AndyHancock wrote:
> In Windows Professional 2000, svchost connects out to Limelight
> Networks port 80. A bit of surfing indicates that this might be a
> check for updates. How do users of 3rd party firewalls keep on top of
> the 3rd party content providers that Microsoft uses? The rules must
> be constantly updated.
I'm not clear about your last post.
Are you asking for clarification of what I meant by "the 3rd party
content providers that Microsoft uses"?
The firewall (Kerio Personal Firewall 2.1.5 issues a warning that
svchost is trying to connect out to Limelight Networks port 80. The
rest of my sleuthing is as I describe in the original post. I have no
further details.
If this is Windows checking for updates, it must a common problem,
endemic to users with third party firewalls. So I was wondering what
the established practice is to recognize such checks for updates, and
to keep firewall rules that permit such checks synchronized with the
IP addresses used for such checks by the content distributors on
behalf of Microsoft.
On Apr 10, 6:53 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
> "the 3rd party content providers that Microsoft uses" ?
> Your firewall should tell you that something is trying to call out, and ask
> if you want to allow it. You need to know what it is to know whether it
> should be doing that.
> Anthonyhttp://www.airdesk.com
>
> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
>
> news:b1d906f4-b1ea-4e57...@k2g2000yql.googlegroups.com...
"AndyHancock" <AndyMH...@gmail.com> wrote in message
news:fcf8c069-3571-41dd...@x6g2000vbg.googlegroups.com...
Limelight is a content dissemintaor, not a product or process running
on the computer.
I agree that Kerio is alerting me to an outgoing connection, as I
describe that in my last post.
As per my last post, I was wondering how one can determine whether the
outgoing connection is a check for Windows updates.
I was also curious as to how you determined that there is no
connection with Microsoft. The gist of the thread is how users in
general can keep their firewall rules updated so as to permit Windows
checks for updates. Knowing the content providers and the IP address
blocks would be one part of achieving this. Automated assistance in
keeping the rules synchronized with the changing list of IP addresses
would be another part of the solution.
Thanks.
On Apr 12, 4:28 pm, "Anthony [MVP]" wrote:
> Andy, Limelight is a third party product going out to check for
> updates. Kerio is alerting you to that. There is no connection with
> Microsoft.
>
> "AndyHancock" <AndyMHanc...@gmail.com> wrote:
>
>> Hello, Anthony,
>
>> I'm not clear about your last post.
>>
>> Are you asking for clarification of what I meant by "the 3rd party
>> content providers that Microsoft uses"?
>>
>> The firewall (Kerio Personal Firewall 2.1.5 issues a warning that
>> svchost is trying to connect out to Limelight Networks port 80.
>> The rest of my sleuthing is as I describe in the original post. I
>> have no further details.
>>
>> If this is Windows checking for updates, it must a common problem,
>> endemic to users with third party firewalls. So I was wondering
>> what the established practice is to recognize such checks for
>> updates, and to keep firewall rules that permit such checks
>> synchronized with the IP addresses used for such checks by the
>> content distributors on behalf of Microsoft.
>>
>> On Apr 10, 6:53 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
>>> "the 3rd party content providers that Microsoft uses" ? Your
>>> firewall should tell you that something is trying to call out, and
>>> ask if you want to allow it. You need to know what it is to know
>>> whether it should be doing that.
>>>
>>> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
"AndyHancock" <AndyMH...@gmail.com> wrote in message
news:3217a645-b82a-4d21...@z9g2000yqi.googlegroups.com...
1. update.microsoft.com resolves to 207.46.21.123, which whois
confirms
is Microsoft.
2. download.microsoftupdates.com resolves to 208.73.210.121, which
whois
reveals to be Oversee.net (advertising).
3. windowsupdate.microsoft.com resolves to 207.46.18.94, which whois
confirms is Microsoft.
Strangely enough, I have found it necessary in the past to permit
access to the following before updates would work properly.
4. Net Access Corp, 209.123.0.0 - 209.123.255.255
5. Level 3 Communications, 206.32.0.0 - 206.35.255.255
6. Akamai Technologies, 72.246.0.0 - 72.247.255.255
I've disabled permissions #4 thru #6 to see if anything goes awry.
It is #4 thru #6 that caused me to believe that Microsoft uses 3rd
party content disseminators. Even #2 seems to do this.
On Apr 14, 3:27 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
> Hi Andy,
> The check for windows updates will be from a hidden process
> wuauclt.exe running under a svchost process. Kerio should alert you
> to these so you can allow them. They will be going out to
> xxx.microsoft.com, so you can also restrict them to going out to
> those sites only if you want. Here is an example for Sophos. I
> don't know the Kerio
> one.http://www.sophos.com/support/knowledgebase/article/17444.html
> There are no content providers or disseminators involved, so there
> is no list to keep updated,
> Hope that helps,
> Anthony http://www.airdesk.com
>
This practice is making firewall rule management very difficult.
