TechTip: Windows activation firewall rules

If you have a Windows system behind a restrictive firewall and you want to use the online activation option, you will need to configure the following firewall rules to allow it.

First, you need to make sure that your system can access DNS, so allow outbound UDP 53 (you can allow outbound TCP 53 as well, but it is only used by certain applications and activation should work without it).

If your firewall supports DNS name resolution (most hardware firewalls, such as Juniper SSG, Juniper SRX or, with some limitations, Cisco ASA series do nowadays), create rules to allow HTTP and HTTPS traffic to the following domains: go.microsoft.com, wpa.one.microsoft.com, crl.microsoft.com, wwwtk2test1.microsoft.com, wwwtk2test2.microsoft.com, sls.microsoft.com (the last one seems to be deprecated, so it is optional unless Microsoft decides to bring it back online). If your firewall does not support DNS resolution, you may want to resolve the above hostnames to IP addresses and create rules for those. This, however, is not an optimal solution, as DNS records may change in the future and you will have to refresh the rules to reflect that change.

If all else fails, you can allow outbound HTTP and HTTPS access to the following Microsoft-owned IP block: 65.52.0.0/14. Such wildcard rules are not really the optimal way to configure your firewalls, and if you don't trust Microsoft and want to tighten these down, run the activation on the system in question, then check the firewall logs for blocked/denied connection attempts from that host and create rules for them. If you really have a lot of free time on your hands, search the Internet for reverse DNS records for the IP addresses that you discover that way and create rules for those (this will increase your chances of the rules not failing if Microsoft decides to move the activation server to a different IP).
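The two workflows above (resolving the listed hostnames to /32 rules for a firewall without DNS-based rules, and mining the deny log for the activation host to build tighter rules than the /14 wildcard) are small enough to script. The following is an added example, not code from the original post; the log line format it parses ("DENY TCP src=ip:port dst=ip:port") is a constructed, vendor-neutral format, and the sample log lines and resolver results are constructed too. The resolver is injected so the rule generator can be exercised offline; `live_resolver` wraps the standard `socket` module for real use.

```python
"""Build outbound allow rules for Windows activation from hostnames or firewall deny logs (added example)."""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Set

# Hostnames and ports taken from the post's summary list.
ACTIVATION_HOSTS = [
    "go.microsoft.com",
    "wpa.one.microsoft.com",
    "crl.microsoft.com",
    "wwwtk2test1.microsoft.com",
    "wwwtk2test2.microsoft.com",
]
ACTIVATION_PORTS = (80, 443)
# The Microsoft-owned block the post names as the catch-all fallback.
MICROSOFT_BLOCK = ipaddress.ip_network("65.52.0.0/14")

# Constructed log format (assumption, not any vendor's real syntax):
#   "<timestamp> DENY <proto> src=<ip>:<port> dst=<ip>:<port>"
DENY_RE = re.compile(
    r"DENY\s+(?P<proto>TCP|UDP)\s+src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log: one activation host (192.0.2.10) and an unrelated host (192.0.2.99).
SAMPLE_LOG = [
    "2010-07-01T10:00:01 DENY TCP src=192.0.2.10:49152 dst=65.55.12.5:80",
    "2010-07-01T10:00:01 DENY TCP src=192.0.2.10:49153 dst=65.55.12.5:443",
    "2010-07-01T10:00:02 DENY TCP src=192.0.2.10:49154 dst=198.51.100.7:443",
    "2010-07-01T10:00:03 DENY UDP src=192.0.2.10:50000 dst=192.0.2.1:53",
    "2010-07-01T10:00:04 DENY TCP src=192.0.2.99:49155 dst=65.55.12.5:443",
]


def live_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its A records using the standard library."""
    return socket.gethostbyname_ex(host)[2]


def expand_hostnames(hosts: Iterable[str], resolve: Callable[[str], Iterable[str]]) -> List[str]:
    """For firewalls without DNS-based rules: resolve each host and emit one /32 rule per address.

    The post warns these rules go stale when DNS records change, so the originating
    hostname is kept as a trailing comment to make refreshing them easier.
    """
    rules = []
    for host in hosts:
        for addr in sorted(set(resolve(host)), key=ipaddress.ip_address):
            rules.append(f"Allow TCP 80, TCP 443 to {addr}/32  # {host}")
    return rules


def denied_destinations(log_lines: Iterable[str], src_host: str) -> Dict[str, Set[int]]:
    """Collect destination IP -> set of TCP ports the firewall denied for src_host.

    Only TCP entries are kept; the DNS (UDP 53) rule is handled separately in the post.
    """
    dests: Dict[str, Set[int]] = {}
    for line in log_lines:
        m = DENY_RE.search(line)
        if not m or m.group("src") != src_host or m.group("proto") != "TCP":
            continue
        dests.setdefault(m.group("dst"), set()).add(int(m.group("dport")))
    return dests


def rules_from_denies(dests: Dict[str, Set[int]]) -> List[str]:
    """Emit one allow rule per denied destination in the post's summary format.

    Each rule is annotated with whether the address sits inside 65.52.0.0/14, so a
    destination outside the documented Microsoft block stands out for review
    instead of being allowed blindly.
    """
    rules = []
    for dst in sorted(dests, key=ipaddress.ip_address):
        ports = ", ".join(f"TCP {p}" for p in sorted(dests[dst]))
        inside = ipaddress.ip_address(dst) in MICROSOFT_BLOCK
        note = "in 65.52.0.0/14" if inside else "OUTSIDE 65.52.0.0/14, verify before allowing"
        rules.append(f"Allow {ports} to {dst}/32  # {note}")
    return rules


def reverse_name(ip: str) -> str:
    """Best-effort reverse DNS for a discovered address (the post's 'free time' step)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""


if __name__ == "__main__":
    # Offline demonstration on the constructed log; swap in live_resolver for real lookups.
    for rule in rules_from_denies(denied_destinations(SAMPLE_LOG, "192.0.2.10")):
        print(rule)
```

Run the activation once with logging enabled on the deny rule, feed the resulting lines and the activation host's address to `denied_destinations`, and review any line flagged OUTSIDE the /14 before adding it; that keeps the final rule set to the handful of destinations the host actually contacted rather than the whole block.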

Summary of outbound rules:

Allow UDP 53, TCP 53 to [DNS server of your choice]
Allow TCP 80, TCP 443 to go.microsoft.com
Allow TCP 80, TCP 443 to wpa.one.microsoft.com
Allow TCP 80, TCP 443 to crl.microsoft.com
Allow TCP 80, TCP 443 to wwwtk2test1.microsoft.com
Allow TCP 80, TCP 443 to wwwtk2test2.microsoft.com
Allow TCP 80, TCP 443 to db3.sls.microsoft.com
Allow TCP 80, TCP 443 to 64.4.11.160/32
Allow TCP 80, TCP 443 to 64.4.0.0/18
Allow TCP 80, TCP 443 to 65.52.0.0/14

*Please note that this list is based on connectivity identified as of July 2010 and may be outdated.

5 comments:

Anonymous said...

This is an interesting article; however, I would like to make a comment: you claim it is possible to configure DNS-based ACL rules on Cisco ASA. I do not think that this is possible. Can you share your experience and provide a cfg example? Thank you. Mirek

Oleksiy Gayda said...

While you are technically correct, and it is not possible to create DNS-based rules in Cisco ASA (this is one of the advantages of using Juniper), it is possible to have it analyze HTTP headers for a certain value: http://www.ciscosystems.com/en/US/docs/security/asa/asa83/configuration/guide/inspect_basic.html#wp1514315

Juan said...

Useful info. Helped me a lot.

Update/add:
Allow TCP 80(http), TCP 443(https) to 64.4.11.160/32
Allow TCP 80(http), TCP 443(https) to 157.55.44.71/32

Anonymous said...

Cisco ASA now supports FQDN ACL resolution in version 8.4(2). Link to instructions:
https://supportforums.cisco.com/docs/DOC-17014

mgp

Anonymous said...

Thanks!
And can this list be used for Office 2013 too?