Re: MS outsource updates, complicates 3rd party firewall

"the 3rd party content providers that Microsoft uses" ?
Your firewall should tell you that something is trying to call out, and ask
if you want to allow it. You need to know what it is to know whether it
should be doing that.
Anthony
http://www.airdesk.com


"AndyHancock" <> wrote in message
news:b1d906f4-b1ea-4e57-bfa9-...
> In Windows Professional 2000, svchost connects out to Limelight
> Networks port 80. A bit of surfing indicates that this might be a
> check for updates. How do users of 3rd party firewalls keep on top of
> the 3rd party content providers that Microsoft uses? The rules must
> be constantly updated.

Andy,
Limelight is a third party product going out to check for updates. Kerio is
alerting you to that. There is no connection with Microsoft.
Anthony,
http://www.airdesk.com



"AndyHancock" <> wrote in message
news:fcf8c069-3571-41dd-bcd5-...
> Hello, Anthony,
>
> I'm not clear about your last post.
>
> Are you asking for clarification of what I meant by "the 3rd party
> content providers that Microsoft uses"?
>
> The firewall (Kerio Personal Firewall 2.1.5 issues a warning that
> svchost is trying to connect out to Limelight Networks port 80. The
> rest of my sleuthing is as I describe in the original post. I have no
> further details.
>
> If this is Windows checking for updates, it must a common problem,
> endemic to users with third party firewalls. So I was wondering what
> the established practice is to recognize such checks for updates, and
> to keep firewall rules that permit such checks synchronized with the
> IP addresses used for such checks by the content distributors on
> behalf of Microsoft.
>
> On Apr 10, 6:53 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
>> "the 3rd party content providers that Microsoft uses" ?
>> Your firewall should tell you that something is trying to call out, and
>> ask
>> if you want to allow it. You need to know what it is to know whether it
>> should be doing that.
>> Anthony
http://www.airdesk.com
>>
>> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
>>
>> news:b1d906f4-b1ea-4e57-bfa9-...
>>
>> > In Windows Professional 2000, svchost connects out to Limelight
>> > Networks port 80. A bit of surfing indicates that this might be a
>> > check for updates. How do users of 3rd party firewalls keep on top of
>> > the 3rd party content providers that Microsoft uses? The rules must
>> > be constantly updated.
>

Hi Andy,
The check for windows updates will be from a hidden process wuauclt.exe
running under a svchost process. Kerio should alert you to these so you can
allow them. They will be going out to xxx.microsoft.com, so you can also
restrict them to going out to those sites only if you want.
Here is an example for Sophos. I don't know the Kerio one.
http://www.sophos.com/support/knowle...cle/17444.html
There are no content providers or disseminators involved, so there is no
list to keep updated,
Hope that helps,
Anthony
http://www.airdesk.com





