MSN Messenger problem
- From: Toby Groves <toby.groves@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 31 May 2008 12:16:28 +0100
Hi,
Got a problem here which I can't see a way around, hope someone can
help.
Running ISA 2004 with latest service pack on a 2003 Server.
I have a rule configured to allow general web access. This is
configured for "All Users" as we need to permit web access to
un-authenticated clients. This works fine.
I now need to permit access to MSN/Live Messenger but only to a few
specific users. By default the above rule will permit any user to
access MSN Messenger via the standard web proxy. This is undesirable.
Now I can add HTTP header filtering to this rule to block MSN without
any problems - works a treat. What I did, therefore was add a
duplicate web proxy rule, above the existing one, but rather than for
"All Users", I set this to a new user group containing the users who
need MSN access. This rule has no HTTP filtering and thus permits MSN
to get through.
The original web proxy rule, just below the new one, is still for "All
Users" yet has the HTTP filters in to block MSN.
Now this sort of works. Users in the "MSN Users" group I've created
are matched by the first rule and permitted unrestricted web access
including MSN. All other users should fail to match this rule and be
caught by the next (original) one which permits web access but blocks
MSN.
Great! - Not quite :(
Whilst this all works fine for authenticated users with IE,
unauthenticated users are now prompted for credentials by the proxy
server when they try to access the web. It looks to me like the first
of the web proxy rules is asking for authentication as it's set to
match only on specific users. What I want is for it to realise the
user isn't authenticated, let alone a member of the "MSN Users" group,
and fall through to the following rule.
First question is, can this be done?
Failing that, I had an alternative plan. The users who require MSN
Messenger access also have the Firewall Client installed for other
purposes. I figured I could just block all MSN Messenger access via
the standard web proxy for all users and then use a specific rule for
the "MSN Messenger" protocol for the "MSN Users" group and permit them
access via this on the 1863 port.
Alas this doesn't work - the rule matches ok but I get an error from
the ISA server saying the destination server "actively refused" the
connection. The client then tries its "backup plan" of using port 80,
which the standard web proxy then blocks on the HTTP header filters.
Can anyone help me here, I'm running out of ideas :(
Many thanks for any and all advice.
--
Toby
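
The rule behaviour described in the message above, as a small model added here for illustration; it is not part of the original post and is not ISA Server code. The rule names, user names, the `MSMSGS` User-Agent signature and the `challenge_anonymous` switch are assumptions of the model (the switch only contrasts the behaviour the poster observed with the fall-through he wanted, and does not correspond to a known ISA setting).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    user_set: Optional[FrozenSet[str]]      # None models "All Users"
    blocked_agents: Tuple[str, ...] = ()    # HTTP filter: User-Agent substrings

@dataclass(frozen=True)
class Request:
    user: Optional[str]                     # None = client sent no credentials
    user_agent: str

def evaluate(rules, req, challenge_anonymous=True):
    """Ordered, first-match evaluation. Returns (decision, rule name)."""
    for rule in rules:
        if rule.user_set is not None:
            if req.user is None:
                if challenge_anonymous:
                    # Observed: membership is unknown for an anonymous
                    # client, so the proxy asks for credentials here.
                    return ("407 challenge", rule.name)
                continue                    # Wanted: skip to the next rule
            if req.user not in rule.user_set:
                continue                    # Authenticated, not a member
        if any(sig in req.user_agent for sig in rule.blocked_agents):
            return ("deny", rule.name)
        return ("allow", rule.name)
    return ("deny", "default deny")

# Constructed sample data mirroring the two rules in the post.
MSN_UA = "MSMSGS"                           # assumed filter signature
RULES = [
    Rule("Web access (MSN Users)", frozenset({"alice"})),
    Rule("Web access (All Users)", None, blocked_agents=(MSN_UA,)),
]

if __name__ == "__main__":
    for req in (Request("alice", MSN_UA), Request("bob", MSN_UA),
                Request("bob", "Mozilla/4.0"), Request(None, "Mozilla/4.0")):
        print(req, "->", evaluate(RULES, req))
    print("wanted:", evaluate(RULES, Request(None, "Mozilla/4.0"), False))
```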