We have a set of public web servers behind a firewall we would like to be able to perform Windows Updates on, without giving them more access than they need.
Besides www.update.microsoft.com:443, what other host names and ports would need to be unblocked for Windows Updates to work?
From http://technet.microsoft.com/en-us/library/cc708605(WS.10).aspx: this is what's needed to get WSUS working through your firewall (which IMHO you should definitely think about if you have more than 10 clients). This should be the same for a regular client box to access the MS servers.
To configure the firewall for software updates
Configure the firewall to allow communication over HTTP and HTTPS ports (80 and 443).
Make sure you're allowing all of the Windows Update URLs. Here is a list of URLs you'll also want to make sure are allowed:
URLs:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://test.stats.update.microsoft.com
http://ntservicepack.microsoft.com
As the URLs have changed a bit since the accepted answer, I'll post the latest info as of this time below.
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://go.microsoft.com
http://dl.delivery.mp.microsoft.com
https://dl.delivery.mp.microsoft.com
Source: https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#211-connection-from-the-wsus-server-to-the-internet
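As an added example that is not part of any answer on this page: the PowerShell script below takes the allow-list from the answer above (it also covers the shorter list in the accepted answer), splits it into concrete hosts and wildcard entries, checks that each concrete host resolves and completes a TCP handshake on the port its scheme implies, and shows how a proxy or FQDN-aware firewall would match observed hostnames against the wildcard entries. It assumes Windows 8 / Server 2012 or later (Test-NetConnection comes from the NetTCPIP module) and direct egress from the server; the sample hostnames in the last step are constructed for illustration, and the `*.example` names are stand-ins for lookalike domains.

```powershell
# Added example, not from any answer on this page. Verifies the Windows Update
# allow-list from a server behind the firewall. Assumes Windows 8 / Server 2012+
# (Test-NetConnection) and direct egress; behind a proxy, test the proxy instead.

$allowList = @(
    'http://windowsupdate.microsoft.com'
    'http://*.windowsupdate.microsoft.com'
    'https://*.windowsupdate.microsoft.com'
    'http://*.update.microsoft.com'
    'https://*.update.microsoft.com'
    'http://*.windowsupdate.com'
    'http://download.windowsupdate.com'
    'https://download.microsoft.com'
    'http://*.download.windowsupdate.com'
    'http://wustat.windows.com'
    'http://ntservicepack.microsoft.com'
    'http://go.microsoft.com'
    'http://dl.delivery.mp.microsoft.com'
    'https://dl.delivery.mp.microsoft.com'
)

# Turn one URL into a rule object. [Uri] rejects '*' in the host part, so the
# scheme and host are pulled out with a regex instead.
function ConvertTo-EndpointRule {
    param([Parameter(Mandatory)][string]$Url)
    if ($Url -notmatch '^(?<scheme>https?)://(?<hostName>[^/]+)') {
        throw "Not an http(s) URL: $Url"
    }
    $hostName = $Matches.hostName.ToLowerInvariant()
    $port = if ($Matches.scheme -eq 'https') { 443 } else { 80 }
    [pscustomobject]@{
        Url      = $Url
        HostName = $hostName
        Port     = $port
        Wildcard = $hostName.StartsWith('*.')
        # Anchored on both ends: '*.update.microsoft.com' must not match
        # 'update.microsoft.com.example'.
        Pattern  = '^' + [regex]::Escape($hostName).Replace('\*', '[a-z0-9.-]+') + '$'
    }
}

# DNS resolution plus a TCP handshake on the scheme's port: the thing the
# firewall must actually permit for a concrete host.
function Test-UpdateEndpoint {
    param([Parameter(Mandatory)][pscustomobject]$Rule)
    $result = Test-NetConnection -ComputerName $Rule.HostName -Port $Rule.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        HostName   = $Rule.HostName
        Port       = $Rule.Port
        ResolvedTo = $result.RemoteAddress
        TcpOpen    = $result.TcpTestSucceeded
    }
}

# Evaluate an observed hostname (e.g. from proxy logs) against every rule and
# return the first matching allow-list entry, or $null if none matches.
function Test-HostAllowed {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][object[]]$Rules
    )
    foreach ($rule in $Rules) {
        if ($HostName -match $rule.Pattern) { return $rule.Url }
    }
    return $null
}

$rules = $allowList | ForEach-Object { ConvertTo-EndpointRule -Url $_ }

# 1. Concrete hosts can be tested directly through the firewall.
$rules | Where-Object { -not $_.Wildcard } |
    ForEach-Object { Test-UpdateEndpoint -Rule $_ } |
    Format-Table -AutoSize

# 2. Wildcard entries cannot be expressed as plain IP/port rules; show how a
#    proxy allow-list would evaluate them. Sample hostnames are constructed:
#    fe2.update.microsoft.com is mentioned in a later answer, and the
#    *.example names stand in for lookalike domains.
$samples = 'fe2.update.microsoft.com', 'download.windowsupdate.com',
           'windowsupdate.com.example', 'update.microsoft.com.example'
$samples | ForEach-Object {
    [pscustomobject]@{ HostName = $_; MatchedRule = Test-HostAllowed -HostName $_ -Rules $rules }
} | Format-Table -AutoSize
```

Two caveats when reading the output. A `TcpOpen` of `True` only proves the firewall lets the handshake through; it says nothing about whether the firewall or proxy then allows the HTTP request itself, so confirm with a real `wuauclt /detectnow` or `UsoClient StartScan` afterwards. And the wildcard entries are the reason this has to be done by hostname rather than by resolved IP: the download hosts are served from CDNs whose addresses change, so an allow-list built from today's `ResolvedTo` column will break later. If the firewall cannot match on FQDNs, put a proxy with a hostname allow-list in front of it (or a WSUS server, as the accepted answer suggests) instead of widening the rule to whole address ranges.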
We've had issues with our proxy and Windows update and they recommended:
Ports should just be 80 and 443, I think. You might need to open BITS if that uses a different port.
Did this today. Needed to add one more URL:
fe2.update.microsoft.com*
(I couldn't add that to my firewall, so I went with fe2.update.microsoft.com.nsatc.net.) As far as it seems, there's no more need for port 80.
Found here: https://docs.microsoft.com/en-us/windows/privacy/windows-endpoints-1903-non-enterprise-editions
I would suggest adding *.microsoft.com as a hostname if the software supports it and with regards to ports you should only need port 80 and 443.