ACNielsenpk asked:
How Do I Block MSN Messenger, Windows Messenger & Certain IPs in ISA 2004?

Hi, I have ISA 2004 running in my organization, but I've noticed at some systems that users are accessing MSN Messenger as well as Windows Messenger and sitting on them all day long. I have an access rule defined for users who are only allowed to browse the internet and can't even download any applications. I've also added the entire domain users group to the Deny IM access rule in ISA 2004, but despite that they are still able to log in.

Is there any proper way to completely block MSN Messenger and Windows Messenger through ISA 2004?

Second question: Is there any way I can block IPs in ISA 2004?

Third question: Is there any way that I can provide users access to the internet through ISA by just defining their systems' IPs? Currently I provide access to people who are members of a domain by their usernames.
jabiii:

MSN Messenger connects to 1863, I believe.
Found these too:
Windows Messenger - voice (computer to phone): 2001-2120, 6801, 6901 (from Q324214; note: 6801 is Net2Phone)
MSN Messenger - file transfers: 6891-6900 (from Q278887; allows up to 10 simultaneous transfers)
MSN Messenger - voice communications (computer to computer): 6901 (from Q278887)
ACNielsenpk (asker):

How do I provide access to the internet through ISA 2004 by using IPs and not by usernames? It seems pretty hard to completely block Messengers on a network.

What's the use of a Deny IM rule present by default in ISA 2004 then? It shows all the messengers.
Kumar:

Hi,

ISA 2004 supports 3 types of client.
1. SecureNAT (these clients point to ISA as their default gateway.)
2. Web Proxy (these clients point to ISA as their web proxy.)
3. Firewall Client (these clients have the Firewall Client software installed.)

Which type of clients are you using?

If you are talking about providing internet access to some particular IPs on the network, the best way would be to create a computer set of those IP addresses and make a firewall rule to allow them to go to the Internet. These clients can be of any type.

Regarding blocking MSN or Messenger traffic, you can do 2 things.
1. Allow only the protocols on which you want your users to go out.
For example: if you want the users to be allowed to access the Internet only, create a rule to allow the computer set (in which you put the specific IPs) and select HTTP, HTTPS, and DNS in protocols.
2. Create a rule to deny traffic on the MSN protocols listed in the protocol definitions of the ISA server. Move this rule to the top of all the rules.

Hope this helps...
Kumar
Rich Rumble:

MSN is actually easy to block: blocking port 1863 will prevent login via the MSN client. There are other ways to use Messenger also; Microsoft has a web-based MSN:
http://webmessenger.msn.com/
These IPs will also block MSN, Web Messenger and Hotmail:
64.4.0.0/255.255.192.0 - optionally you can add the ports 1863 and 80, but simply blocking those ranges should be enough.
65.54.0.0/255.252.0.0 - ports 1863 and 80. Block port 1863 and users can still access Web Messenger and Hotmail; block port 80 only, and users can use the MSN client, but not Hotmail or Web Messenger.
You can also block those that may have Windows "Live" accounts:
207.68.128.0 255.255.192.0 (called a slash 18, i.e. /18)
207.68.192.0 255.255.240.0 (/20)
-rich
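An added example, not code from any poster on this thread: a Python check that scans ISA-style firewall log lines for the two indicators Rich lists (the MSN login port 1863 and the posted address ranges) so an administrator can confirm, after adding deny rules, that no allowed flow still matches. The four-field log layout and the sample lines are constructed assumptions, not ISA's actual log format.

```python
import ipaddress
from typing import NamedTuple

# Address ranges quoted in the post above, in the mask form posted there.
# strict=False because 65.54.0.0/255.252.0.0 has host bits set as posted;
# ipaddress normalises it to the aligned network 65.52.0.0/14.
MESSENGER_NETS = [
    ipaddress.ip_network("64.4.0.0/255.255.192.0", strict=False),      # /18
    ipaddress.ip_network("65.54.0.0/255.252.0.0", strict=False),       # /14
    ipaddress.ip_network("207.68.128.0/255.255.192.0", strict=False),  # /18
    ipaddress.ip_network("207.68.192.0/255.255.240.0", strict=False),  # /20
]
MSN_LOGIN_PORT = 1863  # MSN client login port named in the thread

# Constructed sample log; assumed field layout: client-ip dest-ip dest-port action
SAMPLE_LOG = """\
10.0.0.15 65.54.239.140 1863 Allowed
10.0.0.15 207.46.232.182 80 Allowed
10.0.0.22 64.4.45.10 80 Allowed
10.0.0.30 192.0.2.5 443 Allowed
10.0.0.22 65.54.239.140 1863 Denied
"""
class Hit(NamedTuple):
    client: str
    dest: str
    port: int
    reason: str

def classify(dest_ip, dest_port):
    """Return why a flow matches the thread's indicators, or None if it does not."""
    if dest_port == MSN_LOGIN_PORT:
        return "MSN client login port 1863"
    addr = ipaddress.ip_address(dest_ip)
    for net in MESSENGER_NETS:
        if addr in net:
            return f"destination in {net}"
    return None

def scan_log(lines):
    """Report allowed flows that still match; denied flows are already blocked."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C-style '#' header lines
        client, dest, port, action = line.split()
        if action == "Allowed":
            reason = classify(dest, int(port))
            if reason:
                hits.append(Hit(client, dest, int(port), reason))
    return hits
```

Run `scan_log(SAMPLE_LOG.splitlines())` against a real export after adjusting the field layout; any hit is a flow the deny rules are not yet catching.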
ACNielsenpk (asker):

Thanks Kumar for the detailed help, and others too :)

One more thing: how do I block a specific port? A little guidance would be appreciated :)
Kumar, I have assigned ISA's IP in every user's browser proxy settings; I don't have the Firewall Client installed on any PC. I simply add the respective username on the domain in the allow rule and set their browser proxy, and voila, the internet starts working.

I was asking for IPs because I have several colleagues who are not on our domain, but when they arrive on our network a random IP is assigned to them by DHCP.
Kumar:

Hi,

ISA is designed to block all communication, and if you need to open ports you need to create rules for the ports as well as their direction.

Now, in case you have created a rule to allow all traffic and you need to block some ports, the best way would be to create a deny rule and mention the protocols. Then put this rule on TOP of the allow rule. There are many protocols which are predefined in the ISA server; in case you want to mention a particular port, create a new protocol definition and mention the port number.

As far as the IP addresses of your colleagues' computers are concerned, I would suggest creating a reservation in DHCP and making a computer set mentioning the IP addresses.

Kumar
ACNielsenpk (asker):

Okay, it seems that my problem is resolved now :) No one can access MSN or Windows Messenger :)

For the future, ISA uses signatures as well. Each of the messengers you mention has a keyword that it uses in its header. ISA uses an 'agent' to check for these signatures, so you can block visitors as well.

This link is for SBS, but it is the same for any system using ISA:
http://isainsbs.blogspot.com/2006/02/isa-team-blog-on-http-filtering.html
It is actually very difficult to block it out completely.
When you block the port that Messenger normally uses, it starts tunneling over port 80, so you can't block it without blocking all internet traffic, which you of course don't want to do.

You can however block the Messenger servers themselves. After MSN starts tunneling over port 80, you'll see a range of IP addresses appear in your statistics. If you do a trace route to such an IP and you come across a server that reads "msgr.hotmail.com" or "msgr.msn.com" or a similar domain name, then you have to block this IP.

The servers always come in ranges. For example, x.x.x.51 to x.x.x.65 can all be Messenger servers. So if you find one, just scan the surrounding IPs too with a trace route and you'll find more.

You have to have some patience: the day after, you'll see more/different IPs pop up in the statistics as MSN looks for other servers, but once you have them all you're safe for quite some time. Just check every month or so that no new ranges have been put into service by Microsoft.

Greetz

Rich Rumble:

That did not occur in my findings; port 80 was not used. If you look at what IP your MSN IM is connected to, then use nmap or another scanner to see if port 80 is even open, it's not. You can even use the "-g" option that binds the scanner to one source port, to try every source port, in case that was a filter MSN has on their firewall. Also, the MSN Messenger didn't even send out a port 80 attempt, or any other port for that matter, for over 2 days, just 1863. I used Trillian, GAIM, and the MSN clients themselves.
-rich
ASKER CERTIFIED SOLUTION: beechfielder (solution text not available on this page)