
Discussion about article on using the ISA firewall to enable selective IM use

Discussion about article on using the ISA firewall to e... - 8.Mar.2006 2:38:34 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on enabling selective use of Instant Messengers at http://www.isaserver.org/tutorials/ISA-Firewall-Quick-Tip-Blocking-MSN-Messenger-Access-Enabling-Access-Some-Users.html

Thanks!
Tom

< Message edited by tshinder -- 8.Mar.2006 2:50:28 PM >


_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about article on using the ISA firewall ... - 8.Mar.2006 11:45:19 PM   
jbarsodi

 

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
Hi Tom,
Great article, one question though.

In your first rule you state that we are creating a 'deny' rule, but in the action you say "Allow".  Is this correct??


quote:


The first step is to create the rule that will deny access to MSN Messenger to members of the ISA firewall Group that we do not want to use this application over HTTP, but still allows users access to all other HTTP and HTTPS sites:
  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node in the left pane of the console. Click the Tasks tab in the Task Pane and click the Create New Access Rule link.
  2. On the Welcome to the New Access Rule Wizard page enter the name for the rule in the Access Rule name text box. In this example we’ll name the rule Deny MSN 7.5 over HTTP and click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
  5. In the Add Protocols dialog box, click the Common Protocols folder and then double click the HTTP and HTTPS protocols. Click Close.

(in reply to tshinder)
Post #: 2
RE: Discussion about article on using the ISA firewall ... - 8.Mar.2006 11:53:27 PM   
Timmay

 

Posts: 2
Joined: 7.Nov.2005
Status: offline
Thanks Tom for the article. It was quite helpful. One question: when I apply it, I lose all RealPlayer, Skype and some other programs' access as well. It not only blocks MSN 7.5 Messenger but blocks those as well. What am I doing wrong?

(in reply to tshinder)
Post #: 3
RE: Discussion about article on using the ISA firewall ... - 9.Mar.2006 12:32:34 AM   
jbarsodi

 

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
quote:

ORIGINAL: jbarsodi

Hi Tom,
Great article, one question though.

In your first rule you state that we are creating a 'deny' rule, but in the action you say "Allow".  Is this correct??




Never mind Tom, I re-read it a few times and it makes sense now.

Thanks for the article!

(in reply to jbarsodi)
Post #: 4
RE: Discussion about article on using the ISA firewall ... - 11.Mar.2006 5:04:42 PM   
Philip Colmer

 

Posts: 15
Joined: 25.Mar.2003
Status: offline
Tom

Thanks for the article - great example of user exceptions.

One drawback to the "allow" rule is that it does permit ALL web access. I accept that that is implied by the name of the user group but there may be circumstances when you want to craft a rule that actually only allows HTTP access for MSN Messenger.

Unfortunately, the HTTP security filters only apply to deny rules, as I understand it, so you can't use the user-agent method to work that way, and MS don't exactly make it easy to put a rule in that just allows access to the Messenger servers.

If you have some thoughts on how the HTTP rule could be tightened, I'd appreciate it.

--Philip

(in reply to jbarsodi)
Post #: 5
RE: Discussion about article on using the ISA firewall ... - 12.Mar.2006 8:20:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Philip,

No, the HTTP Security filter only applies to Allow rules, they have no function for deny rules.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Philip Colmer)
Post #: 6
RE: Discussion about article on using the ISA firewall ... - 13.Mar.2006 4:45:11 PM   
Philip Colmer

 

Posts: 15
Joined: 25.Mar.2003
Status: offline
quote:

ORIGINAL: tshinder

No, the HTTP Security filter only applies to Allow rules, they have no function for deny rules.

Tom,

You are (of course) correct. What I meant to say was that the security filters can only be used to block. In other words, it isn't possible to say "Allow traffic through if the signature matches this pattern". You can only block traffic if the signature matches. It is an unfortunate limitation.

--Philip

(in reply to tshinder)
Post #: 7
RE: Discussion about article on using the ISA firewall ... - 13.Mar.2006 7:26:22 PM   
zoubayda04

 

Posts: 2
Joined: 12.Mar.2006
Status: offline
Thanks a lot for this article; it is so useful for ISA 2000 and 2004.

I am using ISA 2000, and I want to disable all HTTP but keep MSN Messenger working.

