Definitive server list for patching?

After two attempts at getting the firewall rules right to allow a server to patch itself (after Akamai changed their IP address!), I've deployed Sun Update Connection Proxy only to discover yet *another* server requires access.

Is there a definitive list? So far I have:

- 198.232.168.136 (getupdates1.sun.com)

- 198.232.168.133 (cns-services.sun.com)

- 198.232.168.137 (cns-transport.sun.com)

- 72.5.124.61 (www.sun.com)

- 198.232.168.134 (getupdates.sun.com) - discovered with SUPC

- 193.38.108.198, 193.38.108.214 (a248.e.akamai.net) - although this changes from day-to-day

Perhaps 193.38.108.0/24 for Akamai is better? And 198.232.168.0/24 for Sun's servers?

Any more additions that I should be aware of? This will save me bugging the firewall admin every 5 minutes to change the rule!

Iain

By [iainfirkinsa] at [2007-11-26 20:37:16]
# 1

The list of hosts you have is complete, and I am not expecting the sun.com domain systems to change IP address regularly (that said, I don't believe these IPs are set in stone).

The Akamai IPs are, however, volatile (as you have noticed) so setting rules by subnets would probably be more advisable.

I take it it's not possible to configure the firewall using the hostnames themselves?

ForumModeratora at 2007-7-10 1:53:04
# 2

Unfortunately not. Whilst the firewall does an IP lookup when the rule is created, it isn't dynamic so it very quickly becomes out of date. Looking at traffic from the server, I think the patch software keeps trying Akamai, then falls back to Sun if/when that connection times out.

Having discussed it with colleagues, we think the best solution for now is to probably create a rule that allows the patch server to connect to any server on 443/tcp. That covers any change made by Akamai, although it's not an ideal solution.

Thanks for your comments.

Iain

iainfirkinsa at 2007-7-10 1:53:05
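
An added example, not part of the thread above: because the firewall resolves hostnames only once when a rule is created, a scheduled check can report when an update host starts resolving outside the permitted ranges, so the rule can stay narrow instead of opening 443/tcp to any destination. The hostnames and subnets come from the thread; `find_drift`, `resolve_live`, `sample_resolver` and the sample resolution data (including the 192.0.2.10 address) are constructed for illustration.

```python
import ipaddress
import socket

# Allow-list from the thread: the two proposed /24s plus the www.sun.com address.
ALLOWED = [ipaddress.ip_network(n) for n in
           ("198.232.168.0/24", "193.38.108.0/24", "72.5.124.61/32")]

# Hostnames the patch server was seen contacting, as listed in the thread.
HOSTS = ["getupdates1.sun.com", "cns-services.sun.com", "cns-transport.sun.com",
         "www.sun.com", "getupdates.sun.com", "a248.e.akamai.net"]

def resolve_live(host):
    """Return the host's current IPv4 addresses from the system resolver."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # unresolvable names produce no addresses to check
    return sorted({info[4][0] for info in infos})

def find_drift(hosts, allowed, resolver=resolve_live):
    """Return {host: [ips]} for every resolved address no allow-list entry covers."""
    drift = {}
    for host in hosts:
        missing = [ip for ip in resolver(host)
                   if not any(ipaddress.ip_address(ip) in net for net in allowed)]
        if missing:
            drift[host] = missing
    return drift

# Constructed sample answers so the check runs offline. The second Akamai
# address is a documentation-range value standing in for a moved edge node.
SAMPLE = {
    "getupdates1.sun.com": ["198.232.168.136"],
    "cns-services.sun.com": ["198.232.168.133"],
    "cns-transport.sun.com": ["198.232.168.137"],
    "www.sun.com": ["72.5.124.61"],
    "getupdates.sun.com": ["198.232.168.134"],
    "a248.e.akamai.net": ["193.38.108.198", "192.0.2.10"],
}

def sample_resolver(host):
    """Hypothetical stand-in for resolve_live that reads the constructed data."""
    return SAMPLE.get(host, [])

if __name__ == "__main__":
    for host, ips in find_drift(HOSTS, ALLOWED, sample_resolver).items():
        print(f"{host}: not covered by firewall rule: {', '.join(ips)}")
```

Run from cron on the patch server with the default resolver, any output is the exact address to hand to the firewall admin.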