> Anthonyhttp://www.airdesk.com
The domain names are registered to Microsoft, which you can confirm in
Whois. windowsupdate.com and microsoftupdate.com are registered by
Microsoft. Only Microsoft have the authority to control the name resolution
for those domains, so any IP address that is a host in those domains must be
one that Microsoft want you to go to.
The actual IP address can be any device, anywhere, hosted by anyone. Its
just that you won't resolve a name to that IP unless it is in the DNS
controlled by Microsoft.
When you lookup the IP address, you are just discovering which organisation
has control of that IP address range. So if I put a server in an ISP
datacentre they will assign me one of their IP addresses. I will then go
into my own DNS and put that address against my server name, so that it
resolves to the IP assigned to me. The ISP can't do that. Oversee.net
control the network and the routing that that particular Microsoft Updates
service is sitting on, but they have no control of the host itself by virtue
of that.
Hope that helps,
Anthony
http://www.airdesk.com
"AndyHancock" <AndyMH...@gmail.com> wrote in message
news:a29b2dde-893e-47be...@e18g2000yqo.googlegroups.com...
I think I get the gist of your explanation below, though the details
are just a tad foggy. You gave an example where you put a server in
an ISP data centre, yet they have no control of the host, by which I
assume you mean the server. How is it tha can they have no control
when the server is in their data centre? Is it a hosting service that
they rent out, including control of the information that the client
(e.g. Microsoft) wants disseminated, and access from the client to
update content for dissemintation?
As well, I wasn't too clear on what you meant by putting that IP
address against your server name...is that related to the domain name
that you mentioned in paragraph 1 of your reply? For example, would
cds156.lon9.llnw.net (or cds156) be a server name, while lon9.llnw.net
is a domain name? How does it help for you (or Microsoft) to put that
IP address on your DNS? Doesn't it have to be mapped that way in the
DNS's used by Microsoft users around the world? I assume that those
DNS's are maintained by the users' ISPs, but I'm really quite foggy
when it comes to the nuts and bolts under the hood of the internet.
---------- Original message ----------
From: "Anthony [MVP]" <anth...@no-reply.com>
Date: Apr 19, 1:09 pm
Subject: MS outsource updates, complicates 3rd party firewall
Andy,
Does Kerio require you to use an IP address instead of a domain name?
The domain names are registered to Microsoft, which you can confirm in
Whois. windowsupdate.com and microsoftupdate.com are registered by
Microsoft. Only Microsoft have the authority to control the name
resolution for those domains, so any IP address that is a host in
those domains must be one that Microsoft want you to go to.
The actual IP address can be any device, anywhere, hosted by anyone.
Its just that you won't resolve a name to that IP unless it is in the
DNS controlled by Microsoft.
When you lookup the IP address, you are just discovering which
organisation has control of that IP address range. So if I put a
server in an ISP datacentre they will assign me one of their IP
addresses. I will then go into my own DNS and put that address against
my server name, so that it resolves to the IP assigned to me. The ISP
can't do that. Oversee.net control the network and the routing that
that particular Microsoft Updates service is sitting on, but they have
no control of the host itself by virtue of that.
Hope that helps,
Anthony
"AndyHancock" <AndyMHanc...@gmail.com> wrote:
> In addition to #2 below indicating that MS does indeed use what seem
> to be 3rd party servers, common MS apps like media player also use
> what seem to be 3rd party servers; Limelight Networks,
> http://whois.domaintools.com/213.199.149.164, aka llnw, associated
> with Level 3 below.
>
> This practice is making firewall rule management very difficult.
>
> ---------- Original message ----------
> From: AndyHancock <AndyMHanc...@gmail.com>
> Date: Apr 15, 12:31 am
> Subject: MS outsource updates, complicates 3rd party firewall
>
"AndyHancock" <AndyMH...@gmail.com> wrote in message
news:3494a08b-40e7-4b68...@r37g2000yqn.googlegroups.com...
---------- Forwarded message ----------
From: "Anthony [MVP]" <anth...@no-reply.com>
Date: Apr 23, 6:56 pm
Subject: MS outsource updates, complicates 3rd party firewall
To: microsoft.public.win2000.general,
microsoft.public.win2000.windows_update,
microsoft.public.windows.networking.firewall,
microsoft.public.windowsupdate
Andy,
Its an interesting topic.
Although you can safely identify a specific host that you know, e.g
your own
mail server, you can't use IP address to identify a known corporation.
They
could easily change. So for example, you can safely trust a site that
is
called xyz.adobe.com because Adobe control that domain. That's why ssl
certificates are tied to names and not to IP addresses,
Anthonyhttp://www.airdesk.com
"AndyHancock" <AndyMHanc...@gmail.com> wrote in message
news:3494a08b-40e7-4b68-93a8-
b786f0...@r37g2000yqn.googlegroups.com...