Re: isa server
- From: "Mark McCracken" <mark@xxxxxxxxxxxxxx>
- Date: Tue, 24 May 2005 14:36:04 -0700
Creating a destination set and site/content rule for the appropriate
domains worked! Thanks
Mark
"Brandy Nee [MSFT]" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:rvHbhJBYFHA.2184@xxxxxxxxxxxxxxxxxxxxxxxx
> Hello Mark,
>
> Thank you for posting to the SBS Newsgroup.
>
> I understand that after you installed ISA server, clients cannot use MSN
> Messenger anymore. If I have misunderstood your concern, please feel free
> to let me know.
>
> This is the expected result since SBS only allows the SBS domain users to
> access the Internet and the MSN Messenger does not support the NTLM
> authentication. Please see my steps below:
>
> The newest version of MSN Messenger is able to connect to Internet through
> the proxy server by using HTTP protocol. It will first try using the proxy
> settings in Internet Options, and then try directly connecting to
> Internet.
> If you can use IE to access Internet web sites, MSN Messenger should be
> able to sign in.
>
> To allow MSN Messenger to go through the ISA Server, we need to perform the
> following steps:
>
> 1. Create a Destination Set to include the following domains, and then
> create a Site and Content Rule to allow this newly created Destination
> Set.
>
> *.passport.net
> *.passport.com
> *.hotmail.com.
>
> 2. Create a Protocol Rule to allow HTTP and HTTPS protocols.
>
> However, MSN Messenger does not support NTLM authentication and it only
> supports Basic Authentication. If you have applied the above 2 rules to Any
> Request and you have not selected "Ask unauthenticated users for
> identifications" in Outgoing Web Request, there is no problem. If you
> applied any one of the above 2 rules to some user groups to perform the
> user-based limitation, MSN Messenger will fail to sign in.
>
> We may work around this by using ANY ONE of the following ways:
>
> 1. If you have installed ISA as Integrated mode or Firewall mode, the
> solution is to install the firewall client on the client machines. This is
> the recommended way.
>
> 2. If you are unable to install firewall client on the client machines or
> the ISA Server is installed in Cache mode, we may work around this issue by
> configuring ISA to use Basic Authentication. To do that:
>
> Step 1: Configure ISA Server
>
> 1) Open ISA Management, right click ISA server name, and then click
> Properties.
>
> 2) Click Outgoing Web Request, click to select 1 internal NIC IP that is
> being monitored by ISA, and then click Edit.
>
> 3) Click to select Basic with this domain, and then click Select Domain to
> select the domain name.
>
> 4) Clear the check box before "Integrated".
>
> 5) Click OK twice to restart Web Proxy Service.
>
> Step 2: Configure MSN Messenger
>
> 1) Open MSN Messenger, click menu Tools | Options, and then click
> Connections tab.
>
> 2) Select Use Proxy, and then type the following information:
>
> Type: HTTP Proxy
> Server: IP address of the ISA internal NIC
> Port: Port of the ISA internal NIC IP address
> User ID: <domain name>\<user name>
> Password: <type the password>
> Realm: <Please DO input the FQDN name of the ISA server. Note: It is
> case-sensitive>
>
> You can find the FQDN name of the ISA server by clicking My Computer |
> Properties | Computer Name tab on the ISA server.
>
> 3) Click OK.
>
> Note: If you configure the above settings, the NTLM authentication will be
> canceled. When the client IE accesses the Internet, it will use the Basic
> Authentication to pass the authentication on ISA. Some people may capture
> the network traffic data to crack your password.
>
> So, I strongly recommend you install firewall client on the client machine
> to resolve the issue instead of using the above steps.
>
> 3. Another workaround is to bind a new IP that is dedicated for Basic
> Authentication to the ISA internal NIC, and then configure MSN Messenger to
> go through this new IP. To do that:
>
> Step 1: Bind a new IP address on ISA internal NIC
>
> 1. In TCP/IP Properties of ISA internal NIC, click Advanced button, and
> then click IP Settings tab.
>
> 2. Under IP addresses, click add button, and then add a new IP address.
> For example, your current ISA internal NIC is using 10.32.140.209. Besides
> this IP, you can bind IP 10.32.140.210 to it.
>
> Step 2: Configure Outgoing Web Request
>
> 1. Open ISA Management, right click ISA server name, and then click
> Properties.
>
> 2. Click Outgoing Web Request, click to select "Configure listener
> individual per IP address", and then click Add button to add these 2 IP
> addresses.
>
> 3. Click to select the newly bound IP address, and then click Edit.
>
> 4. Click to select Basic with this domain, and then click Select Domain to
> select the domain name.
>
> 5. Clear the check box before "Integrated".
>
> 6. Click OK twice to restart Web Proxy Service.
>
> Step 3: Configure MSN Messenger
>
> 1. Open MSN Messenger, click menu Tools | Options, and then click
> Connections tab.
>
> 2. Select Use Proxy, and then type the following information:
>
> Type: HTTP Proxy
> Server: newly bound IP address of the ISA internal NIC
> Port: Port of the ISA internal NIC IP address
> User ID: <domain name>\<user name>
> Password: <type the password>
> Realm: <Please DO input the FQDN name of the ISA server. Note: It is
> case-sensitive>
>
> You can find the FQDN name of the ISA server by clicking My Computer |
> Properties | Computer Name tab on the ISA server.
>
> 3. Click OK.
>
> Now only MSN Messenger uses Basic Authentication. IE will still use NTLM
> authentication to pass ISA.
>
> The above information is regarding how to configure ISA to allow MSN
> Messenger to sign in. By performing the above steps, your internal clients
> can sign in for chatting. However, if you would like to use video/audio
> conversation, you may need to perform the following steps:
>
> Step 1: Video Conversation
>
> Note: Please do not use Jim Harrison's script in http://isatools.org
> because it is for the old version of Messenger:
>
> 1. Create a Protocol Definition based on the following information:
>
> Protocol Definition Name : MSN Msgr (Real)
> Initial Connection Port Number: 1863
> Initial Protocol Type: TCP
> Initial Direction: Outbound
> Secondary Connections:
>
> Port Range: 5004 - 65535
> Protocol Type: UDP
> Direction: Send and then Receive
>
> Port Range: 6891 - 6900
> Protocol Type: TCP
> Direction: Inbound
>
> Port Range: 6891 - 6900
> Protocol Type: TCP
> Direction: Outbound
>
> Port Range: 6901 - 6901
> Protocol Type: TCP
> Direction: Outbound
>
> Port Range: 9010 - 9010
> Protocol Type: TCP
> Direction: Outbound
>
> Port Range: 9000 - 9000
> Protocol Type: TCP
> Direction: Outbound
>
> Port Range: 9000 - 9000
> Protocol Type: TCP
> Direction: Inbound
>
> 2. Create a Protocol Rule to enable the above newly created Protocol
> Definition:
>
> Protocol Rule Name : MSN Msgr
> Enabled : True
> Action taken with requests : Allow
> Rule applies to : Selected Protocols
> Protocols : MSN Msgr (Real) , Net2Phone ,
> Rule Applies to : Any Request
>
> 3. The clients must install Firewall Client.
>
> Step 2: Audio Conversation
>
> Since MSN Messenger uses SIP signaling that is not supported in the ISA
> Server in audio conversation, we are unable to do so. Based on our tests,
> the audio conversation only works if we configure the following settings on
> ISA:
>
> 1. Two clients are using MSN Messenger.
>
> 2. One of the clients is directly connecting to Internet. Another one is a
> firewall client and it is behind an ISA.
>
> 3. Add an "Allow all outbound traffic?" protocol rule on the ISA.
>
> 4. The internet client clicks Audio icon on the MSN messenger first, and
> then the firewall client clicks Accept.
>
> Hope this information helps. If there is anything unclear or you have any
> concern, please feel free to post back. I am looking forward to hearing
> from you.
>
> Best regards,
>
> Brandy Nee
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
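
The Note under workaround 2 and the dedicated listener in workaround 3 both depend on where Basic credentials appear on the wire. As an added example (not part of the original post), this Python sketch scans captured proxy request heads, reports which accounts sent Basic credentials, and flags any that reached the listener meant to stay NTLM-only. The request samples, account names and listener roles are constructed assumptions; the two IP addresses are the post's own example values.

```python
import base64

# Assumed listener roles, using the example addresses from workaround 3.
NTLM_LISTENER = "10.32.140.209"   # original internal IP, Integrated (NTLM) only
BASIC_LISTENER = "10.32.140.210"  # extra IP dedicated to Basic for Messenger

def basic_header(user, password):
    """Build a Basic credential value: base64 of 'user:password', no encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

REQ = "GET http://www.hotmail.com/ HTTP/1.1\r\n"
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

# Constructed sample traffic: (listener IP, raw request head seen at the proxy).
SAMPLES = [
    (BASIC_LISTENER, REQ + "Proxy-Authorization: " + basic_header("EXAMPLE\\alice", "not-a-real-pw") + "\r\n\r\n"),
    (NTLM_LISTENER, REQ + "Proxy-Authorization: NTLM " + NTLM_TYPE1 + "\r\n\r\n"),
    (NTLM_LISTENER, REQ + "proxy-authorization: " + basic_header("EXAMPLE\\bob", "not-a-real-pw") + "\r\n\r\n"),
    (NTLM_LISTENER, REQ + "\r\n"),  # unauthenticated request, nothing to report
]

def parse_proxy_auth(request_head):
    """Return (scheme, token) from the Proxy-Authorization header, else (None, None)."""
    for line in request_head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authorization":
            scheme, _, token = value.strip().partition(" ")
            return scheme.lower(), token.strip()
    return None, None

def audit(listener_ip, request_head):
    """Report a Basic credential; NTLM and unauthenticated requests return None."""
    scheme, token = parse_proxy_auth(request_head)
    if scheme != "basic":
        return None
    try:
        # Only the account name is reported; the password is never kept or logged.
        user = base64.b64decode(token, validate=True).decode("latin-1").partition(":")[0]
    except ValueError:
        user = "<undecodable>"
    severity = "expected" if listener_ip == BASIC_LISTENER else "violation"
    return {"listener": listener_ip, "user": user, "severity": severity}

def audit_all(samples):
    return [f for f in (audit(ip, head) for ip, head in samples) if f]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(finding)
```

Accounts reported as "expected" are still sending a recoverable password on every request, so they are candidates for the Firewall Client route the post recommends.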