Allowing Executables for Software Updates

I'm wondering how everyone else is managing allowing programs to download executables so they can auto update (Java, Adobe, Citrix, Etc)?
It seems there are three main ways, 1 - Add HTTP/S Proxy Exceptions for each affected domain, 2 - setup a new proxy rule that allows executables or 3 - Setup a new packet rule for 80/443. In all cases, you would only add the Networks/FQDN's needed to download the executables.
Right now I have a "Software Downloads" packet rule setup which uses a Software Updates Alias. This seems to work well and allows for reporting however, I'm wondering how it compares to everyone else solution.

Comments

  • I like your idea to allow for better reporting, but I don't care to report on software update downloads, so I just add DPI exceptions as needed.

    Gregg Hill

  • I've thought about that but with 3x HTTPS Proxy Rules (Full Internet, Standard Internet, Servers Internet) per firewall and 3x firewalls, that's 9 changes instead of 3.

  • I also have an alias named FQDN-TrustedSites that is applied to an unrestricted packet filter policy, so I can do it either way.

    Gregg Hill

Sign In to comment.