This article applies to PRTG Network Monitor 13 or later


Why does our PRTG probe create connections to an Akamai IP range when monitoring ESX hosts with VMware sensors?

Connection Attempts to Akamai CDN

Sensors that make use of SSL secured connections need corresponding certificates for communication. These certificates are used to encrypt data in https connections. Certificates have to be issued by a trustworthy certificate authority (CA). To check this, there is a list of trustable root certificates. Every Application that relies on the CryptoAPI provided by Windows uses root certificates provided by Microsoft.

However, Windows’ CryptoAPI has a mechanism which dynamically updates the list of root certificates in the case that the currently needed one is not found on the system. This Automatic Root Certificates Update is activated on all Windows versions by default.

If the certificate of a server indicates that it was certificated by a CA which the browser does not know, Windows downloads the file authrootstl.cab from the Windows update server. This list includes digitally signed information about CAs. If the unknown CA is on the list, this CA’s certificate will be downloaded and marked as trustworthy from the system. This import runs automatically in background—the user will not be notified.

In order to get the root CA list authrootstl.cab, Windows tries to connect to the Akamai content delivery network (CDN). This explains the “strange” connections from your probe when using sensors with SSL secured connections.


Consequences of Automatic Root CA Updates

  • Potentially, all sensors with SSL connections can be affected of connection attempts to Akamai.
  • Affected sensors might have a longer runtime.
  • If you use dedicated certificates for your VMware machines, ensure that root-ca is installed on your probe machine.
  • You might encounter problems with the trust. For example, if you turn off the automatic update of root CAs and regular, bought certificates are used, the system could classify these CAs not as trusted if it does not know the root certificate of a particular CA.


Disclaimer:
The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.