hauer94
Copper Contributor
Sep 25, 2025

List with FQDNs and IPs for updates via proxy

Good day,

I am sorry if it's the wrong subspace. I have a couple of Windows servers, Server 2016 or later, that download updates directly from the internet via a proxy. I cannot find a website by MS that lists all the IPs and ports that need to be opened on the proxy to do that successfully. Since a month ago, it failed and we think the reason is that some more requirements we were not aware of were added.

Best Regards

1 Reply

  • Hi there,

    You're in the right place — and this is a common question when Windows Update clients connect through a proxy.

    Starting from Windows Server 2016 and later, Windows Update (WU) and Windows Update for Business (WUfB) communicate with multiple Microsoft endpoints, not just one set of IPs.
    Microsoft does not publish a fixed IP list for Windows Update because the backend infrastructure is hosted on multiple CDN networks (Akamai, Azure Front Door, and others) that change dynamically.

    Instead, Microsoft officially recommends using domain-based allow rules on your proxy/firewall.
    Here are the required endpoints and ports:

    TCP 80 (HTTP) and TCP 443 (HTTPS)

    Required FQDNs to Allow (without SSL interception)

    *.windowsupdate.microsoft.com
    *.update.microsoft.com
    *.windowsupdate.com
    *.delivery.mp.microsoft.com
    *.do.dsp.mp.microsoft.com
    *.dl.delivery.mp.microsoft.com
    *.emdl.ws.microsoft.com
    fe2.update.microsoft.com
    sls.update.microsoft.com
    tsfe.trafficshaping.dsp.mp.microsoft.com

    *.wdcp.microsoft.com
    *.windowsupdate.com
    *.delivery.mp.microsoft.com
    *.microsoft.com

    If your proxy performs SSL inspection, you must exclude these Microsoft update domains — otherwise, TLS validation will fail. Hope this helps.
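An added example, not part of either post: a Python check that takes the FQDN rules listed in the reply, reports which entries are already covered by a broader wildcard in the same list, and maps hosts from a proxy deny log to the rule that should have allowed them (or to none). The log format, the sample lines and all function names are constructed, and the wildcard semantics (any subdomain depth, never the bare domain) are an assumption to confirm against your proxy.

```python
# Added example, not from the thread. Rules are copied from the reply above;
# the log format, sample lines and function names are constructed.
ALLOWLIST = """
*.windowsupdate.microsoft.com *.update.microsoft.com *.windowsupdate.com
*.delivery.mp.microsoft.com *.do.dsp.mp.microsoft.com *.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com fe2.update.microsoft.com sls.update.microsoft.com
tsfe.trafficshaping.dsp.mp.microsoft.com *.wdcp.microsoft.com *.microsoft.com
""".split()
SAMPLE_LOG = """\
2025-09-25T08:01:02 DENIED fe2.update.microsoft.com:443
2025-09-25T08:01:05 DENIED cdn1.dl.delivery.mp.microsoft.com:80
2025-09-25T08:01:09 DENIED updates.example.net:443
2025-09-25T08:01:11 DENIED windowsupdate.com.example.net:443
"""

def normalize(host):
    return host.strip().rstrip(".").lower()

def matches(rule, host):
    """'*.a.b' covers subdomains of a.b at any depth (assumed proxy semantics),
    but not a.b itself and not lookalikes that merely contain the suffix."""
    rule, host = normalize(rule), normalize(host)
    if rule.startswith("*."):
        suffix = rule[1:]  # ".a.b": the leading dot enforces a label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == rule

def redundant_rules(rules=ALLOWLIST):
    """Map each rule to the first broader rule in the list that already covers it."""
    covered = {}
    for rule in rules:
        probe = "x" + rule[1:] if rule.startswith("*.") else rule
        broader = next((o for o in rules if o != rule and matches(o, probe)), None)
        if broader:
            covered[rule] = broader
    return covered

def triage(log_text, rules=ALLOWLIST):
    """Map each denied host to the first rule that covers it, or None."""
    verdicts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "DENIED":
            host = normalize(parts[2].rsplit(":", 1)[0])
            verdicts[host] = next((r for r in rules if matches(r, host)), None)
    return verdicts

if __name__ == "__main__":
    print(redundant_rules())
    print(triage(SAMPLE_LOG))
```

A denied host that maps to a rule points at the proxy not applying that rule; a host that maps to `None` is one to review before adding anything to the allow list.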
