• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1555
  • Last Modified:

Controlling AIM/instant messaging activity with ISA server

I have searched countless pages for complete information on this subject and I just cannot seem to find the whole solution I want/need. I want to stop access to AIM using Windows 2003 Standard Server and ISA 2004 Standard Server.   I am new to ISA server so I am trying to accomplish some tasks I am unfamiliar with.  I need step-by-step information on how to block access to AOL Instant Messenger for certain users by schedule.  In a nutshell, I need to be able to stop my teens from accessing AOL after let's say 1:00 am.  I have already figured out how to block outgoing Internet activity at this time and that is working like a charm and if they would not happen to be signed in to AIM at that time it would stop them from signing in-that also works fine. The part that is not working for me is that they are ALWAYS signed in to AIM and I cannot get any Access Rule or GP to force this activity to stop if they are already using it.  I would really rather not use a third party solution, but if that is my only option I would consider some proven products.  I definitely want to stay away from something that has to be installed on individual PC's-I would rather have a network solution that maybe integrates with ISA if that is an option.  If you require more information about my set-up please just ask.  Thanks!
Asked: mooremsbos
1 Solution
 
ammadeyyCommented:
create HTTP policy
check the following link, it will help

http://www.isaserver.org/tutorials/Configuring-ISA-Server-2006-HTTP-Filter.html
0
 
mooremsbosAuthor Commented:
Excellent!  Thanks for pointing me in the direction of this article, I will take the steps outlined here in a little while and see what that gets me.  I do have two questions before I start though (bearing in mind my inexperience with ISA): these instructions are for v2006 and I am running 2004-will it work the same way?  The screenshots look basically the same, but I just wanted to be sure this will work the same on this version.  Second, do I apply this to my allow "unrestricted access rule" (Internet out) that also has the time restrictions set on it, or do I create a whole new rule for http and make these changes to it?  Thanks again, I look forward to your help with this!
0
 
ammadeyyCommented:
It will work the same in 2006 and 2004.
You can add it to the "unrestricted access rule".

Suppose you add MSN Messenger to the "unrestricted access rule"; the users in that rule won't be able to use MSN Messenger.
0
 
mooremsbosAuthor Commented:
I did the following: input Search in: Request headers; HTTP Header: User-Agent; Signature to block: Gecko/ to my Allow "unrestricted Internet Access" rule which goes from internal to external on all outbound traffic.  This rule is active from 5am to 1am all days.  While entering this information I was concerned that it would block this HTTP header traffic while the rule is in effect (5 am to 1 am) but would not be in force during the scheduled time for the rule to not work (1am to 5 am), but at this time it is not blocking IMs (in fact I just sent something to my daughter).  So will it kick in at 1 am, or is it not working, or do you have an idea about that?
0
 
mooremsbosAuthor Commented:
With the above procedures implemented, the AIM service was not stopped.  They were chatting online past 1 AM.  Should I delete the "unrestricted" access rule and create some other kind of rules, or is the schedule messing this up?  Other traffic was denied according to the monitor as that part was already working OK for me, but the established chat sessions were not broken at 1:00 am as I had hoped.  If you have another idea I would be happy to try it out.  If you want more specific info on my setup, I am happy to provide.  Thanks!
0
 
justchat_1Commented:
Blocking http traffic will have no effect on a messenger client that works on a completely different protocol....you will want to enforce a block of inbound and outbound traffic on port 5190 to stop the IMing.
0
 
mooremsbosAuthor Commented:
I have blocked  port 5190 and that does prevent the users from signing in after the specified time, however the issue that I am having is that I need to close down already open sessions at a specific time.  I do NOT want to block AIM completely I just want to stop it at a specific time.  I need to be able to close AIM chat clients that are actively chatting or actively connected and "away".  I have been effective at shutting down all internet access at 1 AM and I have been successful in preventing NEW AIM session from being opened after 1 AM, but I cannot find a way to completely cut off out going AIM if they are already connected and actively using it.  As stated, I would even consider a third party solution (although it is my least favorite) if I can run it on the network (and not individual workstations), maybe even in conjunction with my ISA server.  Any other ideas?
0
 
justchat_1Commented:
If port 5190 is truly blocked both outbound and inbound then any client that is actively chatting or away will be disconnected.  However, it may take a minute or two for aim to realize it has been disconnected if it is away or inactive.
0
 
mooremsbosAuthor Commented:
Ok, here is how my AIM rule is configured, maybe there is a fault with it, take a look: It is a deny rule, it covers the included AOL IM protocol for outbound 5190, and I created my own AIM2 protocol for 5190 inbound; they are both listed in the "rule applies to" section, from Anywhere and All networks (and local host) To All networks and anywhere. Users: All users; schedule in effect from 1AM to 5 AM; Content types: All content types (default).  This is the first rule listed in my ISA firewall rules above all other rules.  Also, it was my understanding that AIM (and really most of them) will use any port they can get their hands on for connecting so I think that might be part of the problem.  Also, I must mention that if you watch the monitor and send out an instant message when the rule is active, there is nothing that shows up in there.  ISA does not recognize each individual chat message sent or received, so this must have something to do with it too somehow.  Hoping for another suggestion....
0
 
justchat_1Commented:
Aim is the only protocol that doesn't port-hop. (switch ports to maintain a connection)... I'm looking into why chat messages don't show up/fail to be blocked, hopefully another expert has an idea
0
 
justchat_1Commented:
*AIM used to be the only protocol that doesn't port hop....newer versions have been reported using port 80 but I can't verify that yet, so your best bet is to also block a DNS lookup of login.oscar.aol.com
0
 
mooremsbosAuthor Commented:
I have successfully blocked all outgoing connections except AIM already.  The outgoing Internet itself stops working at 1 AM; you cannot reach any pages at all.  To recap-besides the AOL AIM rule I also have an additional rule that denies all outgoing protocols-from all networks (including local host) to external, all users, from 1 AM to 5 AM (this was actually my first rule, but it did not work for AIM either) so this is stopping everything except AIM.  I would not think that login.oscar.aol.com would be any different than say www.google.com.  I can explicitly deny that if you really think it will make a difference, but it is hard to imagine.  Plus off hand I do not think I can block only login.oscar.aol.com only from 1AM to 5 AM, but maybe.  I will look at that a little later today.
0
 
justchat_1Commented:
login.oscar.aol.com would be a connection on ports 5190, 80, 443, 25 or others....the internet rule is blocking connections only on port 80 (and possibly 443)
0
 
mooremsbosAuthor Commented:
The "Internet" rule actually denies all outgoing protocols, not just 80 and 443.  If you look at the filter in ISA server I have, this rule is configured this way: Action: Deny-Protocols: ALL outbound traffic-From: Internal-To: External-Users: All Users-Schedule: Active 1AM-5AM-Content Types: All content types.  To my way of thinking this rule should be all I need to block every single thing that attempts to leave my network between 1 AM and 5 AM, and it does deny every single thing except AIM (DNS, FTP, HTTP, HTTPS and more).  Also, I have looked and there is no way I can see to block login.oscar.aol.com by schedule.  So, I don't know, I am feeling at my wits' end.  It does not seem like it should be this hard to stop outgoing chatting at 1 AM. It is very frustrating that these services think they are above having any policies put on them.  It is my right to control my network, and by virtue of the fact that these instant messengers are hopping ports to get around blocks just goes to show that those companies feel they should be allowed to be anywhere at any time regardless of Administrators' desires.  If you think of something else I would be glad to hear it.  I thank you for trying :-)
0
 
justchat_1Commented:
Running Wireshark or Packetyzer on the server might give an indication of how AIM is getting around the blocking software.

There are also third party options available:
http://www.newfreedownloads.com/find/block-aim.html
http://www.plevna.f9.co.uk/index.htm - TerminatorX
0
 
mooremsbosAuthor Commented:
TerminatorX simply blocks always, which I could do with ISA, but that is not my goal.  Those others have to be installed on the workstations and I am really trying to avoid that like the plague.  I too have searched through many of these programs but I have found nothing that suits my needs.  Thanks for trying though.  I might work on a packet analyzer as suggested, but probably not until this weekend. Thank you.
0
 
justchat_1Commented:
no problem...sorry i couldn't be of more help

If you get a chance to do a packet capture I would be happy to help you interpret it
0
 
shawn053077Commented:
The problem with AIM is that it not only connects to oscar.aol.com but when this site is blocked AOL offers a proxy at www.proxy.aol.com.  Symantec's "Threats to Instant Messaging" states that even if the entire AOL site is down there are plenty of proxies on the internet that will allow access to AIM services.  Some of the messengers will detect the block and look for alternatives.  I haven't stumbled on any fixes that aren't third party and don't cost money...I'll keep looking.

http://securityresponse.symantec.com/avcenter/reference/threats.to.instant.messaging.pdf
0
 
justchat_1Commented:
That still doesn't explain how AIM traffic is able to slip past a full internet blocking rule (all ports).

mooremsbos, is there a possibility that AIM is circumventing the server?
0
 
mooremsbosAuthor Commented:
No, it is a multi-homed server (two NICs, one server).  All LAN traffic passes through the server; that is the only way to the Internet.  So in from the LAN out through the server, back in through the server and out to the LAN. That is what is so completely frustrating!   Like I said before, it is really weird because I can stop AIM if it is not signed in-that is not the issue, but there is something about it once it makes the connection to the service you can't force it to close-that is where the issue lies.  But really I agree, why is anything passing once the deny "all outgoing protocols" rule kicks in.  It just doesn't make sense!!!   I am back at the office now, so I am going to look at the monitoring area and see what other filters are available for monitoring.  Then maybe we can better pinpoint what is happening when an IM is sent and how to stop it. I will let you know what I see.  Again, thanks for sticking with me!
0
 
justchat_1Commented:
Not a problem... If you're still stuck, try activating the rule while a video stream (TCP source) is being watched...that's a single always-open connection-if the stream isn't closed then maybe the server is only blocking new connections.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Just seen your link appear in ISA server.

The link provided above to the tutorial is the way this is done. However, the sequence of rule provision is also important in these conditions.
When you ran the Wireshark/Ethereal trace, you would have seen the agent identifier (as you opened up the packets and drilled down). You have reported that it is gecko/... ? As I recall, AIM uses two headers (http://www.applicationsignatures.com/backend/index.php), the other one being AIM.

You do not need a rule for inbound AIM so take this out. The connection is instigated from the inside and the stateful packet inspection session table is used to allow responses to return so that rule (for inbound) is an unnecessary overhead and 'could' actually cause you an issue in itself.

Take off all filters on the monitoring - logging section and leave it at default, i.e. time = live, action not equal connection status etc., and let's get a full capture display running.

Keith
0
 
mooremsbosAuthor Commented:
I took off the incoming AIM protocol from the block AIM rule as suggested and just left the default outgoing AIM protocol on that rule.  This is the first rule listed in my firewall policy and has been since I configured it.  The second rule listed is the Deny rule for all outbound traffic that is scheduled to also be in effect from 1AM to 5AM all days (both deny rules are configured to be active with this schedule).
I guess I am not understanding the tutorial that you also point to.  When it was first suggested I followed the instructions for configuring HTTP Filter signatures-I did see how to do that-I ultimately tried it with both signatures (with the gecko and AIM HTTP header) but not both together, but neither stopped traffic.  As a side note, it seems to me that if I put this filter on my default "Unrestricted Internet Access" rule it will filter for this all the time and that is not what I want.  Please give me a little more specific guidance if you can.  I get the feeling I am just missing something.
Lastly, I never did change any of the filtering in the monitor as I could not find something better to filter by in the choices, so I left it as is.
0
 
Keith AlabasterEnterprise ArchitectCommented:
No, you would put a separate deny rule in first for the AIM and gecko signatures on a schedule for the hours that they are NOT allowed to use it.
The next rule would be an allow all with an always schedule.

0
 
mooremsbosAuthor Commented:
So am I basically following these steps: http://www.isaserver.org/tutorials/ISA-Firewall-Quick-Tip-Blocking-MSN-Messenger-Access-Enabling-Access-Some-Users.html except I will ignore the groups thing, because I am applying it to the whole network and I can add in the part about the schedule?  Do I have to configure both rules as they have and do I have to do anything with my "Unrestricted Internet Access" rule?  Thanks for your help.
0
 
Keith AlabasterEnterprise ArchitectCommented:
You don't want two rules of all outbound, no. Personally I don't allow ANY all outbounds - I am old fashioned and I have rules for groups.

For example, DNS only needs to go outbound from my internal DNS servers
Email (smtp) only needs to go out from my mail servers
http/https goes out from the clients and servers from all authenticated users
ntp only goes out from the Domain controllers
etc etc

The first (deny) rule needs to just cover the http and the IM protocols and include the agent signatures.
The second outbound can be all outbound if that is what you are comfortable with, or you can start collecting the protocols together and start locking down the traffic by source as well as by destination or signature.
0
 
mooremsbosAuthor Commented:
I do not see a way to configure HTTP Signatures on a deny rule.  So, if I am being completely dense (which is entirely possible) please get me started here.  Also, before I go through this next step can I ask why my deny rule for "ALL outbound traffic" from internal to external based on the desired schedule is not accomplishing this exact same thing?  This is the second rule I have configured and is far above the default allow "all outbound traffic" rule.  Is there a change that can be made to this deny rule as it does seem to be working for blocking general internet usage.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Interesting - maybe I have made a boo-boo - let me test quickly
0
 
Keith AlabasterEnterprise ArchitectCommented:
Hah - what an idiot. My apologies - the version I am using (for testing purposes) is a number of versions above ISA2004. I've remedied that and loaded my 2004 test bed.

If you can give me an hour, I am just installing AIM

0
 
Keith AlabasterEnterprise ArchitectCommented:
If you click on my name in the question, you will be taken to my profile. If you would care to send me your AIM user ID I can add you and we can test. I don't know anyone who uses AIM so I will be slightly stuck otherwise.

Keith
0
 
mooremsbosAuthor Commented:
Wow, you are so helpful to go through all this to help me!  I really can't thank you enough.  For me it is like now I just want to solve it because it seems unsolvable.  I can see you are going to try to disprove that!!  Thanks again.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Welcome - its why we give our free time up.
0
 
Keith AlabasterEnterprise ArchitectCommented:
OK.

This is what I have found - I have learned something here myself so it has been a good exercise. I have always understood the schedule to be an allow/block position based on the allow times and the not-allow times but this is not what it actually does. It is an active - inactive controller, i.e. when the active time is in force, the rule is followed. When you hit the inactive time then effectively the rule becomes disabled and has no effect at all and the traffic passes down to the next rule for checking, whereby the allow all rule lets the traffic pass out - defeating the object......

What I have put in place is two rules. This is not a final solution but is a starting point.
rule 1 says allow http, https and aol messenger to access the urls of http://aol.com/*, aol.co.uk/*, http://sync.aol.com/* and http://aim.com/*  and the domains of *.aol.com, *.aol.co.uk and *.aim.com. Use a schedule set to be active for the times you want the service to be available.

rule 2 is identical but is a deny rule and the schedule is always. So, when rule 1 ceases to be in force (the times you do not want to allow the traffic) - it will drop down to rule 2 which is a specific deny of the AOL traffic flow.

The issue with this is it does not affect traffic connections that are already established. I can tell you that this has created a lot of interest and I have had two different MS Support teams take my lab over this evening. Lots of theories and posturing but no result on the agent-signature.  Anyway, that's where I have got to and I have sent a copy of these thoughts/findings back to the team. Unfortunately my MVP support agreement doesn't provide for outside of core business hours so now I have to wait until the morning for them to carry on but we are progressing.....

0
 
Keith AlabasterEnterprise ArchitectCommented:
OK - the call has been escalated so it's a sit back and wait for an official position update. The newest version of ISA (isn't available to you yet I'm afraid) does seem to block OK given your scenario.

As a temporary solution, what you can do is stop and start the firewall service using a batch file.

On the ISA server, drop out to a cmd prompt (Start - run - cmd Hit return key)
type in exactly as follows with each line having a return key pressed to move to the next line. At the bottom, after the last return key entry, perform a "control Z" key combination to close the new file. (Hold down the control key and press the letter Z once).

copy con doitnow.bat
net stop fwsrv
net start fwsrv
control z - don't type this, just hold down the control key and press z then press the return key

To test it, now type in doitnow and press the return key.
This will stop then start the firewall service on ISA. All connections will drop for a few seconds on the ISA then be available again. The benefit is that we can schedule this batch file to run at any time using the scheduler. If you have set your ISA rule to block the AOL after 11PM, then we run the scheduled batch file at 11.01. This will drop the AOL connection - the kids will then have to try and reconnect - which of course they won't be able to as the ISA rule will be blocking it as per my previous posts.

After the ISA moves back into allowed time, they will be able to start aol again.
0
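A small model of the two behaviours Keith describes above, written as an added example (it is not ISA code and not from anyone in this thread): a schedule only switches a rule between active and inactive, so an allow rule outside its schedule falls through to the next rule rather than denying, and a deny rule never touches flows already in the session table, which is why restarting the firewall service is what actually drops the open AIM sessions. Rule names, the "kid-pc" client and the hours are constructed sample values.

```python
# Model of ISA-style first-match policy evaluation with schedules and a
# session table (added example; not ISA code or code from the thread).
# It shows the two behaviours discussed above: a schedule only makes a rule
# active/inactive, never a deny, and a deny rule never touches established flows.
from dataclasses import dataclass

def hours(start, end):
    """Active hours for a schedule such as 'Active 1AM-5AM'; wraps past midnight."""
    if start < end:
        return set(range(start, end))
    return set(range(start, 24)) | set(range(0, end))

ALWAYS = hours(0, 24)

@dataclass
class Rule:
    name: str
    action: str      # "allow" or "deny"
    protocols: set   # e.g. {"aim"}; {"all"} matches any protocol
    active: set      # hours in which the rule's schedule is active

def evaluate(rules, protocol, hour):
    """First matching *active* rule wins; no match means deny."""
    for rule in rules:
        if hour not in rule.active:
            continue  # inactive schedule: rule is skipped, traffic falls through
        if "all" in rule.protocols or protocol in rule.protocols:
            return rule.action
    return "deny"

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # established (client, protocol) flows

    def packet(self, client, protocol, hour):
        flow = (client, protocol)
        if flow in self.sessions:
            return "allow"  # session-table hit: rules are not consulted again
        verdict = evaluate(self.rules, protocol, hour)
        if verdict == "allow":
            self.sessions.add(flow)
        return verdict

    def restart_service(self):
        self.sessions.clear()  # effect of 'net stop fwsrv' / 'net start fwsrv'

# The thread's working layout: a scheduled allow, then an always-on deny.
KEITH_RULES = [
    Rule("allow AIM in allowed hours", "allow", {"aim"}, hours(5, 1)),
    Rule("deny AIM", "deny", {"aim"}, ALWAYS),
    Rule("allow all outbound", "allow", {"all"}, ALWAYS),
]

# A scheduled allow rule followed only by allow-all: outside the schedule
# the allow rule is merely inactive, so AIM falls through and still gets out.
FALLTHROUGH_RULES = [
    Rule("allow AIM in allowed hours", "allow", {"aim"}, hours(5, 1)),
    Rule("allow all outbound", "allow", {"all"}, ALWAYS),
]

def established_session_survives(rules):
    """Verdicts at 02:00 for a flow opened at 23:00, before and after a restart."""
    fw = Firewall(rules)
    fw.packet("kid-pc", "aim", 23)
    before = fw.packet("kid-pc", "aim", 2)
    fw.restart_service()
    after = fw.packet("kid-pc", "aim", 2)
    return before, after
```

`established_session_survives(KEITH_RULES)` returns `("allow", "deny")`: the open session keeps passing until the service restart clears the session table, after which the always-on deny catches the reconnect.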
 
mooremsbosAuthor Commented:
I have put the suggested batch file in place this morning.  I tested it and it works fine.  I will add it to the scheduled tasks service and let it run tonight.  Thanks for going to MS with this.  I feel slightly vindicated that I was unable to get this to work on my own-now that it is verified (at this time) that it will not work with ISA alone.  Thanks again and I will post the results of the scheduled task running tomorrow.  I feel certain my kids will let me know the situation :-)
0
 
Keith AlabasterEnterprise ArchitectCommented:
hehehe - blame the Brit - everyone else does....

I have book-marked this question as I will get a solution from MS in due course. Once received, I'll add it to this thread.

Keith

0
 
mooremsbosAuthor Commented:
So this seems to work perfectly!  Thanks for the excellent workaround.  I look forward to a solution from MS if one comes-but this will certainly do the trick as well.  BTW, I just feel it necessary to not only thank you from a technical standpoint, but from the position of a mother that is FINALLY not feeling frustrated!  While they are mostly really good kids, this has been a constant battle-now I can go to bed and forget it!  Thanks again.
0
 
Keith AlabasterEnterprise ArchitectCommented:
You are most welcome - I take it that I need not anticipate a Christmas card from the kids though.....
0
 
mooremsbosAuthor Commented:
LOL-yeah, I doubt you are their favorite person right now so probably not!
0
 
Keith AlabasterEnterprise ArchitectCommented:
:)
0