Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: MS outsource updates, complicates 3rd party firewall

3 views
Skip to first unread message

PA Bear [MS MVP]

unread,
Apr 9, 2009, 1:02:11 PM4/9/09
to
[[Forwarded to Win2K.WU and Win2K.General newsgroups via crosspost.]]

AndyHancock wrote:
> In Windows Professional 2000, svchost connects out to Limelight
> Networks port 80. A bit of surfing indicates that this might be a
> check for updates. How do users of 3rd party firewalls keep on top of
> the 3rd party content providers that Microsoft uses? The rules must
> be constantly updated.

AndyHancock

unread,
Apr 12, 2009, 2:42:30 AM4/12/09
to
Hello, Anthony,

I'm not clear about your last post.

Are you asking for clarification of what I meant by "the 3rd party


content providers that Microsoft uses"?

The firewall (Kerio Personal Firewall 2.1.5 issues a warning that
svchost is trying to connect out to Limelight Networks port 80. The
rest of my sleuthing is as I describe in the original post. I have no
further details.

If this is Windows checking for updates, it must a common problem,
endemic to users with third party firewalls. So I was wondering what
the established practice is to recognize such checks for updates, and
to keep firewall rules that permit such checks synchronized with the
IP addresses used for such checks by the content distributors on
behalf of Microsoft.

On Apr 10, 6:53 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
> "the 3rd party content providers that Microsoft uses" ?

> Your firewall should tell you that something is trying to call out, and ask
> if you want to allow it. You need to know what it is to know whether it
> should be doing that.
> Anthonyhttp://www.airdesk.com
>
> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
>
> news:b1d906f4-b1ea-4e57...@k2g2000yql.googlegroups.com...

Anthony [MVP]

unread,
Apr 12, 2009, 4:28:00 PM4/12/09
to
Andy,
Limelight is a third party product going out to check for updates. Kerio is
alerting you to that. There is no connection with Microsoft.
Anthony,
http://www.airdesk.com

"AndyHancock" <AndyMH...@gmail.com> wrote in message
news:fcf8c069-3571-41dd...@x6g2000vbg.googlegroups.com...

AndyHancock

unread,
Apr 13, 2009, 10:00:10 AM4/13/09
to
Anthony,

Limelight is a content dissemintaor, not a product or process running
on the computer.

I agree that Kerio is alerting me to an outgoing connection, as I
describe that in my last post.

As per my last post, I was wondering how one can determine whether the
outgoing connection is a check for Windows updates.

I was also curious as to how you determined that there is no
connection with Microsoft. The gist of the thread is how users in
general can keep their firewall rules updated so as to permit Windows
checks for updates. Knowing the content providers and the IP address
blocks would be one part of achieving this. Automated assistance in
keeping the rules synchronized with the changing list of IP addresses
would be another part of the solution.

Thanks.

On Apr 12, 4:28 pm, "Anthony [MVP]" wrote:
> Andy, Limelight is a third party product going out to check for
> updates. Kerio is alerting you to that. There is no connection with
> Microsoft.
>

> "AndyHancock" <AndyMHanc...@gmail.com> wrote:
>
>> Hello, Anthony,
>
>> I'm not clear about your last post.
>>
>> Are you asking for clarification of what I meant by "the 3rd party
>> content providers that Microsoft uses"?
>>
>> The firewall (Kerio Personal Firewall 2.1.5 issues a warning that
>> svchost is trying to connect out to Limelight Networks port 80.
>> The rest of my sleuthing is as I describe in the original post. I
>> have no further details.
>>
>> If this is Windows checking for updates, it must a common problem,
>> endemic to users with third party firewalls. So I was wondering
>> what the established practice is to recognize such checks for
>> updates, and to keep firewall rules that permit such checks
>> synchronized with the IP addresses used for such checks by the
>> content distributors on behalf of Microsoft.
>>
>> On Apr 10, 6:53 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
>>> "the 3rd party content providers that Microsoft uses" ? Your
>>> firewall should tell you that something is trying to call out, and
>>> ask if you want to allow it. You need to know what it is to know
>>> whether it should be doing that.
>>>

>>> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message

Anthony [MVP]

unread,
Apr 14, 2009, 3:27:34 AM4/14/09
to
Hi Andy,
The check for windows updates will be from a hidden process wuauclt.exe
running under a svchost process. Kerio should alert you to these so you can
allow them. They will be going out to xxx.microsoft.com, so you can also
restrict them to going out to those sites only if you want.
Here is an example for Sophos. I don't know the Kerio one.
http://www.sophos.com/support/knowledgebase/article/17444.html
There are no content providers or disseminators involved, so there is no
list to keep updated,
Hope that helps,
Anthony
http://www.airdesk.com

"AndyHancock" <AndyMH...@gmail.com> wrote in message

news:3217a645-b82a-4d21...@z9g2000yqi.googlegroups.com...

