Welcome to ISAserver.org

how to pass msn throw ISA 2004

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> General >> how to pass msn throw ISA 2004

Page: [1] 2 next > >>

Message

<< Older Topic Newer Topic >>

how to pass msn throw ISA 2004 - 29.Jul.2004 5:48:00 PM

Gillisa

Posts: 1
Joined: 29.Jul.2004
From: france
Status: offline

Hi

I'm rookie in network administrator and i use ISA 2004 for my network enterprise.
My issue : I succed in passing the video and the sound within my network. But with the external connections i could only pass the video and not the sound.
To do this I create a rule which allow all protocols includind Msn messenger protocol and i allow all content type but no success...

I doawload the file msnim.vbs from isatools.org to see how the code is made.
And I create a spTcific protocol similar to the one found in msnim.vbs. That protocol include outgoin and inbound &outbound direction for spTcique ports.I use UDP & TCP protocol.

I failed, and i'm looking for some help
If someone can help me ..
Thank you

NB:Sorry for the my bad english, i'm french

Post #: 1

Featured Links*

RE: how to pass msn throw ISA 2004 - 30.Jul.2004 1:56:00 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Gillisa,

I'll move this to the general section.

Thanks!
Tom

(in reply to Gillisa)

Post #: 2

RE: how to pass msn throw ISA 2004 - 31.Jul.2004 8:04:00 AM

jseyadi

Posts: 17
Joined: 28.Jul.2004
From: Bahrain
Status: offline

Hi there,
I'm facing a funny issue with ISA 2004, Once I install it it blocks MSN massenger by default!. Even when I enable all access from/to all networks MSN does not work. I created a rule specifically for MSN using the default MSN protocol and still it doesn't work!. ICQ and yahoo massengers are working fine.
My firewall policy for now is to allow all protocols (which should include MSN massenger)from Internal to external networks.
I've searched this issue alot but all that I've found were articles on how to block MSN???.
Can anyone please direct me onto how to enable MSN massenger through ISA2004.

[ July 31, 2004, 09:10 AM: Message edited by: Jassim Seyadi ]

(in reply to Gillisa)

Post #: 3

RE: how to pass msn throw ISA 2004 - 1.Aug.2004 7:13:00 AM

jseyadi

Posts: 17
Joined: 28.Jul.2004
From: Bahrain
Status: offline

Ok I'll just update you regarding my issue. I removed all of my policies and started again with new network setup. I created the follwing policies:

1- local machine (ISA server) to access all networks using all protocols and All users.

2- Local Network to Access all Networks using all protocols and all users.

Now when I try to sign up with MSN (Either from the Local Machine or from Internal Network) I can see in the log the following:

Destination IP: 0.0.0.0
Destination Port: 80
Protocol: HTTP
Action: Denied Connection
Rule: <Empty>
Client IP: 10.10.10.5
Client Username: anonymous
Source Network: <Empty>
Destination Network: <Empty>
HTTP Method: POST
URL: http://gateway.messenger.hotmail.com/gateway.....

This is the only denied connection log I see so if someone can explain to me what does it mean i'll appreciate it.

TIA

(in reply to Gillisa)

Post #: 4

RE: how to pass msn throw ISA 2004 - 1.Aug.2004 7:49:00 AM

jseyadi

Posts: 17
Joined: 28.Jul.2004
From: Bahrain
Status: offline

Ok Another update.
I removed the option "Require users to authinticate" in the Local Network configuration and I got rid off the above problem. now I can sign in using MSN messenger. [Smile]

Now I modified my local network Access policy so that only Authinticated Users are allowed to gain access, and now i'm unable to sign in from my local network. [Confused]

I think it has to do with the MSN messenger using anonymous username to sign in??!.

I don't want to allow "All Users" for the pupose of usage log report thats why I want to use "Authinticated Users" only.

Can anybody help.....

(in reply to Gillisa)

Post #: 5

RE: how to pass msn throw ISA 2004 - 2.Aug.2004 1:33:00 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hey guys,

For msn, you need to use Direct Access for msn.com, passport.com and hotmail.com, if you are authenticating at the ISA firewall.

HTH,
Tom

(in reply to Gillisa)

Post #: 6

RE: how to pass msn throw ISA 2004 - 8.Aug.2004 7:21:00 AM

jseyadi

Posts: 17
Joined: 28.Jul.2004
From: Bahrain
Status: offline

Just to update you guy's, I used the firewall client and the problem resolved.

