How do I verify network endpoint connectivity?

Hi,

Is there an easy way to verify internet endpoint connectivity? I come across this regularly where a product documents that I need to verify internet endpoint connectivity to various URLs and ports.

For example, for Windows Update, this page

https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting

has this entry:

Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints:


Protocol    Endpoint URL
TLS 1.2     *.prod.do.dsp.mp.microsoft.com
HTTP        emdl.ws.microsoft.com
HTTP        *.dl.delivery.mp.microsoft.com
HTTP        *.windowsupdate.com
HTTPS       *.delivery.mp.microsoft.com
TLS 1.2     *.update.microsoft.com
TLS 1.2     tsfe.trafficshaping.dsp.mp.microsoft.com

 

 

How do I test that? Obviously, using ICMP is no test for verifying HTTP, HTTPS or TLS connectivity. What is the process?
I haven't found anything in PowerShell to do it, as everything seems to rely on ping.

I figure for the standard addresses, I could do something like this for HTTP:

Telnet address1.microsoft.com 80 

but I figure Telnet is old school; there should be something newer around these days, and also:

  • How do I test the entries with * on the front of the name?
  • How do I test TLS 1.2?

I'm sure there are hundreds of tech support people out there doing this currently, somebody should be able to point me in the right direction.  

7 Replies
Normally we recommend that you use WSUS or other Windows Update management tools; when you deploy an update, they will report back the status of the update, and if a client is not reachable or the update didn't install, they will show it in a diagram and report. This way, you don't need to perform a manual check; you just look into the report to see what caused the failure, and you may investigate only the affected clients.

@Reza_Ameri thanks for your response.
My question was more generic and Windows Update was just one example. We use MECM (with WSUS).
I guess it comes back to: something is wrong, how do I verify connectivity to the required sites as part of your comment "investigate only affected clients"?
I have had the requirement for Cloud Management Gateway and various M365/Azure products previously and would like to know how to verify the sites as part of my pre-deployment checks to be sure everything is going to work before I deploy something.

Background:
The reason I mentioned the Windows Update sites is because I was investigating the use of DISM repair options, which default to Windows Update as the source, and we have Group Policy in place to enforce that, but I regularly see "source not found" messages when running DISM repairs and I'd rather use Windows Update than constantly maintain offline source images.

@PaulKlerkx you may use the tracert command, which will show connectivity traces to the client; ping only shows if the connection is available, but tracert shows the route to the device. Take a look at tracert | Microsoft Docs.

In Configuration Manager, you may check Assets and Compliance to see the connectivity status of your device; take a look at Monitor clients - Configuration Manager | Microsoft Docs.

@Reza_Ameri , thanks for the ideas.

I don't need to know if my MECM endpoints are contactable; I am trying to check the generic sites and protocols that my clients need to connect to.
Tracert won't work as it is trying to tracert to a generic address that won't be resolvable, e.g. "*.prod.do.dsp.mp.microsoft.com".
Where the site isn't generic and has a full path, yes, it will give me half the picture by showing the site exists and is pingable; it won't tell me if the protocol is permitted.
E.g. how does doing a tracert on "tsfe.trafficshaping.dsp.mp.microsoft.com" tell me if TLS 1.2 will get through?

The MECM idea only tells me if the MECM client has connectivity to my MECM server. No good for verifying connectivity to internet sites via various protocols.

I believe this is not possible using current tools and you might use third-party tools.
You may look into network monitoring tools.

@PaulKlerkx Hi... I am looking at deploying AutoPatch and am running through the prerequisites and have the same question... Did you find a method to test connectivity to these endpoint URLs?

@ShepEd Hi, sorry, no, I wasn't able to find any way of testing this. When companies say "Ensure that devices can reach necessary endpoints through the firewall." and give you protocols or wildcard addresses, that does not seem to be possible as far as I can tell. The only thing I found useful is to send these details to the managers of each of our firewalls if there is a problem and hope they can find something. What I also found with our firewalls is that often traffic is blocked outside the rules inside the firewall and is within the configuration of the firewalls, so it isn't logged, which makes that process hit and miss too; one firewall manager could verify the traffic passed through their firewall, then the next firewall has no record of it ever arriving. If you discover anything, I'd love to know. Good luck.
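
The checks the original question asks about (a TCP connect in place of Telnet, and a TLS 1.2 handshake), as an added example that is not part of any post in this thread. `Test-Endpoint` is a hypothetical helper name, the mapping of HTTP to port 80 and HTTPS/TLS 1.2 to port 443 is an assumption, and wildcard rows are reported as needing a concrete host name because a `*` pattern cannot be resolved.

```powershell
# Added example: endpoint rows copied from the table in the question.
# Assumption: HTTP means TCP 80; HTTPS and "TLS 1.2" mean TCP 443.
$endpoints = @(
    @{ Protocol = 'TLS 1.2'; Name = '*.prod.do.dsp.mp.microsoft.com' }
    @{ Protocol = 'HTTP';    Name = 'emdl.ws.microsoft.com' }
    @{ Protocol = 'TLS 1.2'; Name = 'tsfe.trafficshaping.dsp.mp.microsoft.com' }
)

function Test-Endpoint {   # hypothetical helper name
    param([string]$Name, [string]$Protocol, [int]$TimeoutMs = 5000)

    $result = [ordered]@{ Name = $Name; Protocol = $Protocol; Port = $null
                          Tcp = $false; Tls12 = $null; Detail = '' }
    if ($Name.StartsWith('*')) {
        # A wildcard is a firewall allow-list pattern, not a DNS name.
        $result.Detail = 'wildcard: supply a concrete host name that matches'
        return [pscustomobject]$result
    }
    $result.Port = if ($Protocol -eq 'HTTP') { 80 } else { 443 }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Plain TCP connect with a timeout (what "telnet host port" checks).
        $connect = $client.ConnectAsync($Name, $result.Port)
        if (-not $connect.Wait($TimeoutMs)) { throw 'TCP connect timed out' }
        $result.Tcp = $true
        if ($result.Port -eq 443) {
            # Offer only TLS 1.2, so success means a TLS 1.2 handshake
            # completed, including default certificate validation.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($Name, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $result.Tls12 = ($ssl.SslProtocol -eq 'Tls12')
            $result.Detail = "cert issuer: $($ssl.RemoteCertificate.Issuer)"
            $ssl.Dispose()
        }
    } catch {
        # TCP succeeded but the handshake did not: report TLS 1.2 as failed.
        if ($result.Port -eq 443 -and $result.Tcp) { $result.Tls12 = $false }
        $result.Detail = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

$endpoints | ForEach-Object { Test-Endpoint -Name $_.Name -Protocol $_.Protocol } |
    Format-Table -AutoSize
```

The connection is made directly with `TcpClient`, so it does not go through a configured web proxy; a certificate issuer in the output that is not the one expected for the service indicates a device intercepting TLS on the path.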