Instant Messaging with ISA Server
Overview
This article focuses on the issues of instant messaging from your
enterprise to the Internet using Microsoft instant messaging clients —
MSN Messenger 5.0+ and Windows Messenger. Windows Messenger is included
with Microsoft® Windows® XP and is installed when you install the
operating system. MSN Messenger 5.0 is included with MSN® 8.0 and is
also available as a separate download. For more information on Windows
Messenger and MSN Messenger, see the section About instant messaging
applications.
Concepts and Procedures
This section includes:
- Instant messaging issues in the enterprise
- ISA Server issues
- Configuring ISA Server to allow instant text messaging
- Configuring Firewall clients for instant messaging
Instant Messaging Issues in the Enterprise
Instant messaging applications are becoming
more popular. Because people become accustomed to the quick response time
that instant messaging applications provide, the impetus to use the same
tools in a business environment grows. Instant messaging applications
provide a real-time experience that can enhance business communications.
However, before considering the use of such applications, it is important to
consider the security issues inherent in such systems.
Instant messaging applications like MSN
Messenger and Windows Messenger are not designed to provide total user
authentication and encryption for communications, although there are
third-party solutions available to enhance these features. The architecture
of instant messaging applications can make them difficult to deploy in a
secure enterprise setting. This presents a number of security issues that
might potentially compromise the security policy you have set in place to
keep your internal network resources private and protected from direct
access by external sources. Potential security issues include:
- Lack of desktop control. Users might be able to independently install and use messaging client software on their computers. This could introduce potentially hazardous traffic into your internal network without the knowledge of security administrators.
- Exposure of internal IP addresses. Some instant messaging features require exposing internal IP addresses of client computers to instant messaging servers on the Internet, or directly to other instant messaging clients.
- Viruses. File transfer mechanisms can introduce viruses into your organization when files are sent to internal computers from external sources.
- Performance. With uncontrolled use of instant messaging features, bandwidth and disk issues are a potential problem.
- Privacy. The MSN protocol used by MSN Messenger and Windows Messenger has a command syntax that is ASCII-based, and messages are transmitted in plain text. This can have implications for privacy and legal issues, because messages are transferred between internal and external networks in unencrypted text.
- Access control. Remote Assistance uses the same Remote Desktop Protocol (RDP) used in Windows Terminal Services, and allows administrators full control of the user’s computer, giving them access to any internal resources on that host. This access may extend to the domain, depending on whether the administrator has credentials there.
- Impersonation. Although Windows Messenger and MSN Messenger use Passport credentials to log on to the service, users are not forced to use strong passwords in those credentials. Their online "identity" could potentially be hijacked by malicious parties.
ISA Server Issues
There are several common issues that affect
the general use of instant messaging applications with firewall devices. For
Microsoft Internet Security and Acceleration (ISA) Server with MSN Messenger
and Windows Messenger, these include:
- Complex protocols. The MSN Messenger protocol used by MSN Messenger and Windows Messenger is a complex protocol that may use multiple ports to connect to the messenger server and to send and receive data for some instant messaging features. ISA Server SecureNAT clients require an application filter to handle complex protocols, and ISA Server does not provide such a filter for the complex MSN Messenger protocol. Only the Firewall client can handle complex protocols without an application filter. This means that SecureNAT (and Web Proxy) clients are limited to using only the text messaging chat feature of MSN Messenger and Windows Messenger.
- Network address translation (NAT). ISA Server NAT functionality protects internal private IP addresses by translating private addresses to the public IP address of the ISA Server external interface, allowing a single external IP address to be shared between multiple internal clients. Some client-to-client instant messaging features, such as VoIP, whiteboard, and file transfers, require that an internal computer behind the ISA Server computer make its IP address known to an external computer. Because the internal client’s address cannot be used by an external client to initiate a communications session with the internal computer, the connection will fail.
- UPnP. UPnP-enabled NAT devices and firewalls can overcome NAT issues and determine translated IP addresses. ISA Server is not UPnP-enabled.
- SIPS. Features such as voice, video, application sharing, and whiteboard require a connection to be made between an internal and external client, and use SIP Signaling (SIPS) to set up the communication session, which then uses dynamic ports. For example, using audio/video (AV) requires opening all UDP ports between 5004 and 65535 to allow SIP and media streams (RTP) to cross the firewall. The use of dynamic ports without an associated application filter is a problem because ISA Server does not have information about which ports to open and at what time. No ISA Server SIP application filter is available to circumvent this issue.
Summary of Instant Messaging Features Available in ISA Server
As a result of the issues outlined
previously, MSN Messenger and Windows Messenger functionality through ISA
Server can be summarized thus:
- In general, communication between internal clients inside the firewall should work, unaffected by ISA Server NAT issues. (This does not address complex internal networking configurations.) Generally, we recommend that you avoid using ISA Server to control internal communications.
- The instant text messaging chat feature is essentially a client/server application where the client logs onto the messenger server on TCP port 1863, and sends a chat session request. The server mediates the communication between the two clients, and this avoids NAT issues that arise when an external client needs to have the IP address of the internal client.
- Instant text messaging chat can go out through the HTTP Web Proxy client, and you can create a content group to add the instant messaging MIME type.
- Audio, video and whiteboard features use a variation of the SIP protocol and will not succeed through ISA Server if the session is initiated by the internal client behind the ISA Server computer. The only functional session occurs when the session is initiated by an external Internet client.
- The Remote Assistance feature uses Remote Desktop Protocol (RDP), the same protocol used by Microsoft Terminal Services. Such a connection cannot be enabled for NAT through a non-UPnP device such as ISA Server, without applying specific ISA Server configuration for each individual Remote Assistance session.
- The file transfer feature requires the computer sending the file to pass its IP address to the receiving computer through the messenger server, and this presents NAT problems. Firewall clients can use file transfer by making a change to the Firewall client application settings, and by creating a protocol definition with secondary connections to define the ports required for file transfer.
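The issues and feature summary above come down to a handful of ports and one MIME type, which is enough to inventory which internal hosts are actually using instant messaging and which features they use. The following is an added example (not code from the article or from ISA Server): it classifies connection records by the ports and content type the article names and reports per-host usage, flagging file transfer in particular because the article identifies it as the virus vector. The record format and the sample lines are constructed for the example and are not the ISA Server log format; the 10.0.0.0/8 clients and the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 destinations are documentation addresses.

```python
"""Inventory of instant-messaging use from firewall connection records.

Added example, not code from the original article or from ISA Server.
The record format is a simplified, constructed one (client IP,
destination IP, transport, destination port, optional HTTP content
type); it is NOT the ISA Server log format. The port numbers and MIME
type are the ones the article gives: TCP 1863 for chat, TCP 6891-6900
for file transfer, UDP 5004-65535 for SIP-signalled audio/video, and
application/x-msn-messenger for chat relayed through the Web Proxy.
"""
from collections import defaultdict

CHAT_PORT = 1863
FILE_TRANSFER_PORTS = range(6891, 6901)   # 6891-6900 inclusive
AV_UDP_PORTS = range(5004, 65536)         # very broad; treat matches as a hint only
CHAT_MIME = "application/x-msn-messenger"

# Constructed sample records (documentation IP ranges), one per line:
# "client_ip dst_ip transport dst_port [content_type]"
SAMPLE_LOG = """\
10.0.0.15 198.51.100.20 TCP 1863
10.0.0.15 198.51.100.20 TCP 1863
10.0.0.22 203.0.113.7 TCP 6891
10.0.0.22 203.0.113.7 TCP 6892
10.0.0.31 198.51.100.20 TCP 80 application/x-msn-messenger
10.0.0.44 203.0.113.9 UDP 5062
10.0.0.50 192.0.2.5 TCP 443
"""


def classify(transport, dst_port, content_type=None):
    """Map one connection to the messenger feature it most likely carries, or None."""
    if transport == "TCP" and dst_port == CHAT_PORT:
        return "chat"
    if transport == "TCP" and dst_port in FILE_TRANSFER_PORTS:
        return "file-transfer"
    if transport == "TCP" and content_type == CHAT_MIME:
        return "chat-via-web-proxy"
    if transport == "UDP" and dst_port in AV_UDP_PORTS:
        # Almost any high UDP port matches, so this only says "worth a look".
        return "possible-audio-video"
    return None


def parse_record(line):
    """Parse one constructed record; returns None for blank or malformed lines."""
    fields = line.split()
    if len(fields) < 4:
        return None
    client_ip, dst_ip, transport, port = fields[:4]
    try:
        port = int(port)
    except ValueError:
        return None
    content_type = fields[4] if len(fields) > 4 else None
    return client_ip, dst_ip, transport.upper(), port, content_type


def inventory(log_text):
    """Return {client_ip: {feature: connection_count}} for hosts showing IM activity."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        client_ip, _dst_ip, transport, port, content_type = record
        feature = classify(transport, port, content_type)
        if feature is not None:
            seen[client_ip][feature] += 1
    return {client: dict(features) for client, features in seen.items()}


def hosts_using(inv, feature):
    """Sorted list of client addresses whose inventory includes the given feature."""
    return sorted(client for client, features in inv.items() if feature in features)


if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    for client, features in sorted(inv.items()):
        print(client, features)
    print("file transfer (virus vector) seen from:", hosts_using(inv, "file-transfer"))
```

The UDP check is deliberately reported as "possible" only: the article's 5004-65535 range covers nearly all high UDP ports, so it is useful for spotting a host worth examining, not as a definitive indicator. The TCP 1863 and 6891-6900 matches are much more specific, and a host appearing under "file-transfer" is one where the uncontrolled-desktop and virus concerns from the issues list apply directly.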
Configuring ISA Server to Allow Instant Text Messaging
This section provides procedures to:
- Configure text messaging through Web Proxy
- Configure text messaging for SecureNAT clients
Configure Text Messaging Through Web Proxy
To use instant text messaging (chat)
through the Web Proxy service, you need to set up a default protocol rule to
allow the HTTP protocol, and then add the content group to your HTTP
available content types.
- In the console tree of ISA Manager, click to expand Access Policy, right-click Protocol Rules, and then click New, Rule.
- In Name, give the protocol rule a name, and then click Next.
- Click Allow, and then click Next.
- In Apply this rule to, click to select Selected Protocols, and then in Protocols, select HTTP. Then click Next.
- In Schedule, click Next to accept the default, or set up a schedule for applying the rule.
- In Apply the rule to requests from, select Any request, and then click Next.
- Click Finish to finish creating the new protocol rule.
Once you have created a protocol rule, add
the content group:
- In the console tree of ISA Manager, click to expand Access Policy, and then click Site and Content Rules.
- In the details pane, right-click the ISA Server default Site and Content rule, and then click Properties.
- On the HTTP Content tab, select Specified content groups, and then click New.
- In Name, type a name for the new content group.
- In Available Types, type application/x-msn-messenger, and then click Add.
Note: If ISA Server requires outgoing Web requests to be authenticated, MSN Messenger 5.0 supports Basic authentication for HTTP. Earlier versions of Microsoft Messenger do not support HTTP authentication.
To enable anonymous authentication for outgoing HTTP requests on ISA Server, in ISA Management, right-click the name of the ISA Server computer, and then click Properties. On the Outgoing Web Requests tab, ensure that Ask unauthenticated users for identification is not checked. In addition, ensure that you either provide an anonymous Site and Content Rule for instant messaging content and destination, or alternatively do not authenticate any requests.
Configure Text Messaging for SecureNAT Clients
If the client computer's Web browser is not
set up to use ISA Server as a proxy, and you want to configure SecureNAT
clients for instant text messaging, you need to set up an access policy rule
for the ISA Server MSN Messenger protocol, which is included in ISA Server
predefined protocol definitions. Do this as follows:
- In the console tree of ISA Manager, click to expand Access Policy, right-click Protocol Rules, and then click New, Rule.
- In Name, type a name for the new protocol rule, and then click Next.
- Click Allow, and then click Next.
- In Apply this rule to, click to select Selected Protocols, and then in Protocols, select MSN Messenger. Then click Next.
- In Schedule, click Next to accept the default, or set up a schedule for applying the rule.
- In Apply the rule to requests from, select Any request, and then click Next.
- Click Finish to finish creating the new protocol rule.
Note: The ISA Server predefined MSN Messenger protocol definition is a simple protocol definition that defines a primary connection on TCP port 1863, which is the port MSN Messenger and Windows Messenger use for instant text messaging.
Configuring Firewall Clients for Instant Messaging
In an ISA Server deployment that follows
the best security practice of denying everything and then allowing only what
is necessary, the Firewall client, like the SecureNAT client, requires an
access policy rule for the predefined MSN Messenger protocol for instant
text messaging. To configure only the instant text messaging feature for
Firewall client, follow the instructions in Configure text messaging for
SecureNAT clients.
In addition to instant chat messaging, the
ISA Server Firewall client can use the file transfer feature. For file
transfer, the initiating computer must pass its IP address to the other
client through the instant messaging server. For the Firewall client to
overcome NAT issues, you need to ensure that the IP address of the ISA
Server external interface is exposed, instead of an internal address. This
is done by adding the value of NameResolutionForLocalHost=E in the
application settings for the Firewall client. The Firewall client settings
must be updated after the application setting change is made on the ISA
Server computer.
A new protocol definition is also required to define the secondary ports required for file transfer. (The ISA Server predefined MSN Messenger protocol only defines port 1863.) For file transfer, both incoming and outgoing TCP connections use the port range 6891 to 6900. This allows 10 simultaneous file transfers per sender; if only port 6891 is defined, only one file transfer at a time can be done. After these settings are configured, during a file transfer the instant messenger server will receive the IP address of the external interface and pass it to the other client. The secondary ports enable the internal messenger client to receive requests from the receiving computer.
To configure these settings automatically for Firewall clients, download Msnim.vbs, available from the ISA Server Tools Repository, and do the following:
- Run Msnim.vbs on the ISA Server computer.
- Restart the Firewall service.
- Exit the instant messaging client application. (Do not log off.)
- Refresh the Firewall client.
- Restart the instant messaging client application.
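The two requirements the preceding paragraphs place on Firewall client file transfer (an externally reachable address handed to the peer, and a protocol definition with secondary connections on TCP 6891-6900) are easy to get half right, so it helps to see both checked together. The following is an added example, written for this page and not taken from the article, from Msnim.vbs, or from the ISA Server object model: a small model of a protocol definition with primary and secondary connections that reports which connection attempts a definition permits, how many transfers the secondary range supports at once, and why a transfer fails when only one of the two requirements is met. The port numbers are the article's; the class names and the assumed 10.0.0.0/8 internal network are this example's own constructions.

```python
"""Model of a protocol definition with primary and secondary connections.

Added example, not the article's code and not ISA Server's own object
model. It checks, for the MSN Messenger file-transfer case the article
describes, which connection attempts a definition permits, how many
transfers the secondary port range allows at once, and why a transfer
fails when an internal address is advertised. Port numbers come from the
article (primary TCP 1863; secondary TCP 6891-6900 in both directions);
the class names and the 10.0.0.0/8 internal network are this example's
own assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed internal address space behind the ISA Server computer (constructed).
INTERNAL_NETWORK = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Connection:
    """A port range with transport and direction as seen from the internal client."""
    low: int
    high: int
    transport: str = "TCP"
    direction: str = "outbound"   # "outbound", "inbound" or "both"

    def matches(self, transport, port, direction):
        return (transport == self.transport
                and self.low <= port <= self.high
                and self.direction in (direction, "both"))


@dataclass
class ProtocolDefinition:
    name: str
    primary: Connection
    secondary: list = field(default_factory=list)

    def permits(self, transport, port, direction):
        """True if the primary or any secondary connection covers this attempt."""
        return any(c.matches(transport, port, direction)
                   for c in [self.primary, *self.secondary])

    def inbound_secondary_ports(self):
        """TCP ports on which an external peer may connect back to the internal client."""
        ports = set()
        for c in self.secondary:
            if c.transport == "TCP" and c.direction in ("inbound", "both"):
                ports.update(range(c.low, c.high + 1))
        return ports


def msn_messenger_predefined():
    """The predefined definition the article describes: only TCP 1863 outbound."""
    return ProtocolDefinition("MSN Messenger", Connection(1863, 1863))


def msn_messenger_with_file_transfer(high_port=6900):
    """Custom definition adding TCP 6891..high_port in both directions (6900 per the article)."""
    return ProtocolDefinition(
        "MSN Messenger with file transfer",
        Connection(1863, 1863),
        [Connection(6891, high_port, "TCP", "both")],
    )


def max_concurrent_transfers(defn):
    """Each transfer needs its own inbound port, so the port count caps the parallelism."""
    return len(defn.inbound_secondary_ports())


def file_transfer_check(defn, advertised_ip):
    """Explain whether a transfer announced with `advertised_ip` can succeed.

    Two things must hold: the address handed to the peer via the messenger
    server must be reachable from outside (the external interface, which is
    what NameResolutionForLocalHost=E achieves for Firewall clients), and the
    definition must permit the peer's inbound secondary connection.
    """
    if ipaddress.ip_address(advertised_ip) in INTERNAL_NETWORK:
        return False, "internal address advertised; the external peer cannot reach it"
    if not defn.inbound_secondary_ports():
        return False, "no inbound secondary connections; the peer's connection is dropped"
    return True, "ok"


if __name__ == "__main__":
    ext = "203.0.113.10"   # constructed external interface address
    print(file_transfer_check(msn_messenger_predefined(), "10.0.0.22"))
    print(file_transfer_check(msn_messenger_predefined(), ext))
    print(file_transfer_check(msn_messenger_with_file_transfer(), ext))
    print("transfers at once, 6891-6900:", max_concurrent_transfers(msn_messenger_with_file_transfer()))
    print("transfers at once, 6891 only:", max_concurrent_transfers(msn_messenger_with_file_transfer(6891)))
```

Run stand-alone, the script shows the three outcomes the article describes: an internal address advertised to the peer fails regardless of the definition, the predefined definition fails even with the external address because nothing admits the peer's connection back in, and only the combination of the external address and the 6891-6900 secondary range succeeds, with the range width (ten ports, or one if only 6891 is defined) bounding the number of simultaneous transfers.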
Best Practices
By understanding the implications of using instant messaging in your organization and by implementing a clear best practice policy, you can use instant messaging features for your business advantage without compromising security requirements. Your best practice policy will be based on the following:
- An understanding of the security implications inherent in using instant messaging features in your organization.
- An understanding of how you can use instant messaging with your firewall system, and of the limitations imposed by your firewall configuration.
- A secure firewall configuration to manage security for instant messaging across your enterprise.
- A consistent implementation policy for managing instant messaging on your client computers.
- Clear and well-publicized guidelines to users about the kind of information that can and cannot be distributed in instant messaging.
Additional Information
This section describes the instant messaging applications referred to in this article.
About Instant Messaging Applications
There are a number of instant messaging
applications, including AOL Instant Messenger, ICQ, and Yahoo Messenger.
Microsoft offers the following:
Server solutions for instant messaging:
- Exchange 2000 Instant Messaging (IM) Service. This back-end service is included with Exchange 2000. It provides a server solution for enterprise instant messaging.
- Microsoft .NET Messenger Service (formerly MSN Messenger service). This free back-end service is provided by Microsoft. It is tailored for public use in Internet-based communications.
Instant messaging client applications:
- Instant Messaging (IM) client for Exchange 2000 Instant Messaging Service. This client is included with Exchange 2000. It uses Active Directory® directory service to provide additional security and identity controls critical to enterprise customers. The IM Client for Exchange 2000 uses the same MSN or Windows Messenger client interface as the Microsoft .NET Messenger Service. For more information on instant messaging within the enterprise using the IM Client for Exchange 2000, see Instant Messaging (IM) Client for Exchange 2000 Instant Messaging Service.
- MSN Messenger. MSN Messenger is a messaging client application provided with Windows 9x, Windows NT® and Windows 2000. MSN Messenger uses NetMeeting for videoconferencing. For instructions on setting up NetMeeting, see the article entitled "H.323 GateKeeper doc" in the ISA Server Tools Repository.
- Windows Messenger. Windows Messenger is a messaging client application included with Windows XP. Windows Messenger combines the functionality of MSN Messenger and the NetMeeting videoconferencing application. Windows Messenger is included with Windows XP and is installed when you install the operating system. MSN Messenger 5.0 is included with MSN 8.0 and is also available as a separate download. Note the following:
  - You cannot install Windows Messenger on non-Windows XP-based computers.
  - Windows Messenger can be run together with MSN Messenger 5.0 on computers running Windows XP. Earlier versions of MSN Messenger cannot run alongside Windows Messenger.
The MSN Messenger client and the Windows Messenger client both use the MSN Messenger protocol. The MSN Messenger protocol works over TCP/IP, and the server components support connections on port number 1863, which is the registered port number assigned by the IANA. The MSN Messenger protocol is a complex protocol (it uses more than one protocol or port per session). MSN Messenger and Windows Messenger provide the following functionality:
- Instant messaging
- Voice or video over IP (SIP signaling)
- Application sharing (SIP signaling)
- Whiteboard sharing (SIP signaling)
- File transfer
- Remote assistance (RDP)
Summary
This article outlines the limitations that exist in using Microsoft
instant messaging applications — MSN Messenger and Windows Messenger,
over your ISA Server firewall. It explains some of the general concepts
inherent in using instant messaging features with firewall and NAT
devices, and contains some tips and hints to help you consider how you
can make best use of instant messaging functionality in your
organization, without compromising your security principles.
Source: Microsoft Corporation