MSN messenger audio connections & XP SP2?

[Andy Weller]

I currently run Zonealarm, and can't connect an MSN audio conversation
unless I shut down the firewall. A known issue because of the way that MSN
messenger needs access to a wide range of ports & UPnP, which are correctly
viewed by most respectable firewalls as security risks. This problem does
not affect Yahoo messenger, which does not demand such wide access to the
machine it's connecting to.

XP Service pack 2 (SP2) will provide a much improved firewall within XP
itself (great news!). I understand it's default setup will not allow UPnP
and block incoming port probes much as Zonealarm already does. So far so
good.

However, will users suddenly find that they can't use audio conversations
anymore on MSN messenger unless they disable some or all of the new firewall
that MS is keen to implement for security?

I think there is a big problem coming, which I guess is highlighting the
rather "odd" approach MSN messenger has taken in relation to security.

Any news or views?

Andy

 

[Jonathan Kay [MVP]]

Greetings Andy,

MSN Messenger 6.2 automatically integrates with the SP2 Windows Firewall and works without a
problem -- it's been well tested (not only by yours truly but by many others as well).
Basically it works "out of the box" (and the firewall is *on* by default).
____________________________________________
Jonathan Kay
Microsoft MVP - Windows Messenger/MSN Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com
All posts unless otherwise specified are (c) 2004 Jonathan Kay.
You *must* contact me for redistribution rights.

 

[Andy Weller]

Jonathan

Great news! I was hoping to use the new XP SP2 firewall, and that it would
allow me to connect both Audio & webcam via MSN messenger to keep in touch
with my daughter at university.

Does this news mean that MS have somehow overcome the audio issue in
http://messenger.msn.com/Help/Issues.aspx (April 2004) which says:

"To ensure we deliver the best audio technology for computer-to-computer or
computer-to-phone communications from MSN Messenger, we have made technical
enhancements. This means you will only be able to use Messenger version 4.5
or higher for these features if:
a.. You are not behind a firewall or
b.. You are behind a Universal Plug and Play (UPnP) firewall or
c.. You are using a UPnP-enabled Network Address Translation (NAT) device"

Maybe an obvious question, but I'd expected the XP firewall would have
stopped MSN messenger audio connections - how does it allow MSN messenger
audio through without compromising security?

Cheers

Andy

 

[Jonathan Kay [MVP]]

Hi Andy,

Actually the current Windows XP Firewall supports Universal Plug and Play (UPnP) and will
automatically open the necessary ports for Messenger. The SP2 firewall also supports UPnP,
but in SP2, this is even expanded further by allowing you to be specific about which
applications can use the Internet connection (in this case MSN Messenger 6.2).

Just for fun, I took a screenshot of what it looks like (and for reference purposes, it put
"MSN Messenger 6.2" there by itself; another new feature of SP2 and MSN Messenger 6.2):
http://messenger.jonathankay.com/screens/sp2firewall.png
____________________________________________
Jonathan Kay
Microsoft MVP - Windows Messenger/MSN Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com
All posts unless otherwise specified are (c) 2004 Jonathan Kay.
You *must* contact me for redistribution rights.

 

[Andy Weller]

Hi Jonathan
Thanks for the screenshot - is this how firewall is configured to permit
OUTBOUND connections from your PC by specified programs? (ie similar to
Zonealarm "trusting" specified programs). Or is this screen somehow
related to the program INBOUND access attempts that the firewall will let
through?

My puzzle is still that for inbound protection, the new XP firewall will
surely be working in "stealth" mode - ie the PC and ports are not visible to
any inbound intruder or other traffic. If so, then I'm still puzzled how
another MSN messenger audio session will ever "see" the target PC to connect
to - unless the firewall lets all intruders "see" the ports and the PC.

Sorry if I'm not very good at explaining this security stuff, but I am still
unsure how it can work!

Cheers

Andy

 

[...D.]

Look. There is no getting around it in it's current state. I guess
there is hope for the future.

Current state: MSN Messenger 6.2 or 6.xx is a badly written or badly
conceived program and it is a shame. MS is blowing it on this.

I see posts here and there, over and over, "voice problems...". Well
I have had voice problems, on & off & on & off & one way & not the
other & off, since the 1st day me and a friend tried it. That was 10
months ago. Voice didn't work for almost two weeks back then, we
tried it every day for a week, gave up, then at 2 week we tried it and
it worked. My friend was behind a hub at the time. Nowadays it
hasn't worked for a few months (one way for a while).

We are both behind Netgear firewalls now.. But I have voice problems
with others too. But that is beside the point! I can transfer files
no problem, do webcams no problem, and of course type at each other no
problem. What is the BIG deal with voice??!!

Look, I defected to Yahoo Messenger a long time ago because of this
issue. Microsoft lost me. I joined a Yahoo Messenger chatroom group.
Everyone I know uses Yahoo Messenger.

Now that I am newly behind a hardware firewall nothing has changed -
Yahoo Messenger still works fine. No settings have been changed. So
what is the catastrophe with MSN Messenger? Us Yahoo users basically
agree - keep MSN Messenger around to transfer files between Yahoo
Messenger friends. That is the one aspect MSN has been & still is
superior to Yahoo (Yahoo has a limit on file sizes for one thing).

In this day and age of competition for user attention, you'd think MS
would have fixed MSN Messenger by now.

Firewall shmirewall, it still should work, no messing around with
settings.

....D.

----------------

 

[Jonathan Kay [MVP]]

Hi Andy,

The Windows XP firewall (current and SP2) handle inbound connections only -- outgoing
connections are not blocked.

I'm not 100% sure what you mean here, so I'll simply explain how the current firewall does it
and then how the SP2 firewall can.

Current Firewall:
1. Either side of a conversation initiates an Audio conversation and accepts it
2. Messenger sends API call to firewall to open necessary port for audio conversation
3. Messenger sends information on current IP and audio port to connect to the other contact
4. Incoming connection from contact to the specified port
5. After conversation is complete, API call to remove the open port

and we're done. Also keep in mind that Windows Messenger will also open some ports when it
starts (MSN Messenger does not).

The SP2 firewall is basically the same, with the exception that the SP2 firewall will allow
you to unblock all inbound to Messenger, therefore not requiring the individual ports to be
opened.
____________________________________________
Jonathan Kay
Microsoft MVP - Windows Messenger/MSN Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com
All posts unless otherwise specified are (c) 2004 Jonathan Kay.
You *must* contact me for redistribution rights.

 

[Andy Weller]

Hi Jonathan

Appreciate the time you're taking to help clarify this one.

I suppose the bottom line is to confirm that two XP SP2 PCs each running MSN
messenger 6.2 behind the new XP firewalls can set up an audio conversation
without needing the firewall security to be lowered or UPnP enabled. Did
you say this had been done?

Then, will the XP firewall pass the scanning tests at
https://grc.com/x/ne.dll?bh0bkyd2?

(The thing I can't get my head around is that if MSN messenger can't
currently accept a voice connection from behind a firewall (confirmed by MS
at http://messenger.msn.com/Help/Issues.aspx) - how can it work with the XP
firewall - without lowering security and opening up a lot more ports?!)

If all this works, I'd be more than delighted, and will be able to use MSN
messenger for voice when SP2 is launched.

Regards

Andy