From 2f8c7d1ba939ab5dda709a2f00a7d94faab5c8aa Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 26 Jul 2022 20:26:11 -0600 Subject: [PATCH] Adding new content for endpoints, other minor clean-up items --- windows/deployment/do/TOC.yml | 4 +- .../do/delivery-optimization-endpoints.md | 40 +++++++++++++++++++ .../do/delivery-optimization-proxy.md | 26 ++++++------ windows/deployment/do/index.yml | 4 +- .../do/waas-delivery-optimization-setup.md | 6 +++ .../update/waas-delivery-optimization-faq.md | 4 +- 6 files changed, 67 insertions(+), 17 deletions(-) create mode 100644 windows/deployment/do/delivery-optimization-endpoints.md diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index ba824d08fb..e949b2c0b3 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -8,14 +8,14 @@ - name: What's new href: whats-new-do.md - - - name: Configure Delivery Optimization items: - name: Configure Windows Clients items: - name: Windows Delivery Optimization settings href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings + - name: Windows Delivery Optimization Frequently Asked Questions + href: url: waas-delivery-optimization-faq.md - name: Configure Microsoft Endpoint Manager items: - name: Delivery Optimization settings in Microsoft Intune diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md new file mode 100644 index 0000000000..0df5ea859e --- /dev/null +++ b/windows/deployment/do/delivery-optimization-endpoints.md 
@@ -0,0 +1,40 @@ +--- +title: # Delivery Optimization and Microsoft Connected Cache content endpoints. +description: # The complete list of all fully qualified domain names, ports, and associated content types to use Delivery Optimization and Microsoft Connected Cache. +ms.date: 07/26/2022 +ms.prod: windows +ms.technology: windows +ms.topic: conceptual #reference for complete list of content types, endpoint names, ports, etc. +ms.localizationpriority: medium +author: # GitHub username (cmknox) +ms.author: # MS alias (carmenf) +ms.reviewer: # MS alias of feature PM, optional +manager: # MS alias of manager (naengler) +ms.collection: # optional +- # highpri - high priority, strategic, important, current, etc. articles +- # openauth - the article is owned by PM or community for open authoring +--- + +## Delivery Optimization and Microsoft Connected Cache content type endpoints + +_Applies to:_ + +- Windows 11 +- Windows 10 + +> [!NOTE] +> All ports are outbound. + +To ensure connect delivered via Delivery Optimization and Microsoft Connected Cache is properly configured, the following list of endpoints need to be allowed through the firewall. Use the table below to reference any particular content types supported by Delivery Optimization and Microsoft Connected Cache. + +|Domain Name |Protocol/Port(s) | Content Type | Additional Information | Version | +|---------|---------|---------------|-------------------|-----------------| +| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com | HTTP / 80 | Windows Update Windows Defender Windows Drivers | [Complete list](https://docs.microsoft.com/en-us/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. 
| Microsoft Endpoint Configuration Manager Distribution Point | +| *.delivery.mp.microsoft.com | HTTP / 80 | Edge Browser | [Complete list](https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Microsoft Endpoint Configuration Manager Distribution Point | +| *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net | HTTP / 80 | Office CDN updates | [Complete list](https://docs.microsoft.com/en-us/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Microsoft Endpoint Configuration Manager Distribution Point | +| *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com | HTTP / 80, HTTPs / 443 | Intune Win32 Apps | [Complete list](https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. 
| Microsoft Endpoint Configuration Manager Distribution Point | +| *.statics.teams.cdn.office.net | HTTP / 80, HTTPs / 443 | Teams | | Microsoft Endpoint Configuration Manager Distribution Point | +| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Endpoint Configuration Manager Distribution Point | +| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](https://docs.microsoft.com/en-us/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Endpoint Configuration Manager Distribution Point | +| *.do.dsp.mp.microsoft.com | HTTP / 80, HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | +| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671, MQTT / 8883, HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure | diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md index 5afb66f3f6..0b070b05ad 100644 
--- a/windows/deployment/do/delivery-optimization-proxy.md +++ b/windows/deployment/do/delivery-optimization-proxy.md 
@@ -12,27 +12,27 @@ ms.topic: article # Using a proxy with Delivery Optimization -**Applies to** +_Applies to:_ -- Windows 10 - Windows 11 +- Windows 10 -When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls. +When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls. Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows. For downloads that use Delivery Optimization to successfully use the proxy, you should set the proxy via Windows **Proxy Settings** or the Internet Explorer proxy settings. -Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required. +Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required. > [!NOTE] > We don't recommend that you use `netsh winhttp set proxy ProxyServerName:PortNumber`. Using this offers no auto-detection of the proxy, no support for an explicit PAC URL, and no authentication to the proxy. 
This setting is ignored by WinHTTP for requests that use auto-discovery (if an interactive user token is used). If a user is signed in, the system uses the Internet Explorer proxy. -If no user is signed in, even if both the Internet Explorer proxy and netsh configuration are set, the netsh configuration will take precedence over the Internet Explorer proxy. This can result in download failures. For example, you might receive HTTP_E_STATUS_PROXY_AUTH_REQ or HTTP_E_STATUS_DENIED errors. +If no user is signed in, even if both the Internet Explorer proxy and netsh configuration are set, the netsh configuration will take precedence over the Internet Explorer proxy. This can result in download failures. For example, you might receive HTTP_E_STATUS_PROXY_AUTH_REQ or HTTP_E_STATUS_DENIED errors. -You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie `) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply. +You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie `) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply. ### Summary of settings behavior @@ -43,7 +43,7 @@ With an interactive user signed in: |Named proxy set by using: |Delivery Optimization successfully uses proxy | |---------|---------| |Internet Explorer proxy, current user | Yes | -|Internet Explorer proxy, device-wide | Yes | +|Internet Explorer proxy, device-wide | Yes | |netsh proxy | No | |Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, Internet Explorer proxy is used | |Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, Internet Explorer proxy is used | 
@@ -53,7 +53,7 @@ With NetworkService (if unable to obtain a user token from a signed-in user): |Named proxy set by using: |Delivery Optimization successfully uses proxy | |---------|---------| |Internet Explorer proxy, current user | No | -|Internet Explorer proxy, device-wide | Yes | +|Internet Explorer proxy, device-wide | Yes | |netsh proxy | Yes | |Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, netsh proxy is used | |Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, netsh proxy is used | 
@@ -70,10 +70,10 @@ This policy is meant to ensure that proxy settings apply uniformly to the same c Starting with Windows 10, version 2004, you can use Connected Cache behind a proxy. In older versions, when you set Delivery Optimization to download from Connected Cache, it will bypass the proxy and try to connect directly to the Connected Cache server. This can cause failure to download. -However, you can set the Connected Cache server to use an unauthenticated proxy. For more information, see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache#prerequisites-and-limitations). +However, you can set the Connected Cache server to use an unauthenticated proxy. For more information, see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache#prerequisites-and-limitations). - ## Related articles +## Related articles -- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp) -- [How to use GPP Registry to uncheck automatically detect settings? 
](/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings) -- [How to configure a proxy server URL and Port using GPP Registry?](/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry) \ No newline at end of file +- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp) +- [How to use GPP Registry to uncheck automatically detect settings?](/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings) +- [How to configure a proxy server URL and Port using GPP Registry?](/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry) diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index c1f2b5eb4a..f2292d6e08 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -1,6 +1,6 @@ ### YamlMime:Landing -title: Delivery Optimization for Windows client # < 60 chars +title: Delivery Optimization # < 60 chars summary: Set up peer to peer downloads for Windows Updates and learn about Microsoft Connected Cache. # < 160 chars metadata: @@ -97,4 +97,6 @@ landingContent: url: delivery-optimization-workflow.md - text: Using a proxy with Delivery Optimization url: delivery-optimization-proxy.md + - text: Content endpoints for Delivery Optimization / Microsoft Connected Cache + url: delivery-optimization-endpoints.md diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index fd6f82f98c..a7410f4b72 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md 
@@ -31,6 +31,12 @@ Starting with Microsoft Intune version 1902, you can set many Delivery Optimizat **Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. +## Allow content endpoints + +When using a firewall, it is important that the content endpoints are allowed and associated ports are open. + +[Learn more](delivery-optimization-endpoints.md) about the complete list for fully qualified domains, ports for all Delivery Optimization and Microsoft Connected Cache content types. + ## Recommended Delivery Optimization settings Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md index 4e752ce90b..ec8a820b3e 100644 --- a/windows/deployment/update/waas-delivery-optimization-faq.md +++ b/windows/deployment/update/waas-delivery-optimization-faq.md @@ -37,7 +37,7 @@ For Delivery Optimization to successfully use the proxy, you should set up the p ## What hostnames should I allow through my firewall to support Delivery Optimization? -**For communication between clients and the Delivery Optimization cloud service**: +**For communication between clients and the Delivery Optimization cloud service**: - `*.do.dsp.mp.microsoft.com` 
@@ -55,6 +55,8 @@ For Delivery Optimization to successfully use the proxy, you should set up the p - `win1910.ipv6.microsoft.com` +[Complete list](delivery-optimization-endpoints.md) of all content endpoints used for Delivery Optimization and Microsoft Connected Cache. + ## Does Delivery Optimization use multicast? No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
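Review bot: the new TOC entry in the `windows/deployment/do/TOC.yml` hunk is not valid YAML and points at the wrong directory: `href: url: waas-delivery-optimization-faq.md` nests a second key under `href`, and the FAQ file lives in `windows/deployment/update/` (see the last file in this patch), not in `do/`. Replace the line with `href: ../update/waas-delivery-optimization-faq.md`, matching the single-key form of the neighbouring entry `href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings`.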
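Review bot: in the front matter of the new `delivery-optimization-endpoints.md`, `title`, `description`, `author`, `ms.author`, `manager` and both `ms.collection` items carry their value only inside a YAML comment (`title: # Delivery Optimization and Microsoft Connected Cache content endpoints.`, `author: # GitHub username (cmknox)`), so the page builds with empty metadata. Move the values in front of the `#`, for example `title: Delivery Optimization and Microsoft Connected Cache content endpoints`, `author: cmknox`, `ms.author: carmenf`, `manager: naengler`, and either drop `ms.collection` or give it a real entry. In the body, "To ensure connect delivered via Delivery Optimization" should read "content"; the page opens at `##` where the sibling proxy article uses a single `#` H1; the "Version" column actually holds the Connected Cache deployment type (`Microsoft Endpoint Configuration Manager Distribution Point`, `Microsoft Connected Cache Managed in Azure`) and should be headed accordingly; and the absolute `https://docs.microsoft.com/en-us/...` links should be locale-free relative links like the `/mem/configmgr/...` form used in the proxy article. The `*.do.dsp.mp.microsoft.com` row also describes "Microsoft Connected Cache -> Delivery Optimization Services communication" while the FAQ hunk below lists the same host under "communication between clients and the Delivery Optimization cloud service"; pick one wording or state both uses.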
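Review bot: the new "Allow content endpoints" section in `waas-delivery-optimization-setup.md` reads awkwardly and buries the link text: "When using a firewall, it is important that the content endpoints are allowed and associated ports are open." followed by "[Learn more](delivery-optimization-endpoints.md) about the complete list for fully qualified domains, ports for all ...". Suggest "When using a firewall, the content endpoints must be allowed and the associated ports open. See the [complete list](delivery-optimization-endpoints.md) of fully qualified domain names and ports for all Delivery Optimization and Microsoft Connected Cache content types."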
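Review bot: the link added in `waas-delivery-optimization-faq.md`, `[Complete list](delivery-optimization-endpoints.md)`, is relative to `windows/deployment/update/`, but the new file is created under `windows/deployment/do/`, so the link will break; use `../do/delivery-optimization-endpoints.md`.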