(in reply to Gillisa)

Post #: 7

RE: how to pass msn throw ISA 2004 - 9.Aug.2004 4:11:00 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jassim,

Good to hear you got it working!

However, if you want to use the Web proxy for the MSN client, configure those sites for Direct Access.

HTH,
Tom

(in reply to Gillisa)

Post #: 8

RE: how to pass msn throw ISA 2004 - 11.Aug.2004 6:50:00 AM

jseyadi

Posts: 17
Joined: 28.Jul.2004
From: Bahrain
Status: offline

Tom,

I tried to create a direct access for the following:
"*.msn.com"
"*.passport.com"
"*.hotmail.com"
in the properties of my Internal network. But still MSN does not work. Could you be more specific on how to configure the direct access.

Cheers,
Jassim

(in reply to Gillisa)

Post #: 9

RE: how to pass msn throw ISA 2004 - 11.Aug.2004 2:13:00 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jassim,

Check out:

http://www.isaserver.org/img/upl/spskit/10webproxyclients/10webproxyclients.htm

For principles of Direct Access.

Also, you might want to disable the Web Proxy filter for the HTTP protocol.

HTH,
Tom

(in reply to Gillisa)

Post #: 10

RE: how to pass msn throw ISA 2004 - 15.Aug.2004 9:18:00 AM

jseyadi

Posts: 17
Joined: 28.Jul.2004
From: Bahrain
Status: offline

Hi again,

Ok, I've done my Homework and read the basics of direct access in ISA. I followed the instructions as a good boy. Also, I removed the "Web Proxy Filter" from the HTTP protocol as you suggested.

Still MSN cannot pass my ISA.

Here's the details;
I added *.msn.com, *.passport.com, *.hotmail.com to the direct acess tabs in the Internal network properties.

I've noticed a weired behaviour though:
When I try to browse to "www.hotmail.com" it translate's this URL to "www.www.hotmail.com.com" and "www.msn.com" to "www.www.msn.com.org" ! ,,,, what's going on here????

(in reply to Gillisa)

Post #: 11

RE: how to pass msn throw ISA 2004 - 15.Aug.2004 3:10:00 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jassim,

You need to configure the Web Proxy clients to use the autoconfiguration script so that they can download that config.

Also, how is DNS setup on the ISA firewall's interfaces and the client's interfaces?

Thanks!
Tom

(in reply to Gillisa)

Post #: 12

RE: how to pass msn throw ISA 2004 - 16.Aug.2004 12:15:00 PM

jseyadi

Posts: 17
Joined: 28.Jul.2004
From: Bahrain
Status: offline

Hi Tom,

the web proxy clients are already configured to use the Autoconfiguration script which is "http://myisa.xxx.gov.bh:8080/array.dll?Get.Routing.Script".

Now the interesting part was that i had a miss-configured primary DNS entry on the ISA interface, I corrected it. [Big Grin]

As for DNS on the clients side they are configured through DHCP server which is on a diffrent machine.

Now, I've read the "Configure Automatic Discovery" from the ISA management help files, regarding how to "Configure DHCP for Automatic discovery of ISA Server" and followed the steps to configure my DHCP server. [Cool]

I did not configure my DNS server cause it says that i have to use port 80 while i'm using port 8080.

The DNS translation error I mentioned before still exist. Also MSN still cannot pass through. [Confused]

By the way my ISA is running in a single interface mode, does this setup have any consequences whats-so-ever on what i want to achieve???

[ August 16, 2004, 12:47 PM: Message edited by: Jassim Seyadi ]

(in reply to Gillisa)

Post #: 13

RE: how to pass msn throw ISA 2004 - 17.Aug.2004 9:20:00 PM

njtd

Posts: 11
Joined: 17.Aug.2004
Status: offline

Just create http/https rule in content types tab allow all content type, msn should work fine.

(in reply to Gillisa)

Post #: 14

RE: how to pass msn throw ISA 2004 - 22.Aug.2004 10:26:00 AM

jseyadi

Posts: 17
Joined: 28.Jul.2004
From: Bahrain
Status: offline

Thanks njtd,

But I already have a rule specifying to allow all trafic from Internal to external using all protocols and in the content type the "All content Types" is selected. I tried to simulate your solution but to no avail. [Mad]

If I use Tshnider direct access solution, I cannot see any logging for MSN tryng to access ISA.

