Archived from groups: microsoft.public.windowsxp.security_admin (
More info?)
"cola8d8" <cola8d8@discussions.microsoft.com> wrote in message
news:EEC6BD66-0B92-4549-A9F2-3FEC6020E27B@microsoft.com...
> Thanks for the info but I was needing IP addresses (or range(s)) for my
> firewall. Those DNS names translate to multiple IP addresses.
>
>
That's because Microsoft uses some 3rd party 'load balancing' companies that
have servers all over the place, on multiple subnets. It's to minimize
spikes due to popular downloads or DDoS attacks. I guess you could put in
every IP that currently resolves to those DNS names, but of course this
could change on a regular basis and it's possible that these hosting
companies don't even notify Microsoft (since Microsoft has contracted it
out.)
One idea for you is to deploy SUS... which basically lets you have your own
Windows Update Server (while also giving you some control over which patches
get deployed.) Of course, your SUS server would need to be able to talk to
the Microsoft servers but you could just stick that box in a DMZ.
--
Colin Nash
Microsoft MVP
Windows Shell/User