Solved

Controlling AIM/instant messaging activity with ISA server

Posted on 2007-08-07
1,533 Views
Last Modified: 2012-06-27
I have searched countless pages for complete information on this subject and I just cannot seem to find the whole solution I want/need. I want to stop access to AIM using Windows 2003 Standard Server and ISA 2004 Standard Server. I am new to ISA server, so I am trying to accomplish some tasks I am unfamiliar with. I need step-by-step information on how to block access to AOL Instant Messenger for certain users by schedule. In a nutshell, I need to be able to stop my teens from accessing AOL after, let's say, 1:00 am. I have already figured out how to block outgoing Internet activity at this time and that is working like a charm, and if they would not happen to be signed in to AIM at that time it would stop them from signing in; that also works fine. The part that is not working for me is that they are ALWAYS signed in to AIM and I cannot get any Access Rule or GP to force this activity to stop if they are already using it. I would really rather not use a third-party solution, but if that is my only option I would consider some proven products. I definitely want to stay away from something that has to be installed on individual PCs; I would rather have a network solution that maybe integrates with ISA if that is an option. If you require more information about my set-up please just ask. Thanks!
Question by:mooremsbos
40 Comments
 

Expert Comment

by:ammadeyy
ID: 19647233
Create an HTTP policy. Check the following link; it will help:

http://www.isaserver.org/tutorials/Configuring-ISA-Server-2006-HTTP-Filter.html

Author Comment

by:mooremsbos
ID: 19648267
Excellent! Thanks for pointing me in the direction of this article. I will take the steps outlined here in a little while and see what that gets me. I do have two questions before I start, though (bearing in mind my inexperience with ISA): these instructions are for v2006 and I am running 2004; will it work the same way? The screenshots look basically the same, but I just wanted to be sure this will work the same on this version. Second, do I apply this to my allow "unrestricted access rule" (Internet out) that also has the time restrictions set on it, or do I create a whole new rule for HTTP and make these changes to it? Thanks again, I look forward to your help with this!

Expert Comment

by:ammadeyy
ID: 19648359
It will work the same in 2006 and 2004.
You can add it to the "unrestricted access rule".

Suppose you add MSN Messenger to the "unrestricted access rule": the users in that rule won't be able to use MSN Messenger.

Author Comment

by:mooremsbos
ID: 19650454
I did the following: input Search in: Request headers, HTTP Header: User-Agent, Signature to block: Gecko/ to my Allow "Unrestricted Internet Access" rule, which goes from internal to external on all outbound traffic. This rule is active from 5 am to 1 am all days. While entering this information I was concerned that it would block this HTTP header traffic while the rule is in effect (5 am to 1 am) but would not be in force during the scheduled time for the rule not to work (1 am to 5 am), but at this time it is not blocking IMs (in fact I just sent something to my daughter). So will it kick in at 1 am, or is it not working, or do you have an idea about that?

Author Comment

by:mooremsbos
ID: 19653442
With the above procedures implemented, the AIM service was not stopped. They were chatting online past 1 AM. Should I delete the "unrestricted" access rule and create some other kind of rules, or is the schedule messing this up? Other traffic was denied according to the monitor, as that part was already working OK for me, but the established chat sessions were not broken at 1:00 AM as I had hoped. If you have another idea I would be happy to try it out. If you want more specific info on my setup, I am happy to provide it. Thanks!

Expert Comment

by:justchat_1
ID: 19657824
Blocking HTTP traffic will have no effect on a messenger client that works on a completely different protocol. You will want to enforce a block of inbound and outbound traffic on port 5190 to stop the IMing.

Author Comment

by:mooremsbos
ID: 19659035
I have blocked port 5190 and that does prevent the users from signing in after the specified time; however, the issue that I am having is that I need to close down already open sessions at a specific time. I do NOT want to block AIM completely, I just want to stop it at a specific time. I need to be able to close AIM chat clients that are actively chatting or actively connected and "away". I have been effective at shutting down all Internet access at 1 AM and I have been successful in preventing NEW AIM sessions from being opened after 1 AM, but I cannot find a way to completely cut off outgoing AIM if they are already connected and actively using it. As stated, I would even consider a third-party solution (although it is my least favorite) if I can run it on the network (and not individual workstations), maybe even in conjunction with my ISA server. Any other ideas?

Expert Comment

by:justchat_1
ID: 19659721
If port 5190 is truly blocked both outbound and inbound then any client that is actively chatting or away will be disconnected. However, it may take a minute or two for AIM to realize it has been disconnected if it is away or inactive.

Author Comment

by:mooremsbos
ID: 19661364
OK, here is how my AIM rule is configured; maybe there is a fault with it, take a look: it is a deny rule, it covers the included AOL IM protocol for outbound 5190, and I created my own AIM2 protocol for 5190 inbound; they are both listed in the "rule applies to" section, from Anywhere and All networks (and local host) to All networks and Anywhere. Users: All users, schedule in effect from 1 AM to 5 AM. Content types: All content types (default). This is the first rule listed in my ISA firewall rules, above all other rules. Also, it was my understanding that AIM (and really most of them) will use any port they can get their hands on for connecting, so I think that might be part of the problem. Also, I must mention that if you watch the monitor and send out an instant message when the rule is active, there is nothing that shows up in there. ISA does not recognize each individual chat message sent or received, so this must have something to do with it too somehow. Hoping for another suggestion....

Expert Comment

by:justchat_1
ID: 19661901
AIM is the only protocol that doesn't port-hop (switch ports to maintain a connection). I'm looking into why chat messages don't show up/fail to be blocked; hopefully another expert has an idea.

Expert Comment

by:justchat_1
ID: 19662005
*AIM used to be the only protocol that doesn't port-hop. Newer versions have been reported using port 80, but I can't verify that yet, so your best bet is to also block a DNS lookup of login.oscar.aol.com.

Author Comment

by:mooremsbos
ID: 19662490
I have successfully blocked all outgoing connections except AIM already. The outgoing Internet itself stops working at 1 AM; you cannot reach any pages at all. To recap: besides the AOL AIM rule I also have an additional rule that denies all outgoing protocols, from all networks (including local host) to external, all users, from 1 AM to 5 AM (this was actually my first rule, but it did not work for AIM either), so this is stopping everything except AIM. I would not think that login.oscar.aol.com would be any different than, say, www.google.com. I can explicitly deny that if you really think it will make a difference, but it is hard to imagine. Plus, off hand I do not think I can block only login.oscar.aol.com only from 1 AM to 5 AM, but maybe. I will look at that a little later today.

Expert Comment

by:justchat_1
ID: 19666151
login.oscar.aol.com would be a connection on ports 5190, 80, 443, 25 or others. The Internet rule is blocking connections only on port 80 (and possibly 443).

Author Comment

by:mooremsbos
ID: 19666880
The "Internet" rule actually denies all outgoing protocols, not just 80 and 443. If you look at the filter in ISA server, I have this rule configured this way: Action: Deny; Protocols: ALL outbound traffic; From: Internal; To: External; Users: All Users; Schedule: Active 1 AM-5 AM; Content Types: All content types. To my way of thinking this rule should be all I need to block every single thing that attempts to leave my network between 1 AM and 5 AM, and it does deny every single thing except AIM (DNS, FTP, HTTP, HTTPS and more). Also, I have looked and there is no way I can see to block login.oscar.aol.com by schedule. So, I don't know, I am feeling at my wits' end. It does not seem like it should be this hard to stop outgoing chatting at 1 AM. It is very frustrating that these services think they are above having any policies put on them. It is my right to control my network, and the fact that these instant messengers are hopping ports to get around blocks just goes to show that those companies feel they should be allowed to be anywhere at any time regardless of administrators' desires. If you think of something else I would be glad to hear it. I thank you for trying :-)

Expert Comment

by:justchat_1
ID: 19667159
Running wireshark or packetyzer on the server might give an indication of how aim is getting around the blocking software.  

There are also third party options available:
http://www.newfreedownloads.com/find/block-aim.html
http://www.plevna.f9.co.uk/index.htm - TerminatorX

Author Comment

by:mooremsbos
ID: 19667482
TerminatorX simply blocks always, which I could do with ISA, but that is not my goal. Those others have to be installed on the workstations and I am really trying to avoid that like the plague. I too have searched through many of these programs but I have found nothing that suits my needs. Thanks for trying, though. I might work on a packet analyzer as suggested, but probably not until this weekend. Thank you.

Expert Comment

by:justchat_1
ID: 19667690
No problem, sorry I couldn't be of more help.

If you get a chance to do a packet capture I would be happy to help you interpret it

Expert Comment

by:shawn053077
ID: 19672424
The problem with AIM is that it not only connects to oscar.aol.com, but when this site is blocked AOL offers a proxy at www.proxy.aol.com. Symantec's "Threats to Instant Messaging" states that even if the entire AOL site is down there are plenty of proxies on the Internet that will allow access to AIM services. Some of the messengers will detect the block and look for alternatives. I haven't stumbled on any fixes that aren't third party and don't cost money. I'll keep looking.

http://securityresponse.symantec.com/avcenter/reference/threats.to.instant.messaging.pdf

Expert Comment

by:justchat_1
ID: 19673167
That still doesn't explain how AIM traffic is able to slip past a full Internet blocking rule (all ports).

mooremsbos, is there a possibility that AIM is circumventing the server?

Author Comment

by:mooremsbos
ID: 19673281
No, it is a multi-homed server (two NICs, one server). All LAN traffic passes through the server; that is the only way to the Internet. So in from the LAN, out through the server, back in through the server and out to the LAN. That is what is so completely frustrating! Like I said before, it is really weird, because I can stop AIM if it is not signed in; that is not the issue. But there is something about it once it makes the connection to the service that you can't force it to close, and that is where the issue lies. But really I agree: why is anything passing once the deny "all outgoing protocols" rule kicks in? It just doesn't make sense!!! I am back at the office now, so I am going to look at the monitoring area and see what other filters are available for monitoring. Then maybe we can better pinpoint what is happening when an IM is sent and how to stop it. I will let you know what I see. Again, thanks for sticking with me!

Expert Comment

by:justchat_1
ID: 19674337
Not a problem. If you're still stuck, try activating the rule while a video stream (TCP source) is being watched. That's a single always-open connection; if the stream isn't closed then maybe the server is only blocking new connections.

Expert Comment

by:Keith Alabaster
ID: 19698377
Just seen your link appear in ISA server.

The link provided above to the tutorial is the way this is done. However, the sequence of rule provision is also important in these conditions.
When you ran the Wireshark/Ethereal trace, you would have seen the agent identifier (as you opened up the packets and drilled down). You have reported that it is gecko/... ? As I recall, AIM uses two headers (http://www.applicationsignatures.com/backend/index.php), the other one being AIM.

You do not need a rule for inbound AIM so take this out. The connection is instigated from the inside and the stateful packet inspection session table is used to allow responses to return so that rule (for inbound) is an unnecessary overhead and 'could' actually cause you an issue in itself.

Take off all filters on the monitoring/logging section and leave it at the default (i.e. time = live, action not equal to connection status, etc.) and let's get a full capture display running.

Keith

Author Comment

by:mooremsbos
ID: 19698678
I took off the incoming AIM protocol from the block AIM rule as suggested and just left the default outgoing AIM protocol on that rule. This is the first rule listed in my firewall policy and has been since I configured it. The second rule listed is the Deny rule for all outbound traffic that is scheduled to also be in effect from 1 AM to 5 AM all days (both deny rules are configured to be active with this schedule).
I guess I am not understanding the tutorial that you also point to. When it was first suggested I followed the instructions for configuring HTTP Filter signatures (I did see how to do that). I ultimately tried it with both signatures (with the Gecko and AIM HTTP header), but not both together, but neither stopped traffic. As a side note, it seems to me that if I put this filter on my default "Unrestricted Internet Access" rule it will filter for this all the time, and that is not what I want. Please give me a little more specific guidance if you can. I get the feeling I am just missing something.
Lastly, I never did change any of the filtering in the monitor, as I could not find something better to filter by in the choices, so I left it as is.

Expert Comment

by:Keith Alabaster
ID: 19701429
No, you would put a separate deny rule in first for the AIM and Gecko signatures, on a schedule for the hours that they are NOT allowed to use it.
The next rule would be an allow all with an always schedule.


Author Comment

by:mooremsbos
ID: 19702437
So am I basically following these steps: http://www.isaserver.org/tutorials/ISA-Firewall-Quick-Tip-Blocking-MSN-Messenger-Access-Enabling-Access-Some-Users.html except I will ignore the groups thing, because I am applying it to the whole network, and I can add in the part about the schedule? Do I have to configure both rules as they have, and do I have to do anything with my "Unrestricted Internet Access" rule? Thanks for your help.

Expert Comment

by:Keith Alabaster
ID: 19702823
You don't want two rules of all outbound, no. Personally I don't allow ANY all-outbound rules; I am old fashioned and I have rules for groups.

For example, DNS only needs to go outbound from my internal DNS servers.
Email (SMTP) only needs to go out from my mail servers.
HTTP/HTTPS goes out from the clients and servers for all authenticated users.
NTP only goes out from the domain controllers.
Etc., etc.

The first (deny) rule needs to just cover the HTTP and the IM protocols and include the agent signatures.
The second outbound rule can be all outbound if that is what you are comfortable with, or you can start collecting the protocols together and start locking down the traffic by source as well as by destination or signature.

Author Comment

by:mooremsbos
ID: 19702972
I do not see a way to configure HTTP signatures on a deny rule. So, if I am being completely dense (which is entirely possible), please get me started here. Also, before I go through this next step, can I ask why my deny rule for "ALL outbound traffic" from internal to external based on the desired schedule is not accomplishing this exact same thing? This is the second rule I have configured and is far above the default allow "all outbound traffic" rule. Is there a change that can be made to this deny rule, as it does seem to be working for blocking general Internet usage?

Expert Comment

by:Keith Alabaster
ID: 19702990
Interesting. Maybe I have made a boo-boo; let me test quickly.

Expert Comment

by:Keith Alabaster
ID: 19703027
Hah, what an idiot. My apologies: the version I am using (for testing purposes) is a number of versions above ISA 2004. I've remedied that and loaded my 2004 test bed.

If you can give me an hour, I am just installing AIM


Expert Comment

by:Keith Alabaster
ID: 19703045
If you click on my name in the question, you will be taken to my profile. If you would care to send me your AIM user ID I can add you and we can test. I don't know anyone who uses AIM so I will be slightly stuck otherwise.

Keith

Author Comment

by:mooremsbos
ID: 19703049
Wow, you are so helpful to go through all this to help me!  I really can't thank you enough.  For me it is like now I just want to solve it because it seems unsolvable.  I can see you are going to try to disprove that!!  Thanks again.

Expert Comment

by:Keith Alabaster
ID: 19703062
Welcome. It's why we give our free time up.

Expert Comment

by:Keith Alabaster
ID: 19712275
OK.

This is what I have found. I have learned something here myself, so it has been a good exercise. I have always understood the schedule to be an allow/block position based on the allow times and the not-allow times, but this is not what it actually does. It is an active/inactive controller, i.e. when the active time is in force, the rule is followed. When you hit the inactive time then effectively the rule becomes disabled and has no effect at all, and the traffic passes down to the next rule for checking, whereby the allow-all rule lets the traffic pass out, defeating the object......

What I have put in place is two rules. This is not a final solution but is a starting point.
Rule 1 says allow HTTP, HTTPS and AOL messenger to access the URLs http://aol.com/*, aol.co.uk/*, http://sync.aol.com/* and http://aim.com/* and the domains *.aol.com, *.aol.co.uk and *.aim.com. Use a schedule set to be active for the times you want the service to be available.

Rule 2 is identical but is a deny rule and the schedule is always. So, when rule 1 ceases to be in force (the times you do not want to allow the traffic), it will drop down to rule 2, which is a specific deny of the AOL traffic flow.

The issue with this is that it does not affect traffic connections that are already established. I can tell you that this has created a lot of interest and I have had two different MS Support teams take my lab over this evening. Lots of theories and posturing, but no result on the agent signature. Anyway, that's where I have got to and I have sent a copy of these thoughts/findings back to the team. Unfortunately my MVP support agreement doesn't provide for outside of core business hours, so now I have to wait until the morning for them to carry on, but we are progressing.....


Accepted Solution

by:Keith Alabaster (earned 2000 total points)
ID: 19719288
OK, the call has been escalated, so it's a sit-back-and-wait for an official position update. The newest version of ISA (isn't available to you yet, I'm afraid) does seem to block OK given your scenario.

As a temporary solution, what you can do is stop and start the firewall service using a batch file.

On the ISA server, drop out to a cmd prompt (Start - run - cmd Hit return key)
type in exactly as follows with each line having a return key pressed to move to the next line. At the bottom, after the last return key entry, perform a "control Z" key combination to close the new file. (Hold down the control key and press the letter Z once).

copy con doitnow.bat
net stop fwsrv
net start fwsrv
(control Z: don't type this, just hold down the control key and press Z, then press the return key)

To test it, now type in doitnow and press the return key.
This will stop then start the firewall service on ISA. All connections will drop for a few seconds on the ISA, then be available again. The benefit is that we can schedule this batch file to run at any time using the scheduler. If you have set your ISA rule to block the AOL after 11 PM, then we run the scheduled batch file at 11.01. This will drop the AOL connection; the kids will then have to try and reconnect, which of course they won't be able to, as the ISA rule will be blocking it as per my previous posts.

After the ISA moves back into allowed time, they will be able to start aol again.
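The following is an added example, not code from the thread, from ISA Server or from Microsoft. It models in a few dozen lines what Keith's two posts above establish: ISA walks the rule base top-down and the first match wins; a rule whose schedule is inactive is simply skipped, not inverted; an established flow is served from the session table and is never re-run through the rules, which is why both the asker's scheduled deny rules and Keith's allow/deny pair leave an existing chat untouched; and the only thing that cuts it is throwing the state away, which is what the scheduled stop/start of fwsrv does. Rule names, the "teen-pc" host, the protocol labels and the timestamps are constructed, and the model assumes ISA's implicit final deny.

```python
"""First-match policy evaluation with schedules and a stateful session table.

Added model (not ISA Server code). Rule names, host, times and protocol
labels are constructed for illustration; the implicit last rule is deny-all.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

ALLOW, DENY = "allow", "deny"


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); a window may cross midnight (05:00-01:00)."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


@dataclass
class Rule:
    name: str
    action: str
    protocols: frozenset                          # empty set = "all outbound traffic"
    active: Optional[Tuple[time, time]] = None    # None = schedule "Always"

    def matches(self, proto: str, when: datetime) -> bool:
        # Outside its active window the rule has no effect at all: the packet
        # falls through to the next rule instead of being denied.
        if self.active is not None and not in_window(when.time(), *self.active):
            return False
        return not self.protocols or proto in self.protocols


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()        # (host, proto) flows admitted earlier

    def decide(self, proto: str, when: datetime) -> Tuple[str, str]:
        """Top-down, first match wins; the implicit last rule denies everything."""
        for rule in self.rules:
            if rule.matches(proto, when):
                return rule.action, rule.name
        return DENY, "Default rule"

    def connect(self, host: str, proto: str, when: datetime) -> str:
        """Only a new connection is ever checked against the rule base."""
        action, _ = self.decide(proto, when)
        if action == ALLOW:
            self.sessions.add((host, proto))
        return action

    def send(self, host: str, proto: str) -> bool:
        """Traffic on an established flow is answered from the session table,
        so a rule turning to 'deny' on schedule does not interrupt it."""
        return (host, proto) in self.sessions

    def restart_service(self) -> None:
        """net stop fwsrv / net start fwsrv: every established flow is dropped."""
        self.sessions.clear()


NIGHT = (time(1, 0), time(5, 0))   # hours when AIM must be off
DAY = (time(5, 0), time(1, 0))     # hours when AIM is allowed (crosses midnight)


def original_policy() -> Firewall:
    """The asker's order: two deny rules scheduled 1-5 AM above an allow-all."""
    return Firewall([
        Rule("Block AIM", DENY, frozenset({"AIM"}), NIGHT),
        Rule("Deny all outbound", DENY, frozenset(), NIGHT),
        Rule("Unrestricted Internet Access", ALLOW, frozenset()),
    ])


def keith_policy() -> Firewall:
    """Keith's pair: scheduled allow for AIM, then an always-on deny for AIM."""
    return Firewall([
        Rule("Allow AIM (daytime)", ALLOW, frozenset({"AIM"}), DAY),
        Rule("Deny AIM", DENY, frozenset({"AIM"})),
        Rule("Unrestricted Internet Access", ALLOW, frozenset()),
    ])


def run_night(fw: Firewall, restart_after_cutoff: bool) -> dict:
    """Sign in at 22:00, observe at 02:00 (optionally after the scheduled fwsrv
    restart just past the 01:00 cutoff), then try again at 06:00."""
    evening = datetime(2007, 8, 7, 22, 0)
    night = datetime(2007, 8, 8, 2, 0)
    morning = datetime(2007, 8, 8, 6, 0)
    obs = {"evening_login": fw.connect("teen-pc", "AIM", evening)}
    obs["night_new_login"] = fw.decide("AIM", night)[0]
    obs["night_web"] = fw.decide("HTTP", night)[0]
    if restart_after_cutoff:
        fw.restart_service()
    obs["night_existing_chat"] = fw.send("teen-pc", "AIM")
    obs["night_reconnect"] = fw.connect("teen-pc", "AIM", night)
    obs["morning_login"] = fw.connect("teen-pc", "AIM", morning)
    return obs


if __name__ == "__main__":
    print("original, no restart:", run_night(original_policy(), False))
    print("original, restart at 01:01:", run_night(original_policy(), True))
    print("keith's pair, no restart:", run_night(keith_policy(), False))
```

In every run the new login at 02:00 is denied and the 06:00 login is allowed, but `night_existing_chat` stays true unless `restart_service` is called; that is the gap the batch file closes. On Windows Server 2003 the batch file can be registered with schtasks.exe, for example `schtasks /create /sc daily /st 01:01 /tn "Drop AIM" /tr C:\scripts\doitnow.bat /ru SYSTEM` (path, task name and the one-minute offset are assumptions); run it shortly after the deny schedule starts, so that the clients' reconnect attempts hit the active deny rule. The restart drops every flow through ISA, not just AIM, so pick a time when nothing else long-lived matters, and the model ignores AIM's port 80 and proxy fallbacks discussed earlier, which in the asker's setup are caught by the scheduled deny-all-outbound rule.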

Author Comment

by:mooremsbos
ID: 19722751
I have put the suggested batch file in place this morning. I tested it and it works fine. I will add it to the scheduled tasks service and let it run tonight. Thanks for going to MS with this. I feel slightly vindicated that I was unable to get this to work on my own, now that it is verified (at this time) that it will not work with ISA alone. Thanks again and I will post the results of the scheduled task running tomorrow. I feel certain my kids will let me know the situation :-)

Expert Comment

by:Keith Alabaster
ID: 19722836
Hehehe, blame the Brit, everyone else does....

I have book-marked this question as I will get a solution from MS in due course. Once received, I'll add it to this thread.

Keith


Author Comment

by:mooremsbos
ID: 19725574
So this seems to work perfectly! Thanks for the excellent work-around. I look forward to a solution from MS if one comes, but this will certainly do the trick as well. BTW, I just feel it necessary to not only thank you from a technical standpoint, but from the position of a mother that is FINALLY not feeling frustrated! While they are mostly really good kids, this has been a constant battle; now I can go to bed and forget it! Thanks again.

Expert Comment

by:Keith Alabaster
ID: 19726175
You are most welcome. I take it that I need not anticipate a Christmas card from the kids, though.....

Author Comment

by:mooremsbos
ID: 19729327
LOL, yeah, I doubt you are their favorite person right now, so probably not!

Expert Comment

by:Keith Alabaster
ID: 19731702
:)