Blocking Windows Messenger for access outside the company
M.Siler
December 11th 03, 02:20 PM
I'm running Windows 2000 & Exchange 2000 - I'd like to use Windows Messenger
5.0 within our company but I want to stop people from accessing IM outside
the company. Also, I want to stop MSN Messenger. Is this possible - if so
how??
Jonathan Kay [MVP]
December 11th 03, 02:20 PM
Greetings,
The easiest way to stop both would be (assuming you have access to do this sort of thing),
blocking messenger.hotmail.com, gateway.messenger.hotmail.com, messenger.msn.com, and
*.msgr.hotmail.com (where * could be anything), that should prevent users from using the
public .NET Messenger network.
____________________________________________
Jonathan Kay
Microsoft MVP - MSN Messenger/Windows Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com
"M.Siler" > wrote in message
...
> I'm running Windows 2000 & Exchange 2000 - I'd like to use Windows Messenger
> 5.0 within our company but I want to stop people from accessing IM outside
> the company. Also, I want to stop MSN Messenger. Is this possible - if so
> how??
>
>
M.Siler
December 11th 03, 02:20 PM
Yes, I'm the admin and I wanted to try to stop this in our firewall. I was
thinking that there were some ports that I could block.
It seems that from a business standpoint this would be a fairly common
request. Is there a list of what you listed and others for yahoo & aol and
others?
"Jonathan Kay [MVP]" > wrote in message
...
> Greetings,
>
> The easiest way to stop both would be (assuming you have access to do this sort of thing),
> blocking messenger.hotmail.com, gateway.messenger.hotmail.com, messenger.msn.com, and
> *.msgr.hotmail.com (where * could be anything), that should prevent users from using the
> public .NET Messenger network.
> ____________________________________________
> Jonathan Kay
> Microsoft MVP - MSN Messenger/Windows Messenger
> Associate Expert
> http://www.microsoft.com/windowsxp/expertzone/
> Messenger Resources - http://messenger.jonathankay.com
M.Siler
December 11th 03, 02:20 PM
I think I blocked access to MSN - I blocked TCP 1863 & stopped access to
http://gateway.messenger.hotmail.com
The first is a port it tries on and then if it can't get to that one it tries
on the URL
MSN down, now AOL & Yahoo!
"M.Siler" > wrote in message
...
> Yes, I'm the admin and I wanted to try to stop this in our firewall. I was
> thinking that there were some ports that I could block.
>
> It seems that from a business standpoint this would be a fairly common
> request. Is there a list of what you listed and others for yahoo & aol and
> others?
NeoSadist
December 11th 03, 02:20 PM
M.Siler wrote:
> I'm running Windows 2000 & Exchange 2000 - I'd like to use Windows
> Messenger 5.0 within our company but I want to stop people from accessing
> IM outside the company. Also, I want to stop MSN Messenger. Is this
> possible - if so how??
There really isn't a way, since logging in to the messenger requires remote
port 1863. Honestly, netmeeting is 1) more secure 2) more stable and 3) a
better business-related application to use. It's more configurable as
well. Still, that requires logging in to a remote server as well, I
believe. Bottom line, the only good application for doing what you want is
a program meant specifically for that, since msn and netmeeting are
designed to also be able to connect to internet meetings, not local
meetings per se. Also, btw, blocking the ports on the firewall would be
nice, but eventually all users would be able to figure out how it's done
anyways, and just tell their messenger/netmeeting to use http proxy.
--
... and are endowed by their Creator with certain unalienable rights ...
-- Thomas Jefferson
Jonathan Kay [MVP]
December 11th 03, 02:20 PM
Hi,
That should do it.
____________________________________________
Jonathan Kay
Microsoft MVP - MSN Messenger/Windows Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com
"M.Siler" > wrote in message
...
> I think I blocked access to MSN - I blocked TCP 1863 & stopped access to
> http://gateway.messenger.hotmail.com
>
> The first is a port it tries on and then if it can't get to that one it tries
> on the URL
>
> MSN down, now AOL & Yahoo!
NeoSadist
December 11th 03, 02:20 PM
M.Siler wrote:
> Yes, I'm the admin and I wanted to try to stop this in our firewall. I was
> thinking that there were some ports that I could block.
>
> It seems that from a business standpoint this would be a fairly common
> request. Is there a list of what you listed and others for yahoo & aol
> and others?
>
You need to make your users not part of the admin group. Also, don't use
win95/98/me at work: first off, they're meant for home use. Second, users
are admins as a default. Not a good idea. If they can't install it, they
can't log on, can they?
Also, you need to be thinking security. Win2k is the best in my opinion,
but they pale in comparison to linux/unix. If you've noticed, few if any
linux/unix security vulnerabilities arise from user programs: most of those
are server based, which can be easily fixed, and which your users won't be
using in the first place.
Also, write an agreement that each and every user must sign: something that
they agree to not install programs without your consent. Most hacks these
days come from within. Don't give out the admin password, etc, etc, etc.
--
... and are endowed by their Creator with certain unalienable rights ...
-- Thomas Jefferson
John
December 11th 03, 02:20 PM
On Tue, 7 Oct 2003 19:12:49 -0400, M.Siler > wrote:
> I'm running Windows 2000 & Exchange 2000 - I'd like to use Windows
> Messenger
> 5.0 within our company but I want to stop people from accessing IM
> outside
> the company. Also, I want to stop MSN Messenger. Is this possible - if so
> how??
>
>
I use Raptor firewall for my company. It's pretty old but works great.
Everything there is based on ports. We have one person, the boss, who
uses various messenger programs. I had to specifically open the port for
each program in the firewall because they are all closed by default.
Depending on your firewall you'll have to open or close the right port.
I've never had to mess with blocking URLs like everyone says. I guess I'm
just lucky.
I know MSN is 1863 and AOL/ICQ is 5190. I think Yahoo is 5020 but I'm not
100% positive. The port numbers are easy enough to find with a good
google search.
Robert A. Matern
December 11th 03, 02:20 PM
AIM, ICQ, & YahooIM can all connect on alternate ports... it's gonna be
harder to block them.
MSN is easy... only 1 port, and an HTTP tunnel to that gateway.* are the
only connection methods - and the latter doesn't work for MSN 5.0/6.0 (but
does for Windows Messenger 5.0 under Win2K/XP).
"M.Siler" > wrote in message
...
> I think I blocked access to MSN - I blocked TCP 1863 & stopped access to
> http://gateway.messenger.hotmail.com
>
> The first is a port it tries on and then if it can't get to that one it tries
> on the URL
>
> MSN down, now AOL & Yahoo!
Robert A. Matern
December 11th 03, 02:21 PM
"John" > wrote in message ...
> On Tue, 7 Oct 2003 19:12:49 -0400, M.Siler > wrote:
> <<SNIP>>
> I know MSN is 1863 and AOL/ICQ is 5190. I think Yahoo is 5020 but I'm not
> 100% positive. The port numbers are easy enough to find with a good
> google search.
AIM & ICQ can connect on port 22
YahooIM can connect on port 119
MSN has no alternate method, except HTTP to that gateway.*
The above ports have to be set using manual configuration...
John
December 11th 03, 02:21 PM
On Wed, 8 Oct 2003 10:16:23 -0400, Robert A. Matern
> wrote:
>
> "John" > wrote in message
> ...
>> On Tue, 7 Oct 2003 19:12:49 -0400, M.Siler > wrote:
>> <<SNIP>>
>> I know MSN is 1863 and AOL/ICQ is 5190. I think Yahoo is 5020 but I'm
>> not
>> 100% positive. The port numbers are easy enough to find with a good
>> google search.
>
> AIM & ICQ can connect on port 22
> YahooIM can connect on port 119
> MSN has no alternate method, except HTTP to that gateway.*
>
> The above ports have to be set using manual configuration...
>
>
>
I just checked my firewall for AIM. I opened port 5190 and it is
connecting on that port. Port 22 is closed and AIM is working fine. That
is just my case. Others may get different results.
question
My firewall only allows access to certain http domains. There's a type of
rule saying what domain someone can go to. If the domain is not listed
there is no access. I don't have any of the msn related domains listed.
Could that be blocking msn6 access? I'm going to test it.
John
December 11th 03, 02:21 PM
On Wed, 08 Oct 2003 10:25:46 -0400, John > wrote:
> I just checked my firewall for AIM. I opened port 5190 and it is
> connecting on that port. Port 22 is closed and AIM is working fine.
> That is just my case. Others may get different results.
>
> question
> My firewall only allows access to certain http domains. There's a type
> of rule saying what domain someone can go to. If the domain is not
> listed there is no access. I don't have any of the msn related domains
> listed. Could that be blocking msn6 access? I'm going to test it.
Nope, that's not it. That user has full http access through the
firewall. Oh well. I thought I had this msn problem solved. Guess not.
Robert A. Matern
December 11th 03, 02:21 PM
I believe there's a hotmail domain that's used as an alternate...
Jonathan Kay posted this in a previous message:
"If you block messenger.hotmail.com, gateway.messenger.hotmail.com,
messenger.msn.com, and
*.msgr.hotmail.com (where * could be anything), that should prevent users
from using
Messenger."
"John" > wrote in message ...
> Nope, that's not it. That user has full http access through the
> firewall. Oh well. I thought I had this msn problem solved. Guess not.
M.Siler
December 11th 03, 02:22 PM
I was testing with MSN 6.0 and TCP 1863 &
http://gateway.messenger.hotmail.com blocked it.
"Robert A. Matern" > wrote in message
...
> AIM, ICQ, & YahooIM can all connect on alternate ports... it's gonna be
> harder to block them.
>
> MSN is easy... only 1 port, and an HTTP tunnel to that gateway.* are the
> only connection methods - and the latter doesn't work for MSN 5.0/6.0 (but
> does for Windows Messenger 5.0 under Win2K/XP).
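
Added example (not part of the thread): a small Python audit of firewall/proxy log lines against the hostnames and the TCP port named in the posts above, showing why the HTTP fallback needs a hostname rule in addition to the port rule. The log format, the client addresses and the `by7` host label are constructed for illustration.

```python
from fnmatch import fnmatch

# Hostnames from Jonathan Kay's post; TCP 1863 from M.Siler's and John's posts.
MSN_HOST_PATTERNS = [
    "messenger.hotmail.com",
    "gateway.messenger.hotmail.com",
    "messenger.msn.com",
    "*.msgr.hotmail.com",
]
MSN_PORT = 1863

def parse_line(line):
    """Parse the constructed log format: 'ACTION src dst_host dst_port'."""
    action, src, host, port = line.split()
    return action, src, host.lower().rstrip("."), int(port)

def matches_msn(host, port):
    """Return 'port' or 'host' if the destination is public Messenger traffic, else None."""
    if port == MSN_PORT:
        return "port"
    if any(fnmatch(host, pattern) for pattern in MSN_HOST_PATTERNS):
        return "host"
    return None

def audit(lines):
    """Return (src, host, port, reason) for Messenger connections the firewall ALLOWED."""
    leaks = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        action, src, host, port = parse_line(line)
        reason = matches_msn(host, port)
        if reason and action == "ALLOW":
            leaks.append((src, host, port, reason))
    return leaks

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
# port 1863 is blocked, but the HTTP fallback on port 80 is still allowed
DENY 10.0.0.21 messenger.hotmail.com 1863
ALLOW 10.0.0.21 gateway.messenger.hotmail.com 80
ALLOW 10.0.0.34 www.example.com 80
ALLOW 10.0.0.40 by7.msgr.hotmail.com 80
DENY 10.0.0.40 192.0.2.10 1863
ALLOW 10.0.0.55 notmsgr.hotmail.com 80
""".splitlines()

if __name__ == "__main__":
    for leak in audit(SAMPLE_LOG):
        print("still allowed:", leak)
```

Every entry `audit` returns for this sample has reason `host` on port 80, which is the gap a port-1863-only rule leaves open.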