AndyHancock

unread,
Apr 15, 2009, 12:31:31 AM4/15/09
to
Thanks, Anthony. That does indeed help. I looked up the three URLs
provided at the sophos webpage your cited.

1. update.microsoft.com resolves to 207.46.21.123, which whois
confirms
is Microsoft.

2. download.microsoftupdates.com resolves to 208.73.210.121, which
whois
reveals to be Oversee.net (advertising).

3. windowsupdate.microsoft.com resolves to 207.46.18.94, which whois
confirms is Microsoft.

Strangely enough, I have found it necessary in the past to permit
access to the following before updates would work properly.

4. Net Access Corp, 209.123.0.0 - 209.123.255.255
5. Level 3 Communications, 206.32.0.0 - 206.35.255.255
6. Akamai Technologies, 72.246.0.0 - 72.247.255.255

I've disabled permissions #4 thru #6 to see if anything goes awry.

It is #4 thru #6 that caused me to believe that Microsoft uses 3rd
party content disseminators. Even #2 seems to do this.

On Apr 14, 3:27 am, "Anthony [MVP]" <anth...@no-reply.com> wrote:
> Hi Andy,
> The check for windows updates will be from a hidden process
> wuauclt.exe running under a svchost process. Kerio should alert you
> to these so you can allow them. They will be going out to
> xxx.microsoft.com, so you can also restrict them to going out to
> those sites only if you want. Here is an example for Sophos. I
> don't know the Kerio

> one.http://www.sophos.com/support/knowledgebase/article/17444.html


> There are no content providers or disseminators involved, so there
> is no list to keep updated,
> Hope that helps,
> Anthony http://www.airdesk.com
>

AndyHancock

unread,
Apr 19, 2009, 11:27:57 AM4/19/09
to
In addition to #2 below indicating that MS does indeed use what seem
to be 3rd party servers, common MS apps like media player also use
what seem to be 3rd party servers; Limelight Networks,
http://whois.domaintools.com/213.199.149.164, aka llnw, associated
with Level 3 below.

This practice is making firewall rule management very difficult.

> Anthonyhttp://www.airdesk.com

Anthony [MVP]

unread,
Apr 19, 2009, 1:09:36 PM4/19/09
to
Andy,
Does Kerio require you to use an IP address instead of a domain name?

The domain names are registered to Microsoft, which you can confirm in
Whois. windowsupdate.com and microsoftupdate.com are registered by
Microsoft. Only Microsoft have the authority to control the name resolution
for those domains, so any IP address that is a host in those domains must be
one that Microsoft want you to go to.

The actual IP address can be any device, anywhere, hosted by anyone. Its
just that you won't resolve a name to that IP unless it is in the DNS
controlled by Microsoft.

When you lookup the IP address, you are just discovering which organisation
has control of that IP address range. So if I put a server in an ISP
datacentre they will assign me one of their IP addresses. I will then go
into my own DNS and put that address against my server name, so that it
resolves to the IP assigned to me. The ISP can't do that. Oversee.net
control the network and the routing that that particular Microsoft Updates
service is sitting on, but they have no control of the host itself by virtue
of that.

Hope that helps,
Anthony
http://www.airdesk.com

"AndyHancock" <AndyMH...@gmail.com> wrote in message
news:a29b2dde-893e-47be...@e18g2000yqo.googlegroups.com...

AndyHancock

unread,
Apr 20, 2009, 12:48:28 AM4/20/09
to
Kerio 2.1.5 does indeed require IP addresses rather than domain
names. I thought this was the norm for most personal firewalls. Is
this not correct? Not that it matters, it is a problem for need that
I need to find a solution to...somehow. I don't have a lot of
confidence in the firewall rules I set up using whois to lookup IP
addresses...I have no idea whether Microsoft changes these IP
addresses often.