"AndyHancock" <> wrote in message
news:3217a645-b82a-4d21-9cb9-...
> Anthony,
>
> Limelight is a content dissemintaor, not a product or process running
> on the computer.
>
> I agree that Kerio is alerting me to an outgoing connection, as I
> describe that in my last post.
>
> As per my last post, I was wondering how one can determine whether the
> outgoing connection is a check for Windows updates.
>
> I was also curious as to how you determined that there is no
> connection with Microsoft. The gist of the thread is how users in
> general can keep their firewall rules updated so as to permit Windows
> checks for updates. Knowing the content providers and the IP address
> blocks would be one part of achieving this. Automated assistance in
> keeping the rules synchronized with the changing list of IP addresses
> would be another part of the solution.
>
> Thanks.
>
> On Apr 12, 4:28 pm, "Anthony [MVP]" wrote:
>> Andy, Limelight is a third party product going out to check for
>> updates. Kerio is alerting you to that. There is no connection with
>> Microsoft.
>>
>> "AndyHancock" <AndyMHanc...@gmail.com> wrote:
>>
>>> Hello, Anthony,
>>
>>> I'm not clear about your last post.
>>>
>>> Are you asking for clarification of what I meant by "the 3rd party
>>> content providers that Microsoft uses"?
>>>
>>> The firewall (Kerio Personal Firewall 2.1.5 issues a warning that
>>> svchost is trying to connect out to Limelight Networks port 80.
>>> The rest of my sleuthing is as I describe in the original post. I
>>> have no further details.
>>>
>>> If this is Windows checking for updates, it must a common problem,
>>> endemic to users with third party firewalls. So I was wondering
>>> what the established practice is to recognize such checks for
>>> updates, and to keep firewall rules that permit such checks
>>> synchronized with the IP addresses used for such checks by the
>>> content distributors on behalf of Microsoft.
>>>
>>> On Apr 10, 6:53 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
>>>> "the 3rd party content providers that Microsoft uses" ? Your
>>>> firewall should tell you that something is trying to call out, and
>>>> ask if you want to allow it. You need to know what it is to know
>>>> whether it should be doing that.
>>>>
>>>> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
>>>>> In Windows Professional 2000, svchost connects out to Limelight
>>>>> Networks port 80. A bit of surfing indicates that this might be a
>>>>> check for updates. How do users of 3rd party firewalls keep on
>>>>> top of the 3rd party content providers that Microsoft uses? The
>>>>> rules must be constantly updated.

Andy,
Does Kerio require you to use an IP address instead of a domain name?

The domain names are registered to Microsoft, which you can confirm in
Whois. windowsupdate.com and microsoftupdate.com are registered by
Microsoft. Only Microsoft have the authority to control the name resolution
for those domains, so any IP address that is a host in those domains must be
one that Microsoft want you to go to.

The actual IP address can be any device, anywhere, hosted by anyone. Its
just that you won't resolve a name to that IP unless it is in the DNS
controlled by Microsoft.

When you lookup the IP address, you are just discovering which organisation
has control of that IP address range. So if I put a server in an ISP
datacentre they will assign me one of their IP addresses. I will then go
into my own DNS and put that address against my server name, so that it
resolves to the IP assigned to me. The ISP can't do that. Oversee.net
control the network and the routing that that particular Microsoft Updates
service is sitting on, but they have no control of the host itself by virtue
of that.

