config in its entirety (just remove the comment lines, the ones beginning with !).

[box]

!The Firewall needs a domain name of its own.
!
domain-name petenetlive.com
!
!Setup DNS Lookups so the firewall can resolve the FQDNs we are going to use.
!
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
!
!Create objects for each of the activation FQDNs (the ASA resolves these itself, which is why DNS was configured above).
!
object network Obj-go.microsoft.com
  fqdn go.microsoft.com
object network Obj-wpa.one.microsoft.com
  fqdn wpa.one.microsoft.com
object network Obj-crl.microsoft.com
  fqdn crl.microsoft.com
object network Obj-wwwtk2test1.microsoft.com
  fqdn wwwtk2test1.microsoft.com
object network Obj-wwwtk2test2.microsoft.com
  fqdn wwwtk2test2.microsoft.com
object network Obj-db3.sls.microsoft.com
  fqdn db3.sls.microsoft.com
!
!Create objects for each of the activation subnets.
!
object network Obj-MS-Activation-Subnet-1
 subnet 64.4.0.0 255.255.192.0
object network Obj-MS-Activation-Subnet-2
 subnet 65.52.0.0 255.252.0.0
!
!Create an object group that holds all the objects.
!
object-group network Obj-GP-MS-Activation
 network-object object Obj-go.microsoft.com
 network-object object Obj-wpa.one.microsoft.com
 network-object object Obj-crl.microsoft.com
 network-object object Obj-wwwtk2test1.microsoft.com
 network-object object Obj-wwwtk2test2.microsoft.com
 network-object object Obj-db3.sls.microsoft.com
 network-object object Obj-MS-Activation-Subnet-1
 network-object object Obj-MS-Activation-Subnet-2
!
!Create a service object for the activation ports.
!
object-group service Obj-SVC-MS-Activation tcp
 port-object eq www
 port-object eq https
!
!Allow the traffic Out (SEE THE WARNING BELOW!)
!
access-list outbound extended permit tcp any object-group Obj-GP-MS-Activation object-group Obj-SVC-MS-Activation

[/box]


Warning: Before executing the access-list command, make sure the ACL name matches your existing outbound ACL (the one applied with access-group). In the example above I’ve used outbound; see the following article for clarification:

Cisco ASA – ‘access-group’ Warning
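A second thing that bites when pasting a config like the one above is a name mismatch between an object-group definition and the line that references it (for example Obj-GP-MS-Activation in the group definition versus Obj-GP-Microsoft-Activation in the access-list); the ASA rejects the referencing line and the activation traffic stays blocked. The following Python script is an added example, not part of this article, that lints a pasted ASA config fragment for object and object-group references with no matching definition; the SAMPLE_CONFIG inside it is a constructed fragment with two such mismatches deliberately left in.

```python
import re

# Constructed sample config. Two references are deliberately dangling:
# Obj-db3.sls.microsoft.com (never defined as an object) and
# Obj-GP-Microsoft-Activation (the group is defined as Obj-GP-MS-Activation).
SAMPLE_CONFIG = """\
object network Obj-go.microsoft.com
  fqdn go.microsoft.com
object network Obj-MS-Activation-Subnet-1
 subnet 64.4.0.0 255.255.192.0
object-group network Obj-GP-MS-Activation
 network-object object Obj-go.microsoft.com
 network-object object Obj-MS-Activation-Subnet-1
 network-object object Obj-db3.sls.microsoft.com
object-group service Obj-SVC-MS-Activation tcp
 port-object eq www
 port-object eq https
access-list outbound extended permit tcp any object-group Obj-GP-Microsoft-Activation object-group Obj-SVC-MS-Activation
"""


def find_dangling_references(config: str) -> list[tuple[int, str]]:
    """Return (line number, name) for every object / object-group reference
    in `config` that has no matching definition anywhere in the same text."""
    defined, referenced = set(), []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or ASA comment
        # Definitions: "object network X", "object-group network X",
        # "object-group service X tcp" ...
        m = re.match(r"object(?:-group)? (?:network|service) (\S+)", line)
        if m:
            defined.add(m.group(1))
            continue
        # Membership lines inside a group: "network-object object X"
        m = re.match(r"network-object object (\S+)", line)
        if m:
            referenced.append((lineno, m.group(1)))
            continue
        # ACL lines: every "object X" or "object-group X" token is a reference
        if line.startswith("access-list "):
            for name in re.findall(r"object(?:-group)? (\S+)", line):
                referenced.append((lineno, name))
    return [(n, name) for n, name in referenced if name not in defined]


if __name__ == "__main__":
    for lineno, name in find_dangling_references(SAMPLE_CONFIG):
        print(f"line {lineno}: '{name}' is referenced but never defined")
```

Paste your own config into SAMPLE_CONFIG (or read it from a file) and an empty result means every reference resolves; the script does not check that the ACL name itself matches the one bound with access-group, so that warning above still applies.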

Related Articles, References, Credits, or External Links

NA
