Block Gtalk / MSN

Hey Guys,

I am trying to block Gtalk and MSN in our network. MSN seems to be simply port 1864.

For Gtalk it uses 5222 and/or 443. If 5222 is not available it goes to 443.

But port 443 seems to be hard to block because certain websites require a https secure connection.

Please guide.
Shivtek asked:
lobo797 commented:
I take it you want to go beyond blocking domain names and keywords at the firewall.
ICaldwell commented:
Google Talk uses Port 80, Port 443 and Port 5223 other than Port 5222 for its communication purposes. Worst of all: Google Talk connects to 216.239.37.125, 72.14.253.125 and 72.14.217.189 other than 209.85.137.125. It connects to Ports 5222, 5223, 443 and 80 in all the cases.

Blocking all these 4 addresses blocks Google Talk in both the browser and the Talk client. Note: this does not disable Google Mail.


For MSN block anything going to *gateway.messenger.hotmail.com

Shivtek (Author) commented:
What you said doesn't make sense.
Shivtek (Author) commented:
I meant what lobo797 said.
Shivtek (Author) commented:
Blocking via ports would be hard because of ports 80 and 443. Blocking the IP addresses might be possible. How can I block the Gtalk client, the online version and Gmail completely?
lobo797 commented:
Generally, you can block URLs or keywords at the firewall. The only problem is there can be a lot of URLs just for one site.
ICaldwell commented:
Block these IPs for GTalk:

     216.239.37.125
     72.14.253.125
     72.14.217.189
     209.85.137.12

Block these IPs for MSN Messenger:

64.4.13.171 - 64.4.13.190
207.46.106.1 - 207.46.108.254
and the IP 65.54.239.20

These IPs can change. GTalk posts theirs so they won't change much, but MSN says block *gateway.messenger.hotmail.com since they do change IP ranges....
ICaldwell commented:
Usually you block by URLs... I wouldn't recommend blocking by keywords as lobo797 says...
Shivtek (Author) commented:
Well, Gmail gets blocked by just blocking port 443....because all Gmail connections are secured. That would do it for Gtalk as well; 443, 5223, 5222 can be blocked too.

For yahoo if I block just yahoo.com it actually blocks everything....apparently all yahoo international sites redirect to ca.yahoo.com

There must be a direct way to get to it?

Does MSN have a web messenger?
ICaldwell commented:
Yes.

http://people.live.com is MSN Web

I would not block 443, that blocks all secure communication... People use that from time to time on legit websites...
Shivtek (Author) commented:
My firewall by default blocks all ports; I have to manually open the ones I need. So MSN and Yahoo are automatically taken care of. Web MSN, Yahoo and Gmail are also taken care of...

The only problem is the Gtalk client, which can use port 443 to connect. The IPs you have listed, ICaldwell, don't do the trick for some reason. I am pretty sure Google has a bigger network for Gtalk than those 4 IP addresses. We need to find the CIDRs for Gtalk to completely block it, I think.

Any other way?
Shivtek (Author) commented:
I don't know why I can still access Gtalk after blocking those 4 IPs.
ICaldwell commented:
It's possible they have changed IPs... can you block talk.google.com?
Shivtek (Author) commented:
I did but it uses https://talk.google.com
ICaldwell commented:
can you block by the host name talk.google.com which will cover both http & https?

http - port 80
https - port 443
Shivtek (Author) commented:
That's what I was thinking too, but I am not sure if that will work or not...

I can test by opening 443 and blocking talk.google.com for 80 and 443.
ICaldwell commented:
just to cover a few others, also block these two host names:

talkx.l.google.com
chatenabled.mail.google.com
ICaldwell commented:
Are you using the Web GTalk or the desktop App?
Shivtek (Author) commented:
I dont think the https blocking is working for individual IP/hostnames...because facebook.com is blocked...and after entering https://facebook.com I can access the site and if I block https://facebook.com it doesn't do anything.
Shivtek (Author) commented:
I am using IPCop's URL Filter addon to do all this along with its Advanced Proxy.
ICaldwell commented:
Interesting, I have not used this one before... most, if you put a * before it, that covers http & https...
Shivtek (Author) commented:
Moreover, it's a transparent proxy, being used without entering the proxy settings in the browser.
ICaldwell commented:
Yes, that is normal at most companies for it to be transparent... less setup and forces everything to go via the proxy even if there are no settings... No way for users to get around it, unless you use something such as a VPN, which I figure in your case is what you're looking for...
Jakob Digranes (Senior Consultant) commented:
the best way to block IMs is by using application signatures, and - of course - a firewall that can read and block application signatures.
Blocking ports and URLs is messy and time consuming and easy to bypass.

Here are some application signatures: http://technet.microsoft.com/en-us/library/cc302520.aspx
But it's an old list and you might update this using Wireshark (www.wireshark.org).
I haven't used IPCop and just browsed through the manual. Couldn't see anything on app signatures.
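The following is an added example, not code from any participant in this thread, IPCop, ISA Server or Microsoft's signature list. It ties together the three approaches discussed above (ICaldwell's hostname and IP lists, and Jakob Digranes' point about application signatures) in one small classifier: a flow is matched first on destination hostname, then on destination IP, then on protocol content. The hostnames, IPs and ranges are the ones quoted in the thread (and may be stale today); the two content signatures are the public XMPP client stream header and the MSNP `VER` handshake, which is what a packet capture in Wireshark shows for these clients. The sample flows, the `198.51.100.0/24` addresses and the function names are all constructed for this example. The point it makes is the one Shivtek ran into: a content signature catches the Google Talk client on port 443 just as well as on 5222, whereas a port or IP rule does not, and for a TLS connection only the hostname (from the proxy's CONNECT request or DNS log) or the IP is usable, since the content is encrypted.

```python
"""
Illustrative IM-traffic classifier: hostname, IP and application-signature
checks combined.  Hostnames and IP ranges are the ones quoted in this thread;
the signatures are the public XMPP stream header (Google Talk) and the MSNP
"VER" handshake (MSN Messenger).  Sample flows are constructed, not captured.
"""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hostnames from the thread.  "*" is a glob, so the MSN entry also matches
# e.g. dp.gateway.messenger.hotmail.com (constructed example name).
BLOCKED_HOST_PATTERNS = (
    "talk.google.com",
    "talkx.l.google.com",
    "chatenabled.mail.google.com",
    "*gateway.messenger.hotmail.com",
)


def _blocked_networks():
    """Build the IP blocklist from the addresses and ranges quoted above."""
    nets = [ipaddress.ip_network(a) for a in (
        "216.239.37.125", "72.14.253.125", "72.14.217.189", "209.85.137.125",
        "65.54.239.20")]
    for first, last in (("64.4.13.171", "64.4.13.190"),
                        ("207.46.106.1", "207.46.108.254")):
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


BLOCKED_NETWORKS = _blocked_networks()

# Content signatures, matched on the first bytes a client sends.  They ignore
# the port: a Google Talk client opening an XMPP stream on 443 looks exactly
# like one on 5222.
SIGNATURES = (
    ("xmpp", re.compile(rb"<stream:stream[^>]*xmlns=['\"]jabber:client['\"]")),
    ("msnp", re.compile(rb"\AVER \d+ MSNP\d+")),
)


@dataclass(frozen=True)
class Verdict:
    blocked: bool
    reason: str  # "hostname", "ip", "signature:xmpp", "signature:msnp" or "allowed"


def host_is_blocked(host: Optional[str]) -> bool:
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p) for p in BLOCKED_HOST_PATTERNS)


def ip_is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def match_signature(payload: bytes) -> Optional[str]:
    """Return the signature name matched in the first 512 client bytes, if any."""
    for name, pattern in SIGNATURES:
        if pattern.search(payload[:512]):
            return name
    return None


def classify_flow(dst_host: Optional[str], dst_ip: str, payload: bytes) -> Verdict:
    """
    dst_host: hostname if the proxy or DNS log knows it (None otherwise)
    dst_ip:   destination address
    payload:  first bytes the client sent; for a TLS connection this is the
              encrypted handshake, so only the hostname/IP checks can catch it.
    """
    if host_is_blocked(dst_host):
        return Verdict(True, "hostname")
    if ip_is_blocked(dst_ip):
        return Verdict(True, "ip")
    proto = match_signature(payload)
    if proto:
        return Verdict(True, f"signature:{proto}")
    return Verdict(False, "allowed")


# Constructed sample payloads.
XMPP_OPEN = (b"<?xml version='1.0'?><stream:stream to='gmail.com' "
             b"xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' "
             b"version='1.0'>")
MSNP_OPEN = b"VER 1 MSNP15 MSNP14 CVR0\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x05"  # start of a TLS record; content is opaque

# Constructed sample flows (198.51.100.0/24 is a documentation range).
SAMPLE_FLOWS = [
    ("talk.google.com", "198.51.100.10", 443, TLS_HELLO),   # https://talk.google.com
    (None, "72.14.253.125", 5222, XMPP_OPEN),                # IP from the thread
    (None, "198.51.100.20", 443, XMPP_OPEN),                 # unknown IP, port 443
    (None, "198.51.100.30", 443, MSNP_OPEN),                 # MSNP on port 443
    ("www.example.com", "198.51.100.40", 443, TLS_HELLO),    # ordinary HTTPS
]

if __name__ == "__main__":
    for host, ip, port, data in SAMPLE_FLOWS:
        v = classify_flow(host, ip, data)
        print(f"{host or '-':35} {ip:15} :{port:<5} -> "
              f"{'BLOCK' if v.blocked else 'allow'} ({v.reason})")
```

Run as-is, the first four sample flows are blocked (by hostname, IP, XMPP signature and MSNP signature respectively) and the ordinary HTTPS flow is allowed. The hostname check is what handles the https://talk.google.com case from the thread, which is why a URL filter that only sees plain HTTP paths misses it.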
farjadarshad commented:
My friend, install ISA Server, in which you can easily block all messengers. For configuration of rules in ISA 2004 please refer to these sites:

http://isaserver.org
http://articles.techrepublic.com.com/5100-22_11-6029342.html
Jakob Digranes (Senior Consultant) commented:
ISA's great, but beware that you most likely need updated application signatures, since the articles are a couple of years old.