Byte25 Application Classification
Identifying & Classifying Microsoft Traffic
Microsoft applications, and in particular Office365, are pervasive across most enterprise environments. The ability to report on usage and performance of individual Microsoft applications is important to maintain good user experience and to diagnose and resolve issues.
Microsoft applications typically utilise an encrypted transport protocol (TLS over HTTPS) making tradition deep packet inspection classification mechanisms impossible. To address this, Byte25 have implemented several techniques that allows for the identification and classification of individual Microsoft applications to provide visibility for reporting and troubleshooting.
The following document summarises the techniques and capabilities Byte25 deploy to achieve detailed visibility of Microsoft applications
Summary of Capability
The Byte25 appliance classifies Microsoft applications into broad application groups identifying the most common Microsoft business applications as listed here:
| Azure | Cloud based services |
| Microsoft | Generic catch all for non-specified Microsoft apps |
| Teams | Teams collaboration |
| MS_OneDrive | Document & File sharing |
| Windows Update | Software update utilities |
| Office365 | Microsoft Office365 applications |
| Skype | Teams audio/video conferencing |
| Outlook | |
| Xbox/Playstation | Gaming applications |
Within each application group there are a number of sub-groups based on specific Microsoft URLs that allow for further classification of other Micosoft applications (e.g. Sharepoint, Outlook etc). A complete list of sub-groups is provided in Appendix A.
On the Byte25 clioud dashboard, filters can be applied to any application group or sub-group to identify specific usage, users or conversations. For example, if Sharepoint traffic is of particular interest, it is a simple matter to apply a filter to just show Sharepoint traffic, with all normal Byte25 metrics available such as throughput, top talkers, conversations, latency and so on.
Additionally, each application group and sub-group is classified using the standard Byte25 Category and Rating framework to provide high level summaries of network usage.
TLS Certificate Inspection
Encrypted traffic, such as Microsoft Office365 using Transport Layer Security (TLS) over HTTPS[1], is difficult to classify as the payload in encrypted preventing deep packet inspection. To circumvent this, Byte25 use certificate inspection to identify the owner of the destination server.
Figure 1. Sample Certificate Owner Chart
The above chart shows an example of the Top 30 Certificate Owners and Organisations available from the Application Summary tab from the Byte25 Performance dashboard. We can clearly see 2 certificate ‘owners’ relating to Microsoft; one for Microsoft Corporation and the other for Microsoft. Selecting either of these entries will apply a filter on the Byte25 dashboard to isolate just Microsoft traffic.
Once selected, looking at the Application Type chart (from the Overview tab on the Performance dashboard), we see just the Microsoft Applications.
Figure 2. Application Type with Microsoft Certificate Owner Filter
In our example, we see entries for Office365, Skype[2], MSN and MS_OneDrive. That is, Byte25 specifically classifies individual Microsoft applications even though they all share the same encrypted HTTPS transport protocol. Note that these are just the applications visible in our example, refer to the Appendix A for a full list of supported Microsoft applications.
There are also some ‘generic’ applications, ‘TLS’ and ‘TLS.Microsoft’ which don’t appear to point to a specific Microsoft applications yet clearly use a Microsoft TLS certificate. By selecting them and applying a filter, we can drill down further into these applications to further identify and classify. More detail of how to identify specific applications that are classified with a generic TLS or TLS.Microsoft label is provided in the following section.
Destination Host/Server Based Inspection
The Microsoft application landscape is large and dynamic. New applications frequently emerge and with the advent of cloud computing via Azure, there is an increasingly large number of available applications. To make Microsoft application even more complicated, many Microsoft applications are organisation specific. For example Microsoft Sharepoint uses an organisational specific URL such as byte25.sharepoint.com.
Byte25 classifies these applications under a generic Microsoft.TLS label, however, further detail as to the specific application and associated users is still available from the Top 30 TLS Destinations (HTTPS server) under Application Summary tab.
Figure 3. Sample Microsoft Specific URLs
This allows us to clearly see, and filter on, individual custom Microsoft applications such as Sharepoint and other Microsoft specific applications. Again, note that this screenshot is an example from our office, the range of Microsoft applications will vary depending on the specific mix of Microsoft services run in your environment.
