AXISHK
asked on
Logging IM conversations
Is there any solution that could log all conversations for IM clients in the company network?
Are you using an internal IM server?
Depends on the client.
If you are using OCS (aka Lync) it has full logging even of "federated" users.
Otherwise, often they are just over HTTPS, so something that can do an HTTPS intercept will work (IronPort, or on the cheap, something like squid-in-the-middle).
If they are using something that doesn't respect the Windows keystore though, the interception certificate will be questioned (actually, alerted in big red nasty letters) - it's debatable what they could do about that, but at least then they would know :)
ASKER
We haven't implemented Lync Server yet. Do you mean it could log any IM client conversation, not just IM?
For IronPort, can I really log all conversations - including the text conversation, as we need to keep it for evidence?
Thanks
The majority of IM clients (internet ones, not local ones like Lync) communicate with their servers via HTTPS (few are actually P2P; Skype however can be).
If you intercept and decrypt that traffic, you can arrange for full logging of it. I am told that IronPort can do this, but haven't actually seen it in action (IronPort is a VERY expensive appliance sold by Cisco).
Regarding Squid, you need to take advantage of several features.
First, if your users aren't used to using a proxy, then you will need to get the traffic into the proxy. There are several ways to force the use of a proxy (group policy, WPAD files, transparent redirection), so getting that done is job one. Squid supports both TPROXY and WCCP.
Second, the HTTPS traffic is encrypted. You can use SSL bumping to strip the certificate off of the target site and write a "fake" matching certificate for Squid - see http://wiki.squid-cache.org/Features/SslBump for details.
Finally, you need to actually intercept the traffic within Squid. The easiest way to do this is to abuse the content modification protocol ICAP - http://wiki.squid-cache.org/Features/ICAP - you can use (for example) GreasySpoon to host a script that logs the traffic and then returns it unaltered.
While looking around for some resources, I found this:
http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/
which seems to be a discussion about the same thing :)
Also, one final note - depending on your jurisdiction, you may need to have notified your staff (in writing) that you intercept internet traffic for enforcement of usage policy, and quite probably exclude any banking sites from interception. You may not in fact be permitted to do this at all; check with your corporate lawyer before you implement ANY of this.
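As an added example (not from the thread, and not the Squid project's own sample config), this squid.conf fragment ties the three steps above together for Squid 3.5 or later; the ports, file paths, ICAP service URL and excluded domain are assumed placeholders.

```conf
# Added example: Squid 3.5+ fragment for transparent HTTPS interception with
# ICAP logging. Ports, paths, the ICAP URL and the excluded domain are
# placeholders to adapt to your deployment.

# 1. Get the traffic into the proxy. "intercept" expects NAT redirection from
#    the firewall; use "tproxy" on these ports for TPROXY, or wccp2_router
#    directives for WCCP.
http_port  3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/interceptCA.pem key=/etc/squid/ssl/interceptCA.key

# Helper that mints the per-site "fake" certificates signed by the
# interception CA above (Squid 4+ ships it as security_file_certgen instead).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# 2. SSL bump: peek at the TLS ClientHello first so the server name is known,
#    leave excluded sites (banking, per the legal note) untouched with
#    "splice", and bump everything else.
acl step1  at_step SslBump1
acl nobump ssl::server_name .bank.example   # placeholder; one acl line per domain
ssl_bump peek   step1
ssl_bump splice nobump
ssl_bump bump   all

# 3. Hand the decrypted requests and responses to the ICAP logging service
#    (GreasySpoon listens on tcp/1344 by default). bypass=off means a failed
#    ICAP service blocks traffic rather than silently skipping the logging,
#    which is what you want when the log is kept as evidence.
icap_enable on
icap_service im_log_req  reqmod_precache  icap://127.0.0.1:1344/request  bypass=off
icap_service im_log_resp respmod_precache icap://127.0.0.1:1344/response bypass=off
adaptation_access im_log_req  allow all
adaptation_access im_log_resp allow all

# Squid's own access log is a second record of which sessions were bumped.
access_log /var/log/squid/access.log squid
```

The interception CA certificate still has to be pushed into the clients' trust store (group policy for the Windows keystore); clients that use their own store will still raise the certificate warning described above.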
What he said. A proxy would be needed to capture the SSL traffic.
ASKER
One more check,
"If you are using OCS (aka Lync) it has full logging even of "federated" users."
Does it mean an office user using an IM client can chat with other IMs like QQ and the whole conversation could be logged in the Lync server?
Tkx
ASKER
Is there a solution that could log all message conversations for the different IMs (Yahoo, MSN, QQ, etc.) used in the office?
Tkx
ASKER
For Barracuda IM Firewall, can it really track and keep all IM conversations for users in my network? Any more information on this?
Thanks
ASKER
Tks