Solved

How Do I Block MSN Messenger, Windows Messenger & Certain IPs in ISA 2004?

Posted on 2006-06-26
14
15,376 Views
Last Modified: 2012-05-05
Hi, I have ISA 2004 running in my organization, but I've noticed on some systems that users are accessing MSN Messenger as well as Windows Messenger and sitting on them all day long. I have an access rule defined for users who are only allowed to browse the internet and can't even download any applications. I've also added all the domain users to the Deny IM access rule in ISA 2004, but despite that they are still able to log in.

Is there any proper way to completely block MSN Messenger & Windows Messenger through ISA 2004?

Second question: Is there any way I can block IPs in ISA 2004?

Third question: Is there any way that I can provide users access to the internet through ISA by just defining their systems' IPs? Currently I provide access to people who are members of a domain by their usernames.
Question by:ACNielsenpk

14 Comments
LVL 9

Expert Comment

by:jabiii
ID: 16985405
MSN Messenger connects to 1863, I believe.
LVL 9

Expert Comment

by:jabiii
ID: 16985413
Found these too:

Windows Messenger - voice (computer to phone): 2001-2120, 6801, 6901 (from Q324214). NOTE: 6801 is Net2Phone.
MSN Messenger - file transfers: 6891-6900 (from Q278887). Allows up to 10 simultaneous transfers.
MSN Messenger - voice communications (computer to computer): 6901 (from Q278887).
LVL 1

Expert Comment

by:Zabulon777
ID: 16987747

Author Comment

by:ACNielsenpk
ID: 16989849
How do I provide access to the internet through ISA 2004 by using IPs and not by usernames? It seems pretty hard to completely block Messengers on a network.

What's the use of the Deny IM rule present by default in ISA 2004 then? It shows all the messengers.
LVL 7

Expert Comment

by:Kumar_Jayant123
ID: 16991567
Hi,

ISA 2004 supports 3 types of client.
1. SecureNAT (these clients point to ISA as their default gateway.)
2. Web Proxy (these clients point to ISA as their web proxy.)
3. Firewall Client (these clients have the Firewall Client software installed.)

Which type of clients are you using?

If you are talking about providing internet access to some particular IPs of the network, the best way would be to create a computer set of those IP addresses and make a firewall rule to allow them to go to the Internet. These clients can be any type of client.

Regarding blocking MSN or Messenger traffic, you can do 2 things.
1. Allow the protocols on which you want your users to go out.
For example: if you want the users to be allowed to access the Internet only, create a rule to allow the computer set (in which you put the specific IPs) and select HTTP, HTTPS and DNS in protocols.
2. Create a rule to deny traffic on the MSN protocols listed in the protocol definitions of the ISA server. Move this rule to the top of all the rules.

Hope this helps...
Kumar
LVL 38

Expert Comment

by:Rich Rumble
ID: 16992001
MSN is actually easy to block; blocking port 1863 will prevent login via the MSN client. There are other ways to use Messenger also; Microsoft has a web-based MSN:
http://webmessenger.msn.com/
These IPs will also block MSN, webmessenger and Hotmail:
64.4.0.0/255.255.192.0 - optionally you can add these ports, 1863 and 80, but simply blocking those ranges should be enough.
65.54.0.0/255.252.0.0 - ports 1863 and 80. Block port 1863 and users can still access webmessenger and Hotmail; block port 80 only, and users can use the MSN client, but not Hotmail or webmessenger.
You can also block those that may have Windows "Live" accounts:
207.68.128.0 255.255.192.0 (called a slash 18, /18)
207.68.192.0 255.255.240.0 (/20)
-rich

Author Comment

by:ACNielsenpk
ID: 16998641
Thanks Kumar for the detailed help, and others :)

One more thing, how do I block a specific port? A little guidance would be appreciated :)

Author Comment

by:ACNielsenpk
ID: 16998654
Kumar, I have assigned ISA's IP in every user's browser proxy settings; I don't have the Firewall Client installed on any PC. I simply add the respective username on the domain to the allow rule, set their browser proxy and voilà, internet starts working.

I was asking for IPs because I have several colleagues who are not on our domain, but when they arrive in our network a random IP is assigned to them by DHCP.
LVL 7

Expert Comment

by:Kumar_Jayant123
ID: 16999630
Hi,

ISA is designed to block all communication, and if you need to open ports you need to create rules for the ports as well as their direction.

Now in case you have created a rule to allow all traffic and you need to block some ports, the best way would be to create a deny rule and mention the protocols. Now put this rule on the TOP of the allow rule. There are many protocols which are predefined in the ISA server; in case you want to mention a particular port, create a new protocol definition and mention the port number.

As far as the IP addresses of your colleagues' computers are concerned, I would suggest creating a reservation in DHCP and making a computer set mentioning the IP addresses.

Kumar
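To see why Kumar's advice to put the deny rule on top of the allow rule matters, and how Rich Rumble's address ranges fit in, here is an added Python sketch of ISA-style first-match rule evaluation. It is example code written for this page, not from the thread or from Microsoft's ISA; the protocol names, rule names and sample destination addresses are constructed.

```python
import ipaddress

# Constructed protocol definitions: name -> destination TCP ports.
PROTOCOLS = {"HTTP": {80}, "HTTPS": {443}, "DNS": {53}, "MSN Messenger": {1863}}

# Rich Rumble's ranges in the dotted-mask form the thread uses. strict=False
# because 65.54.0.0/255.252.0.0 has host bits set; it normalizes to 65.52.0.0/14.
MSN_RANGES = [ipaddress.ip_network(r, strict=False) for r in (
    "64.4.0.0/255.255.192.0", "65.54.0.0/255.252.0.0",
    "207.68.128.0/255.255.192.0", "207.68.192.0/255.255.240.0")]


def rule(name, action, protocols=None, dest_nets=None):
    """Build an access rule; None means 'any' for that field."""
    ports = None
    if protocols is not None:
        ports = set().union(*(PROTOCOLS[p] for p in protocols))
    return {"name": name, "action": action, "ports": ports, "nets": dest_nets}


def matches(r, dst_ip, dst_port):
    """A rule matches only if every field it specifies matches."""
    if r["ports"] is not None and dst_port not in r["ports"]:
        return False
    if r["nets"] is not None:
        ip = ipaddress.ip_address(dst_ip)
        if not any(ip in net for net in r["nets"]):
            return False
    return True


def evaluate(policy, dst_ip, dst_port):
    """First-match evaluation over an ordered rule list; a connection that
    matches no rule falls through to the implicit default deny."""
    for r in policy:
        if matches(r, dst_ip, dst_port):
            return r["action"], r["name"]
    return "deny", "default"


DENY_IM = rule("Deny IM", "deny", protocols=["MSN Messenger"])
DENY_MSN_NETS = rule("Deny MSN servers", "deny", dest_nets=MSN_RANGES)
ALLOW_ALL = rule("Allow all", "allow")
ALLOW_WEB = rule("Allow web only", "allow", protocols=["HTTP", "HTTPS", "DNS"])

if __name__ == "__main__":
    # A deny rule placed below allow-all never fires; on top, it does.
    print(evaluate([ALLOW_ALL, DENY_IM], "65.54.1.1", 1863))      # allow
    print(evaluate([DENY_IM, ALLOW_ALL], "65.54.1.1", 1863))      # deny
    # A port-only deny misses webmessenger on 80; the address-range deny catches it.
    print(evaluate([DENY_IM, ALLOW_ALL], "65.54.1.1", 80))        # allow
    print(evaluate([DENY_MSN_NETS, ALLOW_ALL], "65.54.1.1", 80))  # deny
    # Kumar's first option: allow only web protocols, everything else defaults to deny.
    print(evaluate([ALLOW_WEB], "65.54.1.1", 1863))               # deny
```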

Author Comment

by:ACNielsenpk
ID: 17000127
Okay, it seems that my problem is resolved now :) No one can access MSN or Windows Messenger :)
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17028073
For the future, ISA uses signatures as well. Each of the messengers you mention has a key word that it uses in its header. ISA uses an 'agent' to check for these signatures, so you can block visitors as well.

This link is for SBS but it is the same for any system using ISA:
http://isainsbs.blogspot.com/2006/02/isa-team-blog-on-http-filtering.html
LVL 2

Expert Comment

by:panman3
ID: 17035822
It is actually very difficult to block it out completely.
When you block the port that Messenger normally uses, it starts tunneling over port 80, so you can't block it without blocking all internet traffic, which you of course don't want to do.

You can, however, block the messenger servers themselves. After MSN starts tunneling over port 80, you'll see a range of IP addresses appear in your statistics. If you do a traceroute to this IP and you come across a server that reads "msgr.hotmail.com" or "msgr.msn.com" or similar domain names, then you have to block this IP.

The servers always come in ranges. E.g. x.x.x.51 to x.x.x.65 can all be messenger servers. So if you find one, just scan the surrounding IPs too with a traceroute and you'll find more.

You have to have some patience: the day after, you'll see more / different IPs pop up in the statistics as MSN looks for other servers, but once you have them all you're safe for quite some time. Just check every month or so that no new ranges have been put into service by Microsoft.

Greetz
LVL 38

Expert Comment

by:Rich Rumble
ID: 17036604
That did not occur in my findings; port 80 was not used. If you look at what IP your MSN IM is connected to, then use nmap or another scanner to see if port 80 is even open, it's not. You can even use "-g", which binds the scanner to one source port, to try every source port, in case that was a filter MSN has on their firewall. Also, the MSN Messenger didn't even send out a port 80 attempt, or any other port for that matter, for over 2 days, just 1863. I used Trillian, GAIM, and the MSN clients themselves.
-rich
LVL 5

Accepted Solution

by:beechfielder (earned 250 total points)
ID: 17075349
I tried without much success to permanently block Messenger with ISA and in the end found a way to do it with group policies instead. That is much more effective in my view. With this you can prevent anyone on the network actually starting the program at all. I made a group, created a policy blocking Messenger and then applied it to the group. It is best to identify the program by its hash (you get a choice and can navigate to the exe file), as this will still work even if users rename the application.