Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How do I allow MSN Messenger through a downstream proxy (ISA Server 2006)?

Posted on 2006-11-16
8
961 Views
Last Modified: 2008-01-09
We have two ISA 2006 servers, one is acting as a proxy server (S-Proxy) and the other is our firewall (S-WS)

S-Proxy connects upstream to S-WS (web chain rule) for its internet connection.

I am unable to get MSN Messenger to work when using S-Proxy as the proxy server. I have tried this with and without the firewall client. (Firewall client is enabled on S-Proxy and firewall chaining is configured to look at S-WS)

I have a rule on S-Proxy which allows web ports and msn port 1863 from internal to internal (i.e. from S-Proxy to S-WS) for "All Authenticated Users".

I have a rule on S-WS which allows web ports and msn port 1863 from S-Proxy and S-WS to the internet for "All users"

I have also tried setting up a rule on S-Proxy to allow all ports from internal to internal for "All users" to see if it is an authentication issue but that didnt work either.

Any ideas what I am missing or doing wrong?

Thanks
0
Comment
Question by:thill1982
  • 4
  • 2
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17957663
What version of messenger are you using? have you set the MSN client to use the Proxy server settings also? If you do then you can minimise the disruption.

there is no benefit in an internal - internal rule. as you are using the box in a single-nic scenario it will not be assisting you.

If you open the ISA gui on both servcers and run the real time monitor (monitoring - logging - click start query), are you seeing the traffic pass? Are you saying that you have the ISA firewall client installed on the S-Proxy box?
0
 

Author Comment

by:thill1982
ID: 17959208
We are using Windows Live Messenger and some people are using MSN Messenger 7.5. The proxy settings are automatically configured in messenger (picking it up from the browser probably.)

The internal-internal rule was mainly added to allow Websense to work properly.

I have tried logging into messenger from a workstation (IP .117.79) and I get the following error which I have looked up without much luck.

"We are unable to sign you into Windows Live Messenger at this time"
"Error Code: 80072eff"

I have run the monitor on both ISA servers simultaneously while trying to log into messenger. I have uploaded screenshots of the results from both servers:

https://filedb.experts-exchange.com/incoming/ee-stuff/1411-s-proxy.JPG (Proxy server > S-Proxy (IP .112.16))

https://filedb.experts-exchange.com/incoming/ee-stuff/1412-s-ws-firewall.JPG  (S-WS > Firewall (IP .112.22))

Hope this helps

0
 

Author Comment

by:thill1982
ID: 17959226
I forgot to mention, I dont have the firewall client installed on either of these servers. What I meant was that the firewall client service is enabled on S-Proxy, allowing clients to connect to it using the firewall client.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17968599
Hmmm Not sure why it is failing the authentication stage. Any other sites giving you hassle like this? I think it is the firewall service causing the problem. There were some issues some time ago with certain ssl type connections also.

1. Click Start, click Run, type firewall.cpl, and then click OK.  
2. In the Windows Firewall dialog box, click the Advanced tab.
3. In the Network Connection Settings box, click the connection that your computer uses, and then click Settings.
4. In the Advanced Settings dialog box, click Web Server (HTTP), and then click Secure Web Server (HTTPS).

Note For additional information about when you must allow users to access the Secure Web Server (HTTPS) on your computer, see the "More Information" section.
5. Click OK.
6. In the Windows Firewall dialog box, click OK.

Have a go at this....
0
 

Author Comment

by:thill1982
ID: 17977841
I have tried the above but there is still no change. I don't know if this would make much difference anyway as Windows Firewall is disabled on client computers.

At the moment HTTPS is not configured on either of the ISA servers (I've not really dealt with SSL server certificates and how they are configured)

Would HTTPS make a difference?
0
 

Author Comment

by:thill1982
ID: 17978948
I have decided to configure the firewall S-WS to use the firewall client instead. Not ideal but it seems to allow messenger to work properly. Clients now use S-Proxy for web access and use the firewall client connecting to S-WS for all other ports.

I am going to use this workaround for the time being unless there are any other suggestions which may help to resolve the problem.




0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18199853
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5505 NAT question 8 121
Opening Port 80 10 66
SQL Server 2014 Setup Question 5 152
SRX240 SYSLOG Setting 6 119
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question