Re: Blocking MSN Messenger and Windows Live Messenger

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

---

• From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
• Date: Wed, 13 Feb 2008 12:28:52 -0600

---

Ok. I asked Jim.
He said that anything that uses the Web Proxy Filter can make use of
signatures and that SecureNAT Clients do use the Web Proxy Filter.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:e9e$FclbIHA.3932@xxxxxxxxxxxxxxxxxxxxxxx

Ok, well maybe SecureNAT Clients can use the signatures, I didn't think
they could. Maybe that is something Jim could clarify for me.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or
Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Nightlegend" <nightlegend@xxxxxxxxxxxxx> wrote in message
news:OiWUgJjbIHA.5400@xxxxxxxxxxxxxxxxxxxxxxx

Ok ,but I have no firewall clients or webproxy clients and still able to
block Messenger ,how do I make sure that my clients are secure NAT?
The monitoring pane is displaying requests as (SECURE NAT) along with
client's IP.

"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:uAHd9OYbIHA.4228@xxxxxxxxxxxxxxxxxxxxxxx

The article is not applying to SecureNAT Clients. The Rules in the
Article are for "All Authenticated Users" and for a custom created
Group. SecureNAT can only use anonymous Rules (All Users). Therefore
the Rules in the article can only apply to Web Proxy or Firewall
Clients.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or
Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


"Nightlegend" <nightlegend@xxxxxxxxxxxxx> wrote in message
news:OXeb7tWbIHA.1208@xxxxxxxxxxxxxxxxxxxxxxx

With all due respect Mr.Windell ,I have created an access rule to block
some of the SECURE NAT clients within my internal network from using
Messenger and Windows Live Messenger and it works ,I have blocked them
all the necessary protocols and it works ,we are running ISA 2004
Standard edition and clients running XP and Vista.

And Mr.Mineer can check the following tutorial:
http://www.isaserver.org/tutorials/ISA-Firewall-Quick-Tip-Blocking-MSN-Messenger-Access-Enabling-Access-Some-Users.html

Best regards

"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:ubr6PAQbIHA.3572@xxxxxxxxxxxxxxxxxxxxxxx

"David Mineer" <mineer@xxxxxxxxx> wrote in message
news:d32d2239-83fd-47f6-8b60-70bdc8f2873c@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Thanks,

I never have really understood this. Is there a good document on
switching my users to something other than securenat? What are the
reasons for using securenat?

You use SecureNAT when nothing else works, or you have special
equipment/servers that need anonymous outbound access when there is no
user logged into the machine or the machine is not capable of having a
user logged into it (like network equipment).

SecureNAT Clients:
1. Cannot authenticate
2. Resolve DNS names on their own (so ISA does not know the Domain or
URL)
3. Can use other protocols besides TCP or UDP, such as ICMP
4. Operate by tradition Dynamic NAT just like with typical "hardware
firewalls"
5. ISA must be either the Default Gateway or be within the "routing
path" to the Internet

Web Proxy Clients
1. Operate through the Browser only (proxy settings in the browser)
and through applications that "piggy back" on the browser's proxy
settings
2. Operate based on the CERN Compliant Web Proxy Standard.
3. Only provides services for HTTP, HTTPS, Download-Only FTP
4. Makes effiecient native use of web caching
5. Default Gateway and "routing pathes" are almost totally irrelevant.

Firewall Clients
1. Operate by having the Firewall Client software installed
2. The Firewall Client software was formerly known as the Winsock
Proxy Client and is a Layer Service Provider (LSP)
3. Operates on the Winsock Proxy Standard
4. Can handle most (not all) protocols based on TCP or UDP.
5. Operates without user applications ever being "aware" that the
proxy exists.
6. Default Gateway and "routing pathes" are almost totally irrelevant.

See the ISA documentation for better details on the differences
between the three Client Types.
It is possible for an individual Client to operate as all three client
types at the same time.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or
Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server
2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------

.

---

• References:
  • Blocking MSN Messenger and Windows Live Messenger
    • From: David Mineer
  • Re: Blocking MSN Messenger and Windows Live Messenger
    • From: Phillip Windell
  • Re: Blocking MSN Messenger and Windows Live Messenger
    • From: David Mineer
  • Re: Blocking MSN Messenger and Windows Live Messenger
    • From: Phillip Windell
  • Re: Blocking MSN Messenger and Windows Live Messenger
    • From: Nightlegend
  • Re: Blocking MSN Messenger and Windows Live Messenger
    • From: Phillip Windell
  • Re: Blocking MSN Messenger and Windows Live Messenger
    • From: Nightlegend
  • Re: Blocking MSN Messenger and Windows Live Messenger
    • From: Phillip Windell

• Prev by Date: Re: SSL-Tunnel blocked?
• Next by Date: Re: ISAPI - Knowing if rule accepted or deny the request on POLICY_CHECK_COMPLETED
• Previous by thread: Re: Blocking MSN Messenger and Windows Live Messenger
• Next by thread: RE: OWA 403 access denied error
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: ISA server 2004 and Bluecoat proxy ... i want to ask about event 14130 that related to web proxy chain fauilire. ... If you were able to work around the upstream proxy server, ... upstream ISA Server, you might want to change it back. ... SecureNAT,Firewall clients) and you can disable it. ... (microsoft.public.isa.configuration) Re: ISA server 2004 and Bluecoat proxy ... second i told you about disable HTTP web proxy filter (this filter applies ... but the web proxy filter for web proxy clients cannot be disabled (this is ... resolution on ISA 2004/2006 but when i read the article ite related to ISA ... server that is configured as firewall server. ... (microsoft.public.isa.configuration) Re: Is plain old vanilla NAT possible with ISA? ... > are clients that don't use the Web Proxy service directly, ... > logged against a SecureNAT request, ... (microsoft.public.isa) Re: What is the diff between SecureNAT and the ISA FW client? ... >> Web requests from secureNAT and Firewall clients should get converted ... the HTTP Redirector is enabled in ISA. ... a client isn't configured to be a Web Proxy Client. ... (microsoft.public.windows.server.sbs) Re: disable HTTP Filter for some Users ... Destination without passing through the Web Proxy Service,... ... this "toggle" is located within the Properties of the filter itself and is ... Firewall Clients will use only the Firewall Service, SecureNAT ... (microsoft.public.isa)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > ISA  > microsoft.public.isa  > 2008-02