I tried to make an access policy --> protocol rule --> that denies HTTP for a certain client, but the problem is that it will deny MSN Messenger too.
I tried to make another policy --> that allows MSN and MSN Messenger from the protocol rule to the same IP address of the client, but this did not help; MSN did not work.
I checked that I have enabled SOCKS and its port 1080 in ISA 2000, so maybe the Messenger can connect through it and not through the HTTP protocol, but it still does not work.

So I tried another thing.
From site and content, I made a policy for this IP address:
first I removed the IP address from the list of clients that I had allowed all destinations for,
and made a rule for it that allows only www.msn.com

But maybe this will help to open www.msn.com, but I also want to allow MSN Messenger.

Please reply to me, it's important to me.
zoubayda04@yahoo.com

Thanks, Mr. Thomas W Shinder
 

(in reply to tshinder)
Post #: 8
RE: Discussion about article on using the ISA firewall ... - 17.Mar.2006 4:27:41 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: Philip Colmer

quote:

ORIGINAL: tshinder

No, the HTTP Security filter only applies to Allow rules, they have no function for deny rules.

Tom,

You are (of course) correct. What I meant to say was that the security filters can only be used to block. In other words, it isn't possible to say "Allow traffic through if the signature matches this pattern". You can only block traffic if the signature matches. It is an unfortunate limitation.

--Philip



Hi Philip,

Yes, I agree. I wish we had that option.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Philip Colmer)
Post #: 9
RE: Discussion about article on using the ISA firewall ... - 18.Apr.2006 6:34:22 PM   
denizyalcin

 

Posts: 122
Joined: 19.Jan.2005
From: Turkey
Status: offline
Does anyone know if it's possible to separate the restricted MSN Messengers by their versions? I don't want the users to be able to connect through versions higher than 7.0 because those versions have so much eye candy and so many features which distract the users' attention. They spend their time getting those famous Blue Mountain thingies etc. But we need MSN as a company communication tool, too. I wasn't able to find any difference in the signatures of the 7.0 and 7.5 versions. So I need something else which can separate those versions from one another. I don't want to install anything on the computers to disable those features which come with version 7.5 (and I don't even know if there is some tool which can do it). Can someone help me please?

(in reply to tshinder)
Post #: 10
RE: Discussion about article on using the ISA firewall ... - 19.Apr.2006 3:25:44 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Deni,

Is the file name the same for 7 and 7.5?

thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to denizyalcin)
Post #: 11
RE: Discussion about article on using the ISA firewall ... - 22.Apr.2006 8:34:11 PM   
oh2bamonkey

 

Posts: 2
Joined: 25.Mar.2004
From: san jose, costa rica
Status: offline
Has anyone figured out how to grant MSN Messenger access without giving full internet HTTP access?

I.e. I have group a who have full internet access, group b who have access only to some sites (using Domain Name Sets) and group c who have access to MSN Messenger. Group a contains no users from group b; group c contains users from group a and group b. Users hot desk, so I can't just control access to the program itself.

Right now I have created Address Ranges and Domain Name Sets to try to figure out what destinations to allow for the Messenger group based on the logging, but I get problems like users not seeing their replies for 15 minutes, not being able to log on sometimes, or having their messages undeliverable. Plus the address sets are huge, so I don't know what other sites I have accidentally allowed.

Matt

(in reply to tshinder)
Post #: 12
RE: Discussion about article on using the ISA firewall ... - 1.May2006 2:38:25 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Oh Two,

Why not allow them access to the MSN protocol instead of HTTP?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to oh2bamonkey)
Post #: 13
RE: Discussion about article on using the ISA firewall ... - 1.May2006 11:53:36 PM   
oh2bamonkey

 

Posts: 2
Joined: 25.Mar.2004
From: san jose, costa rica
Status: offline
Tom,

I wish it were that easy!

You need logginet.passport.com for both HTTP and HTTPS to start with.  Then the logs show a bunch of denies to *.msn.com sites - allowing MSN would then give users too much access.

Maybe I will follow your article's advice but instead of denying the MSN Messenger sig, deny the IE sig for this rule.

Matt

(in reply to tshinder)
Post #: 14
RE: Discussion about article on using the ISA firewall ... - 8.May2006 8:27:59 PM   
lithium_mx

 

Posts: 2
Joined: 8.May2006
Status: offline
Hello all

I'm writing from México.