I think I get the gist of your explanation below, though the details
are just a tad foggy. You gave an example where you put a server in
an ISP data centre, yet they have no control of the host, by which I
assume you mean the server. How is it tha can they have no control
when the server is in their data centre? Is it a hosting service that
they rent out, including control of the information that the client
(e.g. Microsoft) wants disseminated, and access from the client to
update content for dissemintation?

As well, I wasn't too clear on what you meant by putting that IP
address against your server name...is that related to the domain name
that you mentioned in paragraph 1 of your reply? For example, would
cds156.lon9.llnw.net (or cds156) be a server name, while lon9.llnw.net
is a domain name? How does it help for you (or Microsoft) to put that
IP address on your DNS? Doesn't it have to be mapped that way in the
DNS's used by Microsoft users around the world? I assume that those
DNS's are maintained by the users' ISPs, but I'm really quite foggy
when it comes to the nuts and bolts under the hood of the internet.

---------- Original message ----------
From: "Anthony [MVP]" <anth...@no-reply.com>
Date: Apr 19, 1:09 pm
Subject: MS outsource updates, complicates 3rd party firewall

Andy,
Does Kerio require you to use an IP address instead of a domain name?

The domain names are registered to Microsoft, which you can confirm in
Whois. windowsupdate.com and microsoftupdate.com are registered by
Microsoft. Only Microsoft have the authority to control the name
resolution for those domains, so any IP address that is a host in
those domains must be one that Microsoft want you to go to.

The actual IP address can be any device, anywhere, hosted by anyone.
Its just that you won't resolve a name to that IP unless it is in the
DNS controlled by Microsoft.

When you lookup the IP address, you are just discovering which
organisation has control of that IP address range. So if I put a
server in an ISP datacentre they will assign me one of their IP
addresses. I will then go into my own DNS and put that address against
my server name, so that it resolves to the IP assigned to me. The ISP
can't do that. Oversee.net control the network and the routing that
that particular Microsoft Updates service is sitting on, but they have
no control of the host itself by virtue of that.

Hope that helps,
Anthony

"AndyHancock" <AndyMHanc...@gmail.com> wrote:
> In addition to #2 below indicating that MS does indeed use what seem
> to be 3rd party servers, common MS apps like media player also use
> what seem to be 3rd party servers; Limelight Networks,
> http://whois.domaintools.com/213.199.149.164, aka llnw, associated
> with Level 3 below.
>
> This practice is making firewall rule management very difficult.
>

> ---------- Original message ----------
> From: AndyHancock <AndyMHanc...@gmail.com>
> Date: Apr 15, 12:31 am
> Subject: MS outsource updates, complicates 3rd party firewall
>

Anthony [MVP]

unread,
Apr 23, 2009, 6:56:13 PM4/23/09
to
Andy,
Its an interesting topic.
Although you can safely identify a specific host that you know, e.g your own
mail server, you can't use IP address to identify a known corporation. They
could easily change. So for example, you can safely trust a site that is
called xyz.adobe.com because Adobe control that domain. That's why ssl
certificates are tied to names and not to IP addresses,
Anthony
http://www.airdesk.com

"AndyHancock" <AndyMH...@gmail.com> wrote in message

news:3494a08b-40e7-4b68...@r37g2000yqn.googlegroups.com...

AndyHancock

unread,
May 6, 2009, 12:03:46 AM5/6/09
to
This does not bode well for firewalls that require IP addresses for
their rules. Has there been a sea change in firewalls in the past few
years so that current firewalls use names rather than IP addresses? I
really hate to move away from my current KPF because the newer
versions are so much more difficult to understand.

---------- Forwarded message ----------
From: "Anthony [MVP]" <anth...@no-reply.com>
Date: Apr 23, 6:56 pm
Subject: MS outsource updates, complicates 3rd party firewall

To: microsoft.public.win2000.general,
microsoft.public.win2000.windows_update,
microsoft.public.windows.networking.firewall,
microsoft.public.windowsupdate

Andy,
Its an interesting topic.
Although you can safely identify a specific host that you know, e.g
your own
mail server, you can't use IP address to identify a known corporation.
They
could easily change. So for example, you can safely trust a site that
is
called xyz.adobe.com because Adobe control that domain. That's why ssl
certificates are tied to names and not to IP addresses,
Anthonyhttp://www.airdesk.com

"AndyHancock" <AndyMHanc...@gmail.com> wrote in message

news:3494a08b-40e7-4b68-93a8-
b786f0...@r37g2000yqn.googlegroups.com...

0 new messages