Hope that helps,
Anthony
http://www.airdesk.com



"AndyHancock" <> wrote in message
news:a29b2dde-893e-47be-945f-...
> In addition to #2 below indicating that MS does indeed use what seem
> to be 3rd party servers, common MS apps like media player also use
> what seem to be 3rd party servers; Limelight Networks,
> http://whois.domaintools.com/213.199.149.164, aka llnw, associated
> with Level 3 below.
>
> This practice is making firewall rule management very difficult.
>
> ---------- Forwarded message ----------
> From: AndyHancock <AndyMHanc...@gmail.com>
> Date: Apr 15, 12:31 am
> Subject: MS outsource updates, complicates 3rd party firewall
> To: microsoft.public.win2000.general,
> microsoft.public.win2000.windows_update,
> microsoft.public.windows.networking.firewall,
> microsoft.public.windowsupdate
>
> Thanks, Anthony. That does indeed help. I looked up the three URLs
> provided at the sophos webpage your cited.
>
> 1. update.microsoft.com resolves to 207.46.21.123, which whois
> confirms
> is Microsoft.
>
> 2. download.microsoftupdates.com resolves to 208.73.210.121, which
> whois
> reveals to be Oversee.net (advertising).
>
> 3. windowsupdate.microsoft.com resolves to 207.46.18.94, which whois
> confirms is Microsoft.
>
> Strangely enough, I have found it necessary in the past to permit
> access to the following before updates would work properly.
>
> 4. Net Access Corp, 209.123.0.0 - 209.123.255.255
> 5. Level 3 Communications, 206.32.0.0 - 206.35.255.255
> 6. Akamai Technologies, 72.246.0.0 - 72.247.255.255
>
> I've disabled permissions #4 thru #6 to see if anything goes awry.
>
> It is #4 thru #6 that caused me to believe that Microsoft uses 3rd
> party content disseminators. Even #2 seems to do this.
>
> On Apr 14, 3:27 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
>
>> Hi Andy,
>> The check for windows updates will be from a hidden process
>> wuauclt.exe running under a svchost process. Kerio should alert you
>> to these so you can allow them. They will be going out to
>> xxx.microsoft.com, so you can also restrict them to going out to
>> those sites only if you want. Here is an example for Sophos. I
>> don't know the Kerio
>> one.http://www.sophos.com/support/knowle...cle/17444.html
>> There are no content providers or disseminators involved, so there
>> is no list to keep updated,
>> Hope that helps,
>> Anthonyhttp://www.airdesk.com
>
>> "AndyHancock" <AndyMHanc...@gmail.com> wrote:
>>> Anthony,
>
>>> Limelight is a content dissemintaor, not a product or process running
>>> on the computer.
>
>>> I agree that Kerio is alerting me to an outgoing connection, as I
>>> describe that in my last post.
>
>>> As per my last post, I was wondering how one can determine whether the
>>> outgoing connection is a check for Windows updates.
>
>>> I was also curious as to how you determined that there is no
>>> connection with Microsoft. The gist of the thread is how users in
>>> general can keep their firewall rules updated so as to permit Windows
>>> checks for updates. Knowing the content providers and the IP address
>>> blocks would be one part of achieving this. Automated assistance in
>>> keeping the rules synchronized with the changing list of IP addresses
>>> would be another part of the solution.
>
>>> Thanks.
>
>>> On Apr 12, 4:28 pm, "Anthony [MVP]" wrote:
>>>> Andy, Limelight is a third party product going out to check for
>>>> updates. Kerio is alerting you to that. There is no connection with
>>>> Microsoft.
>
>>>> "AndyHancock" <AndyMHanc...@gmail.com> wrote:
>
>>>>> Hello, Anthony,
>
>>>>> I'm not clear about your last post.
>
>>>>> Are you asking for clarification of what I meant by "the 3rd party
>>>>> content providers that Microsoft uses"?
>
>>>>> The firewall (Kerio Personal Firewall 2.1.5 issues a warning that
>>>>> svchost is trying to connect out to Limelight Networks port 80.
>>>>> The rest of my sleuthing is as I describe in the original post. I
>>>>> have no further details.
>
>>>>> If this is Windows checking for updates, it must a common problem,
>>>>> endemic to users with third party firewalls. So I was wondering
>>>>> what the established practice is to recognize such checks for
>>>>> updates, and to keep firewall rules that permit such checks
>>>>> synchronized with the IP addresses used for such checks by the
>>>>> content distributors on behalf of Microsoft.
>
>>>>> On Apr 10, 6:53 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
>>>>>> "the 3rd party content providers that Microsoft uses" ? Your
>>>>>> firewall should tell you that something is trying to call out, and
>>>>>> ask if you want to allow it. You need to know what it is to know
>>>>>> whether it should be doing that.
>
>>>>>> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
>>>>>>> In Windows Professional 2000, svchost connects out to Limelight
>>>>>>> Networks port 80. A bit of surfing indicates that this might be a
>>>>>>> check for updates. How do users of 3rd party firewalls keep on
>>>>>>> top of the 3rd party content providers that Microsoft uses? The
>>>>>>> rules must be constantly updated.