Appendix A. Supported Microsoft Applications
Application |
Server/Host UL |
Category |
Rating |
| Playstation | .wbagora.com | Gaming | Unrated |
| Playstation | .wbplay.com | Gaming | Unrated |
| Xbox | .xbox.com | Gaming | Fun |
| Xbox | .xboxlive.com | Gaming | Fun |
| Xbox | .xboxlive.com.akadns.net | Gaming | Fun |
| Xbox | .xboxlive.com.c.footprint.net | Gaming | Fun |
| Xbox | .xboxservices.com | Gaming | Fun |
| Playstation | e13555.b.akamaiedge.net | Gaming | Fun |
| Playstation | e1800.d.akamaiedge.net | Gaming | Fun |
| Playstation | e1879.e7.akamaiedge.net | Gaming | Fun |
| Outlook | outlook.com | Acceptable | |
| Outlook | hotmail.com | Acceptable | |
| Skype_Teams | .skype. | Voice | Acceptable |
| Skype_Teams | .skypeassets. | Voice | Acceptable |
| Skype_Teams | .skypedata. | Voice | Acceptable |
| Skype_Teams | .skypeecs- | Voice | Acceptable |
| Skype_Teams | .skypeforbusiness. | Voice | Acceptable |
| Skype_Teams | .lync.com | Voice | Acceptable |
| Skype_Teams | e7768.b.akamaiedge.net | Voice | Acceptable |
| Skype_Teams | e4593.dspg.akamaiedge.net | Voice | Acceptable |
| Skype_Teams | e4593.g.akamaiedge.net | Voice | Acceptable |
| Skype_Teams | *.gateway.messenger.live.com | Voice | Acceptable |
| Skype_Teams | skype-calling-missedcallsregistrar- | Voice | Acceptable |
| Skype_Teams | teams.cloudapp.net | Voice | Acceptable |
| Microsoft | .wpc.v0cdn.net | Cloud | Safe |
| Microsoft | .gfx.ms | Cloud | Safe |
| Microsoft | .aka.ms | Cloud | Safe |
| Microsoft | .sfx.ms | Cloud | Safe |
| Microsoft | .appcenter.ms | Cloud | Safe |
| Microsoft | -msedge.net | Cloud | Safe |
| Microsoft | .microsoft.us | Cloud | Safe |
| Microsoft | .dynamics.com | Cloud | Safe |
| Microsoft | msftncsi.com | Connectivity Check | Safe |
| Microsoft | .windows.net | Cloud | Safe |
| Microsoft | .windows.com | Cloud | Safe |
| Microsoft | .microsoft.com | Cloud | Safe |
| Microsoft | .microsoft.net | Cloud | Safe |
| Microsoft | msn.com | Web | Acceptable |
| Microsoft | .s-msft.com | System OS | Acceptable |
| Microsoft | .msftstatic.com | System OS | Acceptable |
| Microsoft | .msftauth.net | System OS | Acceptable |
| Microsoft | .msauth.net | System OS | Acceptable |
| Microsoft | .nelreports.net | System OS | Acceptable |
| Microsoft | .webtrends.com | Web | Acceptable |
| Microsoft | .msecnd.net | Web | Acceptable |
| Microsoft | bing.com | Web | Safe |
| Microsoft | .visualstudio.com | Collaborative | Safe |
| Microsoft | login.live.com | System OS | Safe |
| Microsoft | statics-marketingsites-wcus-ms-com.akamaized.net | Web | Safe |
| Microsoft | statics-marketingsites-eus-ms-com.akamaized.net | Web | Safe |
| Microsoft | img-prod-cms-rt-microsoft-com.akamaized.net | Web | Safe |
| Microsoft | prod-streaming-video-msn-com.akamaized.net | Media | Safe |
| Microsoft | wus-streaming-video-rt-microsoft-com.akamaized.net | Media | Safe |
| Microsoft | onecollector.cloudapp.aria.akadns.net | Cloud | Safe |
| Microsoft | onecollector.akadns.net | Cloud | Safe |
| Microsoft | microsoft.akadns.net | Cloud | Safe |
| Microsoft | e1723.dscd.akamaiedge.net | Cloud | Safe |
| Microsoft | .microsofttranslator.com | Web | Safe |
| Microsoft | sharepointonline.com | Cloud | Safe |
| Microsoft | sharepoint.com | Cloud | Safe |
| Microsoft | .msftconnecttest.com | Connectivity Check | Safe |
| Microsoft | .windowsmedia.com | System OS | Safe |
| Microsoft | .windowsphone.com | System OS | Safe |
| Microsoft | .msa.akadns6.net | Cloud | Safe |
| Microsoft | .s-microsoft.com | Cloud | Safe |
| Microsoft | .msidentity.com | Cloud | Safe |
| Microsoft | .wac.phicdn.net | Cloud | Safe |
| Microsoft | .onestore.ms | Cloud | Safe |
| Microsoft | .msedge.net | Cloud | Safe |
| Microsoft | .mshome.net | Cloud | Safe |
| Microsoft | ..msn-com. | Web | Safe |
| Microsoft | .-s-msn-com. | Web | Safe |
| Microsoft | .s-msn.com | Web | Safe |
| Microsoft | .img-s-msn-com. | Web | Safe |
| Microsoft | img-s-msn-com. | Web | Safe |
| Microsoft | .location.live.net | Web | Safe |
| Microsoft | .virtualearth.net | Web | Safe |
| Microsoft | trafficmanager.net | Web | Safe |
| Microsoft | testconnectivity.microsoft.com | Connectivity Check | Safe |
| Microsoft | teredo.ipv6.microsoft.com | Connectivity Check | Safe |
| Microsoft | teredo.ipv6.microsoft.com.nsatc.net | Connectivity Check | Safe |
