Blocking Windows Messenger for access outside the company

M.Siler

I'm running Windows 2000 & Exchange 2000 - I'd like to use Windows Messenger
5.0 within our company but I want to stop people from accessing IM outside
the company. Also, I want to stop MSN Messenger. Is this possible - if so
how??
 
Jonathan Kay [MVP]

Greetings,

The easiest way to stop both would be (assuming you have access to do this sort of thing),
blocking messenger.hotmail.com, gateway.messenger.hotmail.com, messenger.msn.com, and
*.msgr.hotmail.com (where * could be anything), that should prevent users from using the
public .NET Messenger network.
____________________________________________
Jonathan Kay
Microsoft MVP - MSN Messenger/Windows Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com
 
M.Siler

Yes, I'm the admin and I wanted to try to stop this in our firewall. I was
thinking that there were some ports that I could block.

It seems that from a business standpoint this would be a fairly common
request. Is there a list of what you listed and others for yahoo & aol and
others?
 
NeoSadist

M.Siler said:
I'm running Windows 2000 & Exchange 2000 - I'd like to use Windows
Messenger 5.0 within our company but I want to stop people from accessing
IM outside the company. Also, I want to stop MSN Messenger. Is this
possible - if so how??

There really isn't a way, since logging in to the messenger requires remote
port 1863. Honestly, netmeeting is 1) more secure 2) more stable and 3) a
better business-related application to use. It's more configurable as
well. Still, that requires logging in to a remote server as well, I
believe. Bottom line, the only good application for doing what you want is
a program meant specifically for that, since msn and netmeeting are
designed to also be able to connect to internet meetings, not local
meetings per se. Also, btw, blocking the ports on the firewall would be
nice, but eventually all users would be able to figure out how it's done
anyways, and just tell their messenger/netmeeting to use http proxy.
 
NeoSadist

M.Siler said:
Yes, I'm the admin and I wanted to try to stop this in our firewall. I was
thinking that there were some ports that I could block.

It seems that from a business standpoint this would be a fairly common
request. Is there a list of what you listed and others for yahoo & aol
and others?

You need to make your users not part of the admin group. Also, don't use
win95/98/me at work: first off, they're meant for home use. Second, users
are admins as a default. Not a good idea. If they can't install it, they
can't log on, can they?
Also, you need to be thinking security. Win2k is the best in my opinion,
but they pale in comparison to linux/unix. If you've noticed, few if any
linux/unix security vulnerabilities arise from user programs: most of those
are server based, which can be easily fixed, and which your users won't be
using in the first place.
Also, write an agreement that each and every user must sign: something that
they agree to not install programs without your consent. Most hacks these
days come from within. Don't give out the admin password, etc, etc, etc.
 
John

I'm running Windows 2000 & Exchange 2000 - I'd like to use Windows
Messenger 5.0 within our company but I want to stop people from accessing
IM outside the company. Also, I want to stop MSN Messenger. Is this
possible - if so how??


I use Raptor firewall for my company. It's pretty old but works great.
Everything there is based on ports. We have one person, the boss, who
uses various messenger programs. I had to specifically open the port for
each program in the firewall because they are all closed by default.
Depending on your firewall you'll have to open or close the right port.
I've never had to mess with blocking URLs like everyone says. I guess I'm
just lucky.

I know MSN is 1863 and AOL/ICQ is 5190. I think Yahoo is 5020 but I'm not
100% positive. The port numbers are easy enough to find with a good
google search.
 
Robert A. Matern

AIM, ICQ, & YahooIM can all connect on alternate ports... it's gonna be
harder to block them.

MSN is easy... only 1 port, and an HTTP tunnel to that gateway.* are the
only connection methods - and the latter doesn't work for MSN 5.0/6.0 (but
does for Windows Messenger 5.0 under Win2K/XP).
 
Robert A. Matern

John said:
<<SNIP>>
I know MSN is 1863 and AOL/ICQ is 5190. I think Yahoo is 5020 but I'm not
100% positive. The port numbers are easy enough to find with a good
google search.

AIM & ICQ can connect on port 22
YahooIM can connect on port 119
MSN has no alternate method, except HTTP to that gateway.*

The above ports have to be set using manual configuration...
 
John

AIM & ICQ can connect on port 22
YahooIM can connect on port 119
MSN has no alternate method, except HTTP to that gateway.*

The above ports have to be set using manual configuration...


I just checked my firewall for AIM. I opened port 5190 and it is
connecting on that port. Port 22 is closed and AIM is working fine. That
is just my case. Others may get different results.

question
My firewall only allows access to certain http domains. There's a type of
rule saying what domain someone can go to. If the domain is not listed
there is no access. I don't have any of the msn related domains listed.
Could that be blocking msn6 access? I'm going to test it.
 
John

I just checked my firewall for AIM. I opened port 5190 and it is
connecting on that port. Port 22 is closed and AIM is working fine.
That is just my case. Others may get different results.

question
My firewall only allows access to certain http domains. There's a type
of rule saying what domain someone can go to. If the domain is not
listed there is no access. I don't have any of the msn related domains
listed. Could that be blocking msn6 access? I'm going to test it.


Nope, that's not it. That user has full http access through the
firewall. Oh well. I thought I had this msn problem solved. Guess not.
 
Robert A. Matern

I believe there's a hotmail domain that's used as an alternate...

Jonathan Kay posted this in a previous message:
"If you block messenger.hotmail.com, gateway.messenger.hotmail.com,
messenger.msn.com, and
*.msgr.hotmail.com (where * could be anything), that should prevent users
from using
Messenger."
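
Added example (not part of any post in this thread): a small Python check that applies the hostname list quoted above, plus the ports 1863 and 5190 named earlier in the thread, to firewall or proxy log records, so that Messenger traffic tunnelled over HTTP to the gateway host is still caught when a port-only rule would miss it. The log format, the sample records and the function names are assumptions made for illustration.

```python
# Added example; hostnames and ports are the ones named in the thread.
BLOCKED_EXACT = {
    "messenger.hotmail.com",
    "gateway.messenger.hotmail.com",
    "messenger.msn.com",
}
BLOCKED_SUFFIXES = (".msgr.hotmail.com",)    # from "*.msgr.hotmail.com"
IM_PORTS = {1863: "MSN", 5190: "AOL/ICQ"}    # as stated by posters in the thread

def normalize(host):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.strip().rstrip(".").lower()

def host_blocked(host):
    h = normalize(host)
    # The suffix keeps its leading dot so "evilmsgr.hotmail.com" does not match.
    return h in BLOCKED_EXACT or any(h.endswith(s) for s in BLOCKED_SUFFIXES)

def classify(host, port):
    """Return the reason a connection should be denied, or None to allow it."""
    if host_blocked(host):
        return "blocked-host"
    if port in IM_PORTS:
        return "im-port:" + IM_PORTS[port]
    return None

# Constructed sample records (assumed format: "source dest_host dest_port").
SAMPLE_LOG = """\
10.0.0.21 messenger.hotmail.com 1863
10.0.0.22 gateway.messenger.hotmail.com 80
10.0.0.23 X1.MSGR.Hotmail.com. 1863
10.0.0.24 www.example.com 80
10.0.0.25 msgr.hotmail.com.example.net 80
10.0.0.26 192.0.2.10 5190
"""

def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed records instead of failing the scan
        src, host, port = parts[0], parts[1], int(parts[2])
        reason = classify(host, port)
        if reason:
            hits.append((src, normalize(host), port, reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The record from 10.0.0.22 is the case a port-only rule lets through: it reaches the gateway host on port 80 and is flagged by hostname alone.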



 
