ANN: XPE Chat on 12/18: Securing and Servicing Embedded Devices

  • Thread starter Michael Fosmire [MSFT]

Michael Fosmire [MSFT]

Title: Windows XP Embedded Chat: Securing and Servicing Embedded Devices

December 18, 2003
10:00 - 11:00 A.M. Pacific time
1:00 - 2:00 P.M. Eastern time
18:00 - 19:00 GMT/BST

Description: Join the Windows XP Embedded Product Team for a discussion on
securing and servicing embedded devices. What are some best practices to
keep in mind when thinking about servicing? How do you factor servicing
into device design? Get your questions answered about Device Update Agent.
Learn about initiatives that the product group is engaged in with respect to
streamlining our QFE release process.

To join this chat, and to get a listing of additional chats, visit
http://msdn.microsoft.com/chats


--
Thanks!
Michael Fosmire
Community PM/MVP Lead, Windows Embedded

This posting is provided AS IS with no warranties, and confers no rights.

Mark K Vallevand

Well, in all their infinite wisdom, the network admins have decided that
leaving an open port for chats with Microsoft is a security hazard. No,
they won't reconsider. Never let policy be affected by the need to do real
work. Hmmmpf.

My first question would have been:

When will there be support for running XP hot fix executables on XPe images?

My second question set is:

What port (or whatever) needs to be enabled to allow chat to work? How do I
convince the network admins that this chat is safe? Isn't there a way to
make chat work for paranoid companies?

Michael Fosmire [MSFT]

Just a reminder that this chat is just getting under way.

-mike


This posting is provided AS IS with no warranties, and confers no rights.

Michael Fosmire [MSFT]

Response to your question courtesy of Jon Fincher:

We expect this to be available in mid-January. Recent changes to the desktop
QFE installer are requiring some more work on the technical side.



I'm looking into your second question.

-mike



This posting is provided AS IS with no warranties, and confers no rights.

Michael Fosmire [MSFT]

We are working on this and after March we will be using a different and more
secure port.

In the current infrastructure, you'd need access to port 6667. This will
change after March to a port that is enabled by all customers, port 80.



There will be a whitepaper published on this soon. The text of this
whitepaper is below.



hth,

-mike



This posting is provided AS IS with no warranties, and confers no rights.



Firewall configuration for MSN Chat connection



Purpose of this paper



We want to help you to configure your network to allow access to the MSN
chat environment where we do all of our online technical chats. By following
these steps you can open the necessary ports, but only for the selected IP
addresses, keeping out any attempts to access your networks over this port
from any other address on the internet.



Background - issues with opening port 6667



6667 is the only port used by the MSN Chat client. It's used for standard
IRCX chatting. We don't allow file transfers or anything like that via our
service.



Port 6667 is a fairly standard chat port that has been used by chat services
for years. Many network administrators have blocked access to it and
will be reluctant to remove their blocks on the port, for these key reasons:

a. Productivity: Chatting is usually viewed as unproductive behavior by
most corporations. However, the Technical Chats hosted by MSN for TechNet
provide useful information and direct access to Microsoft experts to help IT
Pros do their jobs more effectively.
b. Viruses: Because it is a standard chat port, port 6667 is a favorite
port of trojan horse designers. They frequently build their programs to
communicate on port 6667 either as a chat server or as a client that
connects to a chat service as a "bot". As a result, many of the documents
that network administrators might reference for security advice will tell
them to block 6667, among others. Blocking the port of course doesn't
prevent infection, but it may reduce the effectiveness of a trojan once it
has infected their network. The initial infection is not done via this port.
Instead, the viruses use this port for communication. The following
solutions will minimize that vulnerability:


Configuration for access to chat while maintaining security on your network

Please be very careful when creating access rules or adding items to your
access lists on your routers, as mistakes can remove access or open your
network to types of access you had not intended. The best way to do this is
to set this up in a test environment where you can make sure that your
changes do not open any unforeseen access.



Option 1

This option allows all users direct access to the chat servers and can be
considered the "least secure" of the three options presented here.

1. Verify that web browsing is enabled. (This would mean a web proxy or
TCP port 80 outbound.)
2. Set up an access rule on your proxy server or firewall.
3. In this rule open TCP port 6667.
4. Set this port to be open outbound for all clients.
5. Set them to only allow incoming information on these ports from the
chat.msn.com IP addresses listed below (these may change; this is up to date
as of [date], contact [] for updates).
207.68.167.157
207.68.167.158
207.68.167.159
207.68.167.160
207.68.167.161
207.68.167.162
207.68.167.163
207.68.167.164
207.68.167.165
207.68.167.166
6. Test access to your network to make sure that this port is only open
for connection to the specific URL of MSN chat.


Option 2

This option will allow users to access the MSN chat servers only if they are
running the correct proxy client for your proxy or firewall solution.

1. Verify that web browsing is enabled. (This would mean a web proxy or TCP
port 80 outbound.)
2. Set up an access rule on your proxy server or firewall.
3. In this rule open TCP port 6667.
4. Set this port to be open outbound only for your proxy server.
5. Set them to only allow incoming information on these ports from the
chat.msn.com IP addresses listed below (these may change; this is up to date
as of [date], contact [] for updates).
207.68.167.157
207.68.167.158
207.68.167.159
207.68.167.160
207.68.167.161
207.68.167.162
207.68.167.163
207.68.167.164
207.68.167.165
207.68.167.166
6. Make sure this rule only allows the port to be open inbound to your proxy
server IP.



Option 3

This option will not have any traffic coming into your network on port 6667
but may require additional hardware to implement. You should note that
unless the users needing access provide their own terminal server on the
internet, this solution will require new hardware and licenses for the
terminal server that would be set up.

1. Open port 3389 outbound on your firewall.
2. Provide a terminal server outside your firewall for the users to
connect to.
3. Optionally they can use their own terminal server if it is already
running on the internet.

This solution is definitely the most secure as you are opening no additional
inbound ports at all. However it does require a terminal server on the
internet, either a corporate server or a server that the users are providing
themselves.
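As an added example (not part of the thread or of the whitepaper quoted above), the access rules of Option 1 and Option 2 written as a small Python policy model with a test matrix, in the spirit of the whitepaper's advice to verify the rules in a test environment before going live; the internal address space 10.0.0.0/8 and the proxy address 10.0.0.5 are assumptions, the chat server addresses and port are the whitepaper's own.

```python
import ipaddress
from dataclasses import dataclass

CHAT_PORT = 6667
# chat.msn.com addresses quoted in the whitepaper (valid as of its [date])
CHAT_SERVERS = {ipaddress.ip_address(f"207.68.167.{n}") for n in range(157, 167)}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address space
PROXY_IP = ipaddress.ip_address("10.0.0.5")        # assumed proxy server (Option 2)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str             # "out" = leaving the network, "in" = entering it
    established: bool = False  # reply traffic on a connection an inside host opened

def _chat_policy(f: Flow, permitted_inside) -> bool:
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    if f.direction == "out":
        # New connections only to a listed chat server on 6667, from a permitted inside host
        return f.dport == CHAT_PORT and dst in CHAT_SERVERS and permitted_inside(src)
    if f.direction == "in":
        # Inbound traffic on the chat port is reply traffic only, from a listed server
        return (f.established and f.sport == CHAT_PORT and src in CHAT_SERVERS
                and permitted_inside(dst))
    return False

def option1_allows(f: Flow) -> bool:
    """Option 1: every inside host may open the chat port directly."""
    return _chat_policy(f, lambda h: h in INTERNAL_NET)

def option2_allows(f: Flow) -> bool:
    """Option 2: only the proxy server may open the chat port."""
    return _chat_policy(f, lambda h: h == PROXY_IP)

def audit(policy, cases):
    """Return the flows whose verdict under `policy` differs from what was expected."""
    return [f for f, expected in cases if policy(f) != expected]

CASES = [  # constructed Option 1 test matrix: the checks to run before deploying the rule
    (Flow("10.0.1.20", "207.68.167.157", 51000, 6667, "out"), True),       # client to chat server
    (Flow("207.68.167.157", "10.0.1.20", 6667, 51000, "in", True), True),  # its reply traffic
    (Flow("10.0.1.20", "198.51.100.9", 51000, 6667, "out"), False),        # 6667 to unlisted host
    (Flow("203.0.113.7", "10.0.1.20", 6667, 51000, "in", True), False),    # reply from unlisted host
    (Flow("207.68.167.158", "10.0.1.20", 4444, 6667, "in"), False),        # unsolicited inbound 6667
    (Flow("10.0.1.20", "207.68.167.160", 51000, 6669, "out"), False),      # listed host, wrong port
]
```

Running `audit(option2_allows, CASES)` against the same matrix reports the two workstation flows as mismatches, which is exactly the difference between the two options: under Option 2 only the proxy may open or receive chat traffic.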
 

Heidi Linda eMVP

Michael Fosmire said:
> We are working on this and after March we will be using a different and more
> secure port.
>
> In the current infrastructure, you'd need access to port 6667. This will
> change after March to a port that is enabled by all customers, port 80.

So they're IRC based? Makes it somewhat annoying that I've never been able
to access the things from my mac... will the new version work on macs? Not
that it's really relevant for me, now that I've bought a PC, though...