Andy,
Its an interesting topic.
Although you can safely identify a specific host that you know, e.g your own
mail server, you can't use IP address to identify a known corporation. They
could easily change. So for example, you can safely trust a site that is
called xyz.adobe.com because Adobe control that domain. That's why ssl
certificates are tied to names and not to IP addresses,
Anthony
http://www.airdesk.com



"AndyHancock" <> wrote in message
news:3494a08b-40e7-4b68-93a8-...
> Kerio 2.1.5 does indeed require IP addresses rather than domain
> names. I thought this was the norm for most personal firewalls. Is
> this not correct? Not that it matters, it is a problem for need that
> I need to find a solution to...somehow. I don't have a lot of
> confidence in the firewall rules I set up using whois to lookup IP
> addresses...I have no idea whether Microsoft changes these IP
> addresses often.
>
> I think I get the gist of your explanation below, though the details
> are just a tad foggy. You gave an example where you put a server in
> an ISP data centre, yet they have no control of the host, by which I
> assume you mean the server. How is it tha can they have no control
> when the server is in their data centre? Is it a hosting service that
> they rent out, including control of the information that the client
> (e.g. Microsoft) wants disseminated, and access from the client to
> update content for dissemintation?
>
> As well, I wasn't too clear on what you meant by putting that IP
> address against your server name...is that related to the domain name
> that you mentioned in paragraph 1 of your reply? For example, would
> cds156.lon9.llnw.net (or cds156) be a server name, while lon9.llnw.net
> is a domain name? How does it help for you (or Microsoft) to put that
> IP address on your DNS? Doesn't it have to be mapped that way in the
> DNS's used by Microsoft users around the world? I assume that those
> DNS's are maintained by the users' ISPs, but I'm really quite foggy
> when it comes to the nuts and bolts under the hood of the internet.
>
> ---------- Original message ----------
> From: "Anthony [MVP]" <anth...@no-reply.com>
> Date: Apr 19, 1:09 pm
> Subject: MS outsource updates, complicates 3rd party firewall
>
> Andy,
> Does Kerio require you to use an IP address instead of a domain name?
>
> The domain names are registered to Microsoft, which you can confirm in
> Whois. windowsupdate.com and microsoftupdate.com are registered by
> Microsoft. Only Microsoft have the authority to control the name
> resolution for those domains, so any IP address that is a host in
> those domains must be one that Microsoft want you to go to.
>
> The actual IP address can be any device, anywhere, hosted by anyone.
> Its just that you won't resolve a name to that IP unless it is in the
> DNS controlled by Microsoft.
>
> When you lookup the IP address, you are just discovering which
> organisation has control of that IP address range. So if I put a
> server in an ISP datacentre they will assign me one of their IP
> addresses. I will then go into my own DNS and put that address against
> my server name, so that it resolves to the IP assigned to me. The ISP
> can't do that. Oversee.net control the network and the routing that
> that particular Microsoft Updates service is sitting on, but they have
> no control of the host itself by virtue of that.
>
> Hope that helps,
> Anthony
>
> "AndyHancock" <AndyMHanc...@gmail.com> wrote:
>> In addition to #2 below indicating that MS does indeed use what seem
>> to be 3rd party servers, common MS apps like media player also use
>> what seem to be 3rd party servers; Limelight Networks,
>> http://whois.domaintools.com/213.199.149.164, aka llnw, associated
>> with Level 3 below.
>>
>> This practice is making firewall rule management very difficult.
>>
>> ---------- Original message ----------
>> From: AndyHancock <AndyMHanc...@gmail.com>
>> Date: Apr 15, 12:31 am
>> Subject: MS outsource updates, complicates 3rd party firewall
>>
>> Thanks, Anthony. That does indeed help. I looked up the three URLs
>> provided at the sophos webpage your cited.
>>
>> 1. update.microsoft.com resolves to 207.46.21.123, which whois