This site really helps me in my new experience using ISA SERVER.

I've got this problem; maybe you can help me, or maybe someone had the same problem.

I followed all the steps described in this article. When I finished configuring, all worked OK; nobody could access MSN Messenger.

When I finished testing these rules, I disabled them, but nobody could access MSN Messenger. I thought maybe there was some configuration I forgot to disable,
but I checked all my rules, and the MSN deny and MSN allow were disabled. I decided to erase them, but the problem still bothers me.

I tried everything (for example this crazy thing): I opened all the traffic to all users for a few minutes; in fact, that was the only rule at that moment, but nobody can access MSN Messenger. It is as if the MSN Messenger signature is still blocked even though the rules do not exist any more.

My problem is that some users use MSN Messenger to communicate with some people for technical support or with some providers.

What do you think I did wrong?

Thanks.

(in reply to tshinder)
Post #: 15
RE: Discussion about article on using the ISA firewall ... - 8.May2006 10:29:43 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: oh2bamonkey

Tom,

I wish it were that easy!

You need logginet.passport.com for both HTTP and HTTPS to start with.  Then the logs show a bunch of denies to *.msn.com sites - allowing MSN would then give users too much access.

Maybe I will follow your article's advice but instead of denying the MSN Messenger sig, deny the IE sig for this rule.

Matt


Hi Matt,

That sounds like a plan. Let us know how it works out for you!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to oh2bamonkey)
Post #: 16
RE: Discussion about article on using the ISA firewall ... - 8.May2006 10:32:33 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: lithium_mx

Hello all

I'm writing from México.

This site really helps me in my new experience using ISA SERVER.

I've got this problem; maybe you can help me, or maybe someone had the same problem.

I followed all the steps described in this article. When I finished configuring, all worked OK; nobody could access MSN Messenger.

When I finished testing these rules, I disabled them, but nobody could access MSN Messenger. I thought maybe there was some configuration I forgot to disable,
but I checked all my rules, and the MSN deny and MSN allow were disabled. I decided to erase them, but the problem still bothers me.

I tried everything (for example this crazy thing): I opened all the traffic to all users for a few minutes; in fact, that was the only rule at that moment, but nobody can access MSN Messenger. It is as if the MSN Messenger signature is still blocked even though the rules do not exist any more.

My problem is that some users use MSN Messenger to communicate with some people for technical support or with some providers.

What do you think I did wrong?

Thanks.



Hi LiMx,

Try restarting the Firewall service to disconnect the current connections.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to lithium_mx)
Post #: 17
RE: Discussion about article on using the ISA firewall ... - 8.May2006 11:41:36 PM   
lithium_mx

 

Posts: 2
Joined: 8.May2006
Status: offline
Thanks for your answer, Tom.

But the problem is very strange: I have restarted the Firewall service, I've restarted my server, but the problem is still there.

After many attempts I could connect 1 time to MSN Messenger today, but this was only for a few minutes; later I lost the connection, and again I cannot connect to MSN.

I have had this problem since last Thursday, when I tested this configuration.

Do you have another idea?

Thanks

Manuel.

(in reply to tshinder)
Post #: 18
RE: Discussion about article on using the ISA firewall ... - 21.May2006 7:14:58 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Manuel,

Could there be a hardware problem? Bad switches, routers, cables?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to lithium_mx)
Post #: 19
RE: Discussion about article on using the ISA firewall ... - 31.May2006 5:42:16 PM   
ivancarlo

 

Posts: 1
Joined: 31.May2006
Status: offline
Greetings,

I'm writing from Lima, Perú.

Thanks Tom for all your helpful articles, especially with the use of RPC Filter to publish the exchange.
But I have a few questions:
- The RPC publishing works fine here in Perú, but in Panama and Colombia it seems not to work (my users are not quite expressive with their explanations), not even wireless. Is there anything we can set up here, or is it something with the ISPs? I'm thinking about using VPN to connect Outlook from outside Perú as plan B.
- Oh, we have here Windows 2000 server with ISA 2000.
- The director wants me to block MSN Messenger, or any chat program, for all users from the server. We tried to use your Tip but we didn't find where to configure the signature text box. Does this tip work with ISA 2000? We hope so.

Thanks again

Ivan

(in reply to tshinder)
Post #: 20
