I deployed Windows 2019 on AWS; how should I write my network firewall rules?

轩昂 气宇 21 Reputation points
2022-07-13T03:20:09.657+00:00

I deployed Windows 2019 on AWS.

Since my internet access is restricted by the network firewall, I need to add the domain names to the whitelist.

Can you help with Windows Update, Remote Desktop licensing, and other domain names that must be used?

At the same time, should I allow HTTP or TLS for these domain names?


Accepted answer
  1. Limitless Technology 39,916 Reputation points
    2022-07-15T14:15:17.317+00:00

    Hello,

    For Windows Update you will need to open the URLs mentioned in the answer to a similar question in our community:

    https://learn.microsoft.com/en-us/answers/questions/457840/what-are-the-ip-ranges-for-microsofty-windows-upda.html

    Additionally, you will need to open ports: Windows Update requires TCP ports 80, 443, and 49152-65535.

    In regards to the Remote Desktop Clearinghouse, the IPs for the endpoints are not disclosed by Microsoft as they are multiple, vary depending on geographical location, and may change without prior notice.

    As additional help, have you tried reading Amazon Web Services' documentation? I would think that they could have some sort of firewall template for this sort of purpose, as you may not be the first customer to need it, and it would be easier to implement.

    Hope this helps with your query,
    --If the reply is helpful, please Upvote and Accept as answer--
    Luis D


2 additional answers

  1. David Broggy 6,291 Reputation points MVP Volunteer Moderator
    2022-07-13T05:07:39.223+00:00

    Hi there,
    I would suggest you use a WAF in front of your web servers, along with AWS network security groups, to restrict access to your Windows servers.
    Allowing all outbound and monitoring the firewall logs will give you an idea of the domains you'll want to allow; however, you may need to spend some time figuring out all of the domain names you need to allow before tightening the outbound rules.
    The list of domain names will likely require the use of wildcards, which your firewall may or may not support.
    More info here:
    windows-update-troubleshooting

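The following is an added example, not code from either answer or from Microsoft or AWS. It ties together the two approaches above: the accepted answer's point that Windows Update traffic is HTTP on TCP 80 and TLS on TCP 443 (so the outbound rule has to match on both the HTTP Host header and the TLS SNI), and the suggestion in this answer to allow all outbound first, mine the firewall logs, and then tighten. It parses AWS Network Firewall alert-log records, collapses the observed names into wildcards where several hosts share a parent, and renders Suricata rules for a stateful rule group that pass the listed names and drop every other TLS or HTTP flow. Assumptions: during the discovery phase a rule alerted on every TLS and HTTP flow, so each record carries `event.tls.sni` or `event.http.hostname` as in the EVE JSON that AWS Network Firewall writes; the sample records and the `example-vendor.net` name are constructed; the "last two labels" wildcard heuristic is a deliberate simplification that must be reviewed before use.

```python
"""Derive an outbound domain allowlist from AWS Network Firewall alert logs
and render it as Suricata rules for a stateful rule group.

Added example, not code from the thread.  Assumes a discovery phase in
which outbound traffic was allowed and a rule alerted on every TLS/HTTP
flow, and log lines in the JSON EVE format AWS Network Firewall emits.
"""
import json
from collections import Counter

# Constructed sample records (not real traffic); trimmed to the fields used.
SAMPLE_LOGS = [
    '{"event":{"event_type":"alert","dest_port":443,"app_proto":"tls","tls":{"sni":"download.windowsupdate.com"}}}',
    '{"event":{"event_type":"alert","dest_port":443,"app_proto":"tls","tls":{"sni":"au.download.windowsupdate.com"}}}',
    '{"event":{"event_type":"alert","dest_port":443,"app_proto":"tls","tls":{"sni":"download.windowsupdate.com"}}}',
    '{"event":{"event_type":"alert","dest_port":80,"app_proto":"http","http":{"hostname":"ctldl.windowsupdate.com"}}}',
    '{"event":{"event_type":"alert","dest_port":443,"app_proto":"tls","tls":{"sni":"Licensing.example-vendor.net"}}}',
    '{"event":{"event_type":"alert","dest_port":53,"app_proto":"dns"}}',
]


def extract_host(record):
    """Return (hostname, 'tls'|'http') for one record, or (None, None)."""
    ev = record.get("event", {})
    proto = ev.get("app_proto")
    if proto == "tls":
        host = ev.get("tls", {}).get("sni")
    elif proto == "http":
        host = ev.get("http", {}).get("hostname")
    else:
        host = None
    if not host:
        return None, None
    # DNS names are case-insensitive; a trailing dot or an explicit port in
    # the Host header would otherwise defeat exact matching later.
    return host.lower().rstrip(".").split(":")[0], proto


def observed_hosts(lines):
    """Count (host, protocol) pairs seen in the alert log lines."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, proto = extract_host(json.loads(line))
        if host:
            counts[(host, proto)] += 1
    return counts


def collapse_to_wildcards(hosts):
    """Fold hosts sharing a parent domain into one '.parent' wildcard.

    The parent is the last two labels, a simplification that is wrong for
    public suffixes such as co.uk; review the output before deploying.
    A parent seen for only one host stays an exact name, so the list is
    never wider than what was actually observed.
    """
    by_parent = {}
    for host in hosts:
        labels = host.split(".")
        parent = ".".join(labels[-2:]) if len(labels) >= 2 else host
        by_parent.setdefault(parent, set()).add(host)
    allow = set()
    for parent, members in by_parent.items():
        if len(members) > 1:
            allow.add("." + parent)  # leading dot marks a wildcard entry
        else:
            allow.update(members)
    return sorted(allow)


def render_rules(allow, sid_start=1000001):
    """Emit Suricata rules: pass listed names over TLS (SNI, 443) and HTTP
    (Host, 80), then drop all other TLS/HTTP.  Pass rules come first, so
    the result works in either AWS rule-evaluation order; HOME_NET is
    expected to be set to the VPC CIDR on the firewall policy."""
    rules = []
    sid = sid_start
    for host in allow:
        for proto, port, buf in (("tls", 443, "tls.sni"), ("http", 80, "http.host")):
            if host.startswith("."):
                match = ["dotprefix", f'content:"{host}"', "endswith"]
            else:
                match = [f'content:"{host}"', "startswith", "endswith"]
            opts = [buf] + match + ["flow:to_server", f"sid:{sid}", "rev:1"]
            rules.append(f"pass {proto} $HOME_NET any -> $EXTERNAL_NET {port} ({'; '.join(opts)};)")
            sid += 1
    for proto in ("tls", "http"):
        rules.append(f'drop {proto} $HOME_NET any -> $EXTERNAL_NET any (msg:"deny unlisted {proto}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


def build_allowlist(lines):
    """Full pipeline: log lines -> observed hosts -> allowlist -> rules."""
    counts = observed_hosts(lines)
    allow = collapse_to_wildcards({host for host, _ in counts})
    return allow, render_rules(allow)


if __name__ == "__main__":
    allow, rules = build_allowlist(SAMPLE_LOGS)
    print("allowlist:", allow)
    print("\n".join(rules))
```

Feed the real alert log (one JSON record per line) to `build_allowlist` and paste the resulting rule text into the rule group; each `sid` must be unique within the group, hence the running counter. Because the wildcard entries use `dotprefix` and `endswith`, `.windowsupdate.com` matches both the bare domain and any subdomain, which is the wildcard behaviour the answer above says your firewall may or may not support natively.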

  2. 轩昂 气宇 21 Reputation points
    2022-07-13T07:46:59.65+00:00

    Does Remote Desktop licensing not use an internet connection?