I'm really amazed that all of the people using ISA 2004 are not facing this problem, only me,, [Confused]

[ August 22, 2004, 10:27 AM: Message edited by: Jassim Seyadi ]

(in reply to Gillisa)

Post #: 15

RE: how to pass msn throw ISA 2004 - 23.Aug.2004 3:11:00 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

quote:
Originally posted by Jassim Seyadi:
Hi Tom,

the web proxy clients are already configured to use the Autoconfiguration script which is "http://myisa.xxx.gov.bh:8080/array.dll?Get.Routing.Script".

Now the interesting part was that i had a miss-configured primary DNS entry on the ISA interface, I corrected it.

As for DNS on the clients side they are configured through DHCP server which is on a diffrent machine.

Now, I've read the "Configure Automatic Discovery" from the ISA management help files, regarding how to "Configure DHCP for Automatic discovery of ISA Server" and followed the steps to configure my DHCP server.

I did not configure my DNS server cause it says that i have to use port 80 while i'm using port 8080.

The DNS translation error I mentioned before still exist. Also MSN still cannot pass through.

By the way my ISA is running in a single interface mode, does this setup have any consequences whats-so-ever on what i want to achieve???

Hi Jassim,

You use TCP 80 to publish autodiscovery information when using DNS. No problem with that at all, as its the default setting.

HTH,
Tom

(in reply to Gillisa)

Post #: 16

RE: how to pass msn throw ISA 2004 - 23.Aug.2004 3:13:00 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

quote:
Originally posted by Jassim Seyadi:
Thanks njtd,

But I already have a rule specifying to allow all trafic from Internal to external using all protocols and in the content type the "All content Types" is selected. I tried to simulate your solution but to no avail.

If I use Tshnider direct access solution, I cannot see any logging for MSN tryng to access ISA.

I'm really amazed that all of the people using ISA 2004 are not facing this problem, only me,,

Hi Jassim,

Just make sure that Direct Access is configured for

*.passport.com
*.msn.com
*.microsoft.com
*.hotmail.com

HTH,
Tom

(in reply to Gillisa)

Post #: 17

RE: how to pass msn throw ISA 2004 - 27.Aug.2004 12:58:00 PM

snewby

Posts: 18
Joined: 30.Mar.2004
Status: offline

I got around it by excluding *.msn.com, *.hotmail.com, *.passport.com from my standard web access rule networks, as this rule is based on specific user groups.
I then created an additional rule that allows "all users" just to the networks listed above.
This does mean that ISA logs Messenger access and you do get the IP address using this, although the user logging does show as anonymous.

(in reply to Gillisa)

Post #: 18

RE: how to pass msn throw ISA 2004 - 3.Mar.2005 10:12:00 PM

jvanepps

Posts: 24
Joined: 28.May2003
From: Louisiana
Status: offline

Great job, that worked. All the other methods dont work. I am surprised Tom does not mention this here, as the book pretty much says the only way to allow msn is via allowing anonymous access to the msn sites.

(in reply to Gillisa)

Post #: 19

RE: how to pass msn throw ISA 2004 - 16.Jul.2006 4:51:28 PM

samipk

Posts: 4
Joined: 16.Jul.2006
Status: offline

quote:

ORIGINAL: snewby

I got around it by excluding *.msn.com, *.hotmail.com, *.passport.com from my standard web access rule networks, as this rule is based on specific user groups.
I then created an additional rule that allows "all users" just to the networks listed above.
This does mean that ISA logs Messenger access and you do get the IP address using this, although the user logging does show as anonymous.

ok i have the same problem i am getting failed connections from gateway.messenger.hotmail.com and also from login.live.com i am using isa server 2004 and have quite a few clients connected using differnet versions of msn like live messenger and msn messenger 7.0 but they cant login

i tried using direct access technique by adding *.hotmail.com;*.live.com;*.passport.com;*.msn,com;*.microsoft.com
in the exceptions tab in the internet explorer proxy setting like its stated in an article which is this one

http://www.isaserver.org/img/upl/spskit/10webproxyclients/10webproxyclients.htm

but the clients cant login the clients have firewall client installed but still no luck,
i wanted to ask another thing that i just followed the instructions for

Step-by-Step How To: Manually Configuring Web Proxy Clients for Direct Access

in that article and didnt follow instruction in the whole article as its basically for isa 2000 and not for 2004 am i ok with this??
another thing i watned to ask that do i have to leave a space after the semicolon in the exception tab of proxy section like *.hotmail.com; *.live.com

or i can use no spaces like
*.hotmail.com;*.live.com

this all might be confusing but i am really stuck in here so cant think of much :(

(in reply to snewby)

Post #: 20