>> confirms is Microsoft.
>>
>> 2. download.microsoftupdates.com resolves to 208.73.210.121, which
>> whois reveals to be Oversee.net (advertising).
>>
>> 3. windowsupdate.microsoft.com resolves to 207.46.18.94, which whois
>> confirms is Microsoft.
>>
>> Strangely enough, I have found it necessary in the past to permit
>> access to the following before updates would work properly.
>>
>> 4. Net Access Corp, 209.123.0.0 - 209.123.255.255
>> 5. Level 3 Communications, 206.32.0.0 - 206.35.255.255
>> 6. Akamai Technologies, 72.246.0.0 - 72.247.255.255
>>
>> I've disabled permissions #4 thru #6 to see if anything goes awry.
>>
>> It is #4 thru #6 that caused me to believe that Microsoft uses 3rd
>> party content disseminators. Even #2 seems to do this.
>>
>> On Apr 14, 3:27 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
>>
>>> Hi Andy,
>>> The check for windows updates will be from a hidden process
>>> wuauclt.exe running under a svchost process. Kerio should alert you
>>> to these so you can allow them. They will be going out to
>>> xxx.microsoft.com, so you can also restrict them to going out to
>>> those sites only if you want. Here is an example for Sophos. I
>>> don't know the Kerio
>>> one.http://www.sophos.com/support/knowle...cle/17444.html
>>> There are no content providers or disseminators involved, so there
>>> is no list to keep updated,
>>> Hope that helps,
>>> Anthony
>>>
>>> "AndyHancock" <AndyMHanc...@gmail.com> wrote:
>>>> Anthony,
>>>>
>>>> Limelight is a content dissemintaor, not a product or process running
>>>> on the computer.
>>>>
>>>> I agree that Kerio is alerting me to an outgoing connection, as I
>>>> describe that in my last post.
>>>>
>>>> As per my last post, I was wondering how one can determine whether the
>>>> outgoing connection is a check for Windows updates.
>>>>
>>>> I was also curious as to how you determined that there is no
>>>> connection with Microsoft. The gist of the thread is how users in
>>>> general can keep their firewall rules updated so as to permit Windows
>>>> checks for updates. Knowing the content providers and the IP address
>>>> blocks would be one part of achieving this. Automated assistance in
>>>> keeping the rules synchronized with the changing list of IP addresses
>>>> would be another part of the solution.
>>>>
>>>> Thanks.
>>>>
>>>> On Apr 12, 4:28 pm, "Anthony [MVP]" wrote:
>>>>> Andy, Limelight is a third party product going out to check for
>>>>> updates. Kerio is alerting you to that. There is no connection
>>>>> with Microsoft.
>>>>>
>>>>> "AndyHancock" <AndyMHanc...@gmail.com> wrote:
>>>>>> Hello, Anthony,
>>>>>>
>>>>>> I'm not clear about your last post.
>>>>>>
>>>>>> Are you asking for clarification of what I meant by "the 3rd
>>>>>> party content providers that Microsoft uses"?
>>>>>>
>>>>>> The firewall (Kerio Personal Firewall 2.1.5 issues a warning
>>>>>> that svchost is trying to connect out to Limelight Networks port
>>>>>> 80. The rest of my sleuthing is as I describe in the original
>>>>>> post. I have no further details.
>>>>>>
>>>>>> If this is Windows checking for updates, it must a common
>>>>>> problem, endemic to users with third party firewalls. So I was
>>>>>> wondering what the established practice is to recognize such
>>>>>> checks for updates, and to keep firewall rules that permit such
>>>>>> checks synchronized with the IP addresses used for such checks
>>>>>> by the content distributors on behalf of Microsoft.
>>>>>>
>>>>>> On Apr 10, 6:53 am, "Anthony [MVP]" <anth...@no-reply.com>
>>>>>> wrote:
>>>>>>> "the 3rd party content providers that Microsoft uses" ? Your
>>>>>>> firewall should tell you that something is trying to call out,
>>>>>>> and ask if you want to allow it. You need to know what it is to
>>>>>>> know whether it should be doing that.
>>>>>>>
>>>>>>> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
>>>>>>>> In Windows Professional 2000, svchost connects out to
>>>>>>>> Limelight Networks port 80. A bit of surfing indicates that
>>>>>>>> this might be a check for updates. How do users of 3rd party
>>>>>>>> firewalls keep on top of the 3rd party content providers that
>>>>>>>> Microsoft uses? The rules must be constantly updated.