Opening MSN through ISA server

In this tutorial I will show you how to open ISA up so that MSN can pass through it and you can communicate with other MSN clients on the Internet. Please bear in mind that MSN should not be opened up if there is any chance of abuse; by using it you can potentially put your organization at risk.

Risks of MSN

  1. Unproductive time, due to chatting and meeting online.
  2. File sending and receiving; viruses can also be sent and received.
  3. Bandwidth can be utilized for unproductive activities.

Pros of having MSN enabled through the ISA server

  1. People in your organization can chat to other people at your branch offices for business purposes.
  2. If bandwidth is sufficient, video conferencing on a peer-to-peer basis is possible.
  3. Using MSN on Windows XP, Remote Assistance is possible and can cut down on travel costs if used appropriately.

Something to keep in mind
Many people find that it is unnecessary to allow MSN through the ISA firewall, or any firewall for that matter. This is not to be ignored, as there is some substance to the concern. MSN is on the whole very unproductive in my experience, but as with anything, if there are no strict policies to manage the privilege it will fail miserably. I am not completely against the use of MSN, but I offer a word of warning to those who are not aware of all the implications of the technology.

Please note that enabling MSN can compromise your network if the technology is used incorrectly, and measures such as antivirus are not in place to detect virus transmission.

Undiscovered bugs and problems may occur in the future, and it is always a good idea to keep ISA as closed as possible. Imagine ISA to be a brick wall that keeps intruders from looking at and getting access to inside network resources. Each time you open ISA up for an application to get out and then back in, it is like taking one or more bricks from the valuable wall that protects your network. If you remove enough bricks, eventually your wall will be weak, making it easier for people on the outside to get to the now not so protected inside.

As a word of advice, do not rely on ISA or any firewall as your only means of protection against hackers or any other malicious form of attack, be it from external or internal sources.

The mere fact that the people who designed ISA included a predefined MSN Messenger protocol tells me that they knew someone was going to try to use it through ISA, and that they knew it is as much of a risk as e-mail or any other application that can transmit files.

As with all new types of protocol definitions, a protocol rule needs to be assigned to the definition before it can be activated. This is the first step in enabling MSN through your ISA server.

Creating your protocol rule

More Information
To configure Instant Messenger for sending messages:

Configuring the MSN Protocol Rule

1.    Under the Access Policy object in the ISA MMC, right-click Protocol Rule, click New, and then click Rule.

2.     Name the Protocol rule and then click Next.

3.    Click the Allow radio button, and then click Next.

4.    In the "Apply this rule to" drop-down box, select Selected Protocols, then check the MSN Messenger check box, then click Next.

5.    This is a very important screen. In this screen you can specify when the users will have access to the MSN service; in some cases you might consider giving users access to MSN only after hours or only on weekends depending on the policy or what management allows. Select the appropriate schedule and then click Next.

6.    On this screen you can also limit the protocol rule to specific clients or groups of clients. If you have a kiosk set up near reception or in the common room or tea room, you may have a group of computers that you would like to give MSN access to. To do this, create client address sets with the static IP addresses of the machines within your kiosk environment. For this example click Any Request and then click Next.

7.    Check your settings here and then click Finish.

After the protocol rule is successfully created, a packet filter needs to be created so that MSN can pass through the ISA server.

Creating the packet filter for your MSN messenger

Create this packet filter to allow the MSN service through ISA.

1.    Under the IP Packet Filter object in the ISA MMC, right-click IP Packet Filters, then click New, then click Filter.

2.    Name the packet filter, and then click Next.

 

3.    Click Allow packet transmission, and then click Next.

4.    Under Use this filter, click Custom, then click Next.

5.    Match the setting I have above and then click Next.

6.    Click Default IP addresses for each external interface on the ISA Server computer, then click Next.

7.    Select All remote computers, then click Next.

8.    Check your settings, then click Finish.

Now test MSN through your ISA. I normally restart the services just in case.
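Once the rule is live, the schedule and client restrictions chosen in steps 5 and 6 of the protocol rule can be checked against what the firewall actually allowed. The following is an added example, not part of the original article: it audits a constructed, simplified log layout (not ISA's native log format) and assumes MSN Messenger's usual TCP port 1863, a hypothetical kiosk client address set and a hypothetical after-hours schedule.

```python
from datetime import datetime
from ipaddress import ip_address

MSN_PORT = 1863  # MSN Messenger's usual TCP port; an assumption, the page does not state it
KIOSK_CLIENTS = {ip_address("192.168.10.21"), ip_address("192.168.10.22")}  # hypothetical

# Constructed sample, hypothetical layout: date time client_ip dest_ip dest_port action
SAMPLE_LOG = """\
2004-03-01 10:15:02 192.168.10.21 203.0.113.20 1863 ALLOW
2004-03-01 18:05:40 192.168.10.21 203.0.113.20 1863 ALLOW
2004-03-01 18:07:11 192.168.10.77 203.0.113.20 1863 ALLOW
2004-03-06 09:30:00 192.168.10.22 203.0.113.20 1863 ALLOW
2004-03-02 11:00:00 192.168.10.77 203.0.113.20 1863 DENY
2004-03-02 11:01:00 192.168.10.50 203.0.113.80 80 ALLOW
2004-03-02 11:02 truncated
"""

def in_schedule(ts):
    """Hypothetical schedule: weekends all day, weekdays from 17:00."""
    return ts.weekday() >= 5 or ts.hour >= 17

def audit(log_text):
    """Return (line_number, reasons) for allowed MSN traffic that breaks the policy."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            date, time, client, _dest, port, action = line.split()
            ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
            client, port = ip_address(client), int(port)
        except ValueError:
            # Never skip silently: a line we cannot parse is a line we did not audit.
            findings.append((number, ["unparseable line"]))
            continue
        if port != MSN_PORT or action != "ALLOW":
            continue
        reasons = []
        if client not in KIOSK_CLIENTS:
            reasons.append("client not in address set")
        if not in_schedule(ts):
            reasons.append("outside schedule")
        if reasons:
            findings.append((number, reasons))
    return findings

if __name__ == "__main__":
    for number, reasons in audit(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

Any finding other than an unparseable line means the rule is wider than intended, for example because "Any Request" was left selected or the schedule was never applied.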

Summary

Opening MSN through your ISA can prove rewarding if managed correctly and if the users of the technology fully understand that it can potentially be dangerous to the network if used irresponsibly. It can be used for business purposes and has major benefits, both for support and in making it possible to communicate with colleagues who are connected to the Internet wherever they may be internationally. Make sure management agrees and fully understands the potential risks before opening an application such as MSN to all your users. I do however believe that MSN is as dangerous as normal day-to-day corporate e-mail and presents the same potential risks as the corporate e-mail system if not managed correctly.

About Ricky M. Magalhaes

Ricky M. Magalhaes is a security specialist who has worked as a consultant and IT technical specialist for the past 8 years. He has been primarily responsible for implementation and design of security, network architecture, communications, network infrastructure and security R&D for many South African organizations that he works with. He is a Windows 9x product specialist and has been working with the Windows product since version Win 3.11. He has also written articles on security for www.windowsecurity.com, www.ISAserver.org, www.governmentsecurity.com and many other well-known security and technology websites.