| Azure | .azure.com | Cloud | Safe |
| Azure | .azureedge.us | Cloud | Safe |
| Azure | .azurefd. | Cloud | Safe |
| Azure | .azure-automation.net | Network | Acceptable |
| Azure | .azureedge.net | Network | Acceptable |
| Azure | .azurewebsites.net | Cloud | Acceptable |
| Teams | teams.microsoft.com | Collaborative | Safe |
| Teams | teams.microsoft.us | Collaborative | Safe |
| Teams | teams.skype.com | Collaborative | Safe |
| Teams | teams.live.com | Collaborative | Safe |
| Teams | -teams.cloudapp.net | Collaborative | Safe |
| Teams | teams.trafficmanager.net | Collaborative | Safe |
| Teams | teams-msgapi.trafficmanager.net | Collaborative | Safe |
| Teams | teams.office.net | Collaborative | Safe |
| Teams | teams.office.com | Collaborative | Safe |
| Teams | statics.teams.cdn.live.net | Collaborative | Safe |
| Teams | .mstea.ms | Collaborative | Safe |
| Teams | aka.ms | Collaborative | Safe |
| Teams | teams.events.data.microsoft.com | Collaborative | Safe |
| MS_OneDrive | .storage.live.com | Cloud | Acceptable |
| MS_OneDrive | skyapi.live.net | Cloud | Acceptable |
| MS_OneDrive | d.docs.live.net | Cloud | Acceptable |
| MS_OneDrive | onedrive.live.com | Cloud | Acceptable |
| WindowsUpdate | cs9.wac.phicdn.net | Software Update | Safe |
| WindowsUpdate | .dl.delivery.mp.microsoft.com. | Software Update | Safe |
| WindowsUpdate | .delivery.dsp.mp.microsoft.com.nsatc.net | Software Update | Safe |
| WindowsUpdate | sls.update.microsoft.com | Software Update | Safe |
| WindowsUpdate | slscr.update.microsoft.com | Software Update | Safe |
| WindowsUpdate | fe3.update.microsoft.com | Software Update | Safe |
| WindowsUpdate | .mp.microsoft.com. | Software Update | Safe |
| WindowsUpdate | fe2.update.microsoft.com. | Software Update | Safe |
| WindowsUpdate | .wac.phicdn.net. | Software Update | Safe |
| WindowsUpdate | .geo-prod.do.dsp.mp.microsoft.com. | Software Update | Safe |
| WindowsUpdate | geo-prod.do.dsp.mp.microsoft.com. | Software Update | Safe |
| WindowsUpdate | .delivery.mp.microsoft.com | Software Update | Safe |
| WindowsUpdate | .emdl.ws.microsoft.com | Software Update | Safe |
| WindowsUpdate | .prod.do.dsp.mp.microsoft.com | Software Update | Safe |
| WindowsUpdate | update.microsoft.com | Software Update | Safe |
| WindowsUpdate | update.microsoft.com.akadns.net | Software Update | Safe |
| WindowsUpdate | .windowsupdate.com | Software Update | Safe |
| WindowsUpdate | .ntservicepack.microsoft.com | Software Update | Safe |
| WindowsUpdate | .wustat.windows.com | Software Update | Safe |
| Microsoft365 | crl.microsoft.com | Collaborative | Acceptable |
| Microsoft365 | evsecure-ocsp.verisign.com | Collaborative | Acceptable |
| Microsoft365 | evsecure-aia.verisign.com | Collaborative | Acceptable |
| Microsoft365 | evsecure-crl.verisign.com | Collaborative | Acceptable |
| Microsoft365 | .omniroot.com | Collaborative | Acceptable |
| Microsoft365 | .microsoftonline.com | Collaborative | Acceptable |
| Microsoft365 | .microsoftonline.us | Collaborative | Acceptable |
| Microsoft365 | .office365.com | Collaborative | Acceptable |
| Microsoft365 | .office.com | Collaborative | Acceptable |
| Microsoft365 | office.net | Collaborative | Acceptable |
| Microsoft365 | .msocsp.com | Collaborative | Acceptable |
| Microsoft365 | .msocdn.com | Collaborative | Acceptable |
| Microsoft365 | officeapps.live.com | Collaborative | Acceptable |
| Microsoft365 | outlook.live.com | Collaborative | Acceptable |
| Microsoft365 | mail.live.com | Collaborative | Acceptable |
| Microsoft365 | office.live.com | Collaborative | Acceptable |
| Microsoft365 | .onenote. | Collaborative | Acceptable |
| Microsoft365 | .cloud.microsoft | Collaborative | Acceptable |
| Microsoft365 | whiteboard.microsoft.com | Collaborative | Acceptable |
| Microsoft365 | events.data.microsoft.com | Collaborative | Acceptable |
[1] TLS and HTTPS are related but not the same. TLS is a protocol for encrypting data, while HTTPS is a protocol for transferring data over the Internet
[2] As a result of the Microsoft acquisition of Skype, Teams uses the Skype protocol for audio and video calls. Byet25 classify and label Teams traffic as ‘Skype’. Note that it still uses a Microsoft certificate so is visible when we filter on Microsoft traffic.