Earlier this week I presented a webinar on ColdFusion 10. During that session I noted that, in my own opinion, the single most critical reason to upgrade to CF10 was the simplified and improved update process which dramatically simplifies the process of keeping your server up-to-date with the latest patches or hotfixes.
One attendee asked about the server making outbound requests, voicing a concern that firewalls may block this checking, and wanting to know what the server actually needs to talk to. So, here's the answer.
On scheduled intervals (and when checked from within ColdFusion Administrator) ColdFusion makes an outbound HTTP request (over port 80) to http://www.adobe.com:80/go/coldfusion-updates, which redirects to http://download.adobe.com/pub/adobe/coldfusion/xml/updates.xml. If there are updates available they are downloaded from the addresses in that XML file, all on host download.adobe.com.
So, as long as you server can make outbound HTTP requests (on standard HTTP port 80) to hosts download.adobe.com and www.adobe.com, you should have no problem checking for and applying updates via the new update mechanism. And if you want to limit the hosts that need to be accessed, you can actually go to the Settings page in ColdFusion Administrator > Server Update > Updates, and change the Update Site URL to http://download.adobe.com/pub/adobe/coldfusion/xml/updates.xml (bypassing the extra call and redirect).