Hi, I want to use a MikroTik for our employees.
I'd like to put a UMTS modem in the USB port.
They use it outdoors and use UMTS connections.
The data is limited. So can we block Microsoft updates and so on?
Blocking on the PC side is faster.
But not safe.
The device (MikroTik) is used by a lot of employees.
So the device must block it.
Is this a strange question?
You could give it a try with a layer7 filter with content update.microsoft.com, dst-port udp 53 and drop those.
And/or add a static DNS entry on the RB for update.microsoft.com and point it to 127.0.0.1
And make sure all clients are using the RB DNS only by redirecting any traffic destined to udp 53 to your router’s udp 53…
This should cover about 90% of all access attempts…
-Chris
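The steps Chris outlines, written out as one RouterOS configuration. This is an added example, not Chris's own config or anything posted in the thread; the LAN interface name `ether2-lan` is an assumption, and only the single hostname named above is sinkholed (real Windows Update traffic uses further hostnames, which can be added the same way). One caveat worth knowing before copying the layer7 pattern: DNS queries on the wire carry each label prefixed by a length byte instead of a dot, so a pattern like `update\.microsoft\.com` with escaped dots would never match; the unescaped dots below are what make the regex match the length bytes.

```routeros
# Added example (not from the thread): RouterOS v6 CLI for the three steps.
# Assumptions: LAN clients sit behind interface "ether2-lan"; the RB is their
# gateway. Adjust names to your router.

# 1. Layer7 matcher for DNS queries naming update.microsoft.com.
#    Dots are deliberately NOT escaped: in DNS wire format each dot is a
#    length byte, and an unescaped "." matches any byte.
/ip firewall layer7-protocol
add name=ms-update-dns regexp="update.microsoft.com"

# 2. Drop forwarded DNS queries (UDP 53) that match the pattern.
/ip firewall filter
add chain=forward protocol=udp dst-port=53 layer7-protocol=ms-update-dns \
    action=drop comment="drop DNS lookups for update.microsoft.com"

# 3. Static DNS entry on the RB: its resolver answers with loopback, so the
#    client connects to itself and the update check fails immediately.
/ip dns static
add name=update.microsoft.com address=127.0.0.1 comment="sinkhole"

# 4. Force every client onto the RB resolver: redirect outbound DNS from the
#    LAN (UDP and TCP 53, in case a client falls back to TCP) to the router.
/ip firewall nat
add chain=dstnat in-interface=ether2-lan protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force RB DNS"
add chain=dstnat in-interface=ether2-lan protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force RB DNS"

# 5. The RB must actually answer DNS for the LAN.
/ip dns set allow-remote-requests=yes
```

Once step 4 is active, LAN DNS no longer traverses the forward chain at all (it is redirected into the router's input chain), so the static entry in step 3 does the real work and the layer7 drop in step 2 only catches DNS that bypasses the redirect, e.g. from another interface. Everything here blocks by name resolution only: a client that already has the address cached, or talks to the update servers by IP, is not stopped by any of it.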
Hi,
The firewall rule L7 works.
But is it also possible to redirect it to another page?
So I can display to the users why they are blocked.
Use a real proxy, like squid. Caching on a large disk would be an advantage, anyway.
Which means not using MT, but an embedded Linux box, like ALIX or APU.
I understand what you are telling but we use the mikrotik for our employees in combination with a 3G/4G USB modem so they have internet in the field.
I can’t ask them to also carry a server with them.
That’s the reason why I want to do it in the mikrotik.
Well, I absolutely understand what you want to achieve under the given circumstances.
But that’ll be tough.
We all agree that this is not possible with a MT device.
You’re absolutely right in not asking your crew to carry another server with them, just to get informed that Windoze updates are blocked.
With that said, I’d like to ask you:
Are you sure they manually check for updates with Internet Exploder so they are able to see this message?
I guess about 95% of all Windoze installations check for updates automatically. So the user would never see this message.
I personally would say that putting the above-mentioned blocking mechanisms in place and dropping a memo to the field crew that updates are blocked on this device is the easier way.
If you reallyreallyreally want a “blocked” message, the last resort I can think of is a DD-WRT image in a metaRouter instance.
Give it a virtual ethernet port, an IP address within your subnet and add this address to your RB’s DNS for update.microsoft.com
in DD-WRT set up the web server and add the message you want.
I frankly doubt if this is worth the effort…
-Chris
An APU with an internal SSD is only marginally larger than an MT box. And it has the advantage that you can install the latest modem drivers.
And you can install an internal mSATA SSD card for caching, if you want.
http://en.wikipedia.org/wiki/Windows_Server_Update_Services
Have the Windows PCs connect to a Windows Server. Only the server will download the updates then pass onto the clients.
I believe the client PCs with WSUS configured then will only try to get updates from the central server.