Re: Blocking Windows Live Messenger in ISA 2004

Hi Jim,

Thank you for your update.

Blocking MSN and Windows Live Messenger may be a hard job. We are unable to
block it completely, but we could still make the usage more difficult.

If you want to try the steps in my previous reply, I will do my best to
help you. If there's anything else about this issue I can do for you,
please do not hesitate to let me know.

Thank you and have a nice day,

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "Jim" <jim@xxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.sbs
Subject: Re: Blocking Windows Live Messenger in ISA 2004
Date: Tue, 8 Jul 2008 20:36:00 +0100

Wow..this doesn't sound as if this is a very practical thing to do then..

How come others have written 'how-to-do-it' articles that apparently work..

...perhaps they *used* to work...but not any more...

Jim.


"Terence Liu [MSFT]" <v-terliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OubqvwN3IHA.1624@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello Jim,

Thank you for your update.

In fact this is a tough task. We may need to spend more time on it. Maybe
we cannot completely block Windows Live Messenger and MSN Messenger in the
end, because we know users could use the Web MSN or Windows Live Web
Messenger instead.

http://messidog.live.com/
http://webmessenger.msn.com/

These are entirely web sites. We are unable to block them unless we block
all HTTP access.

If we cannot resolve the issue after we perform the steps in my previous
reply, please help me collect some information for further investigation:

1. Please help to gather the ISA Info:

1) Download the file from the following URL:

http://www.isatools.org/tools/isainfo.zip

2) Extract all files to a folder on ISA server.

3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.

4) Please send these files to me at v-terliu@xxxxxxxxxxxxx

2. Please also help to gather the ISA logs:

1) Schedule a down time.

2) Open ISA 2004 management console.

3) Expand the server node and highlight 'Monitoring'.

4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.

5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

6) Switch to the 'Fields' tab, click 'Select All', and then click OK.

7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

8) Switch to the 'Fields' tab, click 'Select All', and then click OK.

9) Click 'Apply' to save changes and update the configuration.

10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.

11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files
may not be able to be deleted, that's normal.) You may back them up first
and then delete them.

12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.

13) Reproduce the problem, stop the service, and then send the resulting
W3C files to me for analysis.

14) Please also let me know the IP address of the testing clients so that I
can filter the data.

3. Gather MPS network report on SBS:

a. Download MPSreport_network from

http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE

b. Run MPSRPT_NETWORK.exe.

c. The tool will automatically collect the information. This procedure will
take 10~15 minutes.

d. Open Windows Explorer, navigate to the folder:
%SystemRoot%\MPSReports\Network\Reports\Cab\

e. Send the .cab file directly to me at v-terliu@xxxxxxxxxxxxx

Thanks and have a nice day!

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security


--------------------
From: "Jim" <jim@xxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.sbs
Subject: Re: Blocking Windows Live Messenger in ISA 2004
Date: Wed, 2 Jul 2008 19:00:51 +0100

Thanks Terence,

That's some very comprehensive info.

I'll give it a try when I'm in the office next and let you know how I get
on.

I had a suspicion that it wasn't that straightforward.

regards

Jim.

"Terence Liu [MSFT]" <v-terliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:QIsPZGC3IHA.5340@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello Jim,

Thank you for posting here.

According to your description, I understand that you want to block Windows
Live Messenger and MSN Messenger for a particular group of users. If I have
misunderstood the problem, please don't hesitate to let me know.

Based on my research, blocking Windows Live Messenger and MSN Messenger is
difficult to achieve, because the signatures of different versions of
Windows Live Messenger are different. To block Windows Live Messenger and
MSN Messenger for a particular group of users is more difficult.

I suggest we try the following steps to see if we can achieve this goal:

Method 1

The same can also be achieved by the use of 2 explicit allow rules on the
ISA Server 2004.

Rule 1:

Allow internet (all users) | Allow | Protocol: HTTP, HTTPS | internal to
external | for all authenticated Users group | All content types |

For this rule, configure HTTP policy, and go to the Signatures tab.

Name: MSN
Search in: Request Headers
HTTP Header: User-Agent:
Signature: Windows Live Messenger (or MSN Messenger, as the case may be)

Then go to the properties of this rule and open the Users tab. In the
Exceptions tab, click on Add, select the group of users that should be
allowed internet access (MSN Allowed users group), and add this group to
the exception list.
Save the rule.

Rule 2:

Allow MSN (allowed users) | Allow | Protocol: HTTP, HTTPS | internal to
external | for MSN allowed Users group | All content types |

These 2 rules in combination should follow the DNS access rule of the DMZ.

If this method does not work, then we will have to create explicit allow
and deny rules for each of our user access types as shown in method 3.

Method 2

We need to create rules to explicitly block the MSN protocol on the ISA.
Further, we also need to confirm that we have allow rules for users who
should be allowed messenger.
And finally we need a generic rule to allow internet access to all the
authenticated users.
(This rule is in addition to the rule of basic internet access.)

The rules can be implemented as follows:
1. Allow MSN (allowed users) | Allow | Protocol: HTTP, HTTPS | internal
to external | for MSN allowed Users group | All content types |

2. Deny MSN (blocked users) | Deny | Protocol: MSN Messenger | internal
to external | for MSN Blocked Users group | All content types |

3. Allow internet (all users) | Allow | Protocol: HTTP, HTTPS |
internal to external | for all authenticated Users group | All content
types |

For rule 3, configure HTTP policy, and go to the Signatures tab.

Name: MSN
Search in: Request Headers
HTTP Header: User-Agent:
Signature: Windows Live Messenger

In case we are using different versions of MSN Messenger, we might have to
use different signatures accordingly.
A few other signatures that can help are:
MSN 8 BETA Signature / Request Headers: / User-Agent:8.0.689.0
MSN 8 Live Messenger Build 8.0.0787.0 / Request Headers: / User-Agent:8.0.787.0
MSN 8 Live Messenger Build 8.0.0792.0 / Request Headers: / User-Agent:8.0.792.0
MSN 8 Live Messenger Build 8.0.0812.00 / Request Headers: / User-Agent:8.0.812.0

For all the above signatures the signature field will contain "MSN
messenger".
For blocking Windows Live Messenger specifically, the signature field can
contain "Windows Live Messenger".
An Engineer referring to this article may also try and search the internet
to find the latest available signature types linking to MSN Messenger or
Windows Live Messenger.

Method 3: In addition, we can also use the Software Restriction Policies to
prevent Windows Live Messenger from running. Please refer to the following
information.

Use the Software Restriction Policies to block Windows Live Messenger
---------------------------------------------
1. Open GPO editor by typing gpedit.msc in Start/Run.
2. Navigate to Computer Configuration\Security Settings\Software
Restriction Policies
3. Create a new Software Restriction Policy if none exists.
4. Right click on the Additional Rules in the left panel->New Path Rule.
5. Click Browse->Select the path "C:\Program Files\MSN
Messenger\msnmsgr.exe"
6. Set the Security Level to "Disallowed" and then click OK.

After that, the Windows Message cannot be executed from the local hard
drive and the relevant error message will be received. For more information
regarding the Software Restriction Policy, please refer to the following
website:

Software Restriction Policy for Windows XP Clients

http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch06.mspx

I hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security


--------------------
From: "Jim" <jim@xxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.sbs
Subject: Blocking Windows Live Messenger in ISA 2004
Date: Tue, 1 Jul 2008 17:36:26 +0100

I know it's been covered before.. :-(

I've tried the advice at isaserver.org and MS KB 925120

...but it just doesn't seem to work..

Where am I going wrong ?

Basically I want to block Windows Live Messenger and MSN Messenger for a
particular group of users.

I've used this group of users 'Restircted Internet Access' for other access
rules and the group works OK.

Jim.
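
Added example (not part of the original thread and not Microsoft's code): Methods 1 and 2 above depend on the User-Agent signature matching what the clients actually send, and the W3C web proxy logs requested in the thread are where that can be checked. This Python script lists the Messenger User-Agent strings seen per user and client IP; the field names (`c-ip`, `cs-username`, `c-agent`, `cs-uri`, `sc-status`), hosts, users and log rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Signature strings quoted in the thread's HTTP filter settings.
SIGNATURES = ("Windows Live Messenger", "MSN Messenger")

def _row(*cols):
    return "\t".join(cols)

# Constructed sample log, not real traffic. Field names are assumed.
SAMPLE_LOG = "\n".join([
    "#Fields: " + _row("c-ip", "cs-username", "c-agent", "cs-uri", "sc-status"),
    _row("192.168.16.21", r"EXAMPLE\alice", "Mozilla/4.0 (compatible; MSIE 7.0)",
         "http://www.example.com/", "200"),
    _row("192.168.16.22", r"EXAMPLE\bob", "Windows Live Messenger 8.0.812.0",
         "http://gateway.example.test/gateway.dll", "403"),
    _row("192.168.16.22", r"EXAMPLE\bob", "Windows Live Messenger 8.0.812.0",
         "http://gateway.example.test/gateway.dll", "200"),
    _row("192.168.16.23", r"EXAMPLE\carol", "MSN+Messenger+7.5",
         "http://gateway.example.test/gateway.dll", "200"),
    _row("192.168.16.24", r"EXAMPLE\dave"),  # truncated row, must be skipped
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # ignore malformed rows
                yield dict(zip(fields, values))

def messenger_hits(text, signatures=SIGNATURES):
    """Map (user, client IP) -> {User-Agent string: set of status codes}."""
    hits = defaultdict(lambda: defaultdict(set))
    for rec in parse_w3c(text):
        # Some W3C writers store spaces as '+'; normalise before matching.
        agent = rec.get("c-agent", "").replace("+", " ")
        if any(sig.lower() in agent.lower() for sig in signatures):
            key = (rec.get("cs-username", "-"), rec.get("c-ip", "-"))
            hits[key][agent].add(rec.get("sc-status", "-"))
    return {key: dict(agents) for key, agents in hits.items()}

if __name__ == "__main__":
    for (user, ip), agents in sorted(messenger_hits(SAMPLE_LOG).items()):
        for agent, statuses in sorted(agents.items()):
            print(f"{user} {ip} {agent!r} statuses={sorted(statuses)}")
```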









