Discussion about article on using the ISA firewall to enable selective IM use (Full Version)






tshinder -> Discussion about article on using the ISA firewall to enable selective IM use (8.Mar.2006 2:38:34 PM)

This thread is for discussing the article on enabling selective use of Instant Messengers at http://www.isaserver.org/tutorials/ISA-Firewall-Quick-Tip-Blocking-MSN-Messenger-Access-Enabling-Access-Some-Users.html

Thanks!
Tom




jbarsodi -> RE: Discussion about article on using the ISA firewall to enable selective IM use (8.Mar.2006 11:45:19 PM)

Hi Tom,
Great article, one question though.

In your first rule you state that we are creating a 'deny' rule, but in the action you say "Allow".  Is this correct??


quote:


The first step is to create the rule that will deny access to MSN Messenger to members of the ISA firewall Group that we do not want to use this application over HTTP, but still allows users access to all other HTTP and HTTPS sites:
  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node in the left pane of the console. Click the Tasks tab in the Task Pane and click the Create New Access Rule link.
  2. On the Welcome to the New Access Rule Wizard page enter the name for the rule in the Access Rule name text box. In this example we’ll name the rule Deny MSN 7.5 over HTTP and click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
  5. In the Add Protocols dialog box, click the Common Protocols folder and then double click the HTTP and HTTPS protocols. Click Close.




Timmay -> RE: Discussion about article on using the ISA firewall to enable selective IM use (8.Mar.2006 11:53:27 PM)

Thanks Tom for the article. It was quite helpful. One question: when I apply it, I lose all RealPlayer, Skype and some other programs' access as well. It not only blocks MSN 7.5 Messenger but blocks those as well. What am I doing wrong?




jbarsodi -> RE: Discussion about article on using the ISA firewall to enable selective IM use (9.Mar.2006 12:32:34 AM)

quote:

ORIGINAL: jbarsodi

Hi Tom,
Great article, one question though.

In your first rule you state that we are creating a 'deny' rule, but in the action you say "Allow".  Is this correct??




Never mind Tom, I re-read it a few times and it makes sense now.

Thanks for the article!




Philip Colmer -> RE: Discussion about article on using the ISA firewall to enable selective IM use (11.Mar.2006 5:04:42 PM)

Tom

Thanks for the article - great example of user exceptions.

One drawback to the "allow" rule is that it does permit ALL web access. I accept that that is implied by the name of the user group but there may be circumstances when you want to craft a rule that actually only allows HTTP access for MSN Messenger.

Unfortunately, the HTTP security filters only apply to deny rules, as I understand it, so you can't use the user-agent method to work that way, and MS don't exactly make it easy to put a rule in that just allows access to the Messenger servers.

If you have some thoughts on how the HTTP rule could be tightened, I'd appreciate it.

--Philip




tshinder -> RE: Discussion about article on using the ISA firewall to enable selective IM use (12.Mar.2006 8:20:00 PM)

Hi Philip,

No, the HTTP Security filter only applies to Allow rules, they have no function for deny rules.

HTH,
Tom




Philip Colmer -> RE: Discussion about article on using the ISA firewall to enable selective IM use (13.Mar.2006 4:45:11 PM)

quote:

ORIGINAL: tshinder

No, the HTTP Security filter only applies to Allow rules, they have no function for deny rules.

Tom,

You are (of course [;)]) correct. What I meant to say was that the security filters can only be used to block. In other words, it isn't possible to say "Allow traffic through if the signature matches this pattern". You can only block traffic if the signature matches. It is an unfortunate limitation.

--Philip




zoubayda04 -> RE: Discussion about article on using the ISA firewall to enable selective IM use (13.Mar.2006 7:26:22 PM)

Thanks a lot for this article; it is so useful for ISA 2000 and 2004.

I am using ISA 2000, and I want to disable all HTTP but keep MSN Messenger working.

I tried to make an access policy --> protocol rule --> that denies HTTP for a certain client, but the problem is that it will deny MSN Messenger too.
I tried to make another policy that allows MSN and MSN Messenger from the protocol rule to the same IP address of the client, but this did not help; MSN did not work.
I checked that I have enabled SOCKS and its port 1080 in ISA 2000, so maybe Messenger can connect through it and not through the HTTP protocol, but it still does not work.

So I tried another thing.
From site and content, I made a policy for this IP address:
first I removed the IP address from the list of clients that I had allowed all destinations for,
and made a rule for it that allows only www.msn.com.

But maybe this will help to open www.msn.com, but I also want to allow MSN Messenger.

Please reply to me, it's important to me.
zoubayda04@yahoo.com

Thanks, Mr. Thomas W Shinder
 




tshinder -> RE: Discussion about article on using the ISA firewall to enable selective IM use (17.Mar.2006 4:27:41 PM)

quote:

ORIGINAL: Philip Colmer

quote:

ORIGINAL: tshinder

No, the HTTP Security filter only applies to Allow rules, they have no function for deny rules.

Tom,

You are (of course [;)]) correct. What I meant to say was that the security filters can only be used to block. In other words, it isn't possible to say "Allow traffic through if the signature matches this pattern". You can only block traffic if the signature matches. It is an unfortunate limitation.

--Philip



Hi Philip,

Yes, I agree. I wish we had that option.

Tom




denizyalcin -> RE: Discussion about article on using the ISA firewall to enable selective IM use (18.Apr.2006 6:34:22 PM)

Does anyone know if it's possible to separate the restricted MSN Messengers by their versions? I don't want the users to be able to connect through versions higher than 7.0, because those versions have so much eye candy and so many features which distract the users' attention. They spend their time getting those famous Blue Mountain thingies etc. But we need MSN as a company communication tool, too. I wasn't able to find any difference in the signatures of the 7.0 and 7.5 versions. So I need something else which can separate those versions from one another. I don't want to install anything on the computers to disable those features which come with version 7.5 (and I don't even know if there is some tool which can do it). Can someone help me please?




tshinder -> RE: Discussion about article on using the ISA firewall to enable selective IM use (19.Apr.2006 3:25:44 AM)

Hi Deni,

Is the file name the same for 7 and 7.5?

thanks!
Tom




oh2bamonkey -> RE: Discussion about article on using the ISA firewall to enable selective IM use (22.Apr.2006 8:34:11 PM)

Has anyone figured out how to grant MSN Messenger access without giving full internet HTTP access?

I.e. I have group a who have full internet access, group b who have access only to some sites (using Domain Name Sets) and group c who have access to MSN Messenger. Group a contains no users from group b; group c contains users from group a and group b. Users hot desk, so I can't just control access to the program itself.

Right now I have created Address Ranges and Domain Name Sets to try to figure out what destinations to allow for the Messenger group based on the logging, but I get problems like users not seeing their replies for 15 minutes, not being able to log on sometimes, or having their messages undeliverable. Plus the address sets are huge, so I don't know what other sites I have accidentally allowed.

Matt




tshinder -> RE: Discussion about article on using the ISA firewall to enable selective IM use (1.May2006 2:38:25 PM)

Hi Oh Two,

Why not allow them access to the MSN protocol instead of HTTP?

Thanks!
Tom




oh2bamonkey -> RE: Discussion about article on using the ISA firewall to enable selective IM use (1.May2006 11:53:36 PM)

Tom,

I wish it were that easy!

You need logginet.passport.com for both HTTP and HTTPS to start with.  Then the logs show a bunch of denies to *.msn.com sites - allowing MSN would then give users too much access.

Maybe I will follow your article's advice but instead of denying the MSN Messenger sig, deny the IE sig for this rule.

Matt




lithium_mx -> RE: Discussion about article on using the ISA firewall to enable selective IM use (8.May2006 8:27:59 PM)

Hello all

I'm writing from México.

This site really helps me in my new experience using ISA Server.

I have this problem; maybe you can help me, or maybe someone has had the same problem.

I followed all the steps described in this article. When I finished configuring, everything worked OK; nobody could access MSN Messenger.

When I finished testing these rules, I disabled them, but nobody could access MSN Messenger. I thought maybe there was some configuration I forgot to disable,
but I checked all my rules, and the MSN deny and MSN allow were disabled. I decided to erase them, but the problem still bothers me.

I tried everything (for example this crazy thing): I opened all the traffic to all users for a few minutes; in fact, that was the only rule at that moment, but nobody can access MSN Messenger. It is as if the MSN Messenger signature still blocks even though the rules do not exist any more.

My problem is that some users use MSN Messenger to communicate with some guys for technical support or with some providers.

What do you think I did wrong?

Thanks.




tshinder -> RE: Discussion about article on using the ISA firewall to enable selective IM use (8.May2006 10:29:43 PM)

quote:

ORIGINAL: oh2bamonkey

Tom,

I wish it were that easy!

You need logginet.passport.com for both HTTP and HTTPS to start with.  Then the logs show a bunch of denies to *.msn.com sites - allowing MSN would then give users too much access.

Maybe I will follow your article's advice but instead of denying the MSN Messenger sig, deny the IE sig for this rule.

Matt


Hi Matt,

That sounds like a plan. Let us know how it works out for you!

Thanks!
Tom




tshinder -> RE: Discussion about article on using the ISA firewall to enable selective IM use (8.May2006 10:32:33 PM)

quote:

ORIGINAL: lithium_mx

Hello all

I'm writing from México.

This site really helps me in my new experience using ISA Server.

I have this problem; maybe you can help me, or maybe someone has had the same problem.

I followed all the steps described in this article. When I finished configuring, everything worked OK; nobody could access MSN Messenger.

When I finished testing these rules, I disabled them, but nobody could access MSN Messenger. I thought maybe there was some configuration I forgot to disable,
but I checked all my rules, and the MSN deny and MSN allow were disabled. I decided to erase them, but the problem still bothers me.

I tried everything (for example this crazy thing): I opened all the traffic to all users for a few minutes; in fact, that was the only rule at that moment, but nobody can access MSN Messenger. It is as if the MSN Messenger signature still blocks even though the rules do not exist any more.

My problem is that some users use MSN Messenger to communicate with some guys for technical support or with some providers.

What do you think I did wrong?

Thanks.



Hi LiMx,

Try restarting the Firewall service to disconnect the current connections.

HTH,
Tom




lithium_mx -> RE: Discussion about article on using the ISA firewall to enable selective IM use (8.May2006 11:41:36 PM)

Thanks for your answer, Tom.

But the problem is very strange. I have restarted the firewall service, I've restarted my server, but the problem is still there.

After many attempts I could connect 1 time to MSN Messenger today, but this was only for a few minutes; later I lost the connection, and again I cannot connect to MSN.

I have had this problem since last Thursday, when I tested this configuration.

Do you have another idea?

Thanks

Manuel.




tshinder -> RE: Discussion about article on using the ISA firewall to enable selective IM use (21.May2006 7:14:58 PM)

Hi Manuel,

Could there be a hardware problem? Bad switches, routers, cables?

Thanks!
Tom




ivancarlo -> RE: Discussion about article on using the ISA firewall to enable selective IM use (31.May2006 5:42:16 PM)

Greetings,

I'm writing from Lima, Perú.

Thanks Tom for all your helpful articles, especially with the use of RPC Filter to publish the exchange.
But I have a few questions:
- The RPC publishing works fine here in Perú, but in Panama and Colombia it seems not to work (my users are not quite expressive with their explanations), not even wireless. Is there anything we can set up here, or is it something with the ISPs? I'm thinking about using VPN to connect Outlook from outside Perú as plan B.
- Oh, we have here Windows 2000 Server with ISA 2000.
- The director wants me to block MSN Messenger, or any chat program, for all users from the server. We tried to use your tip but we didn't find where to configure the signature text box. Does this tip work with ISA 2000? We hope so.

Thanks